Skip to content

PRIVACY NOTICE

Last updated May 21, 2026

This privacy notice for Nicholas Phillips, doing business as Otterwatch ("Company," "we," "us," or "our"), describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:

  • Visit our website at otterwatch.dev, or any website of ours that links to this privacy notice
  • Sign up for an account and use Otterwatch to monitor SSL certificates and website uptime
  • Engage with us in other related ways — including support, feedback, or product updates

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].

SUMMARY OF KEY POINTS

This summary provides key points from our privacy notice, but you can find out more details about any of these topics by using our table of contents below.

What personal information do we process? We collect the email address you provide at signup, the URLs of websites you ask us to monitor, and operational data we generate from those checks (HTTP status codes, certificate metadata, response times). We also collect minimal server log data (IP address, user agent) for security and rate limiting.

Do we process any sensitive personal information? No. We do not process sensitive personal information.

Do we receive any information from third parties? Only if you choose to sign in using Google or GitHub, in which case we receive your email address and basic profile information from those providers.

How do we process your information? We process your information to operate the monitoring service, send you notifications about your certificates and sites, communicate with you about your account, and keep our service secure.

With whom do we share personal information? Only with the sub-processors required to run the service (hosting, database, email delivery, DNS). We do not sell personal information, do not run advertising, and do not share data with marketers.

How do we keep your information safe? We use organizational and technical safeguards including encryption in transit, access controls, and modern hosting infrastructure. No system can be guaranteed 100% secure, but we work to protect your information.

What are your rights? Depending on where you live, you may have rights to access, correct, or delete your personal information. You can delete your account at any time from the dashboard.

How do I exercise my rights? Email [email protected] or use the self-serve controls in your account.

TABLE OF CONTENTS

  1. WHAT INFORMATION DO WE COLLECT?
  2. HOW DO WE PROCESS YOUR INFORMATION?
  3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
  4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
  5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?
  6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
  7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
  8. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
  9. HOW LONG DO WE KEEP YOUR INFORMATION?
  10. HOW DO WE KEEP YOUR INFORMATION SAFE?
  11. DO WE COLLECT INFORMATION FROM MINORS?
  12. WHAT ARE YOUR PRIVACY RIGHTS?
  13. CONTROLS FOR DO-NOT-TRACK FEATURES
  14. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
  15. DO VIRGINIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
  16. DO WE MAKE UPDATES TO THIS NOTICE?
  17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
  18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you voluntarily provide to us.

We collect personal information that you voluntarily provide to us when you register for an account, use the Services, or contact us. The personal information we collect includes:

  • Email address — required to create an account and to send notifications about your monitors.
  • Monitor URLs — the URLs of websites you ask us to check. You provide these.
  • Optional preferences — notification settings and similar account configuration you provide.

Sensitive Information. We do not process sensitive personal information.

Payment Data. We do not currently process payment information. The Services are free at this time. If we introduce paid tiers in the future, this notice will be updated to describe payment processing accurately.

Social Login Data. You can sign in to Otterwatch using your Google or GitHub account. If you do, we receive only your email address and basic profile information from those providers, used solely to create or authenticate your Otterwatch account. See "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.

All personal information you provide must be true, complete, and accurate, and you must notify us of any changes.

Information automatically collected

In Short: We automatically collect minimal technical information needed to operate the Services securely.

When you use the Services, we automatically collect:

  • Log and usage data. Standard server logs including your IP address, user agent, the pages and endpoints you access, and timestamps. Used for security, rate limiting, and troubleshooting. Retained for 30 days.
  • Check result data. When we check the websites you've added as monitors, we record the results: HTTP status codes, response times, and SSL certificate metadata (issuer, subject, expiry date, fingerprint, key details). We do not record the content of the pages we check — only headers and certificate information from the TLS handshake.

We do not use cookies for tracking or analytics. The only cookie we set is a strictly-necessary session cookie to keep you signed in. Our analytics is self-hosted and cookieless: we store an anonymized visitor identifier derived from your IP and User-Agent using a salt that rotates every 24 hours, so the identifier cannot be used to recognize you across days. We do not use a third-party analytics provider.

Information collected from other sources

We do not buy or receive data about you from data brokers, marketing partners, or public databases.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to operate Otterwatch, send you notifications, and keep the service secure.

