Privacy Policy

Effective date: 2026-06-11.

This policy describes what data howlops.com collects, how it is processed, and the rights you have under GDPR and equivalent regimes. This is the initial published version — please review the latest version in the admin legal editor.

1. Data we collect

• Account data: email, name, workspace name, password hash, MFA factors.
• Operational data: monitor configurations, incidents, alert deliveries, audit log.
• Billing data: Stripe customer ID, last 4 digits of payment instrument, invoice metadata.
• Diagnostics: server logs (90 days), request rate metrics (1 year aggregated).

2. How we use it

• To operate the platform, deliver alerts, and bill paid subscriptions.
• To investigate abuse or security incidents.
• To improve the product (aggregated, never individually identifiable).

3. Sharing

We do not sell personal data. We share data with sub-processors strictly to operate the service: Stripe (billing), Amazon Web Services (hosting and email delivery via SES), Cloudflare (network and CDN), Google Analytics (consent-gated product analytics), GitHub (source code and CI), and Twilio (SMS and voice alerts, only when you configure it). A full, current sub-processor list is published at /legal/subprocessors.

4. Your rights

You can access, export, correct or delete your personal data at any time via Settings → Account. Workspace owners can export the entire workspace via the data-export endpoint.

5. Retention

Monitoring data — check results and heartbeat pings — is retained for 365 days for all tiers; verbose diagnostic logs are retained for 90 days. Closed accounts are scrubbed within 30 days of confirmation.

6. Contact

Privacy questions: [email protected].

Data controller

The data controller for personal data processed through HowlOps is the operator identified in our Imprint. For data-protection requests, contact [email protected].

Legal bases for processing (GDPR Art. 6)

• Performance of a contract (Art. 6(1)(b)) — operating your account, running your monitors, delivering alerts, and billing.
• Legitimate interests (Art. 6(1)(f)) — securing the service, preventing abuse, keeping audit logs, and improving reliability, balanced against your rights.
• Consent (Art. 6(1)(a)) — optional analytics cookies and any marketing communications; you may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)) — retaining invoicing/tax records where the law requires.

International transfers

Customer data is hosted in the European Union by default (Frankfurt primary, Paris replica). Where a sub-processor processes data outside the EEA, the transfer is covered by the European Commission's Standard Contractual Clauses or an equivalent safeguard. See our Sub-processors and Data Processing Agreement.

Your right to complain

You have the right to lodge a complaint with a data-protection supervisory authority. In the Czech Republic this is the Úřad pro ochranu osobních údajů (ÚOOÚ), https://uoou.gov.cz. You may also contact the authority in your EU country of residence.