🔒 Privacy

Privacy Policy

We only collect what we need to do the job. No ad tracking, no data selling, no surprises. This page explains exactly what we collect, why, and what you can do about it.

Currently in effect
Effective date: July 1, 2026
·
Version v1.0
·
~14 min read
Last updated: July 1, 2026 · Replaces all prior versions
Version 1.0
💡
The short version We collect your email, account info, and monitoring configuration to run the service. We do not sell your data. We do not run ads. Your infrastructure data is yours. For anything else, read on — or email support@statusorbit.com.
§ 01

Overview & Scope

This Privacy Policy describes how Techdera Services Pvt. Ltd. ("StatusOrbit", "we", "us", or "our") collects, uses, stores, and shares personal data when you use our uptime and website monitoring platform, visit our website at statusorbit.com, or interact with any of our services (collectively, the "Service").

This policy applies to all users of the Service, including visitors to our website, registered account holders, Free plan users, paid subscribers, and API consumers. It does not apply to third-party websites or services that may be linked to from our platform.

ℹ️
Monitored endpoints are not your personal data The URLs, API endpoints, and domains you configure for monitoring are operational data — not personal data in the GDPR sense. We process this data solely to provide the Service to you.
§ 02

Who We Are

The data controller responsible for your personal data is:

For EU/EEA residents, StatusOrbit acts as the data controller for personal data processed in connection with your account and use of the Service.

§ 03

What Data We Collect

We collect the minimum data necessary to provide, improve, and secure the Service. The categories of data we collect are described below.

Account & identity data

  • Email address (used for login, alerts, and communications)
  • Full name (optional, used for display and team identification)
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Profile photo (optional, if provided via OAuth)
  • Company or organization name (optional)

Monitoring configuration data

  • URLs, API endpoints, and domains you add as monitors
  • Check intervals, alert thresholds, and notification preferences
  • Custom HTTP headers or authentication tokens you supply for authenticated checks
  • Keyword strings used for content monitoring

Check results & operational data

  • HTTP status codes, response times, and body content (as necessary for keyword checks)
  • SSL certificate metadata (issuer, expiry date, subject)
  • WHOIS domain registration data (expiry date, registrar)
  • Incident timestamps, downtime durations, and recovery events
  • Uptime percentage calculations and historical availability logs

Billing & payment data

  • Subscription plan and billing cycle information
  • Payment method type (card brand and last 4 digits — stored by our payment processor, never by us)
  • Billing address and GST/tax identification number (where applicable)
  • Invoice and transaction history

Usage & technical data

  • IP address and approximate geographic location (country/city level)
  • Browser type, operating system, and device identifiers
  • Pages visited, features used, and session duration within the dashboard
  • API request logs (endpoint, timestamp, response code — retained for 30 days)
  • Error logs and crash reports for debugging purposes
🔑
Authentication tokens in monitor config If you supply API keys, bearer tokens, or Basic Auth credentials as part of a monitor's HTTP headers, these are encrypted at rest using AES-256. They are used only to perform the check and are never logged in plaintext.
§ 04

How We Use Your Data

We use the data we collect exclusively for the following purposes:

Purpose Data used Legal basis
Providing the monitoring service Monitor config, check results, account data Contract performance
Sending outage and recovery alerts Email, Slack token, webhook URL, check results Contract performance
Billing and subscription management Billing data, email Contract performance
Account authentication and security Email, password hash, IP address Legitimate interest
Product improvement and debugging Usage data, error logs, anonymized telemetry Legitimate interest
Transactional emails (invoices, plan changes) Email, billing data Contract performance
Product announcements and changelog updates Email Legitimate interest / Consent
Legal and compliance obligations Account data, billing records Legal obligation
🚫
What we never do We do not sell, rent, or broker your personal data to any third party. We do not use your data to serve behavioural advertisements. We do not train AI or machine learning models on your monitoring data or account information.
§ 05

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under one of the following legal bases as defined by the General Data Protection Regulation (GDPR) and UK GDPR:

  • Contractual necessity (Art. 6(1)(b)): Processing required to fulfil our agreement with you — delivering monitoring results, sending alerts, managing your subscription, and providing customer support.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests such as fraud prevention, security logging, product improvement, and sending product update communications where we have assessed these interests do not override your rights.
  • Legal obligation (Art. 6(1)(c)): Processing required by applicable law, including tax record-keeping, responding to lawful government requests, and complying with data subject rights requests.
  • Consent (Art. 6(1)(a)): Where we rely on consent — such as optional marketing communications — you may withdraw consent at any time via your account notification settings or by emailing support@statusorbit.com.
§ 06

Data Sharing & Disclosure

We do not sell your data. We share data only in the limited circumstances described below, and only with parties who are contractually required to protect it.

Sub-processors & service providers

Provider Purpose Data shared Location
Razorpay Payment processing Billing info, email India / USA / EU
Amazon Web Services Cloud infrastructure & storage All service data India, Singapore
SMTP2GO Transactional email delivery Email address, alert content USA
Cloudflare CDN, DDoS protection, DNS IP address, request metadata Global

Legal disclosures

We may disclose personal data if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of StatusOrbit, our users, or the public. We will notify affected users of such requests wherever legally permitted.

Business transfers

In the event of a merger, acquisition, asset sale, or bankruptcy, your personal data may be transferred as part of that transaction. We will notify users via email and in-dashboard notice at least 30 days before any such transfer takes effect, and provide an option to delete your account before the transfer is complete.

§ 07

Data Retention

We retain your data only for as long as is necessary to fulfil the purpose for which it was collected, comply with legal obligations, or resolve disputes.

