UpsNode

Privacy Policy

Last updated: April 29, 2026

1. Introduction and Data Controller

UpsNode ("Company", "we", "our") operates the website upsnode.com and the UpsNode uptime monitoring service (collectively, the "Service"). This Privacy Policy describes how we collect, use, retain, and disclose personal data when you access or use the Service, and the rights available to you under applicable data protection legislation, including the European Union General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law No. 6698 (KVKK).

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information in accordance with this Privacy Policy. If you do not agree, you must discontinue use of the Service immediately.

2. Categories of Personal Data We Collect

We collect the following categories of personal data:

  • Account Data: Full name, email address, hashed password, preferred language, account creation timestamp, and subscription plan tier.
  • Monitor Configuration Data: URLs, IP addresses, hostnames, and check intervals submitted by you for monitoring purposes.
  • Usage and Technical Data: Log data including IP address, browser type and version, operating system, pages visited, timestamps of access, HTTP response codes, and error information generated during use of the Service.
  • Billing Data: Subscription status, plan tier, and Lemon Squeezy customer reference identifiers. We do not store payment card numbers, bank account details, or any other sensitive payment instrument data on our systems. All payment processing is performed by our third-party payment processor, Lemon Squeezy (see Section 6).
  • Communications Data: The content of support requests, feedback, or other correspondence you direct to us.

3. Legal Basis for Processing

We process personal data on the following legal bases under the GDPR and KVKK:

  • Performance of a Contract (Art. 6(1)(b) GDPR / KVKK Art. 5(2)(c)): Processing necessary to provide the Service you have subscribed to, including account creation, monitor execution, and incident alerting.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Fraud prevention, security, abuse detection, service improvement, and aggregate analytics.
  • Legal Obligation (Art. 6(1)(c) GDPR / KVKK Art. 5(2)(ç)): Compliance with applicable laws and regulatory requirements, including tax and accounting obligations.
  • Consent (Art. 6(1)(a) GDPR): Where we send optional marketing communications. You may withdraw consent at any time.

4. Purposes of Processing

We use your personal data exclusively for the following purposes:

  • Provisioning, operating, and maintaining the Service.
  • Sending transactional notifications, including uptime incident alerts, account verification emails, and password reset communications.
  • Processing subscription payments and managing billing lifecycle events.
  • Providing technical support and responding to inquiries.
  • Detecting, preventing, and investigating fraudulent or unauthorized use of the Service.
  • Complying with applicable legal obligations.
  • Conducting internal analytics to improve service reliability and performance (using aggregated, anonymised data where possible).

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes set out in this Privacy Policy, or as required by applicable law. Account data is retained for the duration of your active account and for a maximum period of 90 days following account deletion, after which it is permanently purged from our production systems. Monitor logs and incident records are retained for a rolling period of 90 days. Anonymised, aggregated analytics data may be retained indefinitely as it no longer constitutes personal data.

6. Third-Party Data Processors

We engage the following sub-processors to deliver the Service. Each sub-processor is bound by contractual data processing agreements and provides appropriate technical and organisational safeguards:

  • Lemon Squeezy — Payment processing and subscription lifecycle management. Lemon Squeezy acts as the Merchant of Record and is independently responsible for PCI-DSS compliant handling of payment card data.
  • Resend — Transactional email delivery (alerts, account notifications).
  • Cloud Infrastructure Providers — Hosting, database, and network infrastructure. Servers are located within jurisdictions that provide adequate data protection guarantees.

We do not sell, rent, trade, or otherwise transfer your personal data to third parties for their own marketing or commercial purposes.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area or Turkey, we ensure that such transfers are subject to appropriate safeguards in accordance with applicable law, including Standard Contractual Clauses approved by the European Commission or equivalent instruments recognised under KVKK, or transfers to countries recognised as providing an adequate level of data protection.

8. Cookies and Tracking Technologies

We use strictly necessary cookies solely to maintain your authenticated session. We do not deploy advertising, tracking, or non-essential analytical cookies. Your session token is stored exclusively in an HttpOnly, Secure cookie and is never exposed to client-side JavaScript. We do not use third-party tracking scripts or pixel beacons.

9. Data Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These measures include, but are not limited to: encrypted data transmission via TLS, bcrypt password hashing, network-level access controls, and regular security reviews. Notwithstanding these measures, no transmission or storage system can be guaranteed to be 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

10. Your Rights

Subject to applicable law, you have the following rights with respect to your personal data:

  • Right of Access: To obtain confirmation of whether we process your personal data and to receive a copy thereof.
  • Right to Rectification: To have inaccurate personal data corrected without undue delay.
  • Right to Erasure: To request deletion of your personal data where there is no compelling legal basis for continued processing.
  • Right to Restriction: To request that we restrict processing of your personal data in certain circumstances.
  • Right to Data Portability: To receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: To object to processing based on legitimate interests.
  • Right to Lodge a Complaint: To submit a complaint to the relevant supervisory authority (in Turkey: Kişisel Verileri Koruma Kurumu – KVKK; in the EU: your national data protection authority).

To exercise any of these rights, please contact us at support@upsnode.com. We will respond within 30 days.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will take prompt steps to delete such information.

12. Amendments to This Policy

We reserve the right to modify this Privacy Policy at any time. Where changes are material, we will provide at least 30 days' notice via email or a prominent notice on the Service prior to the effective date of the change. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us at:

Email: support@upsnode.com