Privacy Policy
Last updated: 2 April 2026
This Privacy Policy explains how Vision Software Solutions Limited, a company registered in England and Wales with its registered office at C/O Benison Solvers Limited, 1000 Great West Road, Brentford, United Kingdom, TW8 9DW ("Uptrue", "we", "us", or "our"), collects, uses, stores, and protects your personal data when you use our website at uptrue.io and our monitoring platform (collectively, the "Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) where applicable, and all other relevant data protection legislation.
1. Data Controller
Vision Software Solutions Limited is the data controller for personal data collected through the Service. For any questions regarding this Privacy Policy or your personal data, please contact us at:
- Email: privacy@uptrue.io
- Post: Data Protection Officer, Vision Software Solutions Limited, C/O Benison Solvers Limited, 1000 Great West Road, Brentford, United Kingdom, TW8 9DW
2. Personal Data We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Organisation name (if applicable)
- Password (stored as a cryptographic hash; we never store or have access to your plain-text password)
- Profile preferences and notification settings
- Currency preference (GBP, USD, or INR)
2.2 Billing Information
When you subscribe to a paid plan, we collect:
- Billing name and address
- VAT or tax identification number (where applicable)
Payment card details are collected and processed directly by our payment processor, Stripe. We do not store, process, or have access to your full card number, CVV, or other sensitive payment credentials. We receive only a tokenised reference, card type, last four digits, and expiry date from Stripe for display and identification purposes.
2.3 Monitoring and Service Data
When you use the Service, we process:
- Monitor configurations (URLs, endpoints, check intervals, alert rules)
- Check results (response times, status codes, SSL certificate data, DNS records)
- Incident records and resolution history
- Status page content and configuration
- AI-generated report summaries and analysis
- Community Credit balance and credit transaction history
2.4 Email Engagement Data
Our email delivery provider (Resend) may collect data relating to your interaction with transactional and notification emails we send, including whether an email was opened and whether links within the email were clicked. This data is used to monitor email deliverability, improve our communications, and troubleshoot delivery issues. We do not use this data for marketing profiling.
2.5 Technical and Usage Data
We automatically collect:
- IP address
- Browser type and version
- Operating system
- Pages visited and features used within the Service
- Date and time of access
- Referring URL
2.6 Communication Data
If you contact us via email or support channels, we collect the content of your communications, your email address, and any other information you choose to provide.
3. Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR:
| Purpose | Legal Basis |
|---|---|
| Providing and maintaining the Service | Performance of a contract (Article 6(1)(b)) |
| Processing payments and billing | Performance of a contract (Article 6(1)(b)) |
| Sending transactional emails (alerts, invoices, account notices) | Performance of a contract (Article 6(1)(b)) |
| Improving the Service, analytics, and troubleshooting | Legitimate interest (Article 6(1)(f)) |
| Ensuring security and preventing fraud | Legitimate interest (Article 6(1)(f)) |
| Sending marketing communications | Consent (Article 6(1)(a)) |
| Complying with legal obligations (tax, regulatory) | Legal obligation (Article 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms.
4. How We Use Your Data
We use your personal data to:
- Create and manage your account
- Provide monitoring services, alerts, status pages, and reports
- Process payments, issue invoices, and manage subscriptions
- Send transactional communications (alerts, incident notifications, account updates)
- Generate AI-powered performance reports and summaries using aggregated monitoring data
- Provide technical support and respond to enquiries
- Maintain security, detect fraud, and prevent abuse
- Improve the Service through aggregated usage analytics
- Comply with applicable legal and regulatory requirements
- Send marketing communications (only with your explicit consent, and you may opt out at any time)
4A. Publicly Visible Data
Certain features of the Service generate data that is publicly accessible:
- Public Tracker: Uptime monitoring results for selected third-party websites and services are displayed publicly on the Uptrue website. This data relates to the monitored third-party services, not to your personal data. No personal data from your account is included in Public Tracker results.
- Uptrue Score: When you or any visitor uses the Uptrue Score tool to scan a URL, the resulting health score and diagnostic summary may be cached and displayed publicly. The scanned URL and the resulting score are not linked to your account or personal data unless you are logged in at the time of the scan, in which case the scan is associated with your account for your convenience but the public display does not reveal your identity.
- Status Pages: If you create a public status page, the monitoring data, incident history, and uptime statistics displayed on that page are publicly visible by design.
4B. Account Access by Uptrue Personnel
To provide customer support, diagnose technical issues, and maintain the integrity of the Service, authorised Uptrue administrators may access your account in a read-only view ("account impersonation"). When this occurs:
- Access is limited to authorised personnel and is used solely for support and operational purposes.
