0.0 Intro
0.1 What is Personal Data?
The European Union defines Personal Data as follows:
It is also worth mentioning that if any personal data is one-way hashed, it is no longer considered personal data:Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_enPersonal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
1.0 Data
1.1 Data storage
All data collected by the HetrixTools platform is electronically stored on secure servers within our infrastructure.
The database tables containing personal data are only accessible by the application itself, with no external access.
Our external nodes (ie: uptime monitoring nodes) communicate with the central database only via encrypted internal APIs, not direct database access.
User passwords are one-way hashed before being stored in our database; no plain text passwords are ever stored anywhere on our systems.
Our users are assigned a unique user identifier, called UID, so that our platform can perform external actions (such as: live chat sessions, payment processing, etc) without using any personal information.
1.2 Data collection
We explain in Section "2.0 Information" of our Privacy Policy exactly what personal data is being collected by our platform from our users: https://hetrixtools.com/privacy-policy/
1.3 Which of the collected user data is considered 'personal data'?
As expressed under Section "0.1 What is Personal Data?", 'personal data' is defined by any information that can identify you as an individual.
Given the above, only the following data collected by our platform will be considered 'personal data':
- the user's full name, provided during registration, or later added/modified in their Account Settings (only applies if it's your full real name, not including only the first name, or a nickname)
- the user's email address, provided during registration, or later added/modified in their Account Settings (only applies if the email address contains your full name, ie: name.surname@company.com)
- the user's IP address that is being logged during registration, and during account activity
- the email address(es) that the user may input into their contact list(s) (only applies to email address(es) containing a full name, ie: name.surname@company.com)
Below are some examples of private data that we collect, which is not classified as 'personal data':
- the IP addresses and domains/hostnames that the user may add to the blacklist/uptime monitoring
- the report data generated by our platform
- the user's unique identifier (UID)
- the user's username
- the user's hashed password
- the user's white label logo/favicon/website/title
- the user's settings and account options
Even though most of our collected/stored data does not fall under the 'personal data' category (as defined by the EU), we treat all of our users' data as 'private data', and keep it private and safe, as per our Privacy Policy.
1.4 Data usage
We explain in Section "3.0 Use of Information" of our Privacy Policy exactly our collected personal data is being used for, and what it is not used for: https://hetrixtools.com/privacy-policy/
1.5 Data access
The collected personal data is being accessed from the database by our platform at the application level.
Our support staff has access to a secured administration panel, but no direct database access.
All actions done by our support agents are being logged and constantly monitored.
The application and database servers access is only given out to critical staff that is responsible to keeping the infrastructure up and running.
1.6 Data backup
We rely on database replication to keep data safe in case of any hardware failure. All data is replicated via secure encrypted connections.
The database is also being backed up several times per day. Backups are transferred via secure encrypted connections, and then stored in encrypted data safes. Backups containing user data are stored for 30 days, after which they are automatically purged and being replaced by newer backups.
2.0 User's rights
2.1 User's right to be informed
This GDPR Compliance page, along with our Privacy Policy are used to inform our users of what personal data we collect from them, and how this personal data is being used by our platform in order to provide services. Users would need to read, understand, and agree to these terms before signing up to using our services. Our platform could not provide said services without this personal data being collected from the users.
2.2 User's right of access
Our users have full access to their personal data that we have collected or they have provided to our platform.
User personal data that has been used during sign-up, can be found in the user's client area under Account Settings (only exception here being the password, which we do not store as plain text so we cannot display it back to the user in any shape or form).
If the user has created any contact lists, then that data can be found in user's client area under Contact Lists.
If the user has added any blacklist monitors, then that data can be found in user's client area under Blacklist Monitors.
If the user has added any uptime monitors, then that data can be found in user's client area under Uptime Monitors.
If the user has added any status pages, then that data can be found in user's client area under Status Pages.
If the user has added any sub-accounts, then that data can be found in user's client area under Sub-Accounts.
If the user has configured white label reports, then that data can be found in user's client area under White Label Settings.
The following personal data is not directly accessible by the user via our platform, but the user can always open a support ticket to request this data:
- the IP address used when user has signed up
- the IP address used to log into the user account
- the IP address of the currently opened session(s)
- the IP address from our internal Activity Log (containing the latest actions performed by this user account)
Please note that we will only give you access to your personal data, but nothing else attached to this data. For instance our internal Activity Log contains the timestamp, user's UID, IP Address, and the actions the user has performed in their account lately; we will only share with you the IP address, as that is the only part of this data that is your personal data.
