Privacy Policy
Effective date: March 12, 2026 · Last updated: April 3, 2026
1. Introduction
This Privacy Policy explains how Uptivus (“Uptivus,” “we,” “us,” or “our”), operated by Fluenik, LLC, collects, uses, and protects personal information when you visit our website, use the Uptivus uptime monitoring platform, interact with our status pages, or submit information through our forms and waitlists.
2. Scope
This policy applies to personal information collected through:
- uptivus.com — our public-facing website and marketing pages.
- The Uptivus platform — the uptime monitoring dashboard, including login, monitor management, alert configuration, status pages, and team management.
- Status pages — public and password-protected pages published by Uptivus users to communicate service health to their customers.
- Contact and waitlist forms — forms on our website used to get in touch, join waitlists, and subscribe to product updates.
3. Accountability and Privacy Contact
Uptivus is operated by Fluenik, LLC, a Michigan limited liability company in the United States. For privacy questions, requests, or complaints, contact us at:
- Privacy Contact: Fluenik, LLC Privacy Officer
- Email: [email protected]
- Request label: Please include “Privacy Request” in the subject line so we can route your inquiry promptly.
4. Information We Collect
4.1 Account and platform data
When you create an account or use the Uptivus platform, we collect:
- Email address and password-derived authentication data (your password is immediately hashed using industry-standard algorithms; we never store or transmit your plaintext password) to authenticate your identity.
- Name and profile information you provide when setting up or updating your account.
- Session tokens — short-lived access tokens stored in your browser to maintain your authenticated session. These are not used for tracking or advertising.
- Monitor and alert configuration — URLs, endpoints, alert preferences, and notification settings you configure within the platform.
- Monitoring data — uptime check results, response times, status codes, incident records, anomaly detections, and related availability metrics collected by the platform on your behalf.
- AI insights and actions — when AI-enabled features are active, AI-generated analysis, incident summaries, confidence scores, and any automated actions taken on your behalf.
- Notification and workflow logs — records of alert deliveries, notification channel activity, and workflow execution history.
- Integration credentials — OAuth tokens and API keys for connected services (such as GitHub, GitLab, Slack, and Discord), encrypted at rest.
- Usage and activity data within the platform, such as monitor actions, configuration changes, and feature interactions, to support your account and improve the product.
- Server, application, and security logs — we and our infrastructure providers maintain logs that may include IP address, request metadata, timestamps, device/browser information, and related technical data for security, debugging, fraud prevention, and service reliability.
4.2 Promotional emails
We send promotional emails about our products and updates only with your consent. You may unsubscribe at any time using the link in our emails or by contacting us.
We retain your email address for marketing purposes until you unsubscribe or request deletion.
We use third-party email delivery providers to send communications.
We do not use phone numbers for marketing communications unless explicitly stated.
4.3 Contact forms and waitlists
When you submit a contact form or join a waitlist, we collect:
- Contact details such as email address and, if provided, name and phone number.
- Message content — the subject and body of your message (contact forms).
- Subscription metadata such as list membership, consent status, and subscribe/unsubscribe timestamps.
- Technical and anti-abuse data such as IP address and captcha verification status when anti-spam checks are enabled.
4.4 Contact form submissions
Legal basis: We process contact form submissions based on our legitimate interest in responding to inquiries, or your consent where applicable.
Purpose: We use this information solely to respond to your request and communicate with you.
Retention: We retain contact form submissions for up to 90 days unless required longer for an active support matter, security issue, dispute, or legal obligation.
Your rights: You may request access, correction, or deletion of your submitted data at any time by contacting us.
4.5 Through uptivus.com (public website)
On our public-facing website, we collect limited information automatically, including IP address, browser type, device information, and page-visit data. This data is used for security, network management, performance monitoring, and privacy-friendly web analytics.
Specifically, our public website uses Cloudflare for CDN and security services (which processes IP addresses and sets strictly necessary cookies for bot protection), and Umami (self-hosted) for cookie-free, privacy-friendly web analytics (which processes anonymized page-visit data without setting cookies or tracking individuals across sites; all analytics data is processed on our own infrastructure). If you enable the optional anti-spam check on a form, hCaptcha may also process IP address and device information as described in Section 9 below.
5. Data Roles
Fluenik, LLC acts in different data-protection roles depending on the category of personal data and purpose of processing:
Uptivus as controller: For account registration and administration, website visitor data, waitlist and contact form submissions, billing and payment data, security and abuse-prevention logging, error diagnostics, product usage analytics, direct marketing communications, and compliance and legal obligations, Fluenik, LLC acts as an independent data controller and determines the purposes and means of processing.
