GDPR

Our role under GDPR

Observare acts in two capacities depending on the data:

• Data controller — for your account, billing, and contact information. We decide why and how this data is processed.
• Data processor — for the monitoring data you submit (URLs you ask us to monitor, cron heartbeat identifiers, status-page content). You are the controller of that data; we process it on your instructions to deliver the service.

Lawful bases at a glance

• Contract — account, billing, and service-delivery data
• Legitimate interest — security logging, abuse prevention, product improvement
• Legal obligation — tax and accounting records
• Consent — any non-essential marketing (we will ask; you can withdraw at any time)

Detail: Privacy Policy §3.

Your rights

If you are in the UK or EU, you have the right to:

• Access your personal data
• Correct data that is wrong
• Delete your data ("right to erasure")
• Restrict or object to processing
• Receive your data in a portable format
• Withdraw consent (where we rely on it)
• Lodge a complaint with a supervisory authority

To exercise any of these rights, email contact@observare.co.uk with "GDPR Data Request" in the subject. We will respond within one month.

Sub-processors

We use a small number of third parties to help us run the service. Each receives only the minimum data needed. We have Data Processing Agreements (DPAs) in place with sub-processors that handle personal data.

• Stripe — payment processing (billing data)
• Mailgun — transactional and alert emails
• VooDoo SMS — SMS alerts (if you opt in to a phone alert channel)
• OVH — VPS hosting for servers and databases
• Backblaze B2 — encrypted off-site database backups
• Google LLC (Google Analytics 4) — aggregate marketing-site usage analytics on observare.co.uk only, and only if you accept analytics cookies. Not loaded on the customer application at observare.io.

This list is kept in sync with Privacy Policy §4. We will notify existing customers by email before adding a new sub-processor that processes personal data.

Data Processing Agreement (DPA)

For customers processing personal data of EU/UK individuals through Observare, we offer a Data Processing Agreement (DPA) that incorporates the UK International Data Transfer Addendum and EU Standard Contractual Clauses as appropriate.

If you need a signed DPA, email contact@observare.co.uk and we will send you our current template.

Data residency & transfers

Our primary infrastructure is hosted in the UK (OVH VPS). Some sub-processors — notably Stripe, Google (Analytics), and Backblaze — may process data in the United States. Where personal data leaves the UK, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an equivalent approved safeguard (e.g. the UK Extension to the EU-US Data Privacy Framework for Google).

We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data on our behalf.

Security

We apply industry-standard measures appropriate to the risk: TLS in transit, encryption at rest, hashed passwords, least-privilege access controls, and separation of customer data. Detail in Privacy Policy §8.

Breach notification

If we become aware of a personal data breach likely to result in risk to you, we will notify the ICO within 72 hours and, where the risk is high, notify affected individuals without undue delay — as required by UK GDPR Article 33–34.

Complaints

If you are unhappy with how we handle your data, please email us first at contact@observare.co.uk. You also have the right to complain to your supervisory authority:

• UK: Information Commissioner's Office — ico.org.uk — 0303 123 1113
• EU: your national data protection authority (list: edpb.europa.eu)

More detail

• Privacy Policy — full detail on what we collect, why, and how long we keep it
• Terms & Conditions — the service contract, including your data ownership
• Cookies — per-cookie breakdown, consent controls, and how to change your preferences