- Every instance of impersonation access is recorded in an immutable audit log, including the administrator's identity, the account accessed, the timestamp, duration, and IP address.
- Administrators cannot modify your data, change your settings, or take actions on your behalf during impersonation access.
- You may request a copy of the audit log entries relating to any impersonation access to your account by contacting support@uptrue.io.
The legal basis for this processing is our legitimate interest (Article 6(1)(f)) in providing effective customer support and maintaining the security and integrity of the Service.
5. Third-Party Data Processors
We share your personal data with the following third-party service providers, each of whom acts as a data processor on our behalf. All processors are bound by data processing agreements and are required to handle your data in accordance with applicable data protection law.
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (Frankfurt) | Database, authentication, real-time services | Account data, monitoring data, check results | EU (Frankfurt, Germany) |
| Stripe | Payment processing, subscriptions, Connect payouts | Billing information, transaction data | EU / US (with EU SCCs) |
| Vercel | Application hosting, edge functions, cron jobs | IP address, request metadata | Global (EU-primary with SCCs) |
| Resend | Transactional email delivery (alerts, reports, account emails) | Email address, email content | US (with EU SCCs) |
| Anthropic (Claude API) | AI-powered report generation and analysis | Aggregated, anonymised monitoring data | US (with EU SCCs) |
| Razorpay | Payment processing for customers in India (coming soon) | Billing information, transaction data | India (with EU SCCs) |
| Twilio | SMS, WhatsApp, and voice call alerts | Phone number, alert content | US (with EU SCCs) |
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
6. International Data Transfers
Your primary data is stored in the European Union (Supabase Frankfurt region). Where data is transferred outside the EU/UK, we ensure that appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreement (IDTA) with all processors that store or process data outside the EU/UK.
- Transfers to countries with an adequacy decision from the European Commission or UK Secretary of State, where applicable.
We conduct transfer impact assessments for each international transfer to ensure your data receives an equivalent level of protection.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Monitoring and check result data | Duration of account + 30 days after deletion |
| Billing and transaction records | 7 years from the date of transaction (legal requirement) |
| Audit logs | 1 year from creation |
| Support correspondence | 2 years from the last communication |
| Technical/usage logs | 90 days |
When data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.
8. Your Rights
Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data.
- Right to erasure (Article 17): You have the right to request the deletion of your personal data, subject to certain legal exceptions. Upon a valid erasure request, we will delete your data within 30 days.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV).
- Right to restriction of processing (Article 18): You have the right to request that we limit the processing of your personal data in certain circumstances.
- Right to object (Article 21): You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@uptrue.io. We will respond to your request within one month, or notify you if an extension is required (up to two additional months for complex requests). You will not be charged a fee for exercising your rights, except where requests are manifestly unfounded or excessive.
You may also export your data at any time using the data export feature in your account settings.
9. Children's Privacy
The Service is not designed for or directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as soon as possible. If you believe we may have collected data from a child under 16, please contact us at privacy@uptrue.io.
10. Cookies
We use a limited number of cookies and similar technologies to operate the Service. For full details on the cookies we use, their purpose, and how to manage them, please see our Cookie Policy.
11. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256
- Row-level security (RLS) at the database level to ensure strict data isolation
- Hashing of passwords using bcrypt
- Hashing of API keys on creation (shown once, never stored in plain text)
- HMAC-SHA256 signing of webhook payloads
- Immutable audit logging of all security-relevant events
- Automated security scanning of dependencies
- Regular access reviews and principle of least privilege
While we take all reasonable steps to protect your data, no system is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR.
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by Article 34 of the UK GDPR.
- Take immediate steps to contain the breach, investigate its cause, and implement measures to prevent recurrence.
13. Automated Decision-Making
We use AI (Anthropic Claude API) to generate automated report summaries and performance analyses based on your monitoring data. These are informational outputs only and do not constitute automated decision-making that produces legal or similarly significant effects on you. You may request human review of any AI-generated output by contacting support@uptrue.io.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email and by posting a prominent notice on the Service at least 30 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top of this page indicates when the most recent revision was made.
15. Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk — Telephone: 0303 123 1113
- European Union: Your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.
16. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
- Data Protection Officer: privacy@uptrue.io
- General Support: support@uptrue.io
- Post: Data Protection Officer, Vision Software Solutions Limited, C/O Benison Solvers Limited, 1000 Great West Road, Brentford, United Kingdom, TW8 9DW