Legal

Privacy Policy

Effective [date]. Written for the GDPR, from a Swedish, EU-based company.

1. Who is responsible for your data

[Company legal name], registered in Sweden under organization number [org. number] and located at [registered address], is the data controller for the personal data described in this policy. For any privacy question or to exercise the rights below, reach us through our contact page.

2. What we collect

Account data: your name, email address, and password (stored as a salted hash, never in plain text) when you sign up, plus your role and company/account membership.

Billing data: if you're on a paid plan, Stripe processes and stores your payment details on our behalf - we never see or store your full card number ourselves, only the subscription status and billing history Stripe returns to us.

Domain and monitoring data: the hostnames you add for monitoring, and the check results we collect for them (SSL, DNS, registration, email-security, and HTTP data) - this is customer content you control, not personal data about you specifically, unless a hostname itself happens to identify a person.

Usage and log data: sign-in timestamps, IP address at the time of a request (used for rate-limiting login/signup attempts against abuse), and basic analytics about which pages are viewed (see “Cookies and analytics” below).

Communications: anything you send us via the contact form or email support, including the content of your message.

3. Why we process it, and our legal basis

To provide the Service you've signed up for (running checks, sending alert emails, billing your subscription) - necessary to perform our contract with you (GDPR Art. 6(1)(b)).

To keep the Service secure (rate-limiting, abuse and fraud prevention) and to improve it - our legitimate interest (Art. 6(1)(f)), balanced against your rights.

To comply with legal obligations, such as retaining billing records for tax purposes (Art. 6(1)(c)).

Where we ever ask for it separately (for example, optional marketing communications), your consent (Art. 6(1)(a)), which you can withdraw at any time.

4. Who we share it with

We don't sell your personal data. We share it only with the subprocessors that help us run the Service, each bound by a data processing agreement:

Stripe (payment processing and billing) - stripe.com/privacy.

Resend (transactional email delivery for alerts, invites, and password resets) - resend.com/legal/privacy-policy.

MongoDB Atlas (database hosting for account and monitoring data).

Vercel (application hosting, and basic, privacy-focused page-view analytics) - vercel.com/legal/privacy-policy.

Some of these providers may process data outside the EU/EEA; where that happens, we rely on the EU Standard Contractual Clauses or an equivalent safeguard recognized under the GDPR.

We may also disclose data if required by law, or to protect the rights, property, or safety of Upkeep, our users, or the public.

5. How long we keep it

Account data: for as long as your account is active, and for a limited period afterward in case you want to reactivate it, then deleted.

Domain and check-result data: for as long as the domain remains in your account; deleting a domain deletes its check history immediately.

Billing records: for as long as required under Swedish accounting law (currently seven years).

Rate-limit and security logs: for a short rolling window (weeks, not years), then automatically purged.

6. Your rights under the GDPR

You have the right to access the personal data we hold about you, request correction of inaccurate data, request erasure (“right to be forgotten”), request that we restrict or object to certain processing, and request a portable copy of your data in a structured, machine-readable format.

Where processing is based on consent, you can withdraw it at any time without affecting processing carried out before the withdrawal.

To exercise any of these rights, reach us through our contact page. We'll respond within one month, as required by the GDPR.

If you're not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or with the data protection authority in your own EU/EEA country of residence.

7. Cookies and analytics

We use a single essential session cookie to keep you signed in - it's required for the Service to work and isn't used for tracking or advertising. We also use privacy-focused, cookie-free page-view analytics (Vercel Analytics) to understand aggregate traffic to our public pages; it doesn't use cookies or collect data that identifies you individually.

Because our only cookie is strictly necessary for the Service to function, it doesn't require the consent banner the ePrivacy Directive requires for non-essential cookies.

8. Security

Passwords are hashed, never stored in plain text. Sessions use signed, httpOnly cookies. We rate-limit login and signup to slow down abuse, and every check we run is validated and restricted to a domain's own public infrastructure.

No system is perfectly secure, but we design and review the Service with these protections as a baseline, not an afterthought.

9. Children's privacy

The Service is intended for business use and isn't directed at children. We don't knowingly collect personal data from anyone under 16.

10. Changes to this policy

We'll update this page if how we handle personal data changes, and post the new effective date here. For material changes, we'll also email the account owner.

11. Contact

Questions about this policy or your data? Reach us through our contact page.