Data Protection
Privacy Policy
Information on the processing of personal data in accordance with the GDPR.
Last updated: May 3, 2026
1. Responsible Entity (Data Controller)
The operator listed below is responsible for data processing on this platform.
- Operator: Marcel Breuer
- Address: Grünbaumstr. 89, 42659 Solingen, Germany
2. Categories of Personal Data Processed
Depending on your usage, WebGuard processes the following data categories:
- Account and profile data (name, email, password hash, role, locale, theme settings, and optional avatar).
- Authentication and session data (login timestamps, session identifiers, IP address, user agent, and required session/CSRF metadata).
- Consent and auditability data (timestamps of acceptance for Terms of Use and Privacy Policy).
- Monitoring configuration data (name, monitoring type, target, port, keyword, DNS record expectations, HTTP method, expected HTTP status codes, headers/body, optional credentials, preferred location, maintenance window, public label/widget setting, heartbeat interval, grace period, and private heartbeat ping URL or token).
- Monitoring result data (status, HTTP status codes, response times, SSL/TLS certificate data, domain-expiration data including registrar where available, heartbeat ping timestamps, incidents, recent individual checks, archived raw data, and daily uptime/downtime aggregates).
- Publicly exposed status data when public labels or public widgets are enabled (for example monitoring name, current status, uptime metrics, and maintenance status).
- Notification data (channel configuration including webhook URLs, Telegram bot token/chat ID, event preferences, delivery status, delivery history, technical payloads/error messages, and read state).
- Email communication data for verification, password reset, incident/SSL/domain-expiration warnings, weekly digests, and unread-notification reminders.
- API and operations data (personal access tokens, logged API routes, timestamps, monitoring locations, server-instance codes, IP addresses, and last-seen timestamps where administratively required).
- Audit log data for user-controlled changes (for example registration, profile changes, notification settings, API-token actions, monitoring creation/update/deletion, account-deletion requests, actor, affected record, event name, timestamp, and changed fields with configured secrets redacted).
- Optional for GitHub login: GitHub ID, OAuth token/refresh token, avatar URL, and linked email address.
3. Purposes and Legal Basis of Processing
Data is processed only where needed for the operation and security of WebGuard.
Processing purposes
- Providing registration, login (including optional GitHub login), account management, and authentication.
- Performing monitoring checks (HTTP, ping, keyword, port, heartbeat, DNS records, domain expiration), incident detection, and uptime, domain, SSL, and performance reporting.
- Providing public status labels and public widgets when users enable these features.
- Sending service-related messages (for example verification/password reset emails, weekly digests, unread-notification reminders, and incident/recovery/SSL/domain-expiration alerts via configured channels).
- Providing and securing API access (token handling, abuse protection, usage logging).
- Security and operations (troubleshooting, fault analysis, integrity protection, and auditability of account and monitoring changes).
Legal basis under GDPR Art. 6
- Art. 6(1)(b) GDPR (contract performance and pre-contractual measures).
- Art. 6(1)(f) GDPR (legitimate interests in reliable, secure platform operation).
- Art. 6(1)(c) GDPR (compliance with legal obligations, where applicable).
- Art. 6(1)(a) GDPR (consent, where consent is explicitly requested).
4. Use of Third-Party Services and Processors
WebGuard uses external providers only where necessary to operate the service.
- Hosting and infrastructure providers (compute, storage, network, backups).
- Email delivery providers for transactional account emails (for example verification and password reset).
- Third-party APIs/webhook endpoints for user-configured notification channels (for example Slack, Telegram, Discord, custom webhooks). Status data, monitoring names, and technical error details may be sent to recipients configured by the user.
- GitHub as OAuth provider when you choose GitHub sign-in.
- Operational and security tooling required for stable and secure delivery.
Where required, processing agreements under Art. 28 GDPR are in place. If providers process data outside the EU/EEA, this is done only under the safeguards required by Art. 44 et seq. GDPR.
5. Cookies and User Options
WebGuard uses technically necessary cookies to provide login and session functionality.
- Session cookies for authentication and secure account usage.
- Security/CSRF cookies required for protected forms and sessions.
- Preference cookie for language selection (`webguard_locale`).
- No marketing or analytics tracking cookies are currently used.
You can configure your browser to block or delete cookies. Blocking required cookies may limit platform functionality.
6. Your Rights under GDPR
You have the following rights subject to legal requirements:
- Right of access (Art. 15 GDPR).
- Right to rectification (Art. 16 GDPR).
- Right to erasure (Art. 17 GDPR).
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR).
- Right to object (Art. 21 GDPR).
- Right to withdraw consent at any time with future effect (Art. 7(3) GDPR).
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
7. Storage Duration
Personal data is stored only as long as needed for contractual, legal, and operational purposes. In the current app configuration, read notifications are regularly deleted after about one month, and demo user notifications are removed after about one week. Audit log entries for user-controlled account, profile, API-token, and monitoring changes are deleted after 30 days. Older raw monitoring responses are regularly moved to an archive table. Delivery histories and technical error data are stored temporarily for auditability and troubleshooting. When accounts or monitors are deleted, related data is removed as part of technical deletion workflows.
8. Security Measures
WebGuard applies appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or manipulation. These include role-based access control, email verification, token-based API authentication, and hashed storage of passwords and instance API keys. Users should keep API tokens, heartbeat ping URLs, webhook URLs, bot tokens, and optional monitoring credentials confidential.
9. Data Protection Contact
For privacy and data protection inquiries, please contact the operator using the details below.
To reduce automated harvesting, contact details are only shown after manual interaction.
If you believe your data protection rights are violated, you may contact a competent supervisory authority.