Legal
Privacy policy
Last updated 24 June 2026
Contents
01 Who we are
Hesklo ("Hesklo", "we", "us") provides a monitoring and on-call service that checks the availability of websites and servers and delivers alerts according to rules you configure. For the purposes of the EU General Data Protection Regulation (GDPR), Hesklo is the data controller for the personal data described in this policy. Our full legal and registration details will be published here once finalised.
This policy explains what personal data we handle, why, and what control you have over it.
02 Data we collect
Account data
When you register we store your email address, an optional display name, and a hashed (bcrypt) form of your password. We never store passwords in plain text.
Configuration data
The monitors, flows, schedules and connections you create. Connection credentials such as webhook URLs, API tokens and SMS provider secrets are encrypted at rest. Recipient details you enter, such as alert email addresses and phone numbers, are stored so we can deliver alerts.
Operational data
Check results, uptime history, incident events and the notifications we send on your behalf, retained for the window included in your plan.
Technical data
Standard server logs including IP address, browser user-agent and timestamps, kept for security and abuse prevention. We use Cloudflare Turnstile to tell humans from bots at sign-in; this processes limited technical signals from your browser.
Billing data
If you subscribe to a paid plan, payments are handled by Stripe. We do not see or store your full card number. We retain your plan, subscription status and Stripe customer reference.
03 How we use it
- To run the service: perform your checks, evaluate your flows and deliver alerts.
- To authenticate you, including email-based two-factor codes and account confirmation.
- To process payments and manage subscriptions through Stripe.
- To keep the service secure, prevent abuse and diagnose faults.
- To contact you about service matters such as security notices and account changes.
We do not sell your personal data, and we do not use it for advertising.
04 Legal basis
Under GDPR we rely on: performance of a contract to provide the service you signed up for; legitimate interests for security, abuse prevention and keeping the service working; consent where you actively confirm an alert recipient address; and legal obligation for records we are required to keep, such as billing records.
05 Sharing and processors
We share data only with service providers ("processors") who help us run Hesklo, and only as needed. These currently include:
- Stripe — payment processing.
- Cloudflare — bot protection (Turnstile) and network services.
- Maileroo — transactional and alert email delivery.
- Reoon — email address verification.
- An SMS provider — SMS alert delivery, for accounts that use SMS notifications.
- Our hosting provider — infrastructure hosting.
When you configure a notify step, the relevant alert content is also sent to the destination you chose (Slack, Discord, Teams, PagerDuty, Jira or your own webhook). Those services process that data under their own terms.
06 Retention
Account and configuration data are kept while your account is active. Check results and incident history are kept for the window included in your plan, then aged out. If you delete a monitor, its history and incident state are removed. If you close your account we delete or anonymise your personal data within a reasonable period, except records we must keep by law such as billing records.
07 Security
Passwords are hashed with bcrypt. Integration secrets are encrypted at rest. Access to the service is over HTTPS, sign-in supports email-based two-factor authentication, and your monitors, connections and history are scoped to your account. No system is perfectly secure, but we take reasonable measures to protect your data.
08 Your rights
Subject to GDPR, you have the right to access your data, correct it, delete it, restrict or object to processing, and receive a portable copy. You can update your email, display name and password, and delete monitors, from inside the dashboard. For anything else, contact us using the details below. You also have the right to lodge a complaint with your local supervisory authority; in Sweden this is the Integritetsskyddsmyndigheten (IMY).
09 Cookies
We use a small number of strictly necessary cookies to keep you signed in and to operate Cloudflare Turnstile. We do not use advertising or third-party tracking cookies. Because these cookies are essential to the service, they are set without a consent banner; if you block them, sign-in will not work.
10 International transfers
Some of our processors operate outside the European Economic Area. Where data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
11 Changes
We may update this policy from time to time. When we do, we will revise the "last updated" date above and, for material changes, notify you by email or in the dashboard.
12 Contact
For privacy questions or to exercise your rights, contact us at [email protected].