Privacy Policy | Monitrova

1 Introduction

This privacy policy explains what personal data Monitrova collects, why we collect it, how we use it, and what your rights are. We've written it in plain English so you don't need a law degree to understand it.

By creating a Monitrova account, you agree to the practices described here. If you have questions about anything on this page, contact us — we'll respond promptly and clearly.

2 Who we are

Monitrova is a website monitoring service operated by Wayne Tomlinson, registered at Partida Benicolada 1-N, 03710 Calpe, Alicante, Spain (Spanish tax ID / NIE: ESY6523555X).

For the purposes of GDPR, we are the data controller — the organisation responsible for deciding how your personal data is collected and used.

You can reach us at: hello@monitrova.com

3 Data we collect

We only collect data that is necessary to provide the service. Here is a clear breakdown:

Category	Data collected	Why
Account data	Account name, email address, username, hashed password	To create and manage your account and authenticate you
Monitoring configuration	Website URLs you add, check intervals, alert preferences	To perform monitoring on your behalf
Monitoring results	Uptime status, HTTP response times, SSL certificate data, homepage SEO check results, incident history	To show you your site's health history and trigger alerts
Billing data	Email address, subscription plan	To process payments via Stripe (see Third-party services)
Session data	Login timestamps, session cookie	To keep you securely logged in

We do not collect payment card details directly — those are handled entirely by Stripe. We never see or store your full card number.

4 How we use your data

We use the data we collect for the following specific purposes:

Providing the service. Your account data and monitoring configuration are used to run uptime, SSL, and SEO checks on the websites you add.
Sending alerts. Your email address is used to notify you when a monitored site goes down, an SSL certificate is about to expire, or a homepage issue is detected.
Sending reports. If you have a plan that includes monthly reports, we send these to your account email address.
Processing payments. We pass your email address to Stripe to manage your subscription.
Account communication. We may email you about important changes to the service, security notices, or updates to this policy.
Improving the service. We use aggregated, non-identifying data to understand how the product is used and where it can be improved.

We do not sell your data to third parties. We do not use your data for advertising. We do not profile you for marketing purposes.

5 Monitoring data

Important: Monitrova only checks publicly accessible URLs. We do not access private areas of your websites, and we never ask for or store passwords or credentials for any site you monitor.

When you add a website to Monitrova, we perform the following automated checks:

Uptime checks — we send an HTTP request to your URL and record whether it responds successfully, how long it takes, and the HTTP status code. We do not read, copy, or store the content of the page.
SSL certificate checks — we connect to your domain and inspect the public SSL certificate details: expiry date, issuer, and validity status. No private keys are accessed.
Homepage SEO checks — we fetch the HTML of your homepage (just as any browser or search engine crawler would) and check for specific meta tags and technical signals: noindex directives, canonical tags, the presence of an H1 heading, robots.txt accessibility, and sitemap availability. We do not store the full HTML content beyond what is needed to compute the result.

The results of these checks — status codes, response times, SSL details, and SEO check outcomes — are stored against your account so you can view your site's history. Incidents (e.g. a period of downtime or an SSL warning) are retained until resolved and then kept as part of your history.

The URLs you add to Monitrova are your data. We only use them to perform the checks you have requested. We do not crawl beyond the pages you configure, and we do not index or republish your site's content.

6 Legal basis (GDPR)

Under GDPR, we must have a lawful reason to process personal data. We rely on the following bases:

Contract (Article 6(1)(b)). Processing your account data, monitoring configuration, and alert emails is necessary to provide the service you signed up for. Without this data, we cannot run checks or send you alerts.
Legitimate interests (Article 6(1)(f)). We process aggregated usage data to operate and improve the service. This does not override your rights — the interest is proportionate and you can object at any time.
Legal obligation (Article 6(1)(c)). We may retain billing records to comply with tax and financial regulations.

We do not rely on consent for core service processing. If we introduce any optional marketing communications, we will ask for your explicit consent separately and you will always be able to withdraw it.

7 Data retention

We keep your data for as long as it is needed — no longer.

