Privacy Policy | VitalSentinel

1. Introduction

mountain explorer, s. r. o. ("we", "us", or "our") operates the VitalSentinel website, application, and tracking scripts (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service.

This policy covers two types of data subjects:

VitalSentinel Users: Individuals who create accounts and use our dashboard
Website Visitors: End-users who visit websites that use our tracking scripts

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller Information

mountain explorer, s. r. o.

Karpatske namestie 7770/10A

83106 Bratislava

Slovakia (European Union)

Company ID: 53226119

VAT ID: SK2121306704

Email: privacy@vitalsentinel.com

3. Data Collection from VitalSentinel Users

3.1 Account Information

When you create an account, we collect:

Email address (required)
Password (stored securely encrypted)
First name and last name (optional)
Account creation and last login timestamps
Email verification status

3.2 Authentication and Security Data

Two-factor authentication (2FA) configuration
Trusted device information (device name, browser, OS, location)
Session data
Login history

3.3 Workspace and Team Data

Workspace names and settings
Team member email addresses and roles
Invitation records

3.4 Domain Configuration

Website URLs you choose to monitor
Alert rules and notification preferences
Integration credentials (Google OAuth tokens for Analytics/Search Console access)

3.5 Billing Information

Stripe customer and subscription IDs
Billing cycle and subscription status
Payment history (processed by Stripe; we do not store full card details)

3.6 Support Communications

Support ticket messages and attachments
Feedback and feature requests

4. Data Collection from Website Visitors (Via Tracking Scripts)

When VitalSentinel users install our tracking scripts on their websites, we collect data from their website visitors on their behalf. The website operator is the Data Controller for this data, and we act as the Data Processor.

4.1 Real User Monitoring (RUM) Script

The RUM script collects:

Performance Metrics: Core Web Vitals (LCP, FCP, CLS, INP, TTFB), Long Animation Frames, resource timing
Device Information: Device type (desktop/mobile/tablet), screen dimensions, CPU cores, memory, device pixel ratio
Browser Information: Browser type and version, operating system, user agent string
Network Information: Connection type (4G, 3G, WiFi), effective bandwidth, round-trip time
Navigation Data: Page URLs, referrer information, SPA route changes
Error Data: JavaScript errors, unhandled promise rejections, resource loading errors
Engagement Data (optional): Scroll depth, click interactions (when enabled)
Geographic Location: Country and city derived from IP address
IP Address Handling: IP addresses are used for geolocation and then discarded; we do not store raw IP addresses in RUM data
Session Identifier: Temporary session ID for grouping events (not persistent across sessions)

The RUM script may collect additional technical data beyond what is listed above to ensure proper functionality. All collected data is anonymized and encrypted during transmission and storage.

4.2 Web Analytics Script

The Analytics script collects:

Pageview Data: Page URLs, titles, referrer sources
Event Tracking: Custom events defined by the website operator
User Identification: Optional user ID (if provided by website operator, can be hashed)
Session/Visitor Tracking: Session ID and visitor ID for analytics
Attribution Data: UTM parameters, referrer, first-touch source
Search Tracking: On-site search queries
Outbound Links: Clicks to external websites
Ecommerce Data: Product views, purchases (for supported platforms like Shopify, WooCommerce)

The Analytics script may collect additional data beyond what is listed above depending on website configuration. All collected data is anonymized and encrypted during transmission and storage.

4.3 Privacy Controls for Tracking Scripts

Our scripts include privacy-friendly features:

Sampling Rate: Configurable to collect only a percentage of visitor data
Text Masking: Option to mask text content in error reports
Query Parameter Filtering: Automatic removal of sensitive URL parameters
Do Not Track (DNT): Respects browser DNT headers when enabled
Bot Detection: Excludes known bots and crawlers from tracking
No Persistent Cookies: RUM script does not set persistent cookies by default

5. Information for Website Visitors

If you are visiting a website that uses VitalSentinel tracking scripts, this section is for you.

VitalSentinel provides performance monitoring tools to website operators. When you visit a website using our scripts, certain data about your visit may be collected to help the website owner understand and improve their site's performance.

