Privacy Policy
Last updated: [EFFECTIVE DATE]
[PLACEHOLDER] and have qualified counsel review it before you rely on it.
1. Who we are
Lapseguard (“Lapseguard”, “we”, “us”) is a TLS certificate renewal monitoring service operated by [COMPANY NAME], [COMPANY ADDRESS]. For any privacy question, contact us at [CONTACT EMAIL]. Where required, our data protection contact is [DPO / PRIVACY CONTACT].
2. Scope
This policy explains what personal data we collect when you create an account and use the Lapseguard application and website, why we collect it, who we share it with, and the choices and rights you have. It does not cover third-party services you choose to connect (such as Slack or PagerDuty), which are governed by their own privacy policies.
3. Information we collect
Account information
- Your email address.
- A cryptographic hash of your password (we never store your password in plaintext). If you sign in via a third-party identity provider, we store the provider name and the identifier they give us instead.
- Your organisation name, where you provide one.
Monitoring configuration you provide
- The hostnames and ports you ask us to monitor.
- Escalation contact details you configure for alerts — these may include email addresses, phone numbers, Slack channel or user identifiers, and PagerDuty routing keys.
Data generated by the service
- Certificate metadata observed from your endpoints and from public Certificate Transparency logs (serial number, fingerprint, issuer, validity dates, and the domain names listed on the certificate).
- Incidents we open, and a record of who acknowledged them and any notes they added.
Technical data
- A strictly necessary session cookie used to keep you signed in (see our Cookie Policy).
- Operational logs needed to run and secure the service.
4. How we use your information
- To provide the monitoring service — probing your endpoints, polling public logs, computing renewal expectations, and opening and resolving incidents.
- To authenticate you and keep your account secure.
- To send alerts and escalations through the channels you configure.
- To operate, maintain, debug, and improve the service.
- To comply with our legal obligations.
We do not sell your personal data, and we do not use it for advertising or automated profiling.
5. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the service you sign up for); our legitimate interests (to secure, operate, and improve the service); your consent where we ask for it; and compliance with legal obligations.
6. Cookies
Lapseguard uses a single strictly necessary cookie for authentication and no analytics or advertising cookies. See the Cookie Policy for details.
7. Sub-processors and sharing
We share data with the third-party service providers listed on our Sub-processors page, only as needed to run the service (for example, sending an alert through your chosen notification provider). We may also disclose information where required by law, or to protect our rights, users, or the public. We do not otherwise sell or rent your data.
8. International transfers
Our providers may process data in [REGIONS / COUNTRIES]. Where data is transferred across borders, we rely on appropriate safeguards such as [STANDARD CONTRACTUAL CLAUSES / OTHER MECHANISM].
9. Retention and deletion
We keep your data for as long as your account is active. When you delete a monitored target, its certificate observations and incidents are deleted with it. When an organisation is deleted, its users, targets, incidents, and observations are deleted. You can ask us to delete your account at any time; we may retain limited records where required for legal or security reasons.
10. Security
We protect your data with measures including encryption in transit, password hashing, hashed session and recovery tokens, and tenant isolation. See our Security page for more, including how to report a vulnerability.
11. Your rights
Depending on where you live, you may have the right to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. To exercise these rights, email [CONTACT EMAIL]. If you are in the EEA or UK, you also have the right to lodge a complaint with your supervisory authority.
12. Children
Lapseguard is a tool for organisations and is not directed to children. We do not knowingly collect personal data from anyone under [16/18].
13. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “last updated” date above and, where appropriate, notify you.
14. Contact
Questions about this policy? Email [CONTACT EMAIL] or write to [COMPANY NAME], [COMPANY ADDRESS].