Privacy Policy

Last updated: April 4, 2026 · Version 2.0

In plain language: We collect your email and monitoring data to run the service. We don't sell your data. You can delete your account at any time. We use a small number of trusted third-party services (listed below).

1. Data Controller

The data controller responsible for your personal data is:

  • Service name: Valpero
  • Operated by: Individual operator (sole trader)
  • Contact: [email protected]
  • Website: https://valpero.com

For any privacy-related requests or questions, contact us at [email protected]. We respond within 30 days (typically within 3 business days).

2. What Data We Collect

2.1 Data you provide directly

  • Email address (required for registration and alerts)
  • Password (stored as bcrypt hash — we never see your plaintext password)
  • Monitor URLs and names you configure
  • Phone number (optional, for SMS alerts)
  • Telegram chat ID (optional, for Telegram alerts)

2.2 Data collected automatically

  • IP address (for security, rate limiting, and activity logs)
  • Browser type and operating system (from User-Agent header)
  • Session tokens (for authentication)
  • Check results — uptime, response time, SSL status for your monitored URLs
  • Activity log — actions performed in your account (login, monitor created, etc.)

2.3 Payment data

Payment card details are processed entirely by Lemon Squeezy and never touch our servers. We store only: plan name, expiry date, and the Lemon Squeezy order/subscription ID as a reference.

3. Legal Basis for Processing (GDPR Art. 6)

| Processing activity | Legal basis | Details |
|---|---|---|
| Account registration, authentication, delivering the monitoring service | Art. 6(1)(b) — Contract | Necessary to perform the service you signed up for |
| Sending downtime/SSL/incident alert emails | Art. 6(1)(b) — Contract | Core feature of the service you requested |
| Processing payments, billing records | Art. 6(1)(b) — Contract + Art. 6(1)(c) — Legal obligation | Required to fulfil the paid subscription and comply with accounting law |
| IP logging, rate limiting, fraud prevention | Art. 6(1)(f) — Legitimate interest | Protecting the service and users from abuse and security threats |
| Analytics cookies (with consent) | Art. 6(1)(a) — Consent | Only when you accept analytics cookies in the cookie banner. You can withdraw at any time. |
| Activity logs (audit trail) | Art. 6(1)(f) — Legitimate interest | Security auditing and support; helps investigate incidents |

4. Data Retention

| Data type | Retention period |
|---|---|
| Account data (email, password hash, settings) | Until account deletion, then immediately purged |
| Monitor check history (uptime results) | 90 days rolling (older data is automatically deleted) |
| Incident records | Until account deletion |
| Activity logs | 90 days, then automatically deleted |
| IP address logs (rate limiting) | 24 hours in memory (Redis), not persisted to disk |
| Payment records (Lemon Squeezy order/subscription IDs, plan info) | 7 years (legal accounting obligation) |
| Email correspondence with support | 3 years |
| Backup copies | Deleted within 30 days of account deletion |

5. Data Sharing and Third Parties

We do not sell your data. We do not share it for marketing purposes. We share data only with the following processors, under data processing agreements, to the minimum extent necessary to operate the service:

→ Full list: Sub-processors page

Key third parties currently used:

  • Lemon Squeezy — payment processing and Merchant of Record (USA). Lemon Squeezy LLC is certified under PCI-DSS and acts as the seller of record, handling all tax compliance.
  • Cloudflare — DDoS protection, CDN, DNS. Data may transit Cloudflare infrastructure.
  • SMTP provider — transactional email delivery (alerts, verification).
  • Hetzner / hosting provider — server infrastructure in the EU.
  • Telegram — optional alert delivery if you connect your Telegram account.

When we share data with processors outside the EU/EEA, we ensure appropriate safeguards under GDPR Chapter V (Standard Contractual Clauses or adequacy decisions).

6. Your Rights (GDPR Art. 15–22)

As a data subject in the EU/EEA, you have the following rights:

  • Access (Art. 15): Request a copy of all personal data we hold about you.
  • Rectification (Art. 16): Correct inaccurate data via account settings or by contacting us.
  • Erasure (Art. 17): "Right to be forgotten" — delete your account in Settings → Delete Account, or email us.
  • Restriction (Art. 18): Request that we limit processing of your data while a dispute is resolved.
  • Portability (Art. 20): Receive your data in a machine-readable format (JSON/CSV). Email us to request an export.
  • Objection (Art. 21): Object to processing based on legitimate interest. We will stop unless we have compelling grounds.
  • Withdraw consent (Art. 7): Withdraw analytics cookie consent at any time via "Cookie preferences" in the footer.
  • No automated decisions (Art. 22): We do not make automated decisions with legal or significant effects about you.

To exercise any right, email [email protected] with the subject "GDPR Request: [right name]". We will respond within 30 days. We may ask you to verify your identity.

7. Cookies

See our Cookie Policy for full details. In summary:

  • Essential cookies — authentication session, CSRF protection. Always active, no consent required.
  • Analytics cookies — only set with your explicit consent. You can change this at any time via "Cookie preferences" in the footer.

8. Security

We implement the following technical and organisational measures (GDPR Art. 32):

  • All traffic encrypted via TLS 1.2+ (HTTPS enforced with HSTS)
  • Passwords stored as bcrypt hashes (never in plaintext)
  • TOTP two-factor authentication available to all users
  • Rate limiting and bot protection (Cloudflare Turnstile) on authentication endpoints
  • Security response headers (X-Frame-Options, CSP, HSTS, etc.)
  • Regular backups with encryption at rest
  • Access to production systems restricted to the minimum necessary

In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay (GDPR Art. 33–34).

9. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority (data protection authority) in your country of residence or habitual establishment.

For users in the EU, you can find your national supervisory authority at: edpb.europa.eu

We encourage you to contact us first at [email protected] — we are committed to resolving any concerns directly.

10. Children's Privacy

The Service is not directed at persons under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 30 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
