Legal
GDPR & Data Protection
Last updated: 11 June 2026
This page is the practical companion to our Privacy Policy: who does what under UK GDPR, what we'll sign, how long data lives, and what happens if something goes wrong.
1. Roles
| Data | Our role |
|---|---|
| Your account, team, billing and audit data | Controller |
| Status-page subscriber contact details (your subscribers, your audience) | Processor — you are the controller |
| Monitoring data about your endpoints (URLs, response metadata, screenshots) | Processor on your instructions |
2. Data Processing Agreement
A signed DPA incorporating the UK International Data Transfer Addendum and EU Standard Contractual Clauses (where they apply) is available on request, on any paid plan — email [email protected]. Our subprocessors (Stripe, SendGrid, Twilio, Microsoft Azure, OVHcloud, Cloudflare and the analytics providers you consent to) are listed with their roles in the Privacy Policy; we'll notify DPA holders before adding or replacing one, with the right to object.
3. Retention
Monitoring check history is retained according to your plan, then deleted from our stores:
| Plan | Check-history retention |
|---|---|
| Free | 30 days |
| Starter | 1 year |
| Pro | 2 years |
| Business | 3 years |
| Enterprise | Custom, by agreement |
Account and team data lives for as long as your account does. After you close your account you have 30 days to export everything; we then delete or irreversibly anonymise your personal data, except the minimum we must keep for legal, tax or fraud-defence reasons (and then only for as long as those reasons last).
4. Breach notification
If we become aware of a personal-data breach affecting you or your subscribers, we will: contain and assess it immediately; notify the UK Information Commissioner's Office where required within 72 hours of becoming aware; and notify affected customers without undue delay by email to the account owner, with what happened, what data was involved, and what we and you should do next. Where we act as your processor, we notify you so you can meet your own controller obligations.
5. Exports and portability
You don't need to ask us for your data: account snapshots and CSV exports of monitors, check history and incidents are built into the dashboard (Settings → Data export). Anything the self-serve export doesn't cover, request via [email protected].
6. Data subject rights
Access, rectification, erasure, restriction, portability, objection — email [email protected] and we respond within one month. If we hold the data as a processor for one of our customers (e.g. you subscribed to someone's status page), we'll point the request to them and assist. You can also complain to the ICO, though we'd appreciate the chance to fix things first.
7. International transfers
Primary hosting is in the UK and EU (OVHcloud). Some subprocessors process data in the US or other regions; those transfers rest on the UK IDTA / EU SCCs or an adequacy decision, as set out in the Privacy Policy.