Privacy Policy

1. Data Controller

Ionhour LLC is the data controller responsible for your personal data. For data protection matters, you can reach our Data Protection Officer at [email protected].

2. Information We Collect

We collect information in three ways:

Information You Provide Directly

• Account information: name, email address, and password when you create an account
• Organisation information: company name, team size, and workspace settings
• Billing information: billing address and payment card details (processed and stored by Paddle, our merchant of record; we do not store raw card numbers)
• Communications: messages you send to our support team or through our feedback form

Information Collected Automatically

• Usage data: features used, pages visited, dashboard interactions, and time spent
• Log data: IP addresses, browser type and version, operating system, referring URLs, and access timestamps
• Signal data: HTTP ping metadata sent by your cron jobs, including timestamps, HTTP method, response latency, and optional request bodies you include

Information from Third Parties

• If you sign in via OAuth (e.g., GitHub, Google), we receive your name, email, and profile picture from that provider
• Payment status and billing events are received from Paddle
• If you use AI-powered features (such as MCP), your queries and workspace context are processed by OpenRouter and routed to third-party AI model providers

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Ionhour platform
• Send monitoring alerts, incident notifications, and account-related transactional emails
• Process payments and manage your subscription
• Respond to your support requests, questions, and feedback in a timely manner
• Detect, investigate, and prevent fraudulent activity, abuse, and security incidents
• Analyse usage patterns and product performance to improve our Service (using aggregated, anonymised data wherever possible)
• Send product update announcements and occasional marketing communications — you can opt out of marketing emails at any time via the unsubscribe link
• Comply with applicable laws and legal obligations

SMS and WhatsApp Messaging

If you configure an SMS or WhatsApp alert channel within your Ionhour workspace, you expressly consent to receive monitoring alert notifications via text message or WhatsApp message to the phone number you provide. Message frequency varies based on your monitor configuration and incident volume. Message and data rates may apply. You may revoke consent at any time by removing the alert channel from your workspace settings. Ionhour will never send marketing or promotional messages via SMS or WhatsApp — these channels are used exclusively for operational alert notifications that you configure.

AI-Powered Features

If you use AI-powered features (such as MCP workspace queries), your workspace data — including check configurations, incident details, and related metadata — may be processed by third-party AI providers through OpenRouter to generate responses to your queries. This data is processed solely to provide the requested AI functionality. Ionhour does not use your workspace data to train AI models. The third-party AI providers we use are contractually prohibited from training on API inputs. You may disable AI/MCP features at any time through your workspace settings to prevent this processing.

We never sell your personal data to third parties for advertising or any other commercial purpose.

4. Cookies and Tracking

We use cookies and similar technologies to:

• Essential cookies: maintain your authenticated session and store your preferences (e.g., colour theme)
• Analytics cookies: understand how users interact with our platform using PostHog, a product analytics tool. PostHog may set cookies to track usage sessions and feature interactions. These cookies are only loaded after you provide consent through our cookie banner

We do not use advertising cookies, cross-site tracking cookies, or behavioural profiling cookies. You can disable non-essential cookies through the cookie banner or your browser settings. Disabling essential cookies may affect your ability to log in or use the Service.

What Are Cookies

Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently, provide a better user experience, and give site owners useful information. Similar technologies include local storage and session storage, which serve comparable purposes.

Essential Cookies

These cookies are strictly necessary for the platform to function. They cannot be disabled without affecting your ability to use the Service. We do not require your consent for essential cookies as they are necessary for the service you have requested.

Analytics Cookies

These cookies help us understand how visitors interact with our platform. They are only set after you provide consent through our cookie banner.

PostHog analytics data is processed in the European Union. For more information, see PostHog’s privacy policy.

Analytics data collected through cookies is used solely for aggregate product improvement. We do not use cookie data for automated decision-making or profiling as defined in GDPR Article 22.

Cookies We Do Not Use

We do not use advertising or retargeting cookies, cross-site tracking cookies, behavioural profiling cookies, or third-party social media cookies.

Managing Your Preferences

When you first visit our platform, a cookie banner allows you to accept or reject non-essential cookies.

You can change your preference at any time using the button below, or by clicking “Cookie Preferences” in the site footer.

You can also disable cookies through your browser settings. Note that disabling essential cookies may prevent you from logging in or using the Service. Most browsers allow you to:

• View cookies currently stored on your device
• Delete individual or all cookies
• Block third-party cookies
• Block all cookies from specific sites
• Set preferences for specific websites

5. Data Sharing and Disclosure

We share your information only in the following limited circumstances:

• Service providers: trusted sub-processors who help us run the platform — including Cloudflare (CDN, DNS, and DDoS protection), Paddle (payments), Google Cloud Platform (cloud infrastructure and data processing), Postmark (transactional email), PostHog (product analytics), OpenRouter (AI query processing), AWS (SMS alert delivery via SNS), Twilio (voice call alert delivery), and Ubicloud (CI/CD pipeline operations). Each is bound by data processing agreements
• Your team members: within a shared workspace, your name and email address are visible to other members of the same workspace
• Legal obligations: we may disclose information if required by law, court order, or to protect the rights, property, or safety of Ionhour, our users, or the public
• Business transfers: in the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and a prominent notice before your data is transferred and becomes subject to a different privacy policy

A complete, up-to-date list of our sub-processors is maintained in our Data Processing Agreement.

