UptimeHunt
Legal

Privacy Policy

Last updated: 4 June 2026

This Privacy Policy explains how UptimeHunt handles personal data. UptimeHunt is a distributed uptime, website, and service monitoring platform. We have written this in plain language; it is our policy and describes what we actually do today.

1. Who we are and how to contact us

UptimeHunt is operated by OpenHades Cloud Services Konrad Mosoń — Konrad Mosoń, an individual entrepreneur (jednoosobowa działalność gospodarcza) registered in the Polish CEIDG and based in Kraków, Poland (EU), NIP 8681952845, REGON 387960680. For the personal data described in this policy, OpenHades Cloud Services Konrad Mosoń is the data controller.

You can reach us about anything in this policy — privacy questions, data-subject requests, and support — at:

A postal address is available on request via that email.

Our services run across these domains:

  • uptimehunt.io — marketing site
  • app.uptimehunt.io — dashboard and REST API
  • docs.uptimehunt.io — documentation
  • mcp.uptimehunt.io — MCP server (for AI clients)
  • auth.uptimehunt.io — OAuth 2.1 authorization server

UptimeHunt is currently free and in beta, provided "as is". No paid plans are purchasable yet.

2. The personal data we collect

We collect two broad categories of data: personal data about you (the account holder), and the monitoring data you supply to run your checks.

2.1 Data about your account

  • Account data: your email address, your password (stored only as a salted hash — we never store the plaintext), and an optional name. We use this to create and operate your account, authenticate you, and contact you.
  • Authentication artifacts: JWT access and refresh tokens, which are held client-side in your browser's localStorage (these are not third-party advertising cookies); and OAuth 2.1 authorization data — consent records, your list of "connected apps", and opaque access tokens — used by the MCP server and AI clients you connect.
  • API tokens: long-lived, uh_-prefixed tokens for automation. We store only a hash of each token; the secret is shown to you once at creation, is scoped, and is revocable.
  • Technical and usage data: IP address, browser/user-agent, request and server logs, and timestamps. We collect this to secure and operate the service, prevent abuse, and debug.
  • Communications: emails we send you (account and security notices, password resets, and alert notifications) delivered over SMTP; and any correspondence you send to support@uptimehunt.io.
  • Billing/payment data: none today. We do not currently collect or store payment or card data because no payment processor is wired in. If paid plans launch, a payment processor will handle payment details at that time.

Providing your account data (at least an email address and password) is necessary to create and operate an account. If you do not provide it, we cannot create an account for you or provide the service.

2.2 Monitoring data you supply

To provide monitoring, we process the data you configure. Some of this may relate to systems or services that belong to third parties you choose to monitor, and some may include credentials you enter.

  • Monitoring configuration: target URLs, hostnames, IP addresses, ports, request method and headers, optional HTTP basic/bearer credentials you enter for authenticated checks, custom DNS nameservers, check intervals, assertions/expectations, projects, and chosen probe locations (the geographically distributed servers — "probes" — that run your checks; see Section 6). The targets you enter may belong to third parties you have chosen to monitor.
  • Check results: response times and phase breakdowns (DNS/TCP/TLS/first-byte), HTTP status codes, TLS certificate chains and expiry, DNS records (A/AAAA/MX/TXT/NS/SOA/CNAME) and TTLs, SMTP banners and EHLO capabilities, SSH identification banners/version/host-key fingerprints, ping round-trip time and packet loss, and game-server status (Quake3/Source/A2S/GoldSource/Minecraft — map, game type, player counts and roster).
  • Incidents and incident history; alert rules; and an audit log of account actions.
  • Integrations: outbound webhook URLs and channel configuration. Email and Webhook integrations are live today; Slack, Discord, Telegram, Microsoft Teams, Google Chat, and Mattermost are coming soon. Alerts are delivered to destinations you choose, which are third-party services governed by their own terms and privacy policies.
  • Kubernetes auto-discovery (optional): if you run the UptimeHunt operator in your own cluster, it reads cluster Ingress hostnames and paths and mirrors them into HTTP checks using a long-lived API token. This is add/update-only.

