Privacy Policy
Last updated: April 25, 2026
Overview
CronBeacon is a cron job monitoring service operated by Robert Szumlas (sole proprietor / jednoosobowa działalność gospodarcza), ul. Powstańców Warszawskich 23/3, 80-152, Gdańsk, Poland, NIP: 5833552217, email: contact@cronbeacon.dev (“we”, “our”, “us”).
We take your privacy seriously. This policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Polish law (RODO).
Data We Collect
Account Information
When you create an account, we collect your email address. This is used for authentication, sending alerts, and service communications.
Monitor and Check-in Data
We store monitor names, schedules, check-in history, and alert configurations. This data is essential to provide the monitoring service.
Ping Data
When your cron jobs ping our service, we store the timestamp, outcome, and any optional metadata you send (such as exit codes or duration). We do not inspect or store request bodies beyond what you explicitly send. Ping data is processed and stored by both our Next.js application (Vercel) and our background monitoring job (Google Cloud Platform — Cloud Run).
Our hosting platforms (Vercel, Google Cloud Platform) may temporarily log source IP addresses in their server logs for security, rate limiting, and abuse prevention. We do not store IP addresses in our application database. Platform server logs containing IP addresses are retained according to the platform provider's standard retention policy (typically up to 30 days) and are not used for tracking or profiling.
You should not include personal data (such as names, email addresses, or identifiers of natural persons) in check-in metadata. The content of metadata is your responsibility, and CronBeacon processes it solely as part of the monitoring service.
Usage Analytics
We use Vercel Web Analytics to understand how visitors use our website. Vercel Analytics is cookieless — it sets no cookies, uses no localStorage, and does not track individual users across sites or sessions. It generates a temporary, anonymized signal derived from your IP address, user agent, and a daily rotating salt; this hash is discarded after 24 hours and no IP address is stored. The data collected is limited to: page URL, referrer, approximate geolocation (country / region / city), device type, browser, and OS. This data is aggregated and anonymous. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — improving the service through anonymized, non-invasive usage patterns.
Performance Monitoring
We use Vercel Speed Insights to measure the real-world performance of our website. Speed Insights collects anonymous Web Vitals samples (such as Largest Contentful Paint, Interaction to Next Paint, Cumulative Layout Shift, First Contentful Paint, and Time to First Byte) on page load, along with the page URL, referrer, approximate geolocation, device type, operating system, and browser. It sets no cookies, uses no localStorage, and does not track individual users across sites or sessions. The data is aggregated and anonymous. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — monitoring and improving the operational performance of the Service.
Payment Data
Payments are processed by Paddle.com. We do not store your payment card details. Paddle may collect billing information as described in their Privacy Policy at paddle.com/legal/privacy.
Legal Basis for Processing
We process your personal data on the following legal bases under GDPR:
| Data Category | Lawful Basis |
|---|---|
| Email address, account name | Contract performance (Art. 6(1)(b)) |
| Monitor names, schedules, grace periods | Contract performance (Art. 6(1)(b)) |
| Check-in timestamps, outcomes, check-window data | Contract performance (Art. 6(1)(b)) |
| Check-in metadata (optional payload from your jobs) | Contract performance (Art. 6(1)(b)) |
| Alert notification emails to addresses you configure | Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) for third-party recipients |
| IP addresses in platform server logs | Legitimate interests (Art. 6(1)(f)) — security, rate limiting, abuse prevention |
| Aggregated, anonymized usage analytics (Vercel Analytics) | Legitimate interests (Art. 6(1)(f)) — service improvement |
| Billing and transaction records (via Paddle) | Legal obligation (Art. 6(1)(c)) — Polish tax law |
In summary, we rely on contract performance (Art. 6(1)(b)) to provide the monitoring service you subscribed to, legitimate interests (Art. 6(1)(f)) to maintain security, prevent abuse, and improve the service through anonymized analytics, and legal obligation (Art. 6(1)(c)) to comply with applicable Polish and EU law.
How We Use Your Data
- To provide and maintain the monitoring service
- To send alert notifications when your monitors fail or recover
- To send important service updates and security notices
- To process payments via Paddle
- To improve our service based on aggregated, anonymized usage data
Data Sharing and Subprocessors
We do not sell your data. We share data only with the following third-party services required to operate CronBeacon:
| Processor | Purpose | Country | Transfer Basis |
|---|---|---|---|
| Clerk | Authentication and session management | USA | EU-US DPF; SCCs as fallback |
| Neon | Database hosting (PostgreSQL) | USA | EU-US DPF; SCCs as fallback |
| Vercel | Website hosting, cookieless analytics, and performance monitoring (Web Vitals) | USA | EU-US DPF; SCCs as fallback |
| Google Cloud Platform | Backend infrastructure — monitoring job (Cloud Run) | USA / EU | EU-US DPF; SCCs as fallback |
| Resend | Email delivery for alerts and notifications | USA | EU-US DPF; SCCs as fallback |
| Paddle | Payment processing and billing | UK | UK Adequacy Decision |
All US-based processors are certified under the EU-US Data Privacy Framework (DPF). Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46 GDPR) are in place as a supplementary transfer mechanism.
We will notify you by email at least 30 days before adding or replacing a subprocessor. If you object to a new subprocessor, you may terminate your account before the change takes effect.
Data Retention
- Account data and monitor configurations: retained for as long as your account is active
- Check-in history: per your plan (7 days on Free, 90 days on Pro, 365 days on Unlimited)
- Billing and transaction records: retained for 5 years after the end of the tax year in which the transaction occurred, as required by Polish tax law (Ordynacja podatkowa). These records are held by Paddle as Merchant of Record and by us for accounting purposes
- After account deletion: all personal data permanently deleted within 30 days
Data Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, secure authentication via Clerk, HTTP-only server-side cookies for sensitive temporary data, and hashed storage of ingestion tokens.
Your Rights (GDPR / RODO)
You have the following rights regarding your personal data:
- Access (Art. 15) — Request a copy of your data
- Correction (Art. 16) — Correct inaccurate data
- Deletion (Art. 17) — Request deletion of your account and data
- Restriction (Art. 18) — Request restriction of processing
- Portability (Art. 20) — Download your data in a standard format
- Objection (Art. 21) — Object to processing based on legitimate interests
To exercise any of these rights, contact us at contact@cronbeacon.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Polish data protection authority (UODO) at uodo.gov.pl.
Automated Decision-Making
CronBeacon does not engage in automated decision-making or profiling as defined in Article 22 of the GDPR. Alert notifications are triggered by deterministic schedule-based rules that you configure, not by profiling or scoring of personal data.
Cookies
We use only strictly necessary cookies. These cookies are exempt from consent requirements under Art. 361(3)(2) of the Polish Electronic Communications Act (Prawo komunikacji elektronicznej) and Art. 5(3) of the ePrivacy Directive, as they are essential for the Service to function. No cookie consent banner is displayed because we do not use any tracking, analytics, or advertising cookies.
| Cookie | Purpose | Set by | Duration |
|---|---|---|---|
| __clerk_* | Authentication and session management | Clerk | Session / up to 1 year |
| __cb_new_token | One-time, server-set, HTTP-only cookie used to securely display your ingestion token once immediately after monitor creation. Automatically deleted on first read — never persisted. | CronBeacon server | Seconds |
Vercel Analytics does not set any cookies or store any data on your device.
Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or by posting a notice on the Service.
Data Controller and Contact
Robert Szumlas
ul. Powstańców Warszawskich 23/3, 80-152, Gdańsk, Poland
NIP: 5833552217
Email: contact@cronbeacon.dev