Privacy Policy
Last updated: 2026-03-25 UTC.
This policy explains exactly how Uptimer processes data in the current product implementation. It covers cloud and self-hosted deployments, what we collect, why we use it, and where it can be shared.
Data Map: What Uptimer Uses and Why
| Data category | What it includes | Why it is used | Retention behavior |
|---|---|---|---|
| Account identity | Username, email, tenant membership, account status, last login timestamp. | Sign-in, workspace access control, account lifecycle, support communication. | Kept while the account exists; related audit/compliance evidence may remain longer where required. |
| Authentication and session security | Password hash (bcrypt), MFA secret/recovery codes, lockout counters, session version, verification/reset tokens. | Authenticate users, enforce MFA policy, prevent account takeover and brute-force abuse. | Security state is kept while the account is active; short-lived token windows are enforced in-product. |
| Monitoring configuration | Monitor names, monitor targets, check intervals, thresholds, visibility, notification routing. | Run uptime checks, trigger alerts, and render dashboard/public status views. | Kept while monitor/workspace configuration exists. |
| Monitoring results and incidents | Check timing/status data, error summaries, status transitions, incident summaries, anomaly/prediction snapshots. | Uptime history, incident response, exports/reports, and optional AI-assisted reliability insights. | Plan-based retention for checks/events: Free 7 days, Solo 90 days, Team 365 days, Business 730 days, Enterprise custom. |
| Notification and integration settings | Email recipients, webhook/chat destinations, provider account/sender values, delivery attempt logs. | Deliver downtime and recovery notifications through channels you configure. | Endpoint settings are retained until changed or removed; delivery records are kept for operational traceability. |
| Billing and subscription operations | Plan choice, billing cycle, checkout totals, country/currency, PayPal order/capture/subscription identifiers, webhook events. | Process checkout, apply discounts, reconcile subscription state, and maintain billing auditability. | Retained as billing and finance operations records. |
| Contact and enterprise enquiries | Name, email, subject/topic/message, company/deployment preferences; contact form metadata can include source IP and user-agent. | Reply to enquiries, sales workflows, abuse/spam filtering, and support audit history. | Stored as audit entries; removable through Super Admin data management workflows. |
| Anonymous app traffic telemetry | Timestamp, route category (page/api/auth/public/other), HTTP status code, response duration. | Capacity monitoring, error-rate analysis, reliability trends, and abuse detection. | Used in rolling 5m/1h/24h service metrics and retained as operational telemetry. |
What We Intentionally Do Not Collect for App Traffic Telemetry
Uptimer app traffic telemetry is designed for minimization. This dataset does not store IP addresses, user-agent strings, cookies, full request URLs, or direct user identifiers.
Uptimer currently does not run advertising cookies or analytics/performance cookies in the product.
Cookie Usage
Uptimer uses a minimal cookie set for authentication, security controls, and optional UI preference storage.
| Cookie | Category | Purpose | Typical retention |
|---|---|---|---|
| Uptimer.Auth | Strictly necessary | Authenticated session cookie. | Up to 8 hours |
| Uptimer.External | Strictly necessary | Temporary external sign-in state for SSO/OIDC handoffs. | Up to 10 minutes |
| .AspNetCore.Antiforgery.* | Strictly necessary | Cross-site request forgery protection. | Session scoped |
| uptimer_cookie_consent | Strictly necessary | Stores cookie consent choice. | Up to 12 months |
| uptimer_theme | Optional preference | Stores selected theme preference. | Up to 12 months |
When Data Is Shared Outside Uptimer
- Payment processing: Paid cloud checkout uses PayPal, so billing transaction identifiers are exchanged with PayPal.
- Notifications you configure: Alert payloads are sent to destinations you choose (for example email, webhook, Slack, Teams, or Discord endpoints).
- Email delivery: Verification, password reset, and operational email can be routed through configured SMTP or managed relay settings.
- Legal/security obligations: Data may be disclosed when required by law, legal process, or to protect service security.
Public Status Data Boundary
Only monitors explicitly marked public are exposed on public status routes. Private monitors and private descendants remain non-public. Public output is minimized and target values are sanitized before display.
AI-Assisted Features and Data
AI-assisted features in Uptimer operate on tenant-scoped monitoring telemetry for summaries, anomaly signals, and prediction snapshots. In the current implementation, these capabilities are local/offline and do not require external LLM API calls.
For implementation-level details, see AI Transparency.
Data Protection Controls
- Passwords are stored as bcrypt hashes, not plaintext.
- Sensitive stored secrets use protected/encrypted storage mechanisms.
- Authentication cookies are HttpOnly and marked essential.
- Audit logging and compliance workflows support traceability for security and privacy actions.
Your Rights and Choices
You can request access, correction, export, restriction, or deletion of personal data, subject to legal and security obligations. Uptimer includes DSAR workflows with due-date tracking for privacy operations.
You can change your optional cookie preference at any time via Cookie Settings in the footer.
Contact
For privacy requests, use Contact and include your workspace/subject details so requests can be verified and processed securely.
Terms of use and additional notices remain available at Legal Notices.