Last updated: 6 April 2026. This page is a summary of Observare's GDPR posture with pointers to the underlying policies. For the detailed treatment of your personal data, see our Privacy Policy.
Our role under GDPR
Observare acts in two capacities depending on the data:
- Data controller — for your account, billing, and contact information. We decide why and how this data is processed.
- Data processor — for the monitoring data you submit (URLs you ask us to monitor, cron heartbeat identifiers, status-page content). You are the controller of that data; we process it on your instructions to deliver the service.
Lawful bases at a glance
- Contract — account, billing, and service-delivery data
- Legitimate interest — security logging, abuse prevention, product improvement
- Legal obligation — tax and accounting records
- Consent — any non-essential marketing (we will ask; you can withdraw at any time)
Detail: Privacy Policy §3.
Your rights
If you are in the UK or EU, you have the right to:
- Access your personal data
- Correct data that is wrong
- Delete your data ("right to erasure")
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent (where we rely on it)
- Lodge a complaint with a supervisory authority
To exercise any of these rights, email contact@observare.co.uk with "GDPR Data Request" in the subject. We will respond within one month.
Sub-processors
We use a small number of third parties to help us run the service. Each receives only the minimum data needed:
- Stripe — payment processing
- Amazon SES (or equivalent) — transactional email
- OVH / VPS hosting provider — infrastructure
- Twilio / Meta Cloud API — WhatsApp/SMS alerts (if you opt in)
The current list is maintained in our Privacy Policy §4. We will notify existing customers by email before adding a new sub-processor that processes personal data.
Data Processing Agreement (DPA)
For customers processing personal data of EU/UK individuals through Observare, we offer a Data Processing Agreement (DPA) that incorporates the UK International Data Transfer Addendum and EU Standard Contractual Clauses as appropriate.
If you need a signed DPA, email contact@observare.co.uk and we will send you our current template.
Data residency & transfers
Our primary infrastructure is hosted in the UK and EU. Some sub-processors (notably Stripe) may process data in the United States. Where personal data leaves the UK, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an equivalent approved safeguard.
Security
We apply industry-standard measures appropriate to the risk: TLS in transit, encryption at rest, hashed passwords, least-privilege access controls, and separation of customer data. Detail in Privacy Policy §8.
Breach notification
If we become aware of a personal data breach likely to result in risk to you, we will notify the ICO within 72 hours and, where the risk is high, notify affected individuals without undue delay — as required by UK GDPR Article 33–34.
Complaints
If you are unhappy with how we handle your data, please email us first at contact@observare.co.uk. You also have the right to complain to your supervisory authority:
- UK: Information Commissioner's Office — ico.org.uk — 0303 123 1113
- EU: your national data protection authority (list: edpb.europa.eu)
More detail
- Privacy Policy — full detail on what we collect, why, and how long we keep it
- Terms & Conditions — the service contract, including your data ownership