Privacy policy
Last updated: April 2026
1. Who we are
StatusPulse is a service operated by Tesla Tech, a company registered in Portugal. When we say "we", "us", or "StatusPulse", we mean the company providing the monitoring and status page service at statuspulse.ai and at any custom domains you configure on your status pages.
For the purposes of the EU General Data Protection Regulation (GDPR), Tesla Tech is the data controller for data about our account holders (you) and the data processor for data you upload into StatusPulse about the people and services you probe. You remain the controller for that data.
Contact for anything in this policy: privacy@statuspulse.ai.
2. What this policy covers
This policy explains:
- The personal data we collect, and why.
- The legal basis we rely on under GDPR.
- Who we share it with (our sub-processors).
- How long we keep it.
- Your rights, and how to exercise them.
It covers the StatusPulse website, the authenticated dashboard, the public status pages hosted by us on behalf of our customers, and the email / SMS notifications we send on behalf of our customers.
3. Data we collect
3.1 Account data
When you sign up, we collect:
- Email address (used to log in and to receive service-related emails).
- Display name.
- Company / tenant name.
- Password — never stored in plaintext; authentication is handled by Microsoft Entra External ID (CIAM), which stores only a salted hash.
- Plan selection and billing status.
3.2 Probe configuration
You create probes that describe what services to watch. We store:
- The probe name, type (HTTP, ping, TCP, etc.), and target URL or host.
- Check interval, expected response codes, HTTP headers and request body (which may contain API keys you add — treat the probe configuration as confidential).
- Check results: timestamp, status, latency, error messages. Historical check results are retained according to your plan's history retention limit.
3.3 Incident recipients ("Persons" and "Groups")
To alert the right people when a probe fails, you add Persons. For each person you add, we store:
- Name and email address (always).
- Phone number and country code (only if you configure SMS alerts for that person).
- An unsubscribe token tied to that person.
- Their subscription preferences (which probes, which events).
- Whether they're blocked from receiving emails or SMS (hard opt-out).
You are the controller for this data. When you add someone as a Person, you are representing that you have a lawful basis to contact them about incidents on the services you probe (for example: they are on-call, they work at a company whose service you've agreed to probe, or they are a customer who asked to be alerted).
3.4 Status page subscribers
When a public status page offers email subscriptions, subscribers enter their email address. We store the email, the status page they subscribed to, and an unsubscribe token. They are the controller of their own subscription; we are the processor.
3.5 Notification log
For every email or SMS we send (incident alerts and test messages), we log: timestamp, recipient name / email / phone (as it was at send time), channel, outcome (sent or failed), and the error reason if it failed. This is an audit trail for you — it answers "did we actually send that alert?" — and is accessible to our support team to help you diagnose delivery problems.
3.6 Technical and usage data
- IP addresses — where we store them (abuse prevention, rate limiting), we store only a salted hash, not the raw address.
- Browser user-agent string, collected at waitlist signup and at sign-in.
- Basic web server logs (request path, response code, timestamp) retained for a limited period for debugging and security monitoring.
- Error logs when something breaks in the app, including the relevant user ID and request path.
3.7 Payment data
When StatusPulse launches paid plans, payment will be processed by a PCI-DSS-compliant payment provider. We will store the plan you selected and billing status. We will never see or store your full card number — only the last four digits and a tokenised reference from the provider.
3.8 Cookies and local storage
We use a minimal set of cookies:
- Authentication cookies to keep you signed in (first-party, essential).
- Theme preference (light/dark), stored in local storage, first-party, essential.
- Anti-forgery tokens for form submissions, first-party, essential.
We do not use third-party analytics, advertising, or tracking cookies on the dashboard. The marketing site may use a privacy-respecting analytics tool (e.g. Plausible or a self-hosted equivalent) in aggregate form only — we'll update this policy before turning it on.
4. Why we use your data (purposes and legal basis)
Under GDPR Article 6, each processing activity needs a legal basis. Here's ours:
- Providing the service (running your probes, storing results, sending alerts, hosting status pages): performance of contract (Art. 6(1)(b)).
- Billing and account management: performance of contract and legal obligation (Art. 6(1)(b) and 6(1)(c)) — we need to keep invoicing records for tax purposes.
- Service-related emails (password resets, plan changes, incident alerts): performance of contract (Art. 6(1)(b)).
- Abuse prevention, rate limiting, security monitoring: legitimate interest (Art. 6(1)(f)) — keeping the service up for everyone.
