This Privacy Policy explains how StackPatrol ("we", "us", "our") collects, uses, stores and protects personal data when you use our website at stackpatrol.eu and the services available through it.
We are committed to processing personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection law.
1. Data controller
The data controller responsible for your personal data is:
Org.nr. 937 621 035
Paul Holmsens vei 24, 1613 Fredrikstad, Norway
Contact: Andreas@stackpatrol.eu
If you have questions about how your data is processed, you can reach us at any time at the address above.
2. What data we collect and why
We collect only the minimum data necessary to operate the service. The table below describes what we collect, the legal basis, and why.
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation, authentication via magic link, transactional emails (invoices, plan changes, monitoring alerts) | Contract performance (Art. 6(1)(b)) |
| Scan results (URLs, vendor lists, scores) | Delivering the scan service and, for paid users, building scan history and monitoring alerts | Contract performance (Art. 6(1)(b)) |
| Stripe customer ID, subscription status | Processing payments, managing your subscription and billing history | Contract performance (Art. 6(1)(b)) |
| IP address (anonymised) | Rate limiting and abuse prevention on the scan API | Legitimate interest (Art. 6(1)(f)) |
| Contact form message | Responding to your enquiry | Consent (Art. 6(1)(a)) |
| Free audit request (name, agency, email, URLs) | Delivering the requested free mini-audit for agencies and following up by email | Consent (Art. 6(1)(a)) |
We do not use personal data for advertising, profiling, or sale to third parties.
3. Free scans (no account)
You can use the scanner without creating an account. When you scan a URL without being logged in, the scan result is stored linked only to a random report ID, not to your identity. We store the scanned URL and vendor results so the shareable report link remains valid for 90 days.
Your IP address is used solely for rate limiting and is hashed (not stored in plaintext) immediately upon receipt.
4. Cookies and tracking
We do not use third-party analytics or advertising cookies. StackPatrol sets one functional cookie: a session token used for authentication when you are signed in to a paid account. This cookie is strictly necessary for the service to function and does not require your consent under ePrivacy rules.
We do not load any third-party tracking scripts. No Google Analytics, no Meta Pixel, no Hotjar. You can verify this yourself by running a scan on stackpatrol.eu.
5. Data processors and third-party services
We use a small number of trusted third-party processors. Each has a Data Processing Agreement (DPA) with us and is either incorporated in the EU/EEA or covered by the EU-US Data Privacy Framework (DPF).
| Processor | Purpose | Region | Safeguard |
|---|---|---|---|
| Hetzner Cloud | Hosting and infrastructure | EU (Finland) | EU-based, no transfer |
| Resend | Transactional email delivery | EU (Ireland, eu-west-1) | EU-based, no transfer |
| Stripe | Payment processing | US | DPF certified, SCCs |
Stripe processes payment data under its own privacy policy and is responsible for the security of card data. We never see or store your card number.
6. International data transfers
Our primary infrastructure runs on Hetzner Cloud in Finland and transactional email is sent from Resend's EU region (Ireland). Personal data submitted to the service does not leave the EU/EEA for these flows.
Stripe processes payment data in the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). Stripe is DPF-certified. We have conducted a Transfer Impact Assessment and are satisfied that the safeguards are adequate for the limited billing data involved (name, email, billing address, payment method token). We never see or store card numbers.
7. Data retention
We retain personal data only as long as necessary for the purposes described above or as required by law.
- Anonymous scan reports (no account): stored for 90 days from the date of the scan, then automatically deleted.
- Account data and scan history: retained for as long as your account is active. If you delete your account, all associated data is deleted within 30 days.
- Payment records: retained for 5 years from the date of the transaction to comply with applicable accounting and tax obligations.
- Contact form messages: deleted within 12 months of the last correspondence unless you have an ongoing relationship with us.
8. Your rights
Under the GDPR you have the following rights in relation to your personal data:
- Right of access (Art. 15): request a copy of the data we hold about you.
- Right to rectification (Art. 16): ask us to correct inaccurate data.
- Right to erasure (Art. 17): request deletion of your data where no legal obligation requires us to keep it.
- Right to restriction of processing (Art. 18): ask us to pause processing under certain conditions.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email Andreas@stackpatrol.eu with "Data Rights Request" in the subject line. We will respond within 30 days.
9. Right to lodge a complaint
If you believe we have handled your data unlawfully, you have the right to lodge a complaint with a supervisory authority. The lead authority is the supervisory authority in your country of residence.
A list of EU data protection authorities is available at edpb.europa.eu.
10. Security
We use industry-standard security measures to protect your data: HTTPS/TLS for all traffic, hashed authentication tokens, no plaintext passwords (authentication is by magic link only), and regular security patching on all infrastructure.
The application and database run on Hetzner Cloud infrastructure in Finland behind a Caddy reverse proxy with automatic TLS. The database is not exposed to the internet.
11. Children
StackPatrol is not directed at children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently done so, contact us immediately and we will delete the data.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users by email when we make material changes. The "Last updated" date at the top of this page always reflects the most recent version.
Continued use of the service after the effective date of a revision constitutes acceptance of the revised policy.
13. Contact
For any privacy-related questions, data rights requests or concerns, contact us at: