Privacy Policy

Last updated: 6 May 2025

This Privacy Policy explains how Heyping (the "Operator") collects, uses and protects your personal data when you use heyping.io. We comply with the EU General Data Protection Regulation (GDPR) and Austrian data protection law. By registering for or using the Service, you consent to the data practices described below.

1. Data Controller

The data controller is the Operator (a sole proprietor in Austria). You can contact us at hey@heyping.io. If you have any questions about your data, please send us an email.

2. Data we collect

We collect the following personal data from you: your name and email (provided at registration), and your password (stored only as a secure hash). We also collect your account activity: for example, the IP address and timestamps when you log in. When you add websites or endpoints to monitor, those URLs and related configuration are stored, but these are typically not personal data. We record monitoring logs (timestamps, status codes, response details) for about 12 months. If you pay for a subscription, Paddle will process your billing and payment information. We do not store any credit card information. We may also store any support communications or feedback you send us. Additionally, we use cookies and similar technologies on our website. These are only used for essential functionality, to allow you to stay logged in and navigate securely.

3. How we use your data

We use your personal data primarily to provide and improve the Service. Specifically:

  • Service Provision: Your name, email and account data are used to create and manage your user account. We use your email to send transactional messages (e.g. password resets, status alerts you request).
  • Monitoring Service: We process the endpoints you submit in order to run the uptime checks and present results in your dashboard and status pages.
  • Communication: We use your email to respond to support inquiries and to send important updates about the Service (security notifications, maintenance notices, etc.).
  • Billing and Legal Compliance: We use invoice and payment data to manage subscriptions, enforce payment, and comply with tax laws (VAT reporting, accounting).
  • Service Improvement: We may aggregate and anonymize usage data to analyze performance and improve the Service. This aggregated data cannot identify you personally.

4. Legal basis for processing

Under GDPR Article 6, our legal bases are:

  • Performance of Contract: We process your registration data (name, email, password), service usage, and transactional communications to fulfill the contract for the Service.
  • Legal Obligation: We process billing and contact information to comply with tax and accounting laws (e.g. storing invoices for required periods).
  • Consent: We rely on your consent for any marketing emails. You may withdraw consent at any time (see "Your Rights" below).
  • Legitimate Interests: To the extent permissible, we process data for the legitimate interests of maintaining and securing the Service (e.g. analytics, fraud prevention, customer support) balanced against your privacy. For instance, monitoring and analyzing service logs is in our interest to improve uptime.

5. Third-Party Processors

We use third-party services to operate our platform. Key processors include:

  • Paddle (Payments): We use Paddle.com to handle billing, subscription management and invoicing. Paddle may receive your email, name and billing address to process payments.
  • Railway.com (Hosting): Our application is hosted on Railway's cloud infrastructure. The servers are located in the EU. User data (website uptime logs, account info) are stored on Railway servers.
  • Sentry (Error Monitoring): We use Sentry to collect application errors and performance issues. Sentry may receive limited user data (e.g. IP address, browser, and error context) to debug issues.
  • Email Services: We use an email service to send transactional emails (password resets, alerts). These services process your email and name for email delivery.
  • Analytics: We use Plausible Analytics hosted on our own servers at Railway; no third-party processing of personal data is involved.

We only share data with these providers as needed. For example, we do not give third parties direct access to your private data. We do not sell your personal data to anyone.

6. International Data Transfers

Some of our processors operate servers outside the EU or have legal entities in third countries. In such cases, we always opt to store your data on servers in the EU. By using the Service, you acknowledge that your data may be transferred to the processors' third countries if we cannot prevent this.

7. Data Retention

We retain your personal data only as long as needed to provide the Service and to comply with legal obligations. Specifically:

  • Your account information (name, email) is retained while your account is active and for a reasonable period after account deletion for security and legal reasons.
  • Monitoring logs and ping data are retained for about 1 year, as this is necessary for meaningful historical reports and troubleshooting. After one year, these logs are deleted or anonymized.
  • Billing records (invoices, payment confirmations) are kept for at least 7-10 years as required by tax law.
  • If you request to delete your account, we will erase or anonymize your personal data promptly, except any data we are legally obliged to retain.

8. Security

We implement reasonable technical and organizational measures to protect your data from unauthorized access or disclosure (encryption, secure password storage, access controls, etc.). However, no system is perfectly secure. We cannot guarantee absolute security against breaches. In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by law.

9. Your Rights

Under GDPR (Articles 15–21), you have the following rights concerning your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct incomplete or inaccurate data.
  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data, in whole or in part, when there is no overriding reason for us to keep it. Some data may persist in backups or as required by law, but will be inaccessible.
  • Right to Data Portability: You can request an export of the personal data you provided to us in a common format.
  • Right to Withdraw Consent: Where we rely on your consent, you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.

To exercise any of these rights, please contact us at our email address hey@heyping.io. We will verify your identity before responding. We strive to respond within one month.

10. Minors

The Service is not intended for children under 16. We do not knowingly collect data from minors. If you are under 16, you must obtain parental consent before using the Service. If we become aware of personal data of a child under 16 in our system, we will delete it.

11. Updates to this Policy

We may update this Privacy Policy periodically. We will publish the revised policy on our website, and if changes are material, notify you (e.g. by email). Please review this policy regularly. Your continued use of the Service after changes indicates your acceptance.

12. Contact Information

If you have questions about this policy or your personal data, please contact: hey@heyping.io