Privacy Policy
Last updated: 10 June 2026
1. Who we are
CertSentry (certsentry.dev) is operated by Stanisław Czajka (the "Operator", "we"), who is the controller of your personal data within the meaning of the EU General Data Protection Regulation (GDPR). You can reach us about anything in this policy at support@certsentry.dev.
2. Data we process
- Account data. Your email address and, if you sign in with GitHub or Google, the name and avatar those providers share with us.
- Authentication data. OAuth account identifiers and tokens from GitHub or Google (if you use them), and a session cookie that keeps you signed in. We never see or store passwords.
- Monitoring configuration. The hostnames or URLs you ask us to monitor, labels, enabled check types, check intervals, regions and alert thresholds.
- Check results. The outcome of each check: status, response latency, HTTP status codes, SSL certificate expiry dates, domain registration expiry dates and DNS record snapshots for the targets you configured.
- Notification settings. Your alert email address and, if you configure them, Slack webhook URLs or Telegram bot tokens and chat IDs. These credentials are used solely to deliver the alerts you requested.
- Billing data. Your plan, subscription status and Stripe customer and subscription identifiers. Card numbers and full payment details are handled entirely by Stripe and never reach our servers.
- Technical logs. Our hosting providers keep standard server logs (IP address, request time, user agent) for security and operations.
- Analytics data (only with your consent). If you accept analytics cookies, Google Analytics collects the pages you visit, the referring site, approximate location (country/city derived from your IP address, which Google Analytics does not log), device and browser type, and interaction events. If you decline or have not yet chosen, only anonymous, cookieless pings without persistent identifiers are sent (Google Consent Mode). Google's advertising features are disabled.
3. Why we process it (legal bases)
- To provide the service — creating your account, running the checks you configure, sending alerts and handling billing (Art. 6(1)(b) GDPR, performance of a contract).
- To keep the service secure — preventing abuse, blocking checks against private networks, rate limiting and investigating incidents (Art. 6(1)(f) GDPR, our legitimate interest in operating a safe service).
- To comply with the law — keeping billing records required by accounting and tax regulations (Art. 6(1)(c) GDPR).
- To understand how the service is used — usage statistics via Google Analytics (Art. 6(1)(a) GDPR, your consent). You can withdraw consent at any time via the cookie preferences on our Cookie Policy page; withdrawal does not affect the lawfulness of processing before it.
We do not use your data for advertising, we do not sell it, and we do not make automated decisions about you or profile you.
4. Who receives your data (subprocessors)
We use a small number of service providers who process data on our behalf under data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting (web app and API) | USA / EU edge network |
| Neon Inc. | PostgreSQL database (account, monitor and check data) | EU region |
| Stripe, Inc. | Payment processing and subscription billing | USA / EU |
| Resend (Plus Five Five, Inc.) | Transactional email (sign-in links, alerts) | USA |
| Zoho Corporation Pvt. Ltd. (Zoho Mail) | Support and contact mailboxes (email you send to us) | EU data centres |
| Amazon Web Services | Monitoring checkers (Lambda) in N. Virginia, Dublin and Singapore | USA / Ireland / Singapore |
| Google Ireland Ltd. (Google Analytics) | Usage statistics — only with your consent | EU / USA |
If you sign in with GitHub or Google, those providers act as independent controllers under their own privacy policies. If you configure Slack or Telegram alerts, alert content is sent to the webhook or bot you provide, under those platforms' own terms.
5. International transfers
Some of our providers process data in the United States and, for the Singapore monitoring region, in Singapore. Where data leaves the European Economic Area, transfers rely on adequacy decisions (including the EU–US Data Privacy Framework where the provider is certified) or the European Commission's Standard Contractual Clauses.
6. How long we keep it
| Data | Retention |
|---|---|
| Account data (email, name, avatar) | Until you delete your account |
| Monitor configuration and notification channels | Until you delete them or your account |
| Check results (status, latency, SSL/DNS/domain data) | Up to 90 days, then pruned automatically |
| Billing and subscription records | As required by Polish accounting and tax law (generally 5 years) |
| Authentication session | Until sign-out or session expiry |
| Analytics events (Google Analytics) | 14 months, then only aggregated statistics |
7. Your rights
Under the GDPR you have the right to access, rectify, erase and receive a copy of your personal data, to restrict or object to its processing, and to data portability. Two of these are self-service:
- Export — download everything we hold about you as JSON via Settings → Export data.
- Erasure — delete your account and all associated data at any time via Settings → Delete account. This cancels any active subscription and is irreversible.
For anything else, email support@certsentry.dev. You also have the right to lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
8. Cookies
We use strictly necessary first-party cookies for authentication and, only if you consent via the cookie banner, Google Analytics cookies for usage statistics. There are no advertising cookies and no cross-site trackers. Details, including how to change your choice at any time, are in our Cookie Policy.
9. Security
All traffic is encrypted in transit (TLS, with HTTP Strict Transport Security). Internal traffic between the application and the monitoring checkers is authenticated with signed requests. Data is encrypted at rest by our database and infrastructure providers. No system is perfectly secure; if a breach affects your data, we will notify you as required by the GDPR.
10. Children
The service is intended for people aged 18 or over. We do not knowingly process data of anyone younger; if you believe a minor has created an account, contact us and we will delete it.
11. Changes to this policy
If we change this policy in a way that materially affects you, we will notify you by email or in the dashboard before the change takes effect. The date at the top tells you when it was last revised.