- Product improvement and debugging based on aggregate usage and error logs: legitimate interest (Art. 6(1)(f)).
- Marketing email from us to our own customers: legitimate interest, with an unsubscribe link in every email.
- Waitlist emails before sign-up: consent (Art. 6(1)(a)) given when you joined the list.
5. Who we share data with (sub-processors)
We keep the list of sub-processors short. The current list:
- Microsoft Azure — hosting infrastructure (App Service, Azure SQL, storage). Tenants are provisioned in either US or EU Azure regions.
- Microsoft Entra External ID (CIAM) — user authentication, password storage.
- Azure Communication Services — delivery of outbound email and SMS (including international SMS via local carriers).
- Payment provider (to be named before paid plans launch) — PCI-DSS certified, card data processed directly by them.
When you configure a Slack, Microsoft Teams, or webhook integration, incident data is sent to the URL you provided. Those services are not our sub-processors — you control the destination. The webhook URL itself is stored as-is because it's the delivery address.
We will update this list before adding a new sub-processor that touches personal data, and will give existing customers reasonable notice and an opportunity to object.
6. International data transfers
Our default is to keep your data in the EU. Where a sub-processor (such as Microsoft) may process data outside the EU — for example support staff based in other regions, or backup copies replicated for disaster recovery — the transfer is covered by the EU Standard Contractual Clauses (SCCs) or, where available, the data-privacy framework adequacy decision for the destination country.
SMS delivery is intrinsically international: a recipient in Brazil or the United States receives the message via local carriers. We limit what we send to the minimum required (recipient phone number and the alert body).
7. How long we keep your data
- Account data: while your account is active, and up to 30 days after cancellation, after which it is deleted or anonymised unless legal retention requires longer (tax records: up to 10 years).
- Check results: up to your plan's history retention window (7 days on Free, 365 days on Business).
- Notification logs: 12 months, then pruned.
- Error logs and web server logs: up to 90 days.
- Waitlist entries: until you're invited and sign up, or until you unsubscribe — whichever comes first.
- Billing records: as required by Portuguese tax law (currently 10 years).
8. Your rights under GDPR
If you are in the EU/EEA, UK, or a country with comparable rights, you can:
- Access the personal data we hold about you.
- Rectify inaccurate data (most of this you can do yourself in the dashboard).
- Erase your account and associated data. We'll delete within 30 days unless a legal obligation requires longer.
- Export your data in a machine-readable format (JSON / CSV).
- Object to processing based on legitimate interest, including marketing.
- Restrict processing while a dispute is being resolved.
- Withdraw consent for anything we process on that basis, at any time.
To exercise any of these, email privacy@statuspulse.ai. We'll respond within 30 days (usually faster).
If you believe we've mishandled your data, you have the right to complain to the Comissão Nacional de Proteção de Dados (CNPD) in Portugal, or to your local data protection authority.
9. Notifications sent to third parties on your behalf
When you configure StatusPulse to email or SMS someone who is not the account holder (a "Person" in our system, or a status page subscriber), the legal responsibility to have a lawful basis for that contact rests with you as the controller of that relationship. In practice:
- Every email we send on your behalf includes an unsubscribe link that honours the opt-out immediately and permanently (stored as EmailsBlocked on the recipient).
- SMS recipients can reply STOP to opt out at the carrier level; we also offer a per-person SmsBlocked toggle.
- If a recipient asks us directly to stop, we will honour the request and notify you.
10. Security
We describe our security posture in detail on the Security page. The short version: HTTPS everywhere with HSTS, encryption at rest, Microsoft Entra for authentication, salted IP hashes, least-privilege access controls, and an audit log for privileged actions.
If we become aware of a personal data breach likely to result in risk to individuals, we will notify the relevant supervisory authority within 72 hours, and affected users as soon as reasonably possible, as required by GDPR Articles 33 and 34.
11. Children
StatusPulse is a B2B service for engineers and operators. It is not intended for, and should not be used by, children under 16. We do not knowingly collect data from children. If we learn that we have, we will delete it.
12. Changes to this policy
We'll update this page when our practices change. Material changes (new sub-processors, new purposes for existing data, changes to retention) will be announced to account holders by email at least 30 days before they take effect, except where the change is required sooner by law.
The date at the top of this page always reflects the last modification.
13. Contact
For privacy questions, data subject requests, or to report a concern: privacy@statuspulse.ai.
For billing or account issues: support@statuspulse.ai.