Account data — retained for as long as your account is active. If you delete your account, your account data and all associated monitoring data will be permanently deleted within 30 days of your request.
Monitoring results and incident history — retained while your account is active, on a rolling window set by your plan: 15 days on Free, 90 days on Starter, and 365 days on Pro. Beyond that window, individual check results are pruned automatically; incident records (open / resolved entries with timestamps and durations) are kept in full for the same window so you have a complete record of past outages within your retention period.
Billing records — we may retain transactional billing records for up to 7 years to comply with accounting and tax obligations, even after account deletion. These records contain only the information necessary for legal compliance (transaction amounts, dates, plan names).

Two retention concepts to keep separate:

Operational retention — how far back your monitoring history stays visible while your account is active. This is the rolling window above (15 / 90 / 365 days) and is a plan feature, not a deletion deadline.
Deletion on request — when you delete your account or ask us to delete your personal data, we permanently delete your account data and all associated monitoring data within 30 days, regardless of plan or operational window. The only data kept past that point is the legally-required billing records described above.

If you want your data deleted before your account expires, email us at hello@monitrova.com and we will act on your request without delay.

8 Third-party services

We use a small number of carefully chosen third-party services to operate Monitrova. Each one receives only the minimum data necessary for its specific role.

Service	Purpose	Data shared
Stripe	Payment processing and subscription management	Your email address and subscription details. Stripe handles all payment card data directly — we never see your card number, CVV, or full billing address. Stripe is PCI-DSS compliant and GDPR-compliant. Stripe privacy policy →
Mailgun Email delivery provider	Sending alert emails and monthly reports	Your email address and the content of alert notifications. The provider processes this data solely to deliver email on our behalf and does not use it for its own marketing or profiling.

We do not share your data with analytics platforms, advertising networks, or any other third parties beyond those listed above.

If we add a new third-party service that involves your personal data, we will update this policy and notify you by email where required.

9 Cookies

Monitrova uses one cookie: a session cookie that keeps you logged in while you use the application. It is set when you sign in and expires when you sign out or your session times out.

This cookie contains only a session identifier — it does not track you across other websites, does not contain personal information, and is not used for advertising. It is strictly necessary for the application to function, so it does not require your consent under ePrivacy rules.

We do not use analytics cookies, tracking pixels, or third-party advertising cookies on this site or in the application. For full details, see our Cookie Policy.

10 Your rights

Under GDPR, you have clear rights over your personal data. Here is what they mean in practice:

Right to access You can request a copy of all personal data we hold about you — your account details, monitoring history, and any other data associated with your account.
Right to rectification If any of your data is inaccurate or incomplete, you can update it directly in your account settings, or ask us to correct it.
Right to erasure ("right to be forgotten") You can ask us to delete your account and all associated data. We will action this promptly, except where we are required to retain records for legal reasons (see Data retention).
Right to restriction You can ask us to pause processing of your data in certain circumstances — for example, while a dispute is being resolved.
Right to data portability You can request an export of your data in a structured, machine-readable format.
Right to object You can object to processing based on our legitimate interests. We will stop unless we have compelling grounds to continue.

To exercise any of these rights, email us at hello@monitrova.com with a brief description of what you need. We will respond within 30 days — usually much faster.

If you believe we have not handled your data correctly, you also have the right to lodge a complaint with your national data protection authority. In the EU, you can find the relevant authority at edpb.europa.eu.

11 Data security

We take reasonable and appropriate measures to protect your data:

All traffic to Monitrova is served over HTTPS (TLS encryption).
Passwords are stored as bcrypt hashes — never in plaintext. Even we cannot read your password.
Access to the production database is restricted to authorised infrastructure only.
We do not store payment card data — all card handling is delegated to Stripe.

No system is completely immune to security incidents. In the unlikely event of a data breach that affects your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

12 Contact us

For any privacy-related questions, requests, or concerns, please contact us at:

Monitrova
Wayne Tomlinson
Partida Benicolada 1-N
03710 Calpe, Alicante, Spain
NIE: ESY6523555X
hello@monitrova.com

We aim to respond to all privacy enquiries within 5 business days.

13 Changes to this policy

We may update this policy from time to time — for example, when we add a new third-party service or when regulations change. The "last updated" date at the top of this page will always reflect the most recent version.

If we make a significant change that affects how we use your personal data, we will notify you by email before it takes effect. Minor clarifications or rewording may be made without individual notification.

Continued use of Monitrova after a policy update constitutes acceptance of the revised policy.