Privacy Policy
Last Updated: June 8, 2026
1. Introduction
This Privacy Policy explains how Site Sheriff Limited ("SiteSheriff," "we," "our," or "us") collects, uses, discloses, and safeguards your information when you use our monitoring service. Site Sheriff Limited is a company registered in England and Wales (company number 16983997) with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. For the purposes of UK and EU data protection law, Site Sheriff Limited is the data controller.
By using SiteSheriff, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our service.
We are not required to appoint a Data Protection Officer under UK GDPR. For any privacy-related questions, please contact us at [email protected].
2. Information We Collect
2.1 Personal Information
We collect the following personal information when you register for an account:
- Name and email address
- Account credentials (passwords are stored as one-way cryptographic hashes; we never store or have access to your plain-text password)
- IP address and browser/device identifier (user agent) at the time of login, stored alongside your active sessions for security purposes (e.g. detecting unauthorised access)
- Two-factor authentication secrets, stored in encrypted form if you enable 2FA on your account
Payment and billing information is collected and processed directly by our payment provider, Stripe. We do not store your full payment card number on our servers; however, we do retain the card brand (e.g. Visa, Mastercard) and last four digits of the card number for transaction records and to help you identify which card was charged. Please refer to Stripe's privacy policy for information on how your complete payment data is handled.
2.2 Website Monitoring Data
To provide our monitoring service, we collect:
- URLs of websites you want to monitor
- Response times and status codes
- Uptime/downtime statistics
- Alert configurations and notification preferences, including third-party service URLs you provide (such as Slack webhook URLs or custom webhook endpoints)
When alerts are triggered, incident details are sent to the destinations you configure. We are not responsible for how third-party services handle data once it is delivered to them.
To deliver geographically distributed checks, our scheduler workers run in the United Kingdom and in additional regions outside the UK (currently Canada and Singapore). All persistent data continues to be stored in the United Kingdom; the workers in other regions only access the configuration and results data needed to perform and record each individual check, and do so over an encrypted private network connection. See section 11 for the safeguards that apply to these transfers.
2.3 Server Log Data
Our servers automatically log certain information when you access our service. This may include:
- IP address and browser type
- Operating system and device information
- Pages and endpoints accessed
- Time and date of requests
- Referring URLs
This data is collected passively through standard server logging and is used for security monitoring, troubleshooting, and maintaining the reliability of our service. We do not use client-side analytics or real user monitoring tools.
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To provide, maintain, and improve our website monitoring service
- Account Management: To manage your account and provide customer support
- Notifications: To send you alerts about website downtime and service updates
- Billing: To process payments and manage subscriptions
- Security: To detect, prevent, and address technical issues and security threats
- Legal Compliance: To comply with legal obligations and protect our rights
4. Legal Bases for Processing
For users in the United Kingdom and European Economic Area, we process your personal information on the following legal grounds:
- Contractual Necessity: Processing is necessary to fulfill our obligations under our Terms of Service, such as providing the monitoring service, managing your account, and processing payments.
- Legal Obligation: Processing is necessary to comply with applicable laws, such as tax and accounting requirements.
- Legitimate Interest: Processing is necessary for our legitimate interests, such as improving our service, ensuring security, and troubleshooting issues, provided these interests are not overridden by your rights.
- Consent: Where required, we rely on your consent, for example before placing non-essential cookies on your device.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
5.1 Service Providers (Sub-processors)
We use a small number of trusted third-party service providers to help operate our service. Each is bound by appropriate data processing terms. Our current sub-processors are:
- Stripe Payments Europe Limited (registered in Ireland) - payment processing (privacy policy)
- Amazon Web Services EMEA SARL (Amazon SES) - transactional email delivery (privacy policy)
- OVH Limited (UK) - cloud hosting and object storage for application data and encrypted backups (privacy policy)
We will update this list when sub-processors change. If you would like to be notified of changes, please contact [email protected].
5.2 Legal Requirements
We may disclose your information if required by law or in response to valid requests by public authorities.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
6. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls and authentication mechanisms
- Secure data centers with physical security measures
7. Data Retention
We retain your personal information for as long as necessary to provide our services and comply with legal obligations.
