Privacy Policy & RGPD
Clear information about the data we process and your rights under European regulation.
1. Data controller
MCS (in the process of incorporation)
5Q Avenue des Naudières
44800 Saint-Herblain
France
Contact for privacy requests: use the support channels available after login or the company address above.
2. Data we collect
- Account information: email address and authentication details (password hash or OAuth tokens from Google/GitHub).
- Resources you monitor: hostnames, ports, full URLs, monitor configuration (method, expected status, keywords, intervals). These are chosen and controlled by you.
- Alert destinations: the email addresses, Slack incoming webhooks, or custom HTTP endpoints you configure for notifications.
- Public checker usage: only the hostname submitted. Protected by Cloudflare Turnstile and rate limiting. No account required.
- Operational data: check results, certificate details (public information), check history, and idempotency records for alerts.
3. Why we process it (purposes)
We use the data strictly to deliver the service: performing scheduled certificate and uptime checks, storing results for your dashboard, and sending the alerts you configured. The legal basis is performance of the contract, together with legitimate interest for abuse prevention and security.
4. Data minimization & security
- We only read the certificate presented on port 443 (passive TLS). We never perform active vulnerability scans or port sweeps.
- Public endpoints are heavily rate-limited and protected by Turnstile.
- Sessions use short-lived tokens stored in Cloudflare KV (httpOnly, Secure, SameSite=Lax).
- No third-party marketing or analytics trackers on the marketing site or application.
5. Storage locations & subprocessors
- Primary database and cache: Cloudflare D1 and Workers KV (data residency depends on your Workers account configuration; we prioritize EU-friendly routing where possible).
- Email delivery: Resend (we configure EU endpoints when available).
- TLS probe: short-lived processing on Google Cloud europe-west1 (Europe). Only the hostname is sent; the probe returns public certificate metadata and immediately discards the connection.
- Certificate Transparency: public queries to crt.sh (no user data transmitted).
6. Retention
Monitors, domains and their check history remain until you delete them or close your account. Idempotency records for alerts are kept for a limited window (to prevent duplicate notifications). You can export or delete your data directly from the dashboard.
7. Your rights under the RGPD
You can exercise the following rights at any time:
- Right of access and portability
- Right to rectification and erasure ("right to be forgotten")
- Right to restriction and objection
- Right to lodge a complaint with the CNIL or your local supervisory authority
To exercise any right, contact us using the details above. We will handle requests without undue delay.
8. Changes to this policy
We will update this page when practices change. The date at the bottom indicates the last revision. Significant changes will be communicated via the app or email where appropriate.
This policy applies to certfleet.net, the public SSL checker, and the CertFleet application.