Privacy Policy
What personal data Observer processes, why, where it lives, and what rights you have. Plain language. Last updated 2026-05-24.
Effective date: 2026-05-24. Last updated: 2026-05-24.
This Privacy Policy explains what personal data Observer processes, why, where it lives, and what rights you have. We have tried to write it as plainly as we can. Where a defined term is used, it has the meaning given to it in the Terms of Service.
Summary in plain English
- Observer is a SaaS that does monitoring and runs status pages. We collect the personal data we need to operate the Service and bill for it.
- The primary database lives in Germany. A disaster-recovery replica is held in the United Kingdom with Oracle Cloud Infrastructure. Some processing happens through service providers located in the United States; we use Standard Contractual Clauses plus the UK Addendum to cover those transfers.
- We do not sell your data. We do not use your data to train AI models. We do not run third-party advertising.
- Customer-uploaded data is held for 30 days after you delete it or close your account; backups are then purged within a further 30 days (60 days total).
- You have rights under UK GDPR and EU GDPR (access, rectification, erasure, portability, restriction, objection). California residents have equivalent rights under CCPA/CPRA. Write to [email protected] to exercise them.
1. Who we are
Observer is operated by a sole trader based in England, United Kingdom, trading as "Observer". For the purposes of UK GDPR and EU GDPR, we are the controller for the personal data we collect about our direct customers (the people who sign up to and pay for the Service).
When you create a status page that has end users (for example, subscribers who receive incident emails), you are the controller of those end users' personal data and we process it as your processor under the Data Processing Agreement.
We do not have a statutory obligation to appoint a Data Protection Officer because the scale and nature of our processing do not meet the thresholds in UK GDPR Article 37 / EU GDPR Article 37.
- Contact: [email protected]
- Security disclosure: [email protected]
- Trading address: available on request
2. What personal data we collect
The table below covers everything we collect that is, or could be, personal data. Each row links to the lawful basis we rely on in section 3.
| Category | Specific fields | Where it comes from |
|---|---|---|
| Account identity | User ID, email address, optional username, optional first and last name, last sign-in timestamp | Provided by you at sign-up; mirrored from our auth provider when you create or update your account |
| Organisation information | Organisation name, organisation members, your role in the organisation | Provided by you when you create or join an organisation |
| Subscription information | Plan tier, subscription status, billing period dates, opaque subscription identifier | Generated by our billing provider when you subscribe or change plan. We never see credit card data. Card details are handled by Stripe via our billing provider; we receive only the status and plan information |
| Customer records you create | Where you create customer records inside the Service (for customer-scoped status pages), the customer's name and email address | Provided by you. You are the controller of this data; we process it on your behalf |
| Status page subscribers | Email address; opaque confirmation and unsubscribe tokens; the services and notification preferences they selected | Provided by the subscriber when they opt in to receive updates from one of your status pages. You are the controller of this data; we process it on your behalf as documented in the DPA |
| Audit records | Your IP address (the last hop reported by our ingress); your browser User-Agent string; the action you performed and on which resource | Captured automatically when you act on the Service via the dashboard or API |
| Customer-configured monitoring data | Metric definitions, probe configurations (URLs, hostnames, queries), the verdicts the Agent computes, status timestamps | Provided by you. May contain personal data if you choose to monitor systems whose URLs or queries embed personal data; we recommend that you do not |
| Email engagement | Whether confirmation, status, or report emails were delivered to a given address | Reported back by our transactional email provider |
We do not intentionally collect special-category personal data (health, race, religion, sexual orientation, political opinion, trade union membership, genetics, biometrics, criminal records). If you choose to include such data in monitoring configuration, customer records, or status page content, you do so under your own responsibility and lawful basis.
We do not collect personal data about status page viewers who do not subscribe. Public status pages are served without any analytics or tracking attached to the viewer.
3. Why we process your data (lawful basis)
| Processing activity | Lawful basis under UK GDPR / EU GDPR |
|---|---|
| Creating and operating your account | Performance of the contract between you and us (Article 6(1)(b)) |
| Providing the monitoring, alerting, and status page features you have configured | Performance of the contract (Article 6(1)(b)) |
| Sending transactional email (account confirmation, subscription receipts, status changes you have signed up for, weekly SLO reports) | Performance of the contract (Article 6(1)(b)) |
| Billing, invoicing, and processing payments via the billing provider | Performance of the contract (Article 6(1)(b)); legal obligation for record-keeping (Article 6(1)(c)) |
| Logging administrative actions for security, fraud prevention, and customer support | Legitimate interests in operating the Service securely and accountably (Article 6(1)(f)) |
| Rate limiting, abuse prevention, IP-based blocking when necessary | Legitimate interests in protecting the Service and its other customers (Article 6(1)(f)) |
| Responding to law-enforcement requests, supervisory authority requests, and court orders | Legal obligation (Article 6(1)(c)) |
We do not rely on consent as a lawful basis for the core Service. If we ever add features that require consent (for example, optional product analytics or marketing email), we will ask for it specifically and you will be able to withdraw it at any time.
We do not engage in automated decision-making with legal or similarly significant effects within the meaning of UK GDPR Article 22.
4. Who has access to your data
Production database access is limited to a small set of authorised administrators bound by confidentiality obligations.