7.1 While Your Account Is Active
- Account and profile information is retained for the lifetime of your account.
- Monitoring results are automatically purged after 14 days.
- Aggregated hourly statistics are retained for 90 days.
- Aggregated daily statistics are retained indefinitely for long-term reporting.
- Server log data is retained for up to 7 days.
7.2 When You Delete Your Account
When you delete your account, your personal information and operational data (including monitors, monitor groups, alert configurations, notification destinations, incidents, maintenance windows, and billing preferences) are permanently deleted immediately. Your customer record with our payment processor (Stripe) is also deleted at the same time.
Historical monitoring check results are retained only for the periods described in section 7.1 above and are automatically purged when those periods elapse.
Financial records (payments, invoices, and transactions) are anonymised by removing your user identifier rather than deleted. We are required to retain these records for tax and accounting purposes as described in section 7.4.
7.3 Backups
Encrypted database backups are retained for the period required for disaster recovery and point-in-time recovery, typically up to four weeks. Deleted data may persist in these backups until they are overwritten by the standard backup rotation. Backups are not used for any purpose other than disaster recovery and are not restored to recover individual records once deletion has occurred.
7.4 Legal Obligations
We retain certain information beyond the periods described above where required by law. In particular, anonymised billing transaction records are retained for at least six years after the end of the relevant accounting period in order to comply with HMRC tax and accounting requirements.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request access to your personal information
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Data Portability: Request a copy of your data in a structured, machine-readable format
- Objection: Object to processing of your personal information
- Restriction: Request restriction of processing
- Withdrawal of Consent: Withdraw consent where processing is based on consent
To exercise these rights, please contact us at [email protected]. We will respond to verified requests without undue delay and at the latest within one month of receipt. Where a request is complex or where you have submitted a number of requests, we may extend this period by up to a further two months and will let you know within the first month if this is necessary.
If you are located in the UK or EEA, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe your personal information has been processed in a manner inconsistent with applicable data protection laws. In the United Kingdom, this is the Information Commissioner's Office (ico.org.uk).
9. Your Choices
You have several choices when it comes to your information:
- Limit Information Provided: You can choose not to provide optional information, though this may limit access to certain features of our service.
- Cookie Preferences: You can configure your browser to reject non-essential cookies, though this may affect the functionality of our service.
- Close Your Account: You may close your account at any time.
10. Cookies and Tracking Technologies
We use cookies for essential purposes such as authentication and session management. We do not use tracking cookies, third-party advertising cookies, or similar technologies to monitor your behavior across other websites. For more details, please refer to our Cookie Policy.
11. International Data Transfers
Your personal data is stored on infrastructure hosted within the United Kingdom. To run monitoring checks from multiple geographic locations, our scheduler workers also run in the following regions:
- United Kingdom - primary processing location, where all personal data is stored.
- Canada - scheduler worker for the americas-ca-1 region.
- Singapore - scheduler worker for the apac-sg-1 region.
Workers in Canada and Singapore connect to our UK database over an encrypted private network to read the configuration of the check they are about to perform and to record the result. They do not store personal data locally; data is held only transiently in memory while a check is being processed. Some of our sub-processors (in particular Stripe and Amazon Web Services) may also process personal data outside the UK, including in the United States and the European Economic Area.
Where personal data is transferred outside the United Kingdom, we rely on appropriate safeguards as required by UK and EU data protection law:
- European Economic Area: covered by the UK adequacy regulations for the EEA.
- Canada: covered by the UK adequacy regulations recognising Canada's commercial data protection regime.
- United States: covered, where applicable, by the EU-US Data Privacy Framework and the UK Extension to that Framework, supplemented by the European Commission's Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum.
- Other locations (including Singapore): covered by the UK International Data Transfer Agreement (IDTA), or by the European Commission's Standard Contractual Clauses together with the UK International Data Transfer Addendum, supplemented by a transfer risk assessment.
You may request more information about the safeguards in place for a particular transfer by contacting [email protected].
12. Children's Privacy
Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately.
13. Automated Decision-Making
We do not use your personal information for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
14. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will notify you by email or through a prominent notice on our service prior to the change becoming effective.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: [email protected]
- Company: Site Sheriff Limited (registered in England and Wales, company number 16983997)
- Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