Uptivus as processor: For customer content that you submit to or generate through the Uptivus platform — including monitor configuration, check results, incident records, alert rules, status page content, and integration connection data — Fluenik, LLC acts as a data processor on your behalf, processing that content to provide the monitoring services you have configured. You, as the account holder, determine the purposes for which this customer content is processed within Uptivus.
Mixed-role processing: Some data may be processed in both roles. For example, notification logs and workflow execution logs are processed as a processor to deliver the alerting and automation services you direct, and also as a controller for limited purposes such as diagnostics, security monitoring, debugging, and enforcing our terms. AI insights and anomaly records are similarly retained as a processor to provide operational intelligence on your behalf, and as a controller for service reliability and compliance purposes.
If you are a customer that requires Article 28 GDPR processor terms, our Data Processing Agreement is available at /data-processing-agreement.
6. Service Providers and Vendors
The following third-party service providers process personal data on our behalf or as part of providing Uptivus. A full list with transfer mechanism references is published at /subprocessors.
- DigitalOcean — application hosting, managed PostgreSQL database, and managed Redis. Processes account data, monitoring data, incident records, and all platform data stored at rest.
- AWS (Amazon S3) — object storage for static assets and file attachments.
- Microsoft Azure OpenAI Service — AI model hosting and inference. Processes monitoring data and incident context sent for AI response generation and operational insights.
- Cloudflare — CDN, DDoS protection, bot management, and DNS. Processes IP addresses, request headers, and sets strictly necessary security cookies on page load across both uptivus.com and the Uptivus platform.
- Sentry — error monitoring and application diagnostics. Receives error reports and associated technical context (such as stack traces, request metadata, and browser/device information) when application errors occur on the Uptivus platform.
- Proton — email communications. Processes email addresses and message content for transactional and support email delivery (such as account verification, alert notifications, and privacy request responses).
- hCaptcha (Intuition Machines, Inc.) — anti-spam verification on contact and waitlist forms (consent-gated; not loaded unless the user enables it). Processes IP address and device interaction data when activated. See Section 9 for details.
- Umami (self-hosted) — cookie-free, privacy-friendly web analytics on uptivus.com, hosted on our own DigitalOcean infrastructure. Processes anonymized page-visit data (page URL, referrer, browser, OS, and country derived from IP address, which is discarded after processing). Does not track individuals across sites or sessions and does not set cookies. No analytics data is sent to any third party.
7. How We Use Information
- Authenticate and operate your Uptivus account.
- Provide, maintain, and improve the Uptivus platform and monitoring services.
- Process monitoring and incident data with AI-enabled features to provide incident summaries and operational insights when those features are enabled.
- Send uptime alerts, incident notifications, and monthly reports you have configured.
- Manage waitlists and send product updates where you opt in.
- Respond to support requests and account communications.
- Monitor errors and application performance for diagnostics and reliability.
- Analyze anonymized website usage through privacy-friendly analytics.
- Protect against fraud, abuse, and unauthorized access.
- Comply with legal obligations.
Uptivus does not use monitoring data, incident data, or account data to train our own generalized AI models. Where AI-enabled features rely on third-party model providers, we use provider controls and contractual terms intended to prevent your content from being used to train their generalized AI models. Specifically: when customer content is submitted through Uptivus via Microsoft Azure OpenAI Service (as configured in our production environment), that content is not used by Microsoft to train generalized models, subject to the applicable Microsoft Products and Services DPA. Azure OpenAI Service may retain limited content for short periods for abuse monitoring and safety purposes as described in its data processing terms. If our provider's terms or our configuration change materially, we will update this policy.
Most of the processing described above is necessary to perform our contract with you (providing the Uptivus service) or is carried out under our legitimate interests in operating, securing, and improving our services. Where we rely on consent as the legal basis — specifically for promotional emails, product-update newsletters, and optional hCaptcha anti-spam verification — you may withdraw consent at any time by using the unsubscribe link in promotional emails, disabling the anti-spam check, or by contacting our Privacy Officer. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
Creating an account or submitting a form does not, by itself, constitute consent for all purposes. Account-related and service-delivery processing is based on our contractual relationship and legitimate interests, not consent.
8. Sharing of Information
We do not sell personal information. We do not share personal information with third parties for advertising or marketing purposes. We may share information with service providers that help operate our infrastructure (hosting, security, AI processing, error monitoring, email delivery, and analytics), subject to contractual confidentiality and security obligations. See Section 6 for a description of each service provider and the data it processes.
AI providers: Your monitoring data and incident context are sent to our AI provider (Microsoft Azure OpenAI Service) solely to generate AI-powered insights and analysis. This provider processes data under contractual terms that prohibit training on customer content, as described in Section 7.
We may also share information where required by law or to enforce our rights.