What data may be collected:

Page loading speed and performance metrics
Device type (desktop, mobile, tablet) and screen size
Browser type and operating system
Network connection type (WiFi, 4G, etc.)
Pages you visit and how you navigate the site
General geographic location (country/city level, derived from IP)
JavaScript errors encountered during your visit

What we do NOT collect:

Your name, email, or contact information (unless provided to the website)
Passwords or payment card details
Your precise location or home address
Content of forms you fill out (text is masked by default)

Your choices:

Our scripts respect the "Do Not Track" (DNT) browser setting when configured by website operators
We do not set persistent tracking cookies by default
To exercise your data rights, contact the website operator directly—they are the Data Controller for your data
You can also contact us at privacy@vitalsentinel.com with questions about our data processing practices

Data Controller vs. Data Processor:

The website you visited is the Data Controller and decides what data to collect and why. VitalSentinel acts as a Data Processor, processing this data on their behalf according to their instructions.

6. Automatically Collected Information (Our Website)

When you access our website or dashboard, we automatically collect:

Log Data: IP address, access times, pages viewed, referring URL
Device Information: Browser type, operating system, device type
Usage Data: Features used, actions taken within the dashboard

7. How We Use Your Information

We use the collected information to:

Provide, operate, and maintain the Service
Create and manage your account
Process monitoring data and generate reports
Send alerts and notifications based on your configured rules
Process payments and manage subscriptions
Respond to support inquiries
Send administrative communications (security alerts, service updates)
Analyze usage patterns to improve the Service
Detect, prevent, and address security issues
Comply with legal obligations

Anonymized Data for Research and Improvement

We may use anonymized and aggregated data at scale from all accounts, workspaces, and domains across our platform for:

Improving our algorithms, models, and service quality
Conducting research and analyses on web performance trends
Creating industry benchmarks, statistics, and reports
Training and improving AI-powered features
Developing new features and services

This anonymized and aggregated data excludes all personally identifiable information and cannot be traced back to any individual user, website visitor, account, or specific domain. By using our Service, you consent to this use of anonymized data.

8. Legal Basis for Processing (GDPR)

Under the GDPR, we process personal data based on the following legal grounds:

Contract Performance: Processing necessary to provide the Service you requested
Legitimate Interests: Improving our Service, security, fraud prevention, and analytics
Consent: For optional features like marketing communications
Legal Obligation: Compliance with applicable laws and regulations

For data collected via tracking scripts from website visitors, we process data as a Data Processor on behalf of our customers (the Data Controllers).

9. Data Sharing and Sub-processors

We share data with the following categories of third-party service providers:

9.1 Infrastructure and Hosting

Contabo (Germany, EU) - Primary server hosting and infrastructure
Amazon Web Services (AWS) - Cloud infrastructure and email delivery via AWS SES
Cloudflare - CDN, DDoS protection, and security services

9.2 Payment Processing

Stripe - Payment processing, subscription management, and billing

9.3 Analytics and Integrations

Google Cloud Platform - Google Analytics, Search Console, CrUX, and PageSpeed Insights APIs

9.4 Geolocation Services

MaxMind - IP-to-location database for geographic reporting

9.5 AI Services

Anthropic - AI-powered analysis and features

We may also share information when:

Required by law, regulation, or legal process
Necessary to protect our rights, privacy, safety, or property
In connection with a merger, acquisition, or sale of assets (with notice)

We do not sell personal information to third parties.

10. Google API Services User Data Policy

VitalSentinel's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

10.1 Google Data We Access

When you connect your Google account, we may access:

Google Analytics: Website traffic data, user behavior metrics, and audience insights for domains you own
Google Search Console: Search performance data, indexing status, and search queries for your verified properties
PageSpeed Insights API: Performance scores and recommendations for your URLs
Chrome UX Report (CrUX): Real-world performance metrics from Chrome users

10.2 How We Use Google Data

We use data obtained from Google APIs solely to:

Display your website analytics and search performance in your VitalSentinel dashboard
Generate performance reports and alerts based on your configured thresholds
Provide insights and recommendations to improve your website performance
Correlate Google data with our own monitoring data to give you a complete picture

