Data Compliance

downdetectordowndetectordowndetector.com is owned and operated by Hasher Technologies LLC and is committed to protecting your privacy and complying with applicable data protection regulations. This page outlines the main frameworks that may apply.

For users in the European Economic Area (EEA), our practices are designed to align with key General Data Protection Regulation (GDPR) requirements where applicable:

• Lawful bases: legitimate interests (service operations/security), performance of a contract (account features), and consent where applicable
• Data minimization: we collect only data needed to provide and protect the service
• Access and correction: you may request access to and correction of your personal data
• Erasure: you may request deletion, subject to legal/operational exceptions
• Objection/restriction: you may object to or request restriction of certain processing where applicable

For California residents, our practices are designed to align with the California Consumer Privacy Act as amended by CPRA:

• Right to know/access: you may request disclosure of personal information categories and sources
• Right to delete: you may request deletion of personal information, subject to exceptions
• Right to correct: you may request correction of inaccurate personal information
• Right to opt out of sale/share: we do not sell personal information or share it for cross-context behavioral advertising
• Non-discrimination: We will not discriminate against you for exercising your rights

We do not sell your personal information. This site has no advertising and does not participate in data broker networks.

Categories of data processed:

• Server logs (IP addresses, browser information, timestamps)
• First-party web-vitals and client-error telemetry (page path, performance metrics, error messages, and timestamps; reported page URLs omit query strings, while diagnostic error details may include technical message, filename, line, column, and stack data)
• Contact form submissions (name, email, message content)
• Account and security records (email address, password hash, role, verification state, failed-login and lockout state, last login time, and refresh-session records)
• Optional MFA data (encrypted TOTP secrets and related security flags when MFA is enabled or pending setup)
• Authentication data (secure session cookies used to keep you signed in)
• Account preferences (for example, whether incident email alerts are enabled)
• API key records (key label, secure hash, prefix, last four characters, creation/revocation timestamps, revocation reason, and limited last-use metadata)
• Historical account or support metadata from prior versions of the product, if any, retained only when needed for support or compliance
• Notification settings needed to deliver incident emails when those features are enabled
• Administrator-configured alert destinations, when used, such as webhook provider/URL settings and SMS recipient numbers. SMS delivery uses Twilio when that channel is enabled and configured.
• Privileged-action audit records (actor email, request ID, and IP where available)
• Monitor history (status snapshots and incident records about our checks of downdetector.com)

Purposes of processing:

• Providing and maintaining the service
• Responding to inquiries
• Providing login and account-related features
• Issuing, listing, rate-limiting, and revoking API keys
• Handling questions that depend on historical records, if any, from prior versions of the product
• Sending incident notifications to users who explicitly opt in and to administrator channels configured for service operations
• Security and abuse prevention

This site is hosted on infrastructure that may transfer data internationally. Where personal data crosses borders, we rely on provider safeguards made available for those services (for example, contractual protections published by providers). Email, webhook, and SMS delivery may also pass through the providers configured to deliver those messages.

• Server logs: retained for a limited period for reliability and security purposes
• Account records: retained until you request deletion
• Email verification tokens: expire automatically after 24 hours
• Password reset tokens: expire automatically after 1 hour
• Underlying status snapshots: stored with automatic expiry (currently up to about 90 days). Queryable history for users is limited to the current public history window (currently up to 7 days). Incident records may be retained longer for transparency.
• API key records: retained with the account unless deleted or retained for security, abuse prevention, or legal reasons. API key secrets are not stored in plaintext.
• Administrator alert destinations: retained until changed or removed by an administrator.
• Contact form messages: delivered by email; not stored in a database (email retention depends on provider policies)
• Historical support or account records, if any: retained only as needed for support, fraud prevention, or legal compliance
• Privileged-action audit entries: retained for security, abuse prevention, and accountability

To exercise any of your data protection rights, please use our contact form. We respond to verified requests within timelines required by applicable law.

Given the minimal data we collect, most requests can be fulfilled quickly.

This page provides practical information about our current practices and is not legal advice.

This compliance information may be updated to reflect changes in law or our practices. Check this page periodically for updates.