2.3 User's right to rectification
Our users can modify themselves most of the personal data that they have stored on our platform, at any time, from their client area.
In order to locate and modify any of your data, please see where to access this data from, in Section "2.2 User's right of access" of this document.
Certain personal data cannot be modified (such as user's logged login IP address, or current active sessions IP address) as to maintain the standard platform functionality; however, if you wish to modify this data at any cost, then please follow the steps under Section "2.4 User's right to erasure or 'the right to be forgotten'".
2.4 User's right to erasure or 'the right to be forgotten'
Our users can accomplish this by doing the following:
- if the user has created any contact lists, those can be permanently deleted from the user's client area under Contact Lists
- if the user has added any blacklist monitors, those can be permanently deleted from the user's client area under Blacklist Monitors (Blacklist Monitors history is not instantly deleted, and will linger on in our system until automatically purged in 15 days)
- if the user has added any uptime monitors, those can be permanently deleted from the user's client area under Uptime Monitors
- if the user has added any status pages, those can be permanently deleted from the user's client area under Status Pages
- if the user has added any sub-accounts, those can be permanently detached from the master account, from the user's account client area under Sub-Accounts (please note that this won't delete the sub-account itself, the owner of that sub-account would have to perform that action themselves)
Account closure:
The user has the option, in their Account Settings, to close down their HetrixTools account entirely.
Our implementation of the 'right to be forgotten' has 3 stages:
- Stage 1: the user triggers the account closing action from their Account Settings; the user is instantly logged and locked out of the account. At this stage all account activity (ie: monitors processing) will be disabled.
- [upon user written request] Stage 2: within 30 days from user's written request, we will completely purge the user's personal data from the database.
- [upon user written request] Stage 3: 30 days after 'Stage 2' the automatic backups containing any of your personal data would have been automatically purged from all of our backup systems.
Stage 2 and Stage 3, mentioned above, will only be triggered upon user written request. If you wish to proceed with your right to erasure, please contact us (after completing Stage 1) with a written consent letter, that lets us know you wish to proceed with Stage 2 and Stage 3 of your 'right to be forgotten'. You can email this letter to our support department email, listed on our website.
When Stages 2 and 3 are carried out, to prevent users from registering over and over and abusing the right to be forgotten, our system will one-way hash the user's email address and username, which will turn this personal data into non-personal data, see "Section 0.1 What is Personal Data?" from this document. This encrypted info will be added to an internal blacklist which is checked every time a new account is registered, so our system will not allow anyone to register again using that specific email address or username.
2.5 User's right to restrict processing
This right only applies under certain circumstances, and does not apply in our case here.
If any user wishes to restrict processing of their personal data by our platform, they are advised to follow the steps listed in Section "2.4 User's right to erasure or 'the right to be forgotten'" of this document.
2.6 User's right to data portability
Our users have the right to take their personal data and move it elsewhere.
You can do so by opening a support ticket on our website and request any of the 'personal data' described under Section "1.3 Which of the collected user data is considered 'personal data'?" of this document. As per GDPR ruling, the said data will be provided back to your in text format, within one month of your request.
2.7 User's right to object
Our users have the right to object to the way that we are using their personal data.
You can do so from your client area under Account Settings, where you can opt out of our Promotional Emails, Announcement Emails, Uptime Monitoring Network Changes Emails, etc.
Furthermore, we have an in-house built unsubscribe system, which allows our users to opt-out and unsubscribe from very specific emails (ie: blacklist monitoring notifications, uptime monitoring notifications, etc.).
However, certain critical emails cannot be opted out of, such as account related emails (ie: account verification, password reset) and billing emails (ie: invoices). Our system cannot function properly without the use of these emails, so if any user objects to their personal data being used this way they can always follow the steps listed under Section "2.4 User's right to erasure or 'the right to be forgotten'" of this document.
3.0 Notification
3.1 Breach notification
In the event where we become aware of any 'personal data' breach that results in unlawful or unauthorized access, loss, disclosure, or alteration of the 'personal data' stored on our infrastructure, we will notify all the users that have been affected by said breach.