Legal

Privacy policy

Last updated 24 June 2026

This policy explains, in plain language, what personal data Hesklo handles and the control you have over it. Some operational details are still being finalised and will be added here as they are confirmed.

Contents

  1. Who we are
  2. Data we collect
  3. How we use it
  4. Legal basis
  5. Sharing and processors
  6. Retention
  7. Security
  8. Your rights
  9. Cookies
  10. International transfers
  11. Changes
  12. Contact

01 Who we are

Hesklo ("Hesklo", "we", "us") provides a monitoring and on-call service that checks the availability of websites and servers and delivers alerts according to rules you configure. For the purposes of the EU General Data Protection Regulation (GDPR), Hesklo is the data controller for the personal data described in this policy. Our full legal and registration details will be published here once finalised.

This policy explains what personal data we handle, why, and what control you have over it.

02 Data we collect

Account data

When you register we store your email address, an optional display name, and a hashed (bcrypt) form of your password. We never store passwords in plain text.

Configuration data

The monitors, flows, schedules and connections you create. Connection credentials such as webhook URLs, API tokens and SMS provider secrets are encrypted at rest. Recipient details you enter, such as alert email addresses and phone numbers, are stored so we can deliver alerts.

Operational data

Check results, uptime history, incident events and the notifications we send on your behalf, retained for the window included in your plan.

Technical data

Standard server logs including IP address, browser user-agent and timestamps, kept for security and abuse prevention. We use Cloudflare Turnstile to tell humans from bots at sign-in; this processes limited technical signals from your browser.

Billing data

If you subscribe to a paid plan, payments are handled by Stripe. We do not see or store your full card number. We retain your plan, subscription status and Stripe customer reference.

03 How we use it

  • To run the service: perform your checks, evaluate your flows and deliver alerts.
  • To authenticate you, including email-based two-factor codes and account confirmation.
  • To process payments and manage subscriptions through Stripe.
  • To keep the service secure, prevent abuse and diagnose faults.
  • To contact you about service matters such as security notices and account changes.

We do not sell your personal data, and we do not use it for advertising.

Under GDPR we rely on: performance of a contract to provide the service you signed up for; legitimate interests for security, abuse prevention and keeping the service working; consent where you actively confirm an alert recipient address; and legal obligation for records we are required to keep, such as billing records.

05 Sharing and processors

We share data only with service providers ("processors") who help us run Hesklo, and only as needed. These currently include:

  • Stripe — payment processing.
  • Cloudflare — bot protection (Turnstile) and network services.
  • Maileroo — transactional and alert email delivery.
  • Reoon — email address verification.
  • An SMS provider — SMS alert delivery, for accounts that use SMS notifications.
  • Our hosting provider — infrastructure hosting.

When you configure a notify step, the relevant alert content is also sent to the destination you chose (Slack, Discord, Teams, PagerDuty, Jira or your own webhook). Those services process that data under their own terms.

06 Retention

Account and configuration data are kept while your account is active. Check results and incident history are kept for the window included in your plan, then aged out. If you delete a monitor, its history and incident state are removed. If you close your account we delete or anonymise your personal data within a reasonable period, except records we must keep by law such as billing records.

07 Security

Passwords are hashed with bcrypt. Integration secrets are encrypted at rest. Access to the service is over HTTPS, sign-in supports email-based two-factor authentication, and your monitors, connections and history are scoped to your account. No system is perfectly secure, but we take reasonable measures to protect your data.

08 Your rights

Subject to GDPR, you have the right to access your data, correct it, delete it, restrict or object to processing, and receive a portable copy. You can update your email, display name and password, and delete monitors, from inside the dashboard. For anything else, contact us using the details below. You also have the right to lodge a complaint with your local supervisory authority; in Sweden this is the Integritetsskyddsmyndigheten (IMY).

09 Cookies

We use a small number of strictly necessary cookies to keep you signed in and to operate Cloudflare Turnstile. We do not use advertising or third-party tracking cookies. Because these cookies are essential to the service, they are set without a consent banner; if you block them, sign-in will not work.

10 International transfers

Some of our processors operate outside the European Economic Area. Where data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

11 Changes

We may update this policy from time to time. When we do, we will revise the "last updated" date above and, for material changes, notify you by email or in the dashboard.

12 Contact

For privacy questions or to exercise your rights, contact us at [email protected].

Questions about your data?

We're happy to explain anything in this policy.

Email us