We process your personal information for the following reasons:

  • To operate your account — create and authenticate your account, manage your monitors, deliver the service.
  • To send you notifications — email alerts about SSL certificate expiry, downtime, and account-related matters.
  • To respond to your inquiries — provide support, answer questions, and resolve issues.
  • To send administrative information — changes to our terms, policies, or important service updates.
  • To protect the Services — security monitoring, rate limiting, fraud prevention, abuse detection.
  • To improve the Services — understand aggregate usage patterns to improve the product (via cookieless analytics).
  • To comply with legal obligations — respond to lawful requests where required.

We process your information only when we have a valid reason to do so.

In Short: We only process your personal information when we have a valid legal basis to do so.

If you are located in the EU or UK, the GDPR and UK GDPR require us to explain the valid legal bases we rely on. We rely on the following:

  • Performance of a Contract — to provide the Services you've signed up for (running monitors, sending notifications).
  • Legitimate Interests — to keep the Services secure, prevent fraud and abuse, and understand aggregate usage to improve the product.
  • Consent — where you've explicitly opted in (e.g., to optional communications).
  • Legal Obligations — to comply with applicable laws and respond to lawful requests.

You can withdraw consent at any time. We are the "data controller" of the personal information described in this notice.

If you are located in Canada, we may process your information with your express or implied consent, or in the limited exceptional cases permitted by Canadian law.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share information only with the third-party service providers required to operate the Services.

We use the following sub-processors, each under contractual obligations to protect your data:

  • Cloudflare — DNS, CDN, and DDoS protection. May process your IP address and request metadata.
  • DigitalOcean — application hosting (US).
  • Neon — Postgres database hosting (US).
  • Resend — transactional email delivery. Processes your email address when we send you notifications.
  • Google and GitHub — only if you choose to sign in using these providers, in which case they handle authentication and provide us with your email and basic profile info.

We may also share information in these specific situations:

  • Business Transfers. If Otterwatch is ever sold, merged, or acquired, your information may be transferred as part of that transaction. We will notify you before any such transfer.
  • Legal Requirements. We may disclose your information if required by law, subpoena, or court order, or to protect the rights, property, or safety of ourselves or others.

We do not sell personal information. We do not share data with advertisers or marketers. We do not use offer walls, retargeting platforms, or ad networks.

5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?

In Short: We are not responsible for the safety of any information you share with third-party websites.

Otterwatch monitors websites you ask us to check, but we don't control those websites and their privacy practices don't fall under this notice. The Services may also link to third-party websites (for example, in our changelog or documentation). We are not responsible for the content or privacy practices of those third parties.

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use only a strictly-necessary session cookie to keep you signed in. No tracking cookies, no advertising cookies, no fingerprinting.

The only cookie we set is a session cookie used to maintain your signed-in state. This cookie is required for the Services to function and is not used for tracking or advertising.

We use a self-hosted, cookieless analytics tracker to understand aggregate traffic patterns. It stores an anonymized visitor identifier derived from your IP and User-Agent using a salt that rotates every 24 hours, so the identifier cannot be used to recognize you across days. No third-party analytics provider receives your data.

We do not use third-party trackers, advertising pixels, fingerprinting, session replay, or any similar technology.

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you sign in using Google or GitHub, we receive only your email and basic profile information.

You can register for and sign in to Otterwatch using your Google or GitHub account. When you do, we receive your email address and basic profile information (e.g., name) from the provider. We use this information only to create or authenticate your Otterwatch account.

We do not request access to your contacts, friends list, posts, repositories, or any other data beyond what's needed for authentication. We recommend reviewing the privacy notices of Google and GitHub to understand how they handle your data.

8. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: Our servers are located in the United States. If you access the Services from elsewhere, your data is transferred to and processed in the United States.

If you are accessing the Services from outside the United States, please be aware that your information will be transferred to, stored, and processed by us and our sub-processors in the United States and other countries where our sub-processors operate.

If you are a resident in the European Economic Area (EEA) or the United Kingdom, these countries may not have data protection laws as comprehensive as those in your country. We rely on Standard Contractual Clauses with sub-processors where applicable to protect your data.

9. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as your account is active, or as needed to comply with legal obligations.

We retain your account information for as long as your account exists. When you delete your account, we remove your personal information from active systems within 30 days. Some information may persist briefly in encrypted backups before being overwritten.

