1. Who controls the data
The controller for the processing described in this Privacy Policy is:
- Legal entity: XTEK Invest SRL
- Registered address: Str. Mihail Kogalniceanu 1, Miroslava, Iasi, Romania
- Trade Register: J2007001534220
- CUI / VAT: RO21789595
- Privacy and support contact: support portal or support [at] uptimeboss [dot] io
2. Scope
This Privacy Policy applies to the public website, the client portal, onboarding and sign-in flows, password reset flows, instance requests, operational emails, anonymous telemetry, and support interactions connected to UptimeBoss.
This Privacy Policy does not automatically govern third-party websites or services that are linked from UptimeBoss. Separate services, including external support software or payment systems if introduced later, may publish their own notices.
3. What we collect
3.1 Information you provide directly
- Name, email address, and account credentials.
- Instance request details such as requested subdomain, package, and timezone.
- Messages and materials you send through support or account communications.
3.2 Information generated when you use the portal or service
- Account status, last login time, password reset and verification token records, and security event records.
- Operational metadata such as provisioning status, package assignment, heartbeat state, app version state, and management actions taken in the portal.
- Limited hashed security metadata such as IP-related hashes and user-agent-related hashes used to protect the service and maintain an audit trail for security and legal acceptance records.
3.3 Anonymous or low-identifiability telemetry from installations
- Installation identifier and signing metadata used to authenticate telemetry.
- Application version.
- Aggregate counts for running applications, online agents, and total monitors.
- Send timestamps and receipt timestamps.
That flow is designed not to transmit customer names, monitor names, monitored URLs, incident content, usernames, hostnames, domains, or similar installation content.
3.4 Information collected automatically when you visit the site
- IP address or proxy-forwarded IP address.
- Browser and device information.
- Request timing, referrer data, pages viewed, and related server log information.
- Essential session and security cookie information needed to operate the portal safely.
4. How we collect it
- Directly from you when you submit forms, activate an account, sign in, request an instance, or contact support.
- Automatically from your browser, device, and server logs when you browse the site or use the portal.
- From UptimeBoss installations when anonymous usage statistics or managed heartbeats are enabled.
- From infrastructure, hosting, delivery, and security providers where needed to operate, secure, or troubleshoot the service.
5. Why we use it and legal bases
Where GDPR, UK GDPR, or similar privacy laws apply, we rely on one or more legal bases depending on the context.
| Purpose | Typical data | Legal basis |
|---|---|---|
| Create and manage portal accounts, sign users in, and deliver password reset and verification flows. | Name, email, password hash, token records, session data. | Performance of a contract or steps taken before entering into a contract. |
| Review requests, provision instances, maintain packages, and operate the client portal. | Account data, requested subdomain, package, timezone, workflow metadata. | Performance of a contract or pre-contract steps; legitimate interests in operating and administering the service. |
| Send transactional emails such as setup links, password reset emails, ready-instance notices, and security messages. | Email address, account status, tokens, service notifications. | Performance of a contract; legitimate interests in secure account administration. |
| Protect the service against abuse, fraud, brute-force attempts, and unauthorized access. | Security logs, IP-related hashes, user-agent-related hashes, rate-limit and anti-abuse records. | Legitimate interests in security, fraud prevention, and service integrity; legal obligations where applicable. |
| Respond to support requests and compliance matters. | Contact data, messages, account context, diagnostic data. | Performance of a contract; legitimate interests in support, troubleshooting, and compliance. |
| Receive anonymous usage stats and managed heartbeats, calculate public aggregates, and track adoption and version state. | Install identifier, version, aggregate counts, signatures, timestamps. | Legitimate interests in product planning, service management, capacity planning, and operating public usage metrics; consent where we expressly rely on it under applicable law. |
| Maintain logs, backups, diagnostics, and continuity records. | Technical logs, error traces, job history, infrastructure metadata. | Legitimate interests in secure and reliable operations; legal obligations where applicable. |
If we ever rely on consent for a specific processing activity, you may withdraw that consent at any time. Withdrawal does not affect lawful processing completed before withdrawal.
6. Anonymous usage stats
UptimeBoss supports a setting called Send anonymous stats. When enabled, installations may send a signed server-to-server heartbeat at a controlled interval so that UptimeBoss can display aggregate adoption information and keep managed heartbeat and version status current.
6.1 Data sent in this flow
- applications_running
- agents_online
- monitors_total
- app_version
- sent_at
- Installation identifier and signing metadata required to validate the payload
6.2 Data not sent in this flow
- No monitored URLs or hostnames.
- No monitor names, incident content, usernames, or customer organization names from the installation.
- No customer domains or private service labels from the installation.
6.3 Control
Users can disable this setting in the application. When disabled, future telemetry stops and public aggregate counts age out according to the service freshness rules.
9. International transfers
Depending on where our vendors and infrastructure operate, personal data may be processed outside the country where you are located, including outside the European Economic Area or the United Kingdom.
Where required, we will use an appropriate transfer mechanism, such as an adequacy decision, standard contractual clauses, or another recognized safeguard, together with supplementary measures where appropriate.
10. Retention
We keep personal data only for as long as reasonably necessary for the purposes described above, including to provide the service, maintain security, comply with law, resolve disputes, and enforce agreements.
| Record type | Typical retention approach |
|---|---|
| Portal account records | For the life of the account and a reasonable period afterward for security, audit, and compliance purposes. |
| Email verification and password reset tokens | Short-lived and kept only until expiry, consumption, or routine cleanup. |
| Security event logs and anti-abuse records | Kept for a limited period proportionate to fraud prevention, security, and forensic needs. |
| Provisioning and operational logs | Kept as needed for service delivery, diagnostics, and auditability, then rotated or deleted under normal retention practice. |
| Anonymous telemetry and aggregate snapshot records | Kept as needed to calculate current and historical aggregate usage statistics and heartbeat state. |
| Support communications | Kept for support continuity, dispute handling, compliance, and account history, then archived or deleted under ordinary retention practice. |
11. Security
We use technical and organizational measures designed to protect personal data, including access controls, credential protection, secure transport where appropriate, signed telemetry, secrets handling, anti-abuse controls, and operational safeguards.
No system is perfectly secure. You are responsible for using strong credentials, protecting your devices and inbox, and notifying us promptly if you suspect unauthorized access.
12. Your rights and choices
Depending on your location and the law that applies, you may have rights such as access, rectification, erasure, restriction, objection, portability, and withdrawal of consent where consent applies.
You may also have the right to complain to a competent supervisory authority or other regulator. California residents and residents of other jurisdictions may have additional statutory rights where the relevant law applies.
You can also disable anonymous usage stats from within the application if that option is presented to you.
13. Children
UptimeBoss is intended for business, professional, and adult individual use. It is not directed to children, and we do not knowingly collect personal data from children in a context where parental consent is legally required.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect product changes, security practices, legal developments, or operational requirements. We will publish the updated version with a revised effective date and provide additional notice where required by law.
15. Contact
For privacy requests, legal notices, or questions about this Privacy Policy, contact:
- Controller: XTEK Invest SRL
- Address: Str. Mihail Kogalniceanu 1, Miroslava, Iasi, Romania
- Trade Register: J2007001534220
- CUI / VAT: RO21789595
- Support: https://support.uptimeboss.io/index.php?a=add
- Email: support [at] uptimeboss [dot] io