pingtoren

Privacy policy

Last updated: 2026-04-18

This page explains what personal data we collect, why we collect it, how long we keep it, and the rights you have. We aim for plain language — no legalese.

Who we are

This service is operated by pingtoren. For any privacy-related question, write to:

Contact: privacy@pingtoren.com

Data we process

We only collect what's needed to run the service:

  • Account information — your email address and a one-way hash of your password. If you choose to sign in with GitHub, we also store your GitHub username, verified primary email, display name, and avatar URL, imported with your explicit authorization on the GitHub consent screen.
  • Service content — the URLs, names, schedules, alert recipients, and settings of the monitors you create.
  • Operational data — the results of each check we run for you (status, response time, error if any), incidents, and aggregated daily statistics.
  • Technical metadata — request IP address and user agent, kept in short-lived server logs for security and debugging.

Why we process it, and on what legal basis

Each purpose has a single legal basis under GDPR Article 6:

  • Provide the monitoring service (run checks, send alerts, show your data).
    Performance of a contract — Art 6(1)(b).
  • Keep the service secure and prevent abuse (rate limits, fraud, account protection).
    Legitimate interest — Art 6(1)(f).
  • Diagnose errors and maintain reliability (server logs).
    Legitimate interest — Art 6(1)(f).
  • Meet legal obligations (e.g. respond to authority requests).
    Legal obligation — Art 6(1)(c).

Who receives your data

Your data is processed by us and a small number of service providers acting on our instructions:

  • AWS Europe S.à r.l. (Luxembourg) — our cloud infrastructure provider. We use them for hosting, account sign-in, data storage, and sending email notifications. Everything runs in Frankfurt. Other regions may run your monitoring checks if you explicitly enable them — details in the Infrastructure section below.
  • Plausible Insights OÜ (Estonia) — privacy-friendly web analytics. Details in the Analytics section below.
  • GitHub, Inc. (United States) — only if you choose to sign in with your GitHub account. We read your username, verified primary email, display name, and avatar URL to authenticate you. GitHub, Inc. is certified under the EU–US Data Privacy Framework, which covers this transfer.

Where data is stored, and international transfers

All account, monitor, and operational data is stored in the European Economic Area (Frankfurt, Germany).

Transfers outside the EEA

By default, we don't transfer data outside the EEA. Two things can change that, both under your explicit control: signing in with GitHub (your sign-in reaches GitHub, Inc. in the US, covered by GitHub's EU–US Data Privacy Framework certification), and turning on monitoring checks from non-EU regions. Full picture in the Infrastructure section below.

Infrastructure & data residency

Where your data lives

Your account, your monitors, the check results we collect for you, and your incident history are stored in one place only: Frankfurt, Germany. No other region holds any copy of your data.

Data at rest is encrypted with AES-256, using an encryption key we hold and control ourselves — rotated on our schedule, auditable on every use, and revocable at will. Data in transit is always over HTTPS with modern TLS (1.2 or higher).

Monitoring from other regions

When you configure a monitor to run checks from the USA or Asia Pacific, the check runs from that region and the result is recorded back in Frankfurt. During each check, the monitor's settings you set — target URL, HTTP method, headers, request body, and basic-authentication credentials if you use them — are used in that region to run that single check, and discarded when it ends. Nothing about your data is kept outside Frankfurt.

Default

New monitors run from Europe only. Additional regions are added only when you explicitly turn them on per monitor.

Available probe regions
  • Europe — Frankfurt and Ireland
  • USA — N. Virginia and Oregon
  • Asia Pacific — Singapore and Tokyo

Contracting entity and cross-border safeguards

Our cloud infrastructure is operated under contract with AWS Europe S.à r.l. (Luxembourg), governed by the AWS EU Data Processing Addendum with Standard Contractual Clauses. If you sign in with GitHub, that authentication is handled by GitHub, Inc. (US), covered by its EU–US Data Privacy Framework certification.

Data sovereignty and the US CLOUD Act

Our cloud infrastructure provider has a US parent (Amazon.com, Inc.), which means its foreign subsidiaries are subject to US law including the CLOUD Act. We've designed the service around that reality:

What we built
  • Your data never leaves Europe. Frankfurt is the only place it lives — we don't replicate, cache, or back it up anywhere else.
  • Everything at rest is encrypted with a key we hold and control. We rotate it, audit its use, and can invalidate it entirely if ever required.
  • We collect only the personal data the service actually needs to run. No profiling, no advertising identifiers, no behavioural tracking.

If you operate in a regulated industry, public sector, or critical-infrastructure context where you need a fully EU-sovereign posture, we can evaluate a dedicated deployment on a European cloud provider (for example, Hetzner or Scaleway) on a contract basis. Write to privacy@pingtoren.com to discuss.

How long we keep your data

We keep data only as long as needed for the purpose:

  • Account (email, password hash, profile) — until you delete your account.
  • Monitor configurations and incidents — until you delete the monitor or your account.
  • Raw check results — 7 days (rolling).
  • Daily aggregated statistics — 400 days.
  • Server request logs — 14 days.

Your rights

Under GDPR you have the following rights regarding your personal data:

  • Access — get a copy of the data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — ask us to delete your data.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — at any time, for anything based on consent.

To exercise any of these rights, write to privacy@pingtoren.com. We respond within 30 days.

If you believe we mishandled your data, you can lodge a complaint with your national Data Protection Authority. The list of EU/EEA DPAs is available at edpb.europa.eu.

Cookies

We do not set any cookies ourselves. The application runs as a single-page web app with no tracking cookies and no advertising scripts. Our analytics provider (see the Analytics section below) is cookieless by design. During a GitHub sign-in, a short-lived session cookie may be set by the authentication endpoint on its own subdomain; it is strictly necessary to complete the OAuth redirect and does not leak to our application domain.

No cookie banner is shown because no cookies that would require consent under the GDPR or the ePrivacy Directive are set by this site.

Analytics

To see which pages get visited and how traffic grows, we use Plausible — a privacy-friendly, cookieless web analytics tool operated by Plausible Insights OÜ (Estonia) on EU infrastructure. It gives us aggregate counts only; it does not use cookies, does not collect personal data, and does not identify visitors. Because of this, no consent banner is required under the GDPR or the ePrivacy Directive.

Prefer not to be counted

Any browser-level tracker blocker (including the ones built into Firefox, Brave, and Safari) will block Plausible like any other third-party script. The site keeps working normally.

Browser storage

We use browser storage for a handful of items required to operate the service. Under ePrivacy and GDPR these are exempt from consent ("strictly necessary" or user-initiated preferences):

  • Session tokens — keep you signed in and refresh your session automatically. Cleared on sign-out.
  • Display preferences — your selected language, time zone, and light/dark theme.
  • Sign-in security code — short-lived, set only during a sign-in attempt with GitHub and cleared when you return.

Security

Data is encrypted in transit (HTTPS/TLS) and at rest with a key we hold and control. Access to production systems is tightly restricted and audit-logged. Passwords are stored only as one-way hashes — we never see them. We follow modern security practices and keep hardening the service as threats evolve.

Children

This service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has signed up, write to privacy@pingtoren.com and we will delete the account.

Changes to this policy

We may update this policy when our practices change. The "Last updated" date at the top reflects the most recent change. Material changes (e.g. a new processor or a new data-collection purpose) will be surfaced on the service itself, not only here.

Contact

For any privacy question, request, or complaint, write to:

privacy@pingtoren.com

© 2026 pingtoren