Traxo
← Back to home

GDPR Compliance

Last updated: March 11, 2026

Our Commitment

Traxo is committed to protecting the privacy and rights of individuals in the European Union (EU) and European Economic Area (EEA) in accordance with the General Data Protection Regulation (GDPR). This page outlines how we comply with the GDPR and details your rights as a data subject.

We have implemented comprehensive technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently. We regularly review and update our data protection practices to maintain compliance with evolving regulatory requirements.

Data Controller

Traxo acts as the data controller for personal data collected through our platform. This means we determine the purposes and means of processing your personal data.

When you use Traxo to monitor your own services, you remain the data controller for any personal data contained within the URLs, responses, or services you monitor. In this context, Traxo acts as a data processor on your behalf, processing data solely according to your instructions (i.e., the monitors you configure).

Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

  • Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Traxo service, including account management, running uptime checks, delivering alerts, and managing billing. When you sign up for Traxo and accept our Terms of Service, we process your data to fulfill our contractual obligations.
  • Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided these do not override your fundamental rights. This includes improving our service, ensuring security, preventing fraud, and conducting analytics to enhance the user experience.
  • Consent (Article 6(1)(a)): Where we rely on consent, such as for sending marketing communications or using non-essential cookies, you may withdraw your consent at any time without affecting the lawfulness of processing performed before withdrawal.
  • Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as tax reporting and responding to lawful requests from public authorities.

Data We Process

We process the following categories of personal data:

  • Identity data: Full name, email address, profile picture (from OAuth providers)
  • Account data: Password hash (bcrypt), organization membership, role assignments
  • Service data: Monitor configurations, check results, incident records, alert channel settings, status page configurations, maintenance windows
  • Technical data: IP address, browser type, device information, session data (JWT tokens)
  • Billing data: RevenueCat app user ID, subscription details, plan type (full payment details are processed by RevenueCat)
  • Communication data: Phone numbers (for SMS alerts), email addresses (for alert notifications), Slack webhook URLs

Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data. You can exercise any of these rights by contacting us at support@traxo.dev. We will respond to your request within 30 days.

Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed. We will provide the data in a commonly used electronic format.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most account information directly through the Traxo dashboard settings.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data ("right to be forgotten") when the data is no longer necessary for its original purpose, you withdraw consent, or there is no overriding legitimate ground for continued processing. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller. This includes your account information, monitor configurations, and historical check data.

Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or when processing is unlawful but you prefer restriction over erasure.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. When you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights and freedoms.

Data Processors (Sub-processors)

We use the following sub-processors to provide the Traxo service. Each processor is bound by data processing agreements that require GDPR-compliant data handling:

Sub-processorPurposeLocationData Processed
RevenueCatSubscription and payment processingUnited StatesBilling information, subscription data
GoogleOAuth authenticationUnited StatesName, email, profile picture
ResendEmail deliveryUnited StatesEmail addresses, email content
TwilioSMS deliveryUnited StatesPhone numbers, SMS content

We will notify you of any changes to our sub-processor list. If you object to a new sub-processor, you may terminate your account and we will assist with data portability.

International Transfers

Some of our sub-processors are located in the United States. When personal data is transferred outside the EU/EEA, we ensure adequate protection through one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with sub-processors to ensure adequate data protection for international transfers
  • EU-US Data Privacy Framework: Where applicable, we rely on sub-processors that have certified under the EU-US Data Privacy Framework
  • Supplementary measures: We implement additional technical and organizational measures, including encryption and access controls, to supplement the protections provided by SCCs

You can request a copy of the relevant Standard Contractual Clauses by contacting us at support@traxo.dev.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account data: Retained for the duration of your account plus 30 days after deletion
  • Check results and monitoring data: 90 days (Free), 1 year (Pro), 2 years (Business/Enterprise)
  • Billing records: 7 years as required by tax regulations
  • Server logs: 30 days
  • Support communications: 2 years after last interaction

After the retention period expires, data is securely deleted or anonymized so that it can no longer be associated with an identified or identifiable person.

Data Protection Officer

For questions or concerns about our data protection practices or to exercise your GDPR rights, you can reach our Data Protection Officer:

We will acknowledge your request within 3 business days and provide a substantive response within 30 days. If we need more time due to the complexity of your request, we will inform you of the extension and the reasons within the initial 30-day period, as permitted by the GDPR.

Supervisory Authority

If you are located in the EU/EEA and believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local supervisory authority. You can find contact details for EU data protection authorities at the European Data Protection Board website.

We encourage you to contact us first so we can try to resolve your concern directly. However, this does not affect your right to contact a supervisory authority at any time.

Contact Us

For any GDPR-related questions, requests, or concerns: