Privacy Policy
Effective: June 10, 2026 · Last updated: June 10, 2026
Summary
We run status.yt (status.yt) — a SaaS platform
that lets companies publish status pages and send incident notifications to their subscribers.
We are an independent company registered in the European Union, so GDPR is our baseline law.
In short: we collect only what we need to run the service, we do not sell your data, we store
everything on EU infrastructure, we use a small set of well-known sub-processors, and you can
request deletion at any time. The sections below give you the full picture.
Who We Are
The data controller for status.yt and its sub-domains is:
- Legal name: {COMPANY_LEGAL_NAME}
- Registered address: {COMPANY_ADDRESS}
- Privacy contact: privacy@status.yt
- Data Protection Officer: dpo@status.yt
When our customers (organizations that sign up for an account) operate their own status pages and collect subscribers, they act as the data controller for those subscribers. In that capacity we act as their data processor. See the "Customers as Controllers" section for details.
Information We Collect
Account data
When you sign up we collect your name, email address, and password (stored as a bcrypt hash). If your organization uses SSO (OIDC or SAML), we receive the attributes your identity provider sends us — typically name, email, and group memberships.
Billing data
Paid plans are processed by Stripe. We never see or store your raw card number. Stripe sends us a customer ID, subscription ID, and billing email, which we store to manage your subscription. Your full payment details live only in Stripe's systems, governed by Stripe's Privacy Policy.
Status-page content
Incident titles and updates, component names, maintenance window descriptions, and any other text you enter into the platform are stored and used solely to operate your status page.
Subscriber lists
Your subscribers' email addresses and phone numbers (for SMS) are stored on your behalf. You are the controller of this data; we process it only on your instructions. See "Customers as Controllers".
Telemetry and logs
We collect server-side request logs (IP address, user agent, HTTP status, timestamp) and application error logs. These are used for debugging, abuse prevention, and capacity planning. We do not use client-side tracking pixels or fingerprinting.
Cookies
See the Cookies section below for the complete list — it is short.
How We Use Your Information
We only process personal data for a defined purpose and with a legal basis under GDPR Article 6.
| Purpose | Data used | GDPR legal basis |
|---|---|---|
| Create and manage your account | Name, email, password hash | Contract performance (Art. 6(1)(b)) |
| Deliver status-page and notification features | All account and content data | Contract performance (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Billing email, Stripe IDs | Contract performance (Art. 6(1)(b)) |
| Send transactional emails (password reset, billing receipts) | Email address | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection | IP address, logs | Legitimate interests (Art. 6(1)(f)) |
| Platform health monitoring and debugging | Application logs, error traces | Legitimate interests (Art. 6(1)(f)) |
| Product announcement emails (marketing) | Email address | Consent (Art. 6(1)(a)) — opt-in only |
| Comply with legal obligations | As required by law | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal data. We do not use it for advertising profiling. We do not share it with third parties except our sub-processors listed below and as required by law.
Cookies
We use as few cookies as possible.
| Name / pattern | Type | Purpose | Duration |
|---|---|---|---|
hostyt_session |
Essential | Keeps you logged in across page loads. HTTP-only, Secure, SameSite=Lax. | Session / 2 hours |
XSRF-TOKEN |
Essential | CSRF protection on form submissions. | Session |
cookie_consent |
Essential | Remembers whether you have dismissed the cookie banner. | 1 year |
We do not currently use analytics, advertising, or social-media tracking cookies. If we add any in the future, we will update this policy, show a new consent banner, and give you 30 days' advance notice by email.
Sub-Processors
We work with the following sub-processors — companies that handle personal data on our behalf. We have written data-processing agreements with each of them.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription management | USA (EU SCC + Data Privacy Framework) |
| {SMS_PROVIDER} | Outbound SMS notifications to status-page subscribers | {SMS_PROVIDER_LOCATION} |
| Hetzner Online GmbH | Cloud infrastructure — servers, storage, networking | Germany / Finland (EU) |
| Sentry | Application error tracking — only enabled when the customer organization opts in to error reporting in their settings | USA (EU SCC) |
| Anthropic / OpenAI / OpenRouter / Google | AI-assisted features (e.g. incident summary drafting) — only when a customer provides their own API key and explicitly opts content into AI processing. We never send subscriber PII to AI providers. | USA (EU SCC or DPF) |
We will notify you at least 14 days in advance before adding a new sub-processor that handles personal data beyond the categories already described here.
International Data Transfers
Our primary infrastructure is located in the European Union (Hetzner, Germany/Finland). Some sub-processors are based in the United States. For those transfers we rely on:
- Standard Contractual Clauses (SCCs) — the EU Commission's 2021 module templates for controller-to-processor transfers, supplemented by a transfer impact assessment.
- EU–U.S. Data Privacy Framework — where the sub-processor is certified (currently Stripe and Google).
- Supplementary measures — encryption in transit (TLS 1.2+) and at rest, contractual pseudonymisation requirements, and limited access controls.
If you are located in the UK, transfers are additionally covered by the UK Addendum to the SCCs.
Data Retention
| Data category | Retention period |
|---|---|
| Account and profile data | Until you delete your account or request erasure, then a 30-day soft-delete window for backup integrity, then permanent purge. |
| Billing records | 7 years after the last transaction (required by EU tax and accounting law). These are held in Stripe's systems. |
| Application and server logs | 90 days, then automatic deletion. |
| Incident history and status-page content | Retained while your account is active. Configurable per plan — some plans allow longer public history windows. Deleted with your account on closure. |
| Subscriber email and phone data (on behalf of customers) | Until the subscriber unsubscribes, the customer organization deletes the record, or the customer account is deleted — whichever comes first. |
| Deleted accounts | Soft-deleted for 30 days (allows accidental-deletion recovery), then all personal data is permanently purged from live systems and expunged from backups within the next scheduled backup rotation cycle (≤ 30 days). |
Your Rights Under GDPR
If you are in the European Economic Area or the United Kingdom, you have the following rights under the GDPR (and UK GDPR). You can exercise most of them through your account settings or by emailing privacy@status.yt. We will respond within 30 days.
- Access (Art. 15). Get a copy of the personal data we hold about you and learn how we use it. Use the "Export my data" button in your account settings.
- Rectification (Art. 16). Correct inaccurate or incomplete data. Most profile fields can be updated directly in your account settings.
- Erasure (Art. 17). Ask us to delete your account and personal data. Submit a request from your account settings or by email. Note: we may retain some data where we have a legal obligation to do so (e.g. tax records).
- Data portability (Art. 20). Receive your data in a machine-readable format (JSON/CSV export available in account settings).
- Restriction of processing (Art. 18). Ask us to pause processing of your data while a dispute or erasure request is pending.
- Object to processing (Art. 21). Object to processing based on legitimate interests (e.g. marketing analytics). We will stop unless we have compelling legitimate grounds that override your interests.
- Withdraw consent (Art. 7(3)). If you gave consent for marketing emails, you can withdraw it at any time using the unsubscribe link in any email or in your account settings. Withdrawal does not affect the lawfulness of prior processing.
- Lodge a complaint. You have the right to complain to your local Data Protection Authority. Our lead supervisory authority is the Personal Data Protection Office (UODO) in Poland (uodo.gov.pl). You may also contact the DPA in your country of residence.
Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by CPRA, gives you additional rights.
- Right to know. You can request disclosure of the categories and specific pieces of personal information we have collected about you in the last 12 months.
- Right to delete. You can ask us to delete your personal information, subject to certain exceptions (legal obligations, fraud prevention, etc.).
- Right to correct. You can ask us to correct inaccurate personal information.
- Right to opt-out of sale or sharing. We do not sell your personal information. We do not share it with third parties for cross-context behavioral advertising.
- Right to non-discrimination. We will not discriminate against you for exercising any of these rights.
To exercise CCPA rights, email privacy@status.yt with the subject line "CCPA Request". We will verify your identity before responding. We do not use a toll-free number for CCPA requests.
Security Measures
We take reasonable technical and organizational measures to protect your data:
- Encryption in transit. All connections are served over HTTPS with TLS 1.2 or higher. Certificates are auto-issued and renewed.
- Encryption at rest. API keys, webhook secrets, and sensitive credentials are encrypted at rest using AES-256 before storage in the database. Database backups are encrypted.
- Access controls. Production systems are accessible only via SSH with key-based authentication. Database access is restricted to the application server. We follow least-privilege principles for all service accounts.
- Two-factor authentication. 2FA is available and encouraged for all user accounts. Admin-level accounts can be required to enroll by organization policy.
- Audit logging. Significant actions (login, settings changes, subscriber imports) are written to an audit log.
- Regular backups. Database backups run daily and are stored encrypted on a separate provider.
- Dependency management. We maintain automated dependency scanning and apply security patches promptly.
We are not currently SOC 2 certified. We do not claim compliance with HIPAA, PCI-DSS (card data is handled entirely by Stripe), or ISO 27001 at this time. No system can guarantee 100% security, and we will tell you promptly if a breach affects your data (see Data Breach Notification below).
Children
status.yt is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us at privacy@status.yt and we will delete the account promptly.
International Users
Our service is operated from the European Union. If you access it from outside the EU — including from the United States, Canada, Australia, or elsewhere — your personal data will be transferred to and processed in the EU. By using the service you acknowledge this transfer. We handle your data under GDPR standards regardless of where you are located.
Data Breach Notification
If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (UODO, Poland) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
- Provide a clear description of what happened, the categories of data affected, likely consequences, and the steps we are taking to address it.
Customers as Controllers
When you sign up for an account and operate a status page, you collect email addresses and phone numbers from your subscribers. In this context:
- You (the customer organization) are the data controller for your subscribers' personal data.
- We (status.yt) are the data processor — we process subscriber data only on your instructions, to deliver notifications and manage subscriptions.
As a customer-controller you are responsible for:
- Having a lawful basis for collecting subscriber email addresses and phone numbers (typically consent via the subscription form).
- Providing your subscribers with a privacy notice that describes how you use their data.
- Handling subscriber rights requests (access, erasure, etc.) directed at your organization.
A Data Processing Agreement (DPA) — required by GDPR Article 28 — is available upon request. Email dpo@status.yt to request a signed DPA.
Changes to This Policy
We may update this policy from time to time. For minor, non-material changes (e.g. fixing a typo, clarifying an existing practice), we will update the "Last updated" date at the top without additional notice.
For material changes — such as adding new data categories, changing the legal basis for processing, or adding new sub-processors — we will:
- Send an email to all registered account holders at least 30 days before the change takes effect.
- Post a notice on this page.
- For changes that require fresh consent, provide a clear opt-in mechanism before the change applies to you.
Continued use of the service after the effective date of a material change constitutes acceptance of the updated policy.
Contact Us
For privacy-related questions, data subject requests, or DPA inquiries, please contact us:
- Email: privacy@status.yt
- DPO email: dpo@status.yt
- Postal address:
{COMPANY_LEGAL_NAME}
Attn: Data Protection Officer
{COMPANY_ADDRESS}
We aim to respond to all privacy enquiries within 5 business days and to complete all data subject requests within 30 days (extendable to 90 days for complex requests, with notice).