This policy explains what personal data uokay ("we", "us") processes, why, and what rights you have under the GDPR. We act as controller for account and billing data, and as processor for the monitoring data you configure.
1. Data we process
- Account data: name, email address, password hash, two-factor secrets, team membership and roles.
- Billing data: subscription tier, invoices, and payment status. Card and bank details are handled by our payment provider Mollie and never touch our servers.
- Monitoring configuration: the URLs, prompts, assertions, and alert destinations you configure. These may contain personal data if you choose to include it.
- Check results: response times, status codes, error messages, and (for AI checks) model responses and token counts, retained per your plan's retention period.
- API keys: provider keys you supply for AI checks, stored encrypted (AES-256-CBC) and decrypted only at check execution.
- Usage data: server logs (IP address, user agent, timestamps) kept for security and debugging.
2. Purposes and legal bases
- Providing the Service, executing checks, and sending alerts — performance of contract (Art. 6(1)(b) GDPR).
- Billing and accounting — legal obligation (Art. 6(1)(c)).
- Service security, abuse prevention, and product improvement — legitimate interest (Art. 6(1)(f)).
- Product emails beyond transactional messages — consent (Art. 6(1)(a)), withdrawable at any time.
3. Subprocessors
We use the following subprocessors. Compute for check execution runs on EU infrastructure; some providers are US-owned companies operating EU regions, and transfers are covered by the EU Standard Contractual Clauses or an adequacy decision where applicable.
- Hetzner Online GmbH (Germany) — check execution and application hosting, Falkenstein DE.
- Supabase, Inc. (US company, eu-central-1 region) — managed Postgres database.
- Cloudflare, Inc. (US company) — DNS, CDN, and public status page edge rendering.
- Mollie B.V. (Netherlands) — payment processing.
- Postmark / ActiveCampaign (US company) — transactional email delivery.
4. Retention
Check results are retained for the period defined by your plan, then deleted automatically. Account data is deleted within 30 days of account deletion. Invoices are kept for the statutory retention period (7 years in the Netherlands). Server logs are kept up to 30 days.
5. Your rights
You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interest (Arts. 15–21 GDPR). Contact [email protected]. You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
6. Cookies
The application uses strictly necessary cookies only: session, CSRF protection, and appearance preference. No advertising or cross-site tracking cookies are set.
7. Changes
We update this policy as the Service evolves; material changes are announced by email or in the dashboard.