Privacy Policy

Verzia 2.0.0 · May 27, 2026

This document is an informative translation. The legally binding version is in Slovak.

1. Controller

BLD - Agency s.r.o. Company ID: 50 058 215 Tax ID: 2120156841 VAT ID: SK2120156841 Address: Jána Ondruša 3357/19F, 900 31 Stupava, Slovak Republic Email: traq@uptraq.eu Registered with: Bratislava III City Court, Sro section

Hereafter "Controller" or "we". The Controller is responsible for processing your personal data under Regulation (EU) 2016/679 ("GDPR") and Slovak Act No. 18/2018 Coll. on the protection of personal data.

2. Scope

This document describes what personal data we process when you use Uptraq (web uptraq.eu and app app.uptraq.eu), for what purpose, on what legal basis, how long, and with whom we share it. It also lays out your rights under GDPR (section 7).

3. Data we collect

3.1. Account data

  • Email — required for registration and communication
  • Name — optional
  • Password — stored only as a bcrypt hash (Better Auth), never in plaintext
  • Preferred language and timezone — for UI and notification localization

3.2. Billing data (paid plans only)

  • Company name, Tax/VAT IDs
  • Billing address
  • Payment history and invoices
Payments are processed by Lemon Squeezy Inc. as Merchant of Record. We have no access to your payment card data.

3.3. Monitor data (your content)

  • URLs, hostnames, and ports of monitored services
  • Names and email addresses of clients you add (if you use Uptraq as an agency)
  • Uptime, response time, incident, and SSL check history
  • Content of notifications sent to your end-clients

3.4. Technical data

  • IP address — for rate limiting and security logs
  • Cookies — essential only (session, locale); see Cookie Policy
  • User-Agent — for UI compatibility
  • Server logs — HTTP request records, anonymized after 90 days

3.5. Communication

Emails sent to traq@uptraq.eu are retained for conversation context for up to 3 years from last interaction.

4. Purpose and legal basis

Each processing purpose maps to a specific legal basis under Art. 6 GDPR:

  • Service delivery — Contract performance (Art. 6(1)(b))
  • Billing and accounting — Legal obligation (Art. 6(1)(c)) per Slovak Act 431/2002 Coll. on accounting
  • Security and abuse prevention — Legitimate interest (Art. 6(1)(f))
  • Service communication (terms changes, outages, maintenance notices) — Contract performance (Art. 6(1)(b))
  • Product improvement based on anonymized aggregated data — Legitimate interest (Art. 6(1)(f))
  • Marketing (newsletter) — Consent (Art. 6(1)(a)) — withdrawable at any time

5. Retention

  • Account data: for the duration of the account + 30 days after deletion (to allow recovery)
  • Invoices: 10 years after issue (Slovak Act 431/2002 Coll.)
  • Monitor data: per your plan's retention policy (7, 30, or 365 days)
  • Security and server logs: 90 days, then anonymized
  • Email communication: 3 years from last interaction
After these periods, data is permanently deleted or irreversibly anonymized.

6. Sub-processors

We share your data with third parties only to the extent necessary to provide the service. We have DPAs (Data Processing Agreements) under Art. 28 GDPR in place with all sub-processors:

  • Hetzner Online GmbH (Germany) — server and database hosting in EU (Germany/Finland) — DPA
  • Resend Inc. (USA) — transactional email delivery, EU regional servers — DPA
  • Lemon Squeezy Inc. (USA) — payments as Merchant of Record, invoicing, PCI-DSS Level 1 — DPA
  • OpenAI, L.L.C. (USA) — AI incident diagnostics, anonymized outage data only — DPA

6.1. International data transfers

Lemon Squeezy and OpenAI involve data transfers to a third country (USA). Transfers are secured under Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR. OpenAI receives only anonymized outage data (status code, error message, response time) with no link to an identifiable person.

All other personal data remains within the EU.

7. Your rights (GDPR)

Uptraq processes your data in accordance with EU Regulation 2016/679 (GDPR). You have these rights:

7.1. Right of access (Art. 15)

Request a copy of all personal data we process about you. We respond within 30 days. Data is delivered in a structured format (JSON or CSV).

7.2. Right to rectification (Art. 16)

Edit inaccurate data directly in your profile. Contact us for changes to billing information.

7.3. Right to erasure / "right to be forgotten" (Art. 17)

Profile → Danger Zone → Delete Account. Account, monitors, incidents, and logs are permanently deleted within 30 days. Exception: invoices we are legally required to retain for 10 years.

7.4. Right to restriction (Art. 18)

Email us at traq@uptraq.eu.

7.5. Right to data portability (Art. 20)

Incidents → Export CSV for incident history. Contact us for a full account-data export.

7.6. Right to object (Art. 21)

Object to processing based on legitimate interest by emailing us.

7.7. Right not to be subject to automated decision-making (Art. 22)

We do not make automated decisions with legal effects on you. AI incident diagnostics is advisory only.

7.8. Data Processing Agreement (DPA)

For B2B customers — especially agencies processing their own clients' data — we provide a DPA per Art. 28 GDPR. Contact traq@uptraq.eu.

7.9. Data Protection Officer (DPO)

Given the scope and nature of personal data processing, BLD - Agency s.r.o. is not required to appoint a DPO under Art. 37 GDPR. The contact for data protection matters is: Email: traq@uptraq.eu Address: BLD - Agency s.r.o., Jána Ondruša 3357/19F, 900 31 Stupava

7.10. Supervisory authority

If you believe we process your data in violation of GDPR, you can file a complaint with: Slovak Office for Personal Data Protection Hraničná 12, 820 07 Bratislava 27, Slovak Republic Web: dataprotection.gov.sk Email: statny.dozor@pdp.gov.sk

8. Security

We protect your data with measures proportionate to risk and current state of the art:

  • Encryption at rest: AES-256-GCM (database, backups)
  • Encryption in transit: TLS 1.3 (HTTPS)
  • Authentication: Better Auth, bcrypt password hashing, optional 2FA (TOTP)
  • System access: principle of least privilege, audit logs
  • Backups: daily, encrypted, 30-day retention
In the event of a personal data breach, we notify affected individuals and the Slovak Office for Personal Data Protection within 72 hours, as required by Art. 33 and 34 GDPR.

9. Cookies

Details on our cookie usage are in a separate document: Cookie Policy. In short: we use only essential cookies (session, locale). We do not use any analytics or marketing tracking cookies.

10. Policy changes

We may update this policy. For material changes we will notify you by email and on the website at least 30 days before the effective date.

11. Contact

For any questions about personal data protection:

Email: traq@uptraq.eu Mail: BLD - Agency s.r.o., Jána Ondruša 3357/19F, 900 31 Stupava, Slovak Republic Effective: 2026-05-27