Our current subprocessor list, including transfer mechanism references, is published at /subprocessors.
If you are a customer and need Article 28 processor terms, our DPA is available at /data-processing-agreement.
9. Cookies and Tracking Technologies
We use a small number of cookies and similar technologies to support security and functionality. We do not use advertising cookies.
- Session tokens — short-lived tokens stored in your browser after login to maintain your authenticated session. These are functional, not tracking cookies, and are cleared when you sign out or your session expires.
- Cloudflare cookies (__cf_bm and related __cf_ prefixed cookies, strictly necessary) — our sites are served through Cloudflare, which automatically sets essential cookies to manage bot protection, security, and network performance. These cookies are set on page load, do not track you across sites, and are not used for advertising. They are governed by the Cloudflare Privacy Policy.
- Umami (no cookies, self-hosted) — we use Umami on uptivus.com for privacy-friendly web analytics, hosted on our own DigitalOcean infrastructure. Umami does not set any cookies, does not use personal identifiers, and is configured to avoid identifying individual visitors. It processes anonymized page-visit data (page URL, referrer, browser, OS, and country derived from IP). The IP address itself is discarded after processing and is not stored. No analytics data is sent to any third party.
- hCaptcha cookies (optional, consent-gated) — our contact and waitlist forms optionally use hCaptcha to protect against spam and automated abuse. The hCaptcha widget is not loaded, and no hCaptcha cookies are set, unless you explicitly enable the anti-spam check by clicking the “Enable anti-spam check” button on the form. If you enable it, hCaptcha may set cookies (such as hc_accessibility and hmt_id) and may collect IP address, device information, and interaction data for security and anti-bot purposes. These cookies and data collection are governed by hCaptcha's own policies, which describe broader data uses than our summary here; for full details, see the hCaptcha Privacy Policy and hCaptcha Terms of Service. If you do not enable the anti-spam check, no hCaptcha cookies are placed. You may disable the anti-spam check at any time before submitting, which resets and removes the widget.
10. EU/EEA/UK Article 13 Privacy Notice
If you are in the EU, EEA, or UK, this section provides Article 13 GDPR transparency information.
- Controller: Fluenik, LLC (acting as controller for account, website, security, diagnostics, analytics, and compliance data; and as processor for customer monitoring content used to deliver the service, as described in Section 5).
- Controller contact: [email protected]
- Purposes and legal bases:
  - Performance of contract (Article 6(1)(b)): providing and operating the Uptivus platform, executing monitoring checks, processing incidents, delivering alerts, maintaining status pages, and connecting integrations under your account agreement.
  - Legitimate interests (Article 6(1)(f)): securing our services and preventing abuse; error monitoring and diagnostics; product usage analytics; maintaining service reliability and debugging; enforcing our terms.
  - Consent (Article 6(1)(a)): sending promotional emails and product updates where you opt in; loading optional hCaptcha anti-spam verification when you enable it.
  - Legal obligation (Article 6(1)(c)): complying with applicable legal, regulatory, and accounting requirements.
- Recipients: hosting providers (DigitalOcean), object storage (AWS S3), AI/language model provider (Microsoft Azure OpenAI Service), security and CDN (Cloudflare), anti-spam verification (hCaptcha, consent-gated), error monitoring (Sentry), email communications (Proton), self-hosted web analytics (Umami, on our own infrastructure), and professional advisors where required.
- International transfers: our core services are hosted in the United States, and your information may be transferred to or accessed from the United States or other countries where our subprocessors operate. Where required, we rely on recognized transfer safeguards such as adequacy decisions (including the EU-U.S. Data Privacy Framework where applicable) and/or Standard Contractual Clauses (including required UK and Swiss transfer addenda).
- Retention: see Section 13 for specific retention periods by data category.
- Your rights: subject to applicable law, you may request access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where processing is based on consent.
- Complaint route: you may lodge a complaint with your local supervisory authority. A directory of EU supervisory authorities is available via the EDPB.
- Automated decision-making: we do not use solely automated decision-making that produces legal or similarly significant effects. AI-generated insights and automated actions are provided as tools under your control and do not constitute automated individual decision-making under GDPR Article 22.
11. California Notice at Collection (CCPA/CPRA)
At or before the point of collection, we provide this notice describing the categories of personal information collected, the purposes for collection or use, whether personal information is sold or shared, and retention periods.
- Categories collected: identifiers (name, email, IP address, session ID); internet and network activity (browser/device metadata, page interactions, monitoring check results, alert delivery logs); authentication credentials (password hash); professional information (workspace name, job title if provided); and mailing-list subscription data (list membership, consent/opt-in status, unsubscribe status, and related timestamps).
- Sensitive personal information: we do not intentionally request sensitive personal information.