6. International Data Transfers

Your data may be processed in the following regions where our infrastructure is hosted, all on Google Cloud Platform:

• United States (us-east-1)
• European Union (eu-central-1)
• Middle East (me-central-1)

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to countries that have not received an adequacy decision from the European Commission:

• We rely on Google Cloud’s Data Processing Addendum, which incorporates the European Commission’s Standard Contractual Clauses (SCCs) for international data transfers
• Google LLC is certified under the EU-US Data Privacy Framework, providing an additional legal basis for transatlantic data transfers
• We ensure that all sub-processors who process data outside the EEA are bound by appropriate data transfer mechanisms, including SCCs where required

For more details on how your data is protected during international transfers, please refer to our Data Processing Agreement.

7. Data Security

We take the security of your data seriously and implement industry-standard safeguards:

• All data in transit is encrypted using TLS 1.2 or higher
• Data at rest is encrypted using AES-256
• Access to production systems is restricted to authorised personnel on a need-to-know basis
• We conduct periodic security reviews and penetration tests
• Passwords are never stored in plain text; authentication is delegated to Keycloak with industry-standard hashing

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. If you discover a security vulnerability, please report it responsibly to [email protected]. See our Security & Vulnerability Disclosure Policy for details.

8. Data Retention

We retain your personal information for as long as your account is active or as necessary to provide the Service and comply with our legal obligations:

• Account data is retained for the lifetime of your account and deleted within 30 days of account termination
• Signal history is retained according to your plan’s limits: 3 days (Free), 30 days (Pro), or 365 days (Business)
• Billing records are retained for 7 years to comply with tax and accounting regulations
• Support communications are retained for 3 years unless you request deletion

You may request the deletion of your personal data at any time (see Your Rights below). Certain data may be retained longer where required by applicable law.

9. Your Rights

GDPR Rights (EEA/UK Users)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of access: obtain a copy of the personal data we hold about you
• Right to rectification: correct inaccurate or incomplete personal data
• Right to erasure: request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements
• Right to restriction of processing: request that we restrict processing of your data in certain circumstances
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on our legitimate interests
• Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement if you believe our processing of your personal data violates the GDPR

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. This period may be extended by a further 60 days where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within 30 days of receiving your request. We may need to verify your identity before fulfilling your request.

Legal Basis for Processing (EEA/UK Users)

Under the GDPR, we process your personal data on the following legal bases:

• Account creation and management: Contractual necessity (Art. 6(1)(b))
• Sending monitoring alerts and incident notifications: Contractual necessity (Art. 6(1)(b))
• Processing payments and billing: Contractual necessity (Art. 6(1)(b))
• Product analytics and Service improvement: Legitimate interests (Art. 6(1)(f)) — our legitimate interest in understanding usage patterns to improve the Service
• Marketing communications: Consent (Art. 6(1)(a)) — you may withdraw consent at any time
• Security and fraud prevention: Legitimate interests (Art. 6(1)(f))
• Compliance with legal obligations: Legal obligation (Art. 6(1)(c))
• AI/MCP feature processing: Consent (Art. 6(1)(a)) — by enabling and using AI features

Your Rights Under the CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to know: what personal information we collect, use, disclose, and sell
• Right to delete: request deletion of personal information we hold about you
• Right to opt out of sale or sharing: we do not sell or share your personal information as defined under the CCPA/CPRA
• Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights
• Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond what is necessary to provide the Service
• Authorised agents: you may designate an authorised agent to make a request on your behalf. We may require verification that you authorised the agent

Automated Decision-Making

We do not use automated decision-making or profiling (as defined in GDPR Article 22) that produces legal effects or similarly significant effects on you. Our monitoring alerts are based on deterministic rules you configure, not automated profiling.

10. Children’s Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as promptly as possible.

If you are located in the European Economic Area, the relevant age threshold may be up to 16 years, depending on the member state in which you reside. We do not knowingly collect personal data from children below the applicable age threshold in their jurisdiction.

If you believe we may have such information, please contact us at [email protected].

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with your account and will include: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

Where required by applicable law, we will also notify the relevant supervisory authority within the same timeframe.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify registered users via email at least 14 days before the changes take effect. We encourage you to review this policy periodically to stay informed about how we protect your information.

Your continued use of the Service after any changes become effective constitutes your acceptance of the revised Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact our privacy team:

• Data Protection Officer: [email protected] — for all GDPR rights requests and data protection enquiries
• Privacy enquiries: [email protected]
• General support: [email protected]
• Security vulnerabilities: [email protected]
• Company: Ionhour LLC
• Address: 16192 Coastal Highway, Lewes, Delaware 19958