Last updated: 5 June 2026. This policy is written in plain English, not legalese. If anything is unclear, email contact@observare.co.uk.
1. Who we are
Observare is a bundled ops-monitoring service for developers, freelancers, and small agencies, operated from the United Kingdom.
In this policy, "we", "us", and "Observare" refer to the operator of the service; "you" means anyone who visits this website, signs up for an account, or uses our product.
The marketing website lives at observare.co.uk. The application, API, and customer control panel live at observare.io. Both are operated by the same data controller and this policy covers both.
2. The data we collect
Controller vs processor
Observare acts as data controller for your account, billing, and contact information — we decide why and how that data is processed. For monitoring data (the URLs you ask us to check, cron heartbeat tokens, webhook payloads you route through us, status-page content), we act as data processor — you are the controller and we process it solely on your instructions to deliver the service. This distinction is covered in more detail on our GDPR page.
Account data
When you sign up, we collect your email address and a hashed password. If you give us a name or company name, we store that too.
Billing data
Payments are processed by Stripe. We do not see or store your full card number. We receive and store a Stripe customer identifier, the last four digits of your card, card expiry, billing country, and invoice history.
Monitoring data
When you add a monitor, we store the URL or endpoint you asked us to check, and the results of each check (HTTP status code, response time, TLS certificate details, cron heartbeat timestamps, and similar technical signals).
Website usage
When you visit this website, our servers receive the standard information every web server receives: IP address, browser user-agent, the page you visited, and the time. We retain those logs for a short period (see §5).
Cookies
The marketing site (observare.co.uk) sets one strictly necessary cookie — a short-lived PHP session cookie used by the contact form to prevent form abuse — and, only with your consent via the cookie bar, Google Analytics 4. The customer application (observare.io) sets its own session cookie to keep you signed in; that cookie is scoped to observare.io and is never set by visiting the marketing site. We do not use advertising, fingerprinting, or cross-site tracking cookies on either domain. See §9 for the full per-domain list and /cookies for the short reference.
3. Why we collect it (lawful basis)
Under UK GDPR we have to tell you the lawful basis for each type of processing. Here it is:
- Contract: we need account, billing, and monitoring data to provide the service you signed up for.
- Legitimate interest: we use server logs and aggregate usage data to keep the service secure, debug problems, and prevent abuse.
- Legal obligation: we keep invoices and related records for as long as UK tax law requires.
- Consent: if we ever send you marketing emails beyond product updates about a service you already use, we will ask first, and you can withdraw consent at any time.
4. Who we share it with
We do not sell your data. We share it only with sub-processors who help us run the service:
- Stripe — payment processing (billing data)
- Mailgun — sending alert emails and account emails
- VooDoo SMS — sending SMS alerts if you opt in to a phone alert channel
- OVH — VPS hosting for our servers and databases
- Backblaze B2 — encrypted off-site database backups
- Google LLC (Google Analytics 4) — aggregate marketing-site usage analytics, only if you accept analytics cookies on observare.co.uk. Google Analytics is never loaded on the customer app at observare.io.
Each sub-processor only receives the minimum data they need to do their job. We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data. We will notify existing customers by email before adding a new sub-processor that processes personal data, and we will update this list accordingly.
5. How long we keep it
- Account data: for as long as your account is active, plus 30 days after you delete it (to allow recovery from accidental deletion).
- Billing records: at least 6 years, as required by UK tax law.
- Monitoring check results: 30 days by default; older data is aggregated or deleted.
- Web server logs: up to 30 days.
- Support emails: up to 2 years, then deleted.
6. International transfers
Our primary servers are hosted in the UK (OVH). Some sub-processors — notably Stripe, Google (Analytics), and Backblaze — may process data in the United States. Where personal data leaves the UK, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an equivalent approved safeguard. For Google Analytics specifically, Google is certified under the UK Extension to the EU-US Data Privacy Framework.
We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data on our behalf.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Ask us to correct data that is wrong
- Ask us to delete your data ("right to erasure")
- Ask us to restrict or stop processing your data
- Receive your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent (where we rely on consent)
To exercise any of these rights, email contact@observare.co.uk. We will respond within one month.
8. How we keep it safe
We encrypt data in transit (HTTPS/TLS) and at rest. We store only a hash of your password, never the password itself. We use the principle of least privilege for access to systems, and we review access regularly. We host on reputable infrastructure providers with industry-standard physical and network security.
No system is 100% secure. If we become aware of a breach that affects your personal data, we will notify you and the ICO within 72 hours as required by law.
9. Cookies
Observare runs on two separate hostnames, each of which sets its own cookies. The full per-cookie breakdown — purpose, lifetime, provider — lives on the dedicated cookies page.
Strictly necessary — marketing site (observare.co.uk)
- PHPSESSID: a short-lived PHP session cookie used by the contact form to hold a CSRF token that prevents cross-site request forgery. Set only when you visit the contact page; expires when you close your browser.
This cookie is exempt from the PECR consent requirement under Regulation 6(4) because it is strictly necessary for a service you have explicitly requested (submitting a contact form).
Strictly necessary — customer application (observare.io)
- observare_session: keeps you signed in to your account on the customer dashboard. Set only on observare.io — it is not set by visiting the marketing site, and it is not readable from the marketing site. Expires when you log out or when your session ends.
This cookie is exempt from the PECR consent requirement under Regulation 6(4) because it is strictly necessary for a service you have explicitly requested (signing in to the service you subscribed to).
Analytics (consent required, opt-in only)
We run Google Analytics 4 on the marketing site (observare.co.uk) in Consent Mode v2 with analytics storage set to denied by default. Until you click Accept in the cookie bar, no _ga or _ga_* cookies are placed in your browser and Google Analytics receives only cookieless, aggregated pings. If you accept, two cookies (_ga and _ga_Z3R3GN0444) are set and kept for up to two years; you can withdraw consent at any time from the cookies page.
We do not use Google Analytics for advertising, ad personalisation, or to share data with Google Ads. We do not use Facebook, LinkedIn, TikTok, or any other third-party tracking pixel. Google Analytics is not loaded on the customer application at observare.io.
The lawful basis for the analytics cookies is your consent under PECR Regulation 6. You can change or withdraw your decision at any time from the cookies page.
10. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Monitoring alerts are triggered by technical checks (HTTP status codes, certificate expiry dates, missed heartbeats) — not by profiling of personal data.
11. Children
Observare is a B2B tool for developers and businesses. It is not intended for or directed at children under 16, and we do not knowingly collect data from them.
12. Changes to this policy
If we change this policy materially, we will tell you by email and update the "last updated" date at the top. Small clarifications may be made without notice.
13. Complaints
If you are unhappy with how we handle your data, please email us first — we would like the chance to fix it. You also have the right to complain to the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113