Server logs containing IP addresses and similar technical data are retained for 30 days for security and troubleshooting purposes.

When we have no ongoing legitimate business need to process your personal information, we will delete or anonymize it.

10. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use reasonable technical and organizational safeguards to protect your information.

We implement appropriate technical and organizational security measures including encryption in transit (TLS), access controls, modern hosting infrastructure, and rate limiting. We use passwordless authentication (magic links) so there are no passwords to be stolen or leaked.

However, no electronic transmission or storage technology can be guaranteed 100% secure. While we do our best to protect your information, transmission of personal information to and from our Services is at your own risk.

11. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to anyone under 18.

The Services are intended for users 18 years of age and older. We do not knowingly solicit data from or market to children under 18. If we learn that personal information from anyone under 18 has been collected, we will deactivate the account and delete the data. If you become aware of any data we may have collected from someone under 18, please contact us at [email protected].

12. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: You may review, change, or terminate your account at any time. In some regions, you have additional rights under applicable data protection law.

You have the following rights:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to fix inaccurate information.
  • Deletion — delete your account and associated data. You can do this self-serve from the dashboard, or by emailing us.
  • Portability — request your data in a portable format.
  • Restriction or objection — restrict or object to certain processing.
  • Withdraw consent — where we rely on consent, you can withdraw it at any time.

Account information. To review or change your account information, log in and visit your account settings. To delete your account, use the delete account option in settings, or email [email protected].

Notification preferences. Notification emails (certificate expiry, downtime alerts) are part of the Service and not marketing. If you no longer want them, delete or pause the relevant monitor, or close your account.

EEA/UK residents. If you believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority. You can find contact details at edpb.europa.eu/about-edpb/about-edpb/members_en.

If you have questions about your privacy rights, email [email protected].

13. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers include a Do-Not-Track ("DNT") feature. No uniform technology standard for recognizing DNT signals has been finalized. We do not currently respond to DNT browser signals. However, we do not engage in cross-site tracking or behavioral advertising regardless of DNT settings.

14. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: Yes. California residents have specific rights regarding their personal information.

California Civil Code Section 1798.83 ("Shine The Light") permits California users to request information about categories of personal information we may have disclosed to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.

CCPA Privacy Notice

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you certain rights regarding your personal information.

Categories of personal information we have collected in the past 12 months:

Category Collected
A. Identifiers (email, IP address) Yes
B. California Customer Records (name, contact info) Yes (email only)
C. Protected classification characteristics No
D. Commercial information No
E. Biometric information No
F. Internet or other network activity Limited (log data only)
G. Geolocation data No
H. Audio/visual information No
I. Professional or employment information No
J. Education information No
K. Inferences No
L. Sensitive personal information No

We have not sold or shared any personal information to third parties in the preceding twelve months. We do not engage in targeted advertising or profiling.

Your rights:

  • Right to know — what information we collect and how we use it.
  • Right to delete — request deletion of your personal information.
  • Right to correct — request correction of inaccurate information.
  • Right to non-discrimination — we will not discriminate against you for exercising your rights.
  • Right to limit use of sensitive personal information — not applicable, as we do not collect sensitive personal information.

To exercise your rights, email [email protected].

We do not offer financial incentives in exchange for personal information.

15. DO VIRGINIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: Yes. Virginia residents have specific rights under the Virginia Consumer Data Protection Act (CDPA).

If you are a Virginia resident, you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies
  • Right to request deletion
  • Right to obtain a copy of the personal data you previously shared
  • Right to opt out of targeted advertising, sale of personal data, or profiling

Otterwatch does not sell personal data, does not engage in targeted advertising, and does not engage in profiling. We will not sell personal data in the future.

To exercise your rights, email [email protected]. We will respond within 45 days of receipt.

Right to appeal. If we decline to take action on your request, you may appeal by emailing [email protected]. We will respond within 60 days. If your appeal is denied, you may contact the Virginia Attorney General.

16. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as needed.

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date and will be effective as soon as it is accessible. For material changes, we will notify you by email or by prominently posting a notice. We encourage you to review this notice periodically.

17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you can contact us by email at [email protected], or by mail at:

Nicholas Phillips (d/b/a Otterwatch) 723 Cottonwood Lane Liberty, MO 64068 United States

18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You can review, update, or delete your personal information by logging into your account and using the settings page, or by emailing [email protected].