CRONWATCH LEGAL
Privacy Policy
Effective Date: May 28, 2026 · Last Updated: May 28, 2026
2.1 Introduction
CronWatch is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how long we retain it, and what rights you have over it. This policy applies to all users of the Service, including visitors to our website.
We comply with applicable data protection laws, including obligations relevant to processing personal data of individuals located in the European Economic Area (GDPR) and other jurisdictions where data protection law applies.
2.2 Data We Collect
2.2.1 Account Data
When you register, we collect your email address and a cryptographic hash of your password. We do not store plaintext passwords.
2.2.2 Monitor & Usage Data
We store the monitor configurations you create (name, interval, grace period, alert email address) and the ping event logs associated with each monitor, including timestamps. This data is necessary to provide the core Service.
2.2.3 Payment Data
Payment card and billing information is processed and stored exclusively by Lemon Squeezy (our Merchant of Record). We store only the resulting subscription status, plan tier, and the Lemon Squeezy customer reference identifier. We never receive or store raw card data.
2.2.4 Technical & Log Data
Our servers and third-party infrastructure providers automatically collect IP addresses, HTTP request metadata (URL, method, status code, response time), User-Agent strings, and request timestamps. This data is used for security monitoring, rate-limiting, abuse detection, and infrastructure diagnostics.
2.2.5 Communications
If you contact us for support, we retain the content of that communication and your contact details in order to respond and maintain support history.
2.3 How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: authenticate your account, process ping events, compute monitor status, and enforce plan limits;
- Alerting: send transactional alert emails when a monitored job fails to ping;
- Payments: manage subscription billing and plan entitlements via Lemon Squeezy;
- Security: detect and prevent abuse, fraud, and unauthorised access;
- AI analysis: pass anonymised statistical summaries of ping history (not personal data) to the Google Gemini API for failure diagnosis. No personally identifiable information is transmitted to AI inference providers;
- Legal compliance: retain records as required by applicable law;
- Product improvement: analyse aggregated, anonymised usage patterns to improve the Service.
2.4 Data Retention
| DATA CATEGORY | RETENTION PERIOD |
|---|---|
| Ping logs (Free tier) | 7 days from creation, then automatically purged |
| Ping logs (Pro tier) | 90 days from creation, then automatically purged |
| Monitor configurations | Retained for the lifetime of the account |
| Account data (email, hashed password) | Retained until account deletion, then removed within 30 days |
| Payment records (subscription status, customer ID) | 7 years from last transaction for legal and tax compliance |
| Server / access logs | 30 days rolling window |
| Support communications | 2 years from last communication, unless earlier deletion is requested |
Upon account deletion, all personal data and monitor data is permanently removed within 30 days, except where retention is required by law, contractual obligation, or legitimate fraud-prevention purposes.
2.5 Third-Party Data Processors
We share your data with the following categories of processors, each bound by appropriate data processing agreements:
| PROCESSOR | PURPOSE & DATA SHARED |
|---|---|
| Supabase (AWS ap-southeast-1, Singapore) | Database hosting: stores all account, monitor, and ping data |
| Vercel (global edge network) | Application hosting: processes all HTTP requests to the Service |
| Resend | Transactional email: receives alert email address to deliver monitoring alerts |
| Lemon Squeezy | Payment processing: receives billing information as Merchant of Record |
| Google Gemini API | AI inference: receives anonymised ping statistics with no PII |
2.6 International Data Transfers
Your data is primarily stored on infrastructure located in Singapore (AWS ap-southeast-1) and processed via Vercel's global edge network. Transfers to processors outside your country of residence are conducted under appropriate legal mechanisms. If you are located in the EEA, any transfers to third countries are subject to adequate safeguards such as Standard Contractual Clauses.
2.7 Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you;
- Rectification: request correction of inaccurate or incomplete data;
- Erasure: request deletion of your personal data ("right to be forgotten");
- Restriction: request that we limit processing of your data in certain circumstances;
- Portability: receive your monitor and ping data in a machine-readable format (JSON);
- Objection: object to processing for purposes other than service delivery;
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@cronwatch.dev. We will acknowledge your request within 5 business days and respond substantively within 30 calendar days.
2.8 Security
We implement industry-standard technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit;
- AES-256 encryption at rest via Supabase managed infrastructure;
- Row Level Security (RLS) policies ensuring users can only access their own data;
- Bcrypt password hashing managed by Supabase Auth;
- Rate limiting on all public API endpoints;
- Timing-safe credential comparison for internal cron job authentication;
- Regular security reviews and dependency audits.
No method of electronic transmission or storage is 100% secure. If you become aware of any security vulnerability related to the Service, please disclose it responsibly to security@cronwatch.dev.
2.9 Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18 without verified parental consent, we will take steps to delete that data promptly.
2.10 Contact
For privacy-related inquiries, data access requests, or to report a suspected data breach:
- Email: privacy@cronwatch.dev
- Address: CronWatch, Ho Chi Minh City, Vietnam
- Response time: within 30 calendar days for substantive requests