Data type Retention period Basis
Account & identity data Until account deletion + 30 days Contract performance
Monitor check results (Free) 24 hours rolling window Plan terms
Monitor check results (Premium) 15 days rolling window Plan terms
Monitor check results (Gold) 90 days rolling window Plan terms
Billing & invoice records 7 years from transaction date Legal obligation (GST/tax)
API access logs 30 days Security & debugging
Email communication logs 2 years Legitimate interest
Deleted account data Purged within 30 days of deletion Data minimisation
📦
Requesting your data before deletion After closing your account, you have 30 days to request a full export of your monitoring data and history. After this window, all data is permanently and irreversibly purged from our systems. Gold plan subscribers may export at any time during their active subscription.
§ 08

Cookies & Tracking

StatusOrbit uses a minimal set of cookies strictly necessary to operate the platform. We do not use advertising cookies, retargeting pixels, or behavioural tracking technology.

Cookie name Purpose Duration Type
so_session Maintains your authenticated login session 30 days (or session) Strictly necessary
so_csrf CSRF protection token for form submissions Session Strictly necessary
so_prefs Stores UI preferences (theme, timezone, table density) 1 year Functional
cf_clearance Cloudflare bot challenge result 30 minutes Strictly necessary

We do not use Google Analytics, Meta Pixel, or any third-party analytics that track you across websites. Our internal product analytics are event-based, anonymized, and processed entirely within our own infrastructure.

You may disable cookies in your browser settings; however, disabling the so_session cookie will prevent you from logging into the dashboard.

§ 09

Data Security

We implement industry-standard technical and organisational measures to protect your data against unauthorised access, accidental loss, destruction, or disclosure.

Technical controls in place:

  • All data in transit is encrypted using TLS 1.2+; all data at rest is encrypted using AES-256
  • Passwords are hashed with bcrypt and never stored in plaintext
  • Authentication tokens in monitor config are stored encrypted and never logged
  • Database access is restricted to application-layer connections within a private VPC; no direct public access
  • Regular automated backups with encrypted snapshots retained for 14 days
  • Vulnerability scanning, dependency audits, and penetration testing conducted quarterly
  • Access to production systems is limited to essential personnel and requires MFA
🚨
Security incident notification In the event of a data breach that affects your personal data, we will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33 and the DPDP Act 2023.
§ 10

Your Rights

Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, email support@statusorbit.com with the subject line matching the right you wish to exercise. We will respond within 30 days.

Right What it means Available to
Right of access Obtain a copy of all personal data we hold about you All users
Right to rectification Correct inaccurate or incomplete personal data All users
Right to erasure Request deletion of your personal data ("right to be forgotten") All users
Right to restriction Pause processing of your data while a dispute is resolved EEA / UK users
Right to portability Receive your data in a machine-readable format (JSON/CSV) EEA / UK users
Right to object Object to processing based on legitimate interests EEA / UK users
Right to withdraw consent Withdraw consent for consent-based processing at any time All users
Right to lodge a complaint File a complaint with your national supervisory authority EEA / UK / India users

You may also exercise many of these rights directly from your account settings, including updating personal details, downloading your data, and deleting your account.

§ 11

Children's Privacy

The StatusOrbit Service is not directed at, and is not intended for use by, children under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a child under 18 without verified parental consent, we will take steps to delete that information as quickly as possible.

If you believe that a child under 18 has provided us with personal data, please contact us at support@statusorbit.com and we will act promptly.

§ 12

International Data Transfers

StatusOrbit is incorporated in India. Your data is primarily stored on servers located in India (Mumbai region, AWS) and Singapore (AWS, for redundancy). If you access the Service from outside India, your data will be transferred to and processed in India.

For users in the EEA or UK, transfers of personal data to countries without an adequacy decision (including India) are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission and the UK ICO respectively. Copies of applicable SCCs are available on request.

🌍
Transfer safeguards Our payment processor (Razorpay) and email provider (Postmark) are US-based. Both are covered by SCCs and, where applicable, the UK International Data Transfer Agreement (IDTA). We maintain Data Processing Agreements with all sub-processors.
§ 13

DPDP Act 2023 (India)

StatusOrbit complies with India's Digital Personal Data Protection Act 2023 (DPDP Act). As a data fiduciary, we fulfil the following obligations under this legislation:

  • We collect personal data only for lawful purposes and only with your consent or for legitimate use under Section 4 of the DPDP Act
  • We designate a Data Protection Officer reachable at support@statusorbit.com
  • We implement reasonable security safeguards to protect personal data as required under Section 8
  • We report personal data breaches to the Data Protection Board of India and to affected individuals within 72 hours of discovery
  • We respect your right to correct inaccurate data, to erasure, and to grievance redressal as established under Chapter III
  • We do not process the personal data of children (persons under 18) without verifiable parental consent

Grievances under the DPDP Act may be raised at support@statusorbit.com. We will acknowledge all grievances within 48 hours and resolve them within 30 days.

§ 14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the features of our Service. When we make changes, we will:

  • Update the "Last updated" date at the top of this page
  • Increment the version number and record the change in our policy changelog
  • For material changes — such as new categories of data collection or new third-party sharing — send an email notification to all registered users at least 30 days before the change takes effect
  • Where required by law, obtain your renewed consent before processing personal data in new ways

Continued use of the Service after the effective date of a revised policy constitutes your acceptance of the revised terms, except where applicable law requires affirmative consent.

§ 15

Contact & DPO

For any privacy-related question, data subject rights request, or concern about how we handle your personal data, please contact us through the appropriate channel below. We respond to all privacy requests within 5 business days.

Fastest resolution Most account-related privacy actions — downloading your data, updating your profile, or deleting your account — can be completed instantly from your Account → Settings → Privacy page without needing to contact us.