Because this is a monitoring product, the target data and any credentials you enter for authenticated checks are processed specifically to run your checks — for example, a hostname or URL is sent to a probe so it can connect and measure the result, and bearer/basic credentials you provide are used to authenticate those checks against the target you configured.

2.3 Personal data about third parties that you supply

The monitoring configuration and check results you enter can include personal data about third parties that we did not collect directly from those individuals. Examples include hostnames and IP addresses belonging to other people or organisations, credentials you enter for authenticated checks, and game-server data such as player counts and rosters.

For this third-party personal data:

  • the categories of data are those listed in Section 2.2 (e.g. hostnames/IPs, credentials you enter, and check results such as game-server rosters);
  • the source is you, the account holder, who configured the check; and
  • we process it only to provide the monitoring service to you, on your instructions.

You are responsible for ensuring you have a valid legal basis and any necessary authorisation to monitor the targets you configure and to enter any credentials and third-party data, and for your use of the results. Please only configure checks against systems you own or are authorised to monitor.

3. How and why we use your data

We use the data above to:

  • create, operate, and secure your account, and authenticate you;
  • run the monitoring checks you configure and return their results to you;
  • generate incidents, evaluate alert rules, and deliver alert notifications to your chosen destinations;
  • send you account, security, and service emails;
  • maintain an audit log and diagnose problems;
  • protect the service against abuse, overload, and misuse, and protect our infrastructure and other users;
  • improve and maintain the service; and
  • comply with our legal obligations.

We do not use third-party advertising or analytics trackers, and we do not sell your personal data.

4. Legal bases (GDPR Article 6)

We rely on the following legal bases under Article 6 of the GDPR, mapped to the purposes in Section 3:

  • Performance of a contract (Art. 6(1)(b)) — to create, operate, and secure your account and authenticate you; to run the monitoring checks you configure and return their results; to generate incidents, evaluate your alert rules, and deliver alert notifications to your chosen destinations; and to send you account, security, and service emails. This is the basis for providing the service you have signed up for.
  • Legitimate interests (Art. 6(1)(f)) — for the following purposes, where we have a legitimate interest that we balance against your rights and interests:
    • keeping the platform and your account secure and protecting our infrastructure and other users (our interest: information security and fraud/abuse prevention);
    • preventing abuse, overload, and misuse of the service (our interest: maintaining service integrity and availability);
    • diagnosing problems and maintaining an audit log (our interest: operating, troubleshooting, and ensuring accountability of the service);
    • improving and maintaining the service (our interest: developing and improving our product).
  • Consent (Art. 6(1)(a)) — where we specifically ask for it, for example optional features that require consent. You can withdraw consent at any time, without affecting processing already carried out before withdrawal.
  • Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data to comply with applicable law.

5. Data retention

We keep personal data only as long as needed for the purposes above or as required by law.

Raw probe results (the per-check results we store):

PlanRetention
Free7 days
Starter30 days
Pro90 days
Enterprisecustom

Incident history:

PlanRetention
Free30 days
Starter90 days
Pro13 months
Enterprisecustom

Retention windows are plan-dependent. Free is the only live tier today; the other tiers are listed for transparency and will apply when those plans launch.

Account data is retained for the life of your account and is deleted when you close your account, subject to any retention we are legally required to perform. To close your account or request deletion, email support@uptimehunt.io (see Section 9, Your GDPR rights).

Other data categories:

  • Technical and usage data (IP address, user-agent, request and server logs, timestamps): retained for a limited period for security, abuse prevention, and debugging, and then deleted or aggregated; where it forms part of the audit log it follows the audit-log rule below.
  • Audit log of account actions: retained for the life of your account (and deleted on account closure), subject to any legally required retention.
  • Support and other correspondence you send to us: retained for as long as needed to handle your request and for a reasonable period afterwards for our records, then deleted.
  • Authentication and OAuth artifacts (JWT tokens, OAuth consent records, connected-apps entries, opaque access tokens, API token hashes): retained while they remain valid or while the relevant connection or token exists, and removed when you revoke them, disconnect the app, or close your account.

Where we are under a legal obligation to retain certain data for longer (for example record-keeping requirements), we keep it for the period required and then delete it.

