This Privacy Policy explains what personal data Cronheart collects, why we collect it, how long we keep it, and what rights you have. We aim for plain English over legal jargon wherever the law lets us. If something is unclear, write to support@cronheart.com and we will explain.
1. Who is the data controller
The data controller for personal data processed through Cronheart is Aliaksandr Palazok, an individual operating from the Republic of Poland. For data-protection enquiries, contact support@cronheart.com. The controller's full residential address is held on file with the Polish supervisory authority and is provided on request when needed to exercise data-subject rights.
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with a designated supervisory authority, you have the right to lodge a complaint with that authority. In Poland this is the Urząd Ochrony Danych Osobowych (UODO); in other countries see your local equivalent.
2. What data we collect
We collect three categories of data:
2.1 Account data
- Email address — your login identifier and the channel through which we send security and billing notices.
- Password (hashed) — stored only as a bcrypt hash; we never see or log the plaintext.
- Last login timestamp and IP address — kept for security and abuse-detection purposes; rotated out of hot storage after 90 days.
- Theme preference (light / dark) — stored in a non-tracking cookie.
2.2 Monitor & ping data
- Monitor configuration — name, schedule expression, grace period, alert channels you wired up.
- Ping events — time of receipt, ping kind (start / success / fail), source IP, user-agent, and the optional message body of failure pings (kept so you can correlate alerts with failure context).
- Alert delivery records — when an alert was sent, which channel, and whether it succeeded.
2.3 Billing data
- Stripe customer and subscription identifiers — used to reconcile our billing state with Stripe's.
- Invoice metadata — date, amount, currency, last four digits of the card. We do not store full card numbers, CVV, or bank details. Payment data is processed by Stripe under their privacy notice (stripe.com/privacy).
- Tax-relevant location data — country and (for EU customers) VAT number, used so Stripe can calculate the correct tax rate at checkout.
3. Why we collect it (legal bases)
Under GDPR Art. 6, we process personal data on the following bases:
- Performance of a contract (Art. 6(1)(b)) — to deliver the service you signed up for: account management, monitor execution, alert delivery, billing.
- Legitimate interest (Art. 6(1)(f)) — for security telemetry (IP-based abuse detection, login throttling), service-availability monitoring, and debugging production incidents. We balance these against your privacy interests and minimise retention accordingly.
- Legal obligation (Art. 6(1)(c)) — for billing records and tax-relevant data we are required to retain by accounting and tax law.
- Consent (Art. 6(1)(a)) — only where we ask explicitly (e.g. for optional product-update emails; we do not currently send these).
4. Subprocessors
We use the following third-party services to operate Cronheart. Each acts as a data processor under our instructions and is covered by a data-processing agreement (DPA) where required:
When you wire up a Slack, Telegram, Discord, or generic-webhook alert channel, alert payloads are also sent to that destination at your direction. Those services are not our subprocessors — they are separate controllers, governed by their own privacy notices.
5. How long we keep data
- Account data — for as long as your account exists. Deleted within 30 days after account closure, except where law requires longer retention.
- Ping events — last 90 days of detailed events; older history aggregated into summary statistics.
- Alert delivery records — 12 months, then deleted.
- Audit logs (login, admin actions) — 24 months, then deleted.
- Billing records — retained for the period required by tax law in the jurisdiction of the Provider (typically 5–10 years for invoices in the EU).
6. Your rights
If you are in the EU, EEA, UK, or another jurisdiction with equivalent rights, you have the right to:
- Access the personal data we hold about you (GDPR Art. 15).
- Rectify inaccurate data — most fields are editable directly in your account; for the rest, email us (Art. 16).
- Erase your data ("right to be forgotten") — by closing your account or by request (Art. 17), subject to legal-retention exceptions.
- Restrict processing in specific circumstances (Art. 18).
- Port your data to another service in a machine-readable format (Art. 20). Monitor configurations and event history can be exported as JSON on request.
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
Send requests to support@cronheart.com. We will respond within 30 days. We may ask you to verify your identity (typically by replying from the email address on file) before disclosing data.
7. Cookies & similar technologies
Cronheart uses cookies sparingly. We do not use third-party advertising or analytics trackers. The cookies set by cronheart.com are:
- Session cookie — required for login; expires on logout.
- CSRF token cookie — required to protect form submissions; expires with the session.
- UI theme cookie — stores your light / dark preference; one year.
- Remember-me cookie (optional) — set only if you check "Remember me" at login; 30 days.
None of these cookies are used for advertising, profiling, or cross-site tracking. We do not require a cookie banner under EU ePrivacy because all of these cookies are strictly necessary for the service you requested.
8. International transfers
Most processing happens within the EU. Where a subprocessor processes data outside the EEA (notably Resend, in the United States), the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) under the DPA we sign with that subprocessor.
9. Children
Cronheart is intended for developers and operations engineers. It is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, write to us and we will delete it.
10. Security
We protect personal data with industry-standard measures: transport-layer encryption (TLS 1.2+), at-rest encryption of database backups, password hashing with bcrypt, isolated production credentials, and rate-limiting against brute force. Despite these measures, no online service can guarantee absolute security; if a breach occurs we will notify affected users and the relevant supervisory authority in line with GDPR Art. 33–34.
11. Changes to this Policy
We may update this Privacy Policy when we add features, change subprocessors, or respond to regulatory changes. Material changes will be announced by email to the address on your account at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For privacy questions, data-subject requests, or formal notices, contact support@cronheart.com.
See also: Terms of Service.