Privacy policy

How we collect, process, and protect personal data.

Last updated: 2026-04-22

NoDowntimeShield ("we", "our", "us") operates a security monitoring platform. This policy explains what personal data we collect, why we process it, how long we keep it, and the rights you have.

Controller

NoDowntimeShield is the controller for personal data collected through our service. Contact: [email protected].

What we collect

  • Account data — name, email, hashed password, organisation name, billing address.
  • Scan data — domains and subdomains you submit for monitoring, the technical findings our scanners produce, and any files you upload for manifest scanning.
  • Usage data — pages viewed, actions taken, device and browser metadata.
  • Billing data — handled by Stripe; we store only the customer ID and the last four digits of the card for display.

Why we process it

  • Service delivery — running scans, alerting you to findings, displaying your dashboard. Legal basis: contract.
  • Billing — processing subscriptions and one-off purchases. Legal basis: contract.
  • Security and abuse prevention — rate limiting, fraud detection. Legal basis: legitimate interest.
  • Product improvement — analytics (with your consent where required by law).

Who we share with

Sub-processors we use to deliver the service:

  • Supabase (hosting, database) — EU region by default, US for some workloads
  • Stripe (payments) — global
  • Brevo (transactional email) — EU
  • Cloudflare (CDN, DDoS) — global
  • Upstash / Redis Labs (queue + cache) — EU or US based on region
  • Anthropic / OpenRouter (AI for plain-English explanations) — data is not used for model training

We do not sell personal data and do not share it for advertising.

Retention

  • Scan data — kept for the life of the subscription plus 90 days.
  • Account data — kept until account deletion, then purged within 30 days.
  • Billing records — kept for 7 years to meet tax and accounting obligations.

Your rights

Under GDPR (and equivalent legislation in the UK, UAE, and elsewhere) you have rights of access, rectification, erasure, restriction, portability, and objection. Exercise any of these by emailing [email protected] — we respond within 30 days.

International transfers

Where data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) with each sub-processor and publish the SCC addendum as part of our DPA.

Security

All data in transit is protected with TLS 1.2 or later. Data at rest is encrypted with AES-256. Credentials stored in the application are bcrypt-hashed. Third-party credentials (API keys for integrations) are AES-256 encrypted with per-tenant keys.

Contact

[email protected] — or write to NoDowntimeShield, [Registered office address].