Privacy Policy

This Privacy Policy explains how Media Luna ("we", "us", or "our") collects, uses, discloses, and safeguards your information when you use our uptime monitoring services.

Last updated: March 21, 2026

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Your name and email address
  • Organization/company name
  • Password (stored as a one-way cryptographic hash — we never store plaintext passwords)
  • Role and team membership within your account

1.2 Billing Information

When you subscribe to a paid plan, we collect billing details which are processed and stored by our payment processor, Stripe. We do not store credit card numbers on our servers. We may store:

  • Billing email, company name, and address
  • Tax/VAT identification numbers
  • Stripe customer and subscription identifiers

1.3 Monitor Configuration Data

We store the monitoring configurations you create, including:

  • URLs, hostnames, IP addresses, and ports of monitored endpoints
  • Check intervals, timeout settings, and expected response values
  • Custom HTTP headers and authentication credentials you provide for monitoring (encrypted at rest)

1.4 Monitoring Results & Metrics

As part of operating the service, we collect and store:

  • Response times, HTTP status codes, and SSL certificate details
  • Up/down status history and incident records
  • Aggregated performance metrics

Monitoring data is retained according to your subscription plan's retention limits.

1.5 Usage & Log Data

We automatically collect:

  • IP addresses and browser user-agent strings when you access the dashboard
  • Feature usage patterns (which pages you visit, actions you take)
  • Timestamps of account activity (login times, configuration changes)

1.6 Cookies

We use strictly necessary httpOnly cookies for session authentication. These cookies:

  • Are essential for the service to function (you cannot log in without them)
  • Cannot be read by JavaScript (httpOnly flag)
  • Are encrypted in transit (Secure flag)
  • Are not used for tracking or advertising

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Execute monitoring checks, detect downtime, and deliver notifications
  • Process Billing: Manage subscriptions, process payments, and send invoices
  • Send Notifications: Alert you about monitor status changes via your configured channels (email, Slack, SMS, PagerDuty, webhook, Telegram)
  • Improve the Service: Analyze usage patterns to improve performance, reliability, and features
  • Provide Support: Respond to your support requests and troubleshoot issues
  • Ensure Security: Detect and prevent fraud, abuse, and unauthorized access
  • Communicate Updates: Send service announcements, maintenance notifications, and policy updates

We do not sell your personal data. We do not use your data for advertising purposes.

3. Data Sharing & Third Parties

We share your information only with the following categories of service providers who assist in operating our platform:

Provider Purpose Data Shared
Stripe Payment processing Billing email, payment details
AWS / Cloud Provider Infrastructure hosting All service data (encrypted at rest)
Email Provider Transactional emails Recipient email, notification content
Twilio SMS notifications Phone number, alert message
Slack / PagerDuty / Telegram Notification delivery Alert content via user-configured webhooks

We may also disclose your information if required by law, court order, or to protect our rights and safety.

4. Data Retention

We retain your data as follows:

  • Account data: Retained while your account is active, deleted within 30 days of account deletion
  • Monitoring metrics: Retained according to your plan's retention period (1–365 days depending on plan)
  • Incident history: Retained according to your plan's retention period (7–365 days depending on plan)
  • Billing records: Retained for 7 years as required by tax and accounting regulations
  • Server logs: Automatically rotated and deleted after 90 days

5. Data Security

We implement industry-standard security measures:

  • Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS)
  • Encryption at rest: Database and storage volumes are encrypted using AES-256
  • Password security: Passwords are hashed using bcrypt with per-user salts
  • Access controls: Role-based access control (RBAC) with ADMIN, EDITOR, and VIEWER roles
  • Two-factor authentication: Optional TOTP-based 2FA for user accounts
  • API security: Scoped API keys with least-privilege principles
  • Multi-tenancy isolation: Strict account-level data isolation — users can never access another account's data
  • Security headers: HSTS, CSP, X-Frame-Options, and other protective headers

6. Your Rights (GDPR & Privacy Laws)

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate personal data via your account settings
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data
  • Right to Data Portability: Export your data in a machine-readable JSON format
  • Right to Restrict Processing: Request that we limit how we use your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

How to Exercise Your Rights

You can exercise most of these rights directly through the Media Luna dashboard:

  • Data Export: Go to Settings → Account → "Export My Data" to download a JSON export of all your account data
  • Account Deletion: Go to Settings → Account → Danger Zone → "Delete Account" to permanently erase all data
  • Profile Updates: Go to Settings → Profile to update your personal information

For any other requests, contact us at [email protected]. We will respond within 30 days.

7. International Data Transfers

Our services are hosted in the United States and European Union. If you access our services from outside these regions, your data may be transferred internationally. We ensure appropriate safeguards through:

  • EU Standard Contractual Clauses (SCCs)
  • Data processing agreements with all sub-processors
  • Adequacy decisions where applicable

8. Children's Privacy

Media Luna is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or through a prominent notice on our dashboard. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us:

For EU residents, you also have the right to lodge a complaint with your local Data Protection Authority.