Privacy Policy

Last updated July 5, 2026

This policy explains what we collect, why we collect it, and the choices you have. We aim to collect as little as possible to run reliable monitoring while being transparent about how sensitive infrastructure data is secured.

1. Information we collect

We collect the following categories of information:

  • Account data: name, email, organization, and authentication details you provide during registration.
  • Monitoring configuration: the endpoints, regions, check intervals, and alert channels you set up within the Service.
  • Operational data: probe results, response times, HTTP status codes, TLS certificate metadata, incident history, and logs generated by the Service to perform monitoring.
  • Usage and device data: IP address, browser type and version, operating system, and interaction events collected to secure and improve the Service.
  • Billing data: payment method details are collected and processed by our payment processor (Stripe). We store only a tokenized reference and the last four digits of your card.

2. How we use information

We use information to:

  • Operate monitoring, consensus evaluation, and alerting.
  • Authenticate you and protect against abuse.
  • Provide support and communicate service notices.
  • Generate aggregated, non-identifying analytics to improve the Service.
  • Process billing and prevent fraudulent transactions.

3. Telemetry and consent

We classify data collection into two categories to respect your choices:

  • Consent-free telemetry: anonymized, non-identifying signals such as aggregated feature-usage counts, error rates, and performance metrics. These contain no personal data and are collected automatically to maintain service reliability. No opt-in is required.
  • Consent-required data: any collection tied to your identity — usage patterns linked to your account, feedback surveys, optional product-research participation, and marketing communications. We collect these only with your explicit opt-in and you may withdraw consent at any time from your account settings.

You will never be required to complete surveys or provide optional feedback to use the Service. Where we solicit feedback (e.g. onboarding surveys), participation is voluntary, the data is stored separately from your monitoring configuration, and declining has no effect on your access or service quality.

5. How we share information

We do not sell your personal data. We share it only with sub-processors that help us run the Service, under contracts that require equivalent data-protection standards:

  • Cloud infrastructure: for hosting and data storage.
  • Payment processing: Stripe, for billing and subscription management.
  • Email delivery: for transactional notifications and alerts.

We may also disclose data when required by law or to protect the security and integrity of the Service.

6. Data retention

We retain data only as long as it serves a clear purpose:

  • Probe results and logs: retained on a rolling window (30 days on the free plan, up to 365 days on higher plans), then permanently deleted.
  • Account data: kept while your account is active and for up to 90 days afterward to allow for reactivation, after which it is deleted.
  • Billing records: retained as required by tax and financial regulations (typically 7 years) in anonymized form.
  • Backups: encrypted backups are purged on a 30-day rolling cycle.

You may request early deletion of your data at any time by contacting us or using the account deletion feature in your settings.

7. Data security, protection, and storage

Downtime monitoring inherently involves sensitive data — your infrastructure endpoints, alert configurations, and incident history. We take specific, concrete measures to protect it:

  • Encryption in transit: all connections use TLS 1.2+. Internal service-to-service communication is encrypted with mutual TLS.
  • Encryption at rest: all stored data, including backups, is encrypted using AES-256.
  • Tenant isolation:each organization's data is logically isolated at the database level. One customer's queries cannot access another's data.
  • Access controls: internal access to production data follows least-privilege principles. Access is scoped by role, logged, and auditable.
  • Infrastructure: the Service runs on SOC 2 Type II-certified cloud infrastructure with geographic redundancy.
  • Incident response: we maintain a documented incident response plan. In the event of a data breach, affected customers will be notified within 72 hours as required by applicable law.
  • Vulnerability management: dependencies are continuously scanned, and we perform regular security assessments.

No system is perfectly secure. If you discover a vulnerability, please report it to security@tallwatch.com.

8. Your rights

Depending on your location, you may have rights to:

  • Access and receive a copy of your personal data.
  • Correct inaccurate data.
  • Request deletion of your data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent at any time where consent is the legal basis.

Contact us to exercise these rights and we will respond within the timeframes required by applicable law (typically 30 days).

9. International transfers

We may process data in countries other than your own. Where we transfer data outside the EEA, UK, or your jurisdiction, we rely on appropriate safeguards such as standard contractual clauses (SCCs) approved by the European Commission, or adequacy decisions, to ensure your data remains protected.

10. Cookies

We use cookies in two categories:

  • Essential cookies: required for authentication, session management, and security. These cannot be disabled without breaking core functionality.
  • Analytics cookies: a minimal set used to understand product usage in aggregate. These are optional and can be controlled through your browser settings or our cookie preferences panel.

We do not use advertising cookies or share cookie data with ad networks.

11. Changes to this policy

We may update this policy as the Service evolves. Material changes will be communicated through the Service or by email at least 30 days before they take effect, with the effective date noted above. Continued use of the Service after the effective date constitutes acceptance.

12. Contact

For privacy questions or requests, contact privacy@tallwatch.com or visit our contact page.