Privacy Policy
Effective date: 21 February 2026
1. Introduction
Vertexion Ltd (“we”, “us”, “our”), a company registered in England and Wales, is the data controller for the personal data collected through the PathWatch website monitoring platform (“Service”).
This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
Account Information
- Name, email address, and password (hashed) when you register.
- Organisation name and settings you configure.
- Authentication tokens (hashed before storage).
Monitoring Configuration
- URLs, API endpoints, and check parameters you configure for monitoring.
- Alert rules, notification channel settings, and status page configuration.
Check Results & Artifacts
- Response times, status codes, headers, and error details from monitoring checks.
- Screenshots, HAR files, and other artifacts generated by browser checks.
Usage & Technical Data
- IP addresses, browser type, and device information when you access the Service.
- Feature usage data to understand how the platform is used and to improve the Service.
Payment Data
Payment information (card details, billing address) is collected and processed directly by Paddle.com Market Limited, our Merchant of Record. We do not store your full card details. Paddle may share your name, email, transaction history, and billing country with us for account management purposes.
3. How We Use Your Data
- Service delivery: Running monitoring checks, generating alerts, and displaying results.
- Billing: Managing subscriptions, processing payments via Paddle, and maintaining invoicing records.
- Support: Responding to your enquiries and troubleshooting issues.
- Improvement: Analysing usage patterns to improve the platform, fix bugs, and develop new features.
- Security: Detecting and preventing abuse, fraud, and unauthorised access.
- Legal compliance: Meeting our obligations under applicable laws and regulations.
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
- Contract performance (Article 6(1)(b)): Processing necessary to deliver the Service you signed up for.
- Legitimate interests (Article 6(1)(f)): Platform improvement, security, and fraud prevention, where our interests do not override your rights.
- Consent (Article 6(1)(a)): Where we ask for your explicit consent, such as for optional marketing communications.
- Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with the law.
5. Data Sharing
We do not sell your personal data. We share data only with the following categories of third parties, and only as necessary to deliver the Service:
- Paddle.com Market Limited — payment processing, invoicing, and tax compliance (Merchant of Record).
- Cloud infrastructure providers — Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, for executing monitoring checks from multiple regions.
- Cloudflare — CDN, DNS, and object storage (R2) for screenshots and artifacts.
- Hetzner — VPS hosting for the API and browser check infrastructure.
- Amazon Web Services (SES) — transactional email delivery.
All third-party providers are contractually bound to process data only on our instructions and to maintain appropriate security measures.
6. Data Retention
- Check results and artifacts: Retained according to your plan’s retention period (from 1 day on the Free tier up to 365 days on Enterprise). Data beyond your retention period is automatically deleted.
- Account data: Retained while your account is active. If you delete your account, we remove your personal data within 30 days, except where retention is required by law.
- Billing records: Retained for up to 7 years after the end of your subscription, as required by UK tax and accounting regulations.
- Server logs: Retained for up to 90 days for security and debugging purposes.
7. International Transfers
Your data may be processed outside the United Kingdom when monitoring checks are executed from cloud infrastructure in other regions (e.g., AWS regions in the US, EU, and Asia-Pacific).
Where personal data is transferred outside the UK, we ensure adequate protection through:
- UK adequacy decisions for the destination country.
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO).
- Other appropriate safeguards as required by UK GDPR.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to restriction: Request that we limit processing of your data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@pathwatch.app. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.
9. Cookies
PathWatch uses only strictly necessary cookies for authentication and session management. These cookies are:
- HttpOnly and Secure.
- Not used for tracking, advertising, or analytics.
- Scoped to the PathWatch application domain.
We do not use third-party tracking cookies or advertising pixels. If this changes in the future, we will update this policy and obtain your consent where required.
10. Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- TLS encryption for all data in transit (minimum TLS 1.2).
- Encryption at rest for stored data.
- Mutual TLS (mTLS) authentication between runners and the API.
- API keys and runner tokens hashed before storage.
- Regular security reviews and updates.
11. Children
PathWatch is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days’ notice via email or a prominent notice within the Service. The “Effective date” at the top of this page indicates when the policy was last revised.
13. Contact
If you have questions about this Privacy Policy or how we handle your data, please contact us:
- Privacy enquiries: privacy@pathwatch.app
- General support: support@pathwatch.app
- Company: Vertexion Ltd, United Kingdom