- Business purposes: authenticating and operating your account; delivering monitoring, alerting, and incident analysis services; providing AI-powered operational insights; managing waitlists; sending product updates where you opt in; error monitoring and diagnostics; protecting against spam and abuse; web analytics; maintaining unsubscribe and suppression lists; maintaining business records; and complying with legal obligations.
- Sold or shared: we do not sell personal information and do not share it for cross-context behavioral advertising.
- Retention by category: see Section 13 for specific retention periods by data category.
- Right to know, delete, correct, and opt out: California residents may exercise their rights under the CCPA/CPRA by contacting us at [email protected]. You may also designate an authorized agent to submit a request on your behalf; we may require the agent to provide proof of authorization and may separately verify your identity. We will verify your identity before processing requests. We will not discriminate against you for exercising your privacy rights.
12. Do Not Track Disclosure
Because there is no universal standard for interpreting Do Not Track signals, our website does not currently respond to DNT signals. We do not allow third-party advertising networks to collect personal information on our properties.
13. Data Retention
We retain personal information only for as long as needed for the purposes described in this policy, including legal, accounting, and operational requirements. The following retention periods apply:
- Account data (name, email, profile, authentication credentials) — retained for the duration of your account. After account deletion, retained in backups for up to 30 days, after which it is permanently deleted.
- Raw monitoring check results (individual uptime checks, response times, status codes) — automatically deleted after 30 days.
- Aggregated statistics (hourly and daily rollups for uptime charts and historical reporting) — retained according to your plan's history limits (12 or 24 months). Deleted within 30 days of account deletion.
- Monitor and alert configuration (monitor definitions, alert rules, notification channels, escalation rules) — retained for the duration of your account. Deleted within 30 days of account deletion.
- Incident records — retained for the duration of your account. Deleted within 30 days of account deletion.
- Notification logs (alert delivery history) — automatically deleted after 90 days.
- AI insights and actions (AI-generated analysis, incident summaries, automated resolution actions) — automatically deleted after 90 days.
- Anomaly records (detected statistical anomalies) — automatically deleted after 30 days.
- Workflow execution logs (automation run history) — automatically deleted after 90 days.
- Integration credentials (OAuth tokens, API keys for GitHub, Slack, Discord, etc.) — retained while the integration is connected. Revoked and deleted within 30 days of disconnection or account deletion.
- Status page configuration — retained for the duration of your account. Deleted within 30 days of account deletion.
- Security and diagnostic logs (Sentry error reports, request audit logs) — retained for up to 90 days for security monitoring, error diagnostics, and abuse prevention, unless a longer period is required for an active investigation or legal obligation.
- Contact form submissions — retained for up to 90 days unless required longer for an active support matter, security issue, dispute, or legal obligation.
- Waitlist and mailing-list records — retained while you remain subscribed. After unsubscribe, we retain minimal suppression-list records (email address and opt-out timestamp) for as long as needed to honor your opt-out and comply with anti-spam laws.
- Web analytics data (Umami, self-hosted) — anonymized and aggregated; no personal data is retained.
14. Data Security
We apply reasonable technical and organizational safeguards designed to protect personal information, including:
- Encrypted transmission (HTTPS/TLS) for all data in transit.
- Hashed password storage using industry-standard algorithms.
- Encryption at rest for OAuth tokens, API keys, and other sensitive credentials.
- Role-based access controls and least-privilege principles.
- Managed PostgreSQL and managed Redis on DigitalOcean App Platform with automated backups.
- Cloudflare DDoS protection and bot management.
- Application error monitoring via Sentry with access restricted to authorized personnel.
No system can be guaranteed 100% secure. We cannot guarantee absolute security of information transmitted over the internet.
15. Your Rights
Depending on your location, you may have rights to access, correct, delete, or limit use of your personal information. Submit requests to [email protected].
- We may need to verify your identity before processing requests.
- We aim to respond within timelines required by applicable law.
- If you receive promotional emails, you can unsubscribe at any time using the link in the message.
- For California residents, please see our California Notice at Collection above for CCPA/CPRA-specific rights and procedures.
- For EU/EEA/UK residents, please see our Article 13 Privacy Notice above for GDPR-specific rights and procedures.
16. Children's Privacy
Uptivus services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at [email protected] so we can delete it promptly.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised effective date. If we make material changes, we will provide notice through the Uptivus platform or by email where practicable.
Where a material change involves a new use of personal data that requires consent under applicable law, we will obtain that consent before the new use takes effect. Your continued use of our services after non-material updates constitutes acceptance of the revised policy; for material changes, we will notify you and, where required, seek your consent.
18. Contact
For privacy questions or requests, contact us at [email protected].