Privacy Policy
Last updated: 28 May 2026
Notdown ("we", "us", "our") respects your privacy. This policy explains what data we collect, why we collect it, how we use it, and what rights you have over it. By using Notdown you agree to the practices described here.
1. Data we collect
- Account data: name, email address, hashed password.
- Monitor configuration: URLs, hostnames, schedule expressions, alert preferences you create.
- Check data: HTTP response codes, response times, certificate metadata, RDAP responses for domains you monitor.
- Payment data: handled by Stripe. We store your Stripe customer ID and subscription state, never your card number.
- Operational data: server logs (IP, user agent, timestamp), error reports, queue activity.
2. Why we collect it
- To run the monitoring service you signed up for.
- To send you alerts when something you monitor changes state.
- To bill you, if you are on a paid plan.
- To detect and fix bugs.
- To comply with legal obligations (tax records, fraud prevention).
3. Legal basis (GDPR)
We process your data on three legal bases under the EU General Data Protection Regulation:
- Contract: data we need to deliver the service you bought.
- Legal obligation: tax and accounting records.
- Legitimate interest: security, fraud prevention, debugging.
4. How long we keep it
| Data | Retention |
|---|---|
| Account profile | Until you delete your account |
| Check records | 7-90 days depending on plan |
| Incident records | As long as the account exists |
| Notification logs | 30 days |
| Deleted accounts | Permanently removed within 30 days |
| Invoices & tax records | 10 years (Czech tax law) |
5. Who we share with (sub-processors)
We only share data with the services we need to operate Notdown. Each is contractually bound by GDPR-compliant Data Processing Addenda.
- Stripe — payments, subscription management.
- Resend — transactional email delivery (alerts, password resets).
- Hetzner Cloud — hosting infrastructure (Germany, EU).
- Cloudflare — DNS, DDoS protection, TLS termination.
- Sentry — error tracking.
6. Your rights
Under GDPR and similar regulations you can:
- Access a copy of the data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and all associated data.
- Export your monitor configuration.
- Object to processing based on legitimate interest.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@notdown.dev. We respond within 30 days.
7. International transfers
Primary infrastructure is hosted in the EU (Hetzner, Germany). Some sub-processors (Stripe, Resend, Sentry, Cloudflare) operate globally. Transfers outside the EEA rely on Standard Contractual Clauses approved by the European Commission.
8. Security
Passwords are hashed with bcrypt. Connections use TLS 1.2+. Database access is restricted to the application server. Backups are encrypted at rest and stored in a separate region. We never log card numbers, full passwords, or session tokens.
9. Children
Notdown is not directed at children under 16. We do not knowingly collect data from minors. Contact us if you believe a child has registered.
10. Changes
We will email registered users at least 30 days before any material change. The current version is always at this URL.
11. Contact
Privacy questions: privacy@notdown.dev
Support: support@notdown.dev
Data controller: Martin Macháček, Czech Republic.