Privacy Policy

Last updated: April 9, 2026

1. Introduction

ThirdWatch (“we”, “us”, “our”) respects your privacy. This policy explains how we collect, use, store, and protect your personal data when you use our API monitoring platform at thirdwatch.app.

By using our Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Password (hashed with bcrypt, never stored in plain text)
  • Organization name

2.2 Monitoring Data

When you configure monitors, we collect and store:

  • URLs and endpoints you choose to monitor
  • HTTP headers and request bodies you configure
  • Authentication credentials for protected endpoints (encrypted with AES-GCM)
  • Health check results: response times, status codes, error messages
  • Incident data: alerts triggered, severity, resolution timeline

2.3 Session Data

When you log in, we automatically collect:

  • IP address
  • Browser type and operating system (from user-agent header)
  • Login and last activity timestamps

We do not track pages visited, features used, or perform any analytics tracking on the frontend.

2.4 Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. We only receive from Stripe: your subscription status, plan, and billing period dates.

3. How We Use Your Data

We use your data to:

  • Provide the monitoring service (perform health checks, send alerts)
  • Manage your account and subscription
  • Send transactional emails (welcome, password reset, alert notifications, billing)
  • Improve the Service (anonymized analytics, performance optimization)
  • Ensure security (fraud detection, rate limiting, audit logging)
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Data Sharing

We share data only with:

We may disclose data if required by law, court order, or to protect our rights and safety.

5. Data Security

We protect your data with:

  • TLS encryption for all data in transit
  • AES-GCM encryption for stored authentication credentials
  • Bcrypt hashing for passwords (12 rounds)
  • Database access restricted to application services only
  • Regular backups with encrypted storage
  • Rate limiting and brute-force protection on all endpoints
  • Role-based access control for team members

6. Data Retention

Monitoring data (health checks, response times, incidents) is retained according to your subscription plan:

  • Starter: 30 days
  • Pro: 90 days
  • Enterprise: 365 days

Data older than your plan's retention period is not displayed in the dashboard. Automated purge of expired data is planned for a future release.

Account data is retained for the duration of your account. When you delete your account, all personal data and monitoring data is permanently deleted from our database immediately. Anonymized aggregate data may be retained indefinitely.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to data processing based on legitimate interests

To exercise these rights, contact us at support@thirdwatch.app. We will respond within 30 days.

8. Cookies

We use minimal cookies:

  • NEXT_LOCALE — stores your language preference (functional, not tracking)
  • Theme preference — stores dark/light mode choice (local storage)

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Authentication is handled via JWT tokens stored in local storage, not cookies.

9. Children

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will delete it promptly.

10. International Transfers

Our servers are hosted by OVH in Roubaix, France. All data is stored and processed in France. If you access the Service from outside France, your data is transferred to and processed in France. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this policy from time to time. Changes take effect upon publication. We will notify registered users of material changes via email. Your continued use of the Service after changes constitutes acceptance.

12. Contact

For privacy-related questions or to exercise your rights, contact us at:

Email: support@thirdwatch.app
Website: https://thirdwatch.app
