Privacy Policy
Last updated: May 2026
Dumza is an uptime monitoring service operated by Sergey Tabachnikov, an individual based in Ontario, Canada ("Dumza", "we", "us"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights. By using Dumza, you agree to the practices described here. For data we collect directly about you as a customer, Dumza is the data controller. Where you configure third-party contacts in the Service, you are the controller and we act as processor — see Section 9.
1. Data We Collect
We collect: (a) Account data you provide — name, email address, hashed password, and any other information submitted during signup or in account settings. (b) Customer-configured data — monitor configurations (URLs, check intervals), alert routing rules, and contact endpoints you configure for notifications. (c) Operational data we generate — HTTP check results (status codes, response times), incident records, and audit logs. (d) Technical data collected automatically — IP address, browser type, device and OS information, referring URL, and request timestamps. (e) Communications — support requests and emails you send us. (f) Payment metadata — we do not store payment card data; our Merchant of Record (Polar) handles that; we receive only limited transaction metadata such as subscription status, plan, and transaction IDs.
2. How We Use Your Data and Legal Bases
We process personal data to provide and operate the Service, including running monitors and delivering alerts (legal basis: performance of contract); to process payments and manage subscriptions (performance of contract); to communicate with you about your account, security incidents, and material changes to the Service (legitimate interest and legal obligation); to secure the Service against abuse and fraud (legitimate interest); to comply with applicable law (legal obligation); and to improve the Service through aggregated usage analysis (legitimate interest). We do not sell or rent your personal data, and we do not share it with third parties for their independent marketing purposes.
3. Sub-processors and Third-Party Services
We share personal data with the following sub-processors solely to operate the Service: Polar (polar.sh, United States) — Merchant of Record for payments, billing, and tax collection; Vercel (vercel.com, United States) — application and API hosting; Hetzner (hetzner.com, Germany) — worker, queue, and infrastructure hosting; Supabase (supabase.com, European Union — Ireland) — managed PostgreSQL database; Resend (resend.com, United States) — transactional email delivery. Each sub-processor is contractually bound to process personal data only for the purposes of providing services to us.
4. International Data Transfers
We are based in Canada. Some sub-processors are located in the United States or other jurisdictions. For transfers of personal data from the EEA, United Kingdom, or Switzerland to countries not recognized as providing adequate protection, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) with the relevant sub-processors. By using the Service, you acknowledge that your data may be processed in jurisdictions other than your own.
5. Cookies
We use a single strictly necessary HTTP-only cookie (dumza_session) to keep you signed in. We may also use short-lived security cookies for CSRF protection. We do not use analytics, advertising, or cross-site tracking cookies. Our Service does not respond to Do Not Track signals because we do not track in the first place.
6. Data Retention
Account data is retained while your account is active, plus any period specified in our Terms of Service following cancellation. Raw monitoring check data is automatically deleted after 30 days; aggregated uptime statistics may be retained longer in non-identifying form. Server logs and security data are retained for up to 90 days, except where a longer period is required to investigate an incident. Financial and tax records are retained as required by applicable Canadian law (typically up to 7 years). Support communications are retained as long as necessary to provide ongoing support.
7. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect personal data, including TLS encryption in transit, encryption at rest for sensitive fields, access controls, and system monitoring. No transmission or storage method is 100% secure; we cannot guarantee absolute security, but we commit to notifying affected users of any confirmed data breach as required by applicable law.
8. Your Rights
Depending on your location, you may have the following rights. EEA, UK, and Swiss residents (GDPR/UK GDPR): right to access, rectify, erase, restrict processing, port, and object to processing; right to withdraw consent; right to lodge a complaint with your local supervisory authority. California residents (CCPA/CPRA): right to know what personal information we collect and how it is used, right to delete, right to correct inaccurate information, and right to opt out of "sale" or "sharing" (we do not sell or share personal information as defined under California law). Canadian residents (PIPEDA): right to access and correct personal information, and right to file a complaint with the Office of the Privacy Commissioner of Canada. To exercise any of these rights, contact us at info@dumza.com. We may need to verify your identity before fulfilling certain requests.
9. Customer Data Processed on Your Behalf
Where you (a Dumza customer) configure third-party data in the Service — such as a team member's email address set as an alert contact — you are the controller of that personal data and we act as processor on your behalf. You are responsible for having a lawful basis to provide that data to us, for informing those individuals about our processing, and for responding to their data subject requests. We will assist you with such requests where reasonably required.
10. Children
Dumza is not directed to individuals under the age of 16, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by an in-product notice before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact and Data Controller
Data controller: Sergey Tabachnikov, operating Dumza as a sole proprietor, Ontario, Canada. For privacy questions or to exercise your rights, contact info@dumza.com with "Privacy Request" in the subject line.