Legal

Privacy Policy

Effective: [pending counsel sign-off] · Last updated: 2026-04-26

The short version

RackWatch is a self-hosted product. The fleet telemetry your agents collect goes to a platform instance you run on hardware you own. We never see it. We have no access to your dashboard, your servers, or your data.

The only personal data we hold is what you give us through this website (rackwatch.io) — for example, your email when you sign up for a paid plan or send us a security report. That's it. No analytics, no cookies, no third-party tracking.

Draft — pending counsel review

The structure below is correct and the factual claims about data collection are accurate today. Final binding language for GDPR / UK GDPR / CCPA compliance will be drafted by counsel before paid plans launch.

1. Who we are

RackWatch is operated by [business entity pending — see below]. The data controller for this website's information is the same entity. For privacy questions, write to privacy@rackwatch.io.

[Operator: business entity name + registered address goes here once formed.]

2. What we collect on rackwatch.io

What	When	Why
Email address	Signup for paid plan, contact form, security reports	Account creation, support replies, billing
Billing details (name, address, card last-4, VAT ID)	Subscribing to a paid tier	Processing payment via our billing provider; legal/tax compliance
Server / agent metadata (counts, hostnames you choose to share with us)	Only if you email us debugging info; never automatic	Customer support
HTTP request logs (IP, user agent, path, timestamp)	Every request to rackwatch.io	Security, abuse prevention; rotated within 30 days

3. What we do not collect

No analytics. No Google Analytics, Plausible, Fathom, Mixpanel, Amplitude, Segment, or anything else. The website doesn't load any third-party scripts. More on this.
No tracking cookies. The only cookie set is a first-party authentication cookie when you sign in to the dashboard, and only on the page where you signed in.
No fleet telemetry. Your agents post to your platform. We don't see CPU graphs, host names, IPs, patch lists, or any data your agents collect.
No data sales, no ad networks, no profiling.

4. The product itself (running RackWatch on your hardware)

When you install the platform on a server you own, you become the data controller for the data your agents collect. We're not in the loop. Fleet telemetry never leaves your network.

Once paid plans launch, the platform performs a daily license check that transmits only the license key and current seat count to api.rackwatch.io — used to validate the subscription, surface the right tier on the dashboard, and detect seat-count overages. CPU graphs, host names, IP addresses, patch lists, and agent telemetry are not part of that check and never reach RackWatch the company. Air-gapped Enterprise deployments use signed offline keys with no check-in. Today, with billing not yet wired up, the binary makes no outbound calls of any kind. See security policy for details.

If you self-host on a public-cloud provider (AWS, GCP, Hetzner, etc.), that provider is your subprocessor, not ours.

5. Subprocessors we use for the website / billing

For the website, billing, and email, we rely on a small number of vendors. The current list lives at /subprocessors.html and is updated whenever we add or remove one. We notify B2B customers under DPA 30 days before a new subprocessor handles their data.

6. Cookies

Browser cookies set by RackWatch:

rackwatch_session — first-party, HTTPOnly, Secure, SameSite=Lax. Set when you sign in to the dashboard. Holds your auth token. Cleared on sign-out.

That's the entire cookie list. No tracking, no analytics, no third-party cookies.

7. Data retention

Account email + billing data: kept while your account is active, plus statutory retention (typically 7 years for invoices) after closure.
Support emails: 24 months, then deleted.
HTTP request logs: 30 days.
Cancelled trials with no conversion: deleted within 60 days.

8. Your rights (GDPR / UK GDPR / CCPA)

You can request:

A copy of the personal data we hold about you
Correction of inaccurate data
Deletion of your data (subject to legal retention obligations like tax records)
Export of your data in a portable format
Opt-out of any non-essential processing

Email privacy@rackwatch.io. We respond within 30 days.

[Counsel: regional rights expansion — DPA reference for B2B, jurisdiction-specific clauses.]

9. Data Processing Addendum (B2B)

If you're a business customer in the EU, UK, or other GDPR-equivalent jurisdictions, our Data Processing Addendum (DPA) is available on request. Email privacy@rackwatch.io with your company name and we'll send the current version.

[Counsel: DPA template with SCCs for EU→US transfers, list of subprocessors as Annex, security measures as Schedule.]

10. International transfers

RackWatch is hosted on infrastructure that may store data in the US and the EU. Where personal data is transferred from the EU/UK to the US or other third countries, we rely on Standard Contractual Clauses or other adequate transfer mechanisms.

[Counsel: confirm applicable transfer mechanism per subprocessor; check Schrems II posture.]

11. Changes to this policy

We'll announce material changes with at least 30 days' notice via email to the account contact. The version date at the top of this page will reflect the most recent update.

12. Contact

Privacy questions or rights requests: privacy@rackwatch.io. Security reports: security@rackwatch.io.