We share personal data with the subprocessors listed at Subprocessors. The list includes who they are, where they process data, and the transfer mechanism that applies. Where a subprocessor is located outside the United Kingdom and the European Economic Area, transfers are governed by the European Commission's 2021 Standard Contractual Clauses (Decision (EU) 2021/914) plus the UK International Data Transfer Addendum (UK IDTA) as appropriate.
We do not sell personal data. We do not share personal data with advertisers, data brokers, or analytics platforms outside the subprocessor list. We do not use personal data to train AI models.
We will disclose personal data to law-enforcement authorities, supervisory authorities, or courts where we are legally compelled to do so. Where the law permits, we will tell you before we comply with such a request.
5. International transfers
The primary database holding Customer Data is hosted with Hetzner Online GmbH in Germany, inside the European Economic Area. A disaster-recovery replica of the same Postgres database is held with Oracle Cloud Infrastructure (Oracle Corporation UK Limited) in the United Kingdom. The UK-to-EU transfer is covered by the EU's adequacy decision for the United Kingdom (Commission Implementing Decision (EU) 2021/1772). UK Personal Data does not leave the United Kingdom.
Some of our service providers (notably our authentication, billing, transactional email, content delivery network, and webhook signing providers) operate from the United States. Personal data flowing to those providers is transferred under:
- the European Commission's 2021 Standard Contractual Clauses (Decision (EU) 2021/914), in the appropriate module, for EU GDPR transfers; and
- the United Kingdom's International Data Transfer Addendum to the EU SCCs (UK IDTA, version B1.0) for UK GDPR transfers.
The full list of subprocessors, their locations, and the transfer mechanism for each is at Subprocessors.
6. How long we keep your data
| Data | Retention |
|---|---|
| Customer Data uploaded to or generated through the Service (metric definitions, probes, customer records, status pages, configuration) | Held while your account is active. On deletion or account closure, removed from active systems within 30 days and permanently deleted from backups within a further 30 days (60 days total) |
| Account identity (email, name) | Retained for the duration of the account; deleted on the same schedule as Customer Data after account closure |
| Subscription and billing records | Retained for 7 years after the last invoice, in line with our statutory record-keeping obligations under UK tax law |
| Audit log (administrative actions, IP, User-Agent) | 60 days, after which records are automatically deleted by a scheduled job in the database |
| Transactional email logs held by our email provider | Subject to that provider's retention; typically 30 days for delivery logs |
| Backups | Retained for the period required to provide point-in-time recovery (target 14 days). All Customer Data inside a backup is purged on the schedule above |
We do not extend retention to "improve the Service" or for unspecified product development. Where we genuinely need to keep something longer (for example, an audit log entry tied to an unresolved security incident), the retention extension is documented and scoped to the specific record.
7. Your rights
If you are in the United Kingdom or the European Economic Area, you have the following rights under UK GDPR or EU GDPR:
- Right of access: to a copy of the personal data we hold about you.
- Right to rectification: to have inaccurate personal data corrected.
- Right to erasure: to ask us to delete personal data we hold about you, where one of the GDPR grounds applies.
- Right to restriction: to ask us to limit how we use your personal data, while a question about it is being resolved.
- Right to portability: to receive your personal data in a structured, machine-readable format, where the processing is based on contract or consent.
- Right to object: to processing based on legitimate interests, on grounds relating to your particular situation.
- Right to withdraw consent at any time, where we rely on consent.
- Right to lodge a complaint with a supervisory authority. For UK residents, the supervisory authority is the Information Commissioner's Office (ICO), ico.org.uk. For EEA residents, the supervisory authority is the data protection authority in your member state.
If you are a California resident, you have equivalent rights under the CCPA / CPRA, including the right to know what personal information we have collected about you, the right to delete that information, the right to correct inaccurate information, the right to limit the use of any sensitive personal information, and the right to opt out of sale or sharing of personal information. We do not sell or share personal information in the CCPA sense, so the opt-out is effectively pre-applied.
To exercise any of these rights, write to [email protected] from the email address associated with your account, or use any equivalent verification method we ask for. We will respond within 30 days for UK GDPR and EU GDPR requests, and within 45 days for CCPA / CPRA requests. We may extend by a further 60 days for complex requests; we will tell you if we need the extension.
We will not discriminate against you for exercising any of these rights.
8. Cookies
We use only strictly necessary cookies today (session cookies set by our authentication provider, Clerk). There is no analytics or advertising tracking on the Service. The full cookie inventory and the rules we follow are in the Cookie Policy.
9. Security
A description of the technical and organisational measures we apply to protect personal data is in the Security page. We are honest there about what we do today and about the limits of those measures.
If you discover a security issue, please write to [email protected]. Our disclosure policy and contact details are also available at /.well-known/security.txt.
10. Children
The Service is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at [email protected] and we will delete the data.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to the account owner and via the in-product notification mechanism at least 30 days before they take effect. The current version is always available at https://use.observer/policies/privacy.
12. Contact
- General privacy questions: [email protected]
- Security: [email protected]
- Postal address: available on request
If you are not satisfied with our response to a privacy question, you can lodge a complaint with the Information Commissioner's Office at ico.org.uk (UK) or with the supervisory authority in your member state (EEA).