Privacy Policy
RackWatch is a self-hosted product. The fleet telemetry your agents collect goes to a platform instance you run on hardware you own. We never see it. We have no access to your dashboard, your servers, or your data.
The only personal data we hold is what you give us through this website (rackwatch.io) — for example, your email when you sign up for a paid plan or send us a security report. That's it. No analytics, no cookies, no third-party tracking.
1. Who we are
RackWatch is a product operated by Mondaluk Data Solution LLC, a Minnesota limited liability company. Mondaluk Data Solution LLC is the data controller for information collected via this website and for any personal data processed by the marketing site or billing flow. For privacy questions, write to privacy@rackwatch.io.
2. What we collect on rackwatch.io
| What | When | Why |
|---|---|---|
| Email address | Signup for paid plan, contact form, security reports | Account creation, support replies, billing |
| Billing details (name, address, card last-4, VAT ID) | Subscribing to a paid tier | Processing payment via our billing provider; legal/tax compliance |
| Server / agent metadata (counts, hostnames you choose to share with us) | Only if you email us debugging info; never automatic | Customer support |
| HTTP request logs (IP, user agent, path, timestamp) | Every request to rackwatch.io | Security, abuse prevention; rotated within 30 days |
3. What we do not collect
- No analytics. No Google Analytics, Plausible, Fathom, Mixpanel, Amplitude, Segment, or anything else. The website doesn't load any third-party scripts.
- No tracking cookies. The only cookie set is a first-party authentication cookie when you sign in to the dashboard, and only on the page where you signed in.
- No fleet telemetry. Your agents post to your platform. We don't see CPU graphs, host names, IPs, patch lists, or any data your agents collect.
- No data sales, no ad networks, no profiling.
4. The product itself (running RackWatch on your hardware)
When you install the platform on a server you own, you become the data controller for the data your agents collect. We're not in the loop. Fleet telemetry never leaves your network.
Your license key is an offline-verified Ed25519 token. The platform checks the signature against a public key embedded in the binary at build time — there is no daily check-in, no phone-home, no outbound call to RackWatch. This applies to every tier (Homelab, Standard, Scale, Enterprise) — air-gap is the default, not a paid feature. The only systems that ever see your fleet data are the agents and the platform you run; RackWatch the company has no path to it. See the security policy for cryptographic details.
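As an added illustration of the offline check described above (not RackWatch's code; the token layout, claim names and function names are assumptions), a minimal Ed25519 license verifier in Go: the embedded public key is the only thing the product needs, and a tampered, expired or foreign-key token is rejected without any outbound call.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// License holds the claims of a hypothetical token layout (not RackWatch's own): base64url(JSON claims) "." base64url(Ed25519 signature over the JSON bytes).
type License struct {
	Customer string `json:"customer"`
	Tier     string `json:"tier"`
	Expires  int64  `json:"expires"` // Unix seconds
}

// VerifyLicense checks a token entirely offline against pub, the key a build would embed; the signature is verified before any claim is parsed or trusted.
func VerifyLicense(pub ed25519.PublicKey, token string, now time.Time) (*License, error) {
	head, tail, ok := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(head)
	sig, err2 := base64.RawURLEncoding.DecodeString(tail)
	if !ok || err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed token")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature does not verify against embedded key")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, errors.New("claims are not valid JSON")
	}
	if now.Unix() > lic.Expires {
		return nil, errors.New("license expired")
	}
	return &lic, nil
}

// IssueLicense is the vendor-side step; priv never ships inside the product binary.
func IssueLicense(priv ed25519.PrivateKey, lic License) string {
	payload, _ := json.Marshal(lic)
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, payload))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed keypair; a real build embeds a fixed pub
	tok := IssueLicense(priv, License{Customer: "example-lab", Tier: "Homelab", Expires: time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyLicense(pub, tok, time.Now())) // needs only pub and tok: no network, no phone-home
}
```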
If you self-host on a public-cloud provider (AWS, GCP, Hetzner, etc.), that provider is your subprocessor, not ours.
5. Subprocessors we use for the website / billing
For the website, billing, and email, we rely on a small number of vendors. The current list lives at /subprocessors.html and is updated whenever we add or remove one. We notify B2B customers under a DPA 30 days before a new subprocessor handles their data.
6. Cookies
Browser cookies set by RackWatch:
- rackwatch_session — first-party, HttpOnly, Secure, SameSite=Lax. Set when you sign in to the dashboard. Holds your auth token. Cleared on sign-out.
That's the entire cookie list. No tracking, no analytics, no third-party cookies.
7. Data retention
- Account email + billing data: kept while your account is active, plus statutory retention (typically 7 years for invoices) after closure.
- Support emails: 24 months, then deleted.
- HTTP request logs: 30 days.
- Cancelled trials with no conversion: deleted within 60 days.
8. Your rights (GDPR / UK GDPR / CCPA)
You can request:
- A copy of the personal data we hold about you
- Correction of inaccurate data
- Deletion of your data (subject to legal retention obligations like tax records)
- Export of your data in a portable format
- Opt-out of any non-essential processing
Email privacy@rackwatch.io. We respond within 30 days.
California (CCPA / CPRA)
California residents have the right to know what personal information we hold about them, request its deletion, opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising, and not be discriminated against for exercising these rights. RackWatch does not sell or share personal information for behavioral advertising. Exercise rights via privacy@rackwatch.io.
EU / UK (GDPR / UK GDPR)
Where we process personal data of individuals in the EU or UK, RackWatch acts as data controller for marketing-site visitors and as data processor for B2B customers (see §9). The legal basis for processing is contract performance (paying customers), legitimate interest (security and abuse prevention), or consent (where required and given). You have the right to access, rectify, erase, port, restrict, or object to processing of your personal data. You may also lodge a complaint with your local supervisory authority.
Other jurisdictions
If your jurisdiction grants additional rights (Brazil LGPD, Canada PIPEDA, Australian Privacy Act, etc.), those rights apply in addition to the rights listed above. Email us and we'll honor them.
9. Data Processing Addendum (B2B)
If you're a business customer in the EU, UK, or other GDPR-equivalent jurisdictions, our Data Processing Addendum (DPA) is available on request. Email privacy@rackwatch.io with your company name and we'll send the current version (countersigned within 10 business days).
Summary of DPA terms
When RackWatch processes personal data on a customer's behalf — for example, agent telemetry that includes user identifiers from monitored servers — the customer is the data controller and RackWatch is the data processor under GDPR Article 28. We:
- Process personal data only on documented instructions from the customer (these Terms and the DPA)
- Require confidentiality from personnel who access personal data
- Implement appropriate technical and organizational security measures (described in our security policy)
- Don't engage subprocessors without prior authorization (general authorization granted via the subprocessor list; 30-day notice for material changes)
- Assist the customer with data-subject requests and security incident notifications
- Delete or return personal data at the end of the engagement, except where retention is required by law
EU → US transfers
For personal data transferred from the EU/UK to the US, we rely on the EU–US Data Privacy Framework where the receiving subprocessor is certified, and on the European Commission's Standard Contractual Clauses (Module 3, processor-to-processor) otherwise. Transfer mechanisms per subprocessor are documented at /subprocessors.html.
10. International transfers
RackWatch's marketing site, billing, and email infrastructure are hosted on subprocessors that may store data in the US and the EU. Where personal data is transferred from the EU/UK to a third country, we rely on the EU–US Data Privacy Framework (where the subprocessor is certified) or on the European Commission's Standard Contractual Clauses, with supplementary measures (encryption in transit and at rest, access controls, audit logs) addressing the post-Schrems II requirements.
Each subprocessor's transfer mechanism is documented at /subprocessors.html. Enterprise customers can request the corresponding transfer impact assessment under NDA.
11. Changes to this policy
We'll announce material changes with at least 30 days' notice via email to the account contact. The version date at the top of this page will reflect the most recent update.
12. Contact
Privacy questions or rights requests: privacy@rackwatch.io. Security reports: security@rackwatch.io.