Privacy Policy

Last updated: May 10, 2026 · Effective: May 10, 2026

Plain-English summary: We only collect data needed to run AppStatus. We never sell your personal data. Payments are handled by Paddle.com Market Limited acting as our Merchant of Record. You can export, correct or delete your data at any time by emailing privacy@appstatus.io.

1. Who We Are (Data Controller)

This Privacy Policy describes how AppStatus ("AppStatus", "we", "our", or "us") collects, uses, stores, shares and protects personal information of visitors and customers ("you") of https://appstatus.io and the AppStatus monitoring platform ("Service").

AppStatus is the data controller for personal data of customers and website visitors. For data relating to payments, our payment provider Paddle.com Market Limited acts as the Merchant of Record and is an independent controller for billing data.

2. Information We Collect

2.1 Account Information

  • Email address and securely-hashed password (we use Argon2/bcrypt; we never store plaintext passwords)
  • Display name, workspace name, and team-member email addresses you invite
  • Authentication tokens, API keys and 2FA secrets (encrypted at rest)

2.2 Billing Information (handled by Paddle)

When you purchase a paid plan, our payment processor Paddle.com Market Limited collects:

  • Billing name, billing address and country (for tax/VAT determination)
  • Payment instrument details (card last 4 digits, brand, expiry) — full card numbers never reach AppStatus servers
  • VAT / tax IDs you provide for B2B invoicing

Paddle's processing is governed by the Paddle Privacy Notice and Paddle Checkout Buyer Terms.

2.3 Monitoring Data

  • URLs, domains, IP addresses, ports and endpoints you choose to monitor
  • SSL certificate metadata for the targets you monitor
  • Uptime, latency and response-code time-series
  • Incident, alert and on-call notification records

2.4 Usage & Technical Data

  • IP address, browser, device type and operating system
  • Pages visited, features used, referrer URLs and timestamps
  • Diagnostic logs and crash reports (anonymised wherever possible)

3. How & Why We Use Your Information (Legal Basis)

Under GDPR Art. 6, we rely on the following legal bases:

  • Contract performance: deliver monitoring, send alerts, manage your account and process subscriptions.
  • Legitimate interest: secure the platform, prevent fraud, improve features, perform aggregate analytics.
  • Consent: non-essential cookies, marketing emails (you can withdraw at any time).
  • Legal obligation: tax records, fraud reporting, lawful requests from authorities.

4. Payments & Merchant of Record

All paid subscriptions are sold and invoiced by Paddle.com Market Limited (registered in England & Wales, company no. 08172165, address: Judd House, 18-29 Mora Street, London EC1V 8BT, UK) acting as the Merchant of Record for AppStatus.

This means Paddle is responsible for:

  • Charging your payment method and issuing the invoice/receipt
  • Calculating, collecting and remitting sales tax / VAT / GST in your jurisdiction
  • Handling chargebacks, refunds and PCI-DSS compliance

Charges appear on your statement as PADDLE.NET* APPSTATUS or similar. AppStatus never stores full payment-card data on its servers.

5. International Data Transfers

AppStatus operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States, the European Union and the United Kingdom. When transferring personal data outside the EEA/UK, we rely on:

  • The European Commission's Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Addendum where applicable
  • Adequacy decisions issued by the relevant authorities

6. Data Security

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Network isolation, least-privilege IAM and role-based access control
  • Optional two-factor authentication (TOTP) for all accounts
  • Continuous vulnerability scanning and periodic third-party penetration testing
  • Comprehensive audit logging on every administrative action

In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by GDPR Art. 33 / 34.

7. Data Retention

  • Free plan: 30 days monitoring data, 7 days audit logs
  • Starter plan: 90 days monitoring data, 30 days audit logs
  • Pro plan: 180 days monitoring data, 90 days audit logs
  • Business plan: 365 days monitoring data, 365 days audit logs
  • Enterprise plan: 730 days monitoring data, unlimited audit logs
  • Account deletion: personal data is fully erased within 30 days; backups expire within 90 days
  • Tax / billing records: retained for up to 7 years where required by law

8. Your Rights

Depending on your location, you have the following rights:

  • Access & portability: request a machine-readable copy of your data
  • Rectification: correct inaccurate or incomplete information
  • Erasure ("right to be forgotten"): delete your account and personal data
  • Restriction & objection: limit or object to certain processing
  • Withdraw consent: opt out of marketing communications at any time
  • CCPA / CPRA (California residents): right to know, delete and opt-out of sale (we do not sell personal data)
  • Lodge a complaint: with your local data protection authority

To exercise any right, email privacy@appstatus.io. We respond within 30 days (extendable to 60 days for complex requests).

9. Subprocessors & Third-Party Services

We use the following sub-processors to operate the Service:

Provider | Purpose | Region
Paddle.com Market Ltd | Payments / Merchant of Record | UK / EU / US
Brevo (Sendinblue) | Transactional & alert emails | EU
Cloudflare, Inc. | CDN, DDoS protection, DNS | Global
Supabase Inc. | Authentication & database hosting | EU / US
Hetzner / Contabo / AWS | Application hosting & storage | EU / US

We do not sell or rent your personal data to third parties, ever.

10. Children's Privacy

AppStatus is a B2B service and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us at privacy@appstatus.io and we will delete it promptly.

11. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal obligations. Material changes will be announced by email and a notice on this page at least 14 days before they take effect. The "Last updated" date above always reflects the current version.

12. Contact & Data Protection

For privacy questions, data-subject requests or to reach our Data Protection contact:

Privacy: privacy@appstatus.io

Support: support@appstatus.io

Legal: legal@appstatus.io

Billing & refunds (Paddle): help@paddle.com