6. Sharing, recipients, subprocessors, and infrastructure

We do not sell your data and we do not share it for advertising. The categories of recipients of personal data are:

  • Infrastructure providers / subprocessors (listed below), who process data on our behalf to run the service;
  • Third-party alert destinations you choose — when an alert fires, we transmit the alert content (which may include monitoring details) to the integration destinations you have configured (e.g. your webhook endpoints, and, when available, chat platforms). These are third-party services governed by their own terms and privacy policies; you choose them; and
  • Competent courts, regulators, and public authorities, where we are legally required to disclose data, or where disclosure is necessary to enforce our terms or to protect the rights, safety, and security of UptimeHunt, our users, or the public.

We process data using the following infrastructure and providers:

  • Core platform: runs on the operator's own self-managed Kubernetes cluster.
  • Distributed probe nodes: run on third-party VPS providers in multiple countries. These probes execute your checks from their locations and return the results to the core platform. The providers and countries change over time; current providers include, for example, RackNerd and Mikr.us — this is a representative, non-exhaustive list, not the complete set.
  • Data stores: PostgreSQL (application data) and MongoDB (archived probe results), plus a NATS message queue — all self-hosted.
  • Email delivery: via SMTP using a self-hosted / configured mail host.
  • Advertising/analytics trackers: none.
  • Payment processor: none yet.

7. International transfers

Our core infrastructure is operated from the EU.

By design, our probe nodes are distributed globally, including outside the European Economic Area (EEA), and run on third-party VPS providers located in multiple countries — so a non-EEA subprocessor is involved when a check runs from a non-EEA location. When a check runs from a non-EEA probe, the data processed at that location includes the monitoring configuration you entered (for example the target hostname or URL, request method and headers), any HTTP basic/bearer credentials you entered for authenticated checks, and the check results produced there.

For these transfers, we seek to rely on appropriate safeguards under Chapter V of the GDPR (for example, Standard Contractual Clauses) where they are available from the relevant provider. Where you would like more information about the safeguards in place, a copy can be requested via support@uptimehunt.io.

8. Security

We take reasonable measures to protect personal data, including:

  • passwords stored only as salted hashes;
  • API tokens stored only as hashes, and which are scoped and revocable;
  • TLS encryption for data in transit;
  • per-owner tenant isolation, so each account can only access its own data.

No method of transmission or storage is completely secure, but we work to protect your data using the measures above.

9. Your GDPR rights

Subject to the conditions in the GDPR, you have the right to:

  • access your personal data;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten");
  • restrict processing;
  • data portability — receive your data in a portable format;
  • object to processing based on legitimate interests;
  • withdraw consent where we relied on it; and
  • lodge a complaint with a supervisory authority.

To exercise any of these rights, email support@uptimehunt.io. We will respond within one month; for complex or numerous requests we may extend this by up to two further months and will tell you if we do.

You also have the right to complain to the Polish supervisory authority:

You may also lodge a complaint with the supervisory authority in your EU country of residence.

10. Automated decision-making

UptimeHunt does not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR. Our alert-rule evaluation and incident generation operate on the monitored systems and their results — not to make decisions about you as an individual.

11. Children

UptimeHunt is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us with personal data, contact support@uptimehunt.io and we will take appropriate steps.

12. Cookies and local storage

We do not use third-party advertising cookies. To keep you signed in, the dashboard stores JWT access and refresh tokens in your browser's localStorage. The OAuth authorization server (auth.uptimehunt.io) sets a first-party session cookie during sign-in and consent so it can remember your authenticated session through the OAuth flow, and uses the data described in Section 2.1 to manage sign-in and connected apps. These are strictly necessary for the service to function.

13. California residents (CCPA/CPRA)

This section is for residents of California, United States. GDPR is our primary framework; this is a short summary for US users.

We do not sell or share your personal information as those terms are used under the CCPA/CPRA. Subject to applicable law, California residents may have the right to know what personal information we collect, to delete it, to correct it, and to opt out of the sale or sharing of personal information — although the opt-out does not apply here because we do not sell or share your data. We will not discriminate against you for exercising any of these rights. To make a request, email support@uptimehunt.io.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Please review this page periodically.

15. Contact

For any privacy question or to exercise your rights, contact us at support@uptimehunt.io.