10.3 Google Data Protection and Prohibited Uses

We protect your Google data with the following measures:

Google OAuth tokens are stored securely encrypted and are only used to fetch data on your behalf
Access to Google data is limited to the minimum necessary to provide the Service
We use encryption to protect your information during transmission and storage
Security procedures are in place to protect the confidentiality of your data

We do NOT use Google user data for any of the following purposes:

Selling to third parties, data brokers, or information resellers
Targeted, personalized, retargeted, or interest-based advertising
Determining creditworthiness or for lending purposes
Training artificial intelligence (AI) or machine learning (ML) models
Building user profiles for advertising purposes
Any purpose other than providing or improving VitalSentinel's user-facing features

We do not transfer or disclose your Google user data to third parties except as necessary to provide and improve VitalSentinel's functionality (such as secure cloud hosting infrastructure).

10.4 Google Data Retention and Deletion

Google data is cached temporarily to improve performance and reduce API calls. You can revoke VitalSentinel's access to your Google data at any time by:

Disconnecting the integration from your VitalSentinel dashboard settings
Removing VitalSentinel from your Google Account's connected apps at myaccount.google.com/permissions

When you disconnect Google integrations or delete your account, all cached Google data is deleted within 30 days.

11. International Data Transfers

Your information may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards including:

Standard Contractual Clauses approved by the European Commission
Transfers to countries with adequate data protection laws
Other legally recognized transfer mechanisms

Our primary infrastructure is hosted in Germany (EU) via Contabo.

12. Data Retention

We retain data for different periods depending on the type:

Account Data: Retained while your account is active and for 90 days after deletion request
RUM and Analytics Data: Retained according to your subscription plan (1-12 months)
Audit Logs: Retained for up to 12 months for security purposes
Support Communications: Retained for up to 3 years after resolution
Billing Records: Retained as required by tax and accounting laws

Upon account deletion, we will delete or anonymize your data within 90 days, except where retention is required by law.

13. Cookies and Tracking Technologies

We use cookies and similar technologies:

13.1 Essential Cookies

Authentication: Secure cookies to keep you logged in
Security: Cookies to protect against unauthorized actions

13.2 Analytics Cookies

Website analytics: To understand how visitors use our marketing website

13.3 Our Tracking Scripts

The RUM script does not set persistent cookies by default. The Analytics script may use:

Session storage: Temporary data cleared when browser closes
Local storage: Visitor ID for returning visitor recognition (if configured)

Website operators can configure storage consent levels: "none", "session", or "persistent".

14. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

Right of Access: Request a copy of your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Restrict Processing: Request limitation of data processing
Right to Data Portability: Receive your data in a portable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at privacy@vitalsentinel.com. We will respond within 30 days.

For website visitors: If you visited a website using VitalSentinel tracking, please contact that website operator directly to exercise your rights, as they are the Data Controller for that data.

You have the right to lodge a complaint with a supervisory authority, particularly in your EU Member State of residence.

15. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

Encryption of data in transit and at rest
Secure password storage
Two-factor authentication (2FA) support
Secure session management
Regular security assessments and updates
Access controls and activity logging
Encrypted backups

While we strive to protect your data, no method of transmission over the Internet is 100% secure.

16. Email Communications

We send the following types of emails:

16.1 Transactional Emails (Required)

Account verification and password reset
Security notifications (login from new device, 2FA changes)
Billing confirmations and invoices
Service announcements and critical updates

16.2 Alert Notifications (Configurable)

Domain monitoring alerts (uptime, performance, SSL)
Weekly domain summary reports (opt-in per domain)

You can manage notification preferences in your account settings.

17. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of changes by:

Posting the new Privacy Policy on this page
Updating the "Last updated" date
Sending email notification for significant changes

We encourage you to review this Privacy Policy periodically.

19. Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: privacy@vitalsentinel.com

Address:
mountain explorer, s. r. o.
Karpatske namestie 7770/10A
83106 Bratislava
Slovakia (European Union)