Privacy Policy
Last updated: May 16, 2026
1. Who we are
QuietLS is operated by Dmytro Spivak, an individual entrepreneur based in Ukraine, trading as "QuietLS". For the purposes of the EU General Data Protection Regulation (GDPR) and equivalent laws, Dmytro Spivak is the data controller for personal data processed in connection with the QuietLS service (the "Service").
- Controller: Dmytro Spivak (trading as QuietLS), Ukraine
- Contact: [email protected]
- Website: https://quietls.com
2. Scope
This policy describes how we collect, use, share, and protect personal data when you visit our website, create an account, or use the Service. It does not cover websites or services operated by third parties that we link to.
3. Information we collect
3.1 Information you give us
- Account data: email address, password (stored as a salted hash), display name (optional), team and workspace settings.
- Communications: the content of emails or support messages you send us.
- Service configuration: domains and hosts you choose to monitor, alert preferences, integrations you configure (e.g. webhook URLs).
3.2 Information collected automatically
- Usage data: pages viewed, features used, request timing, and approximate device/browser information from server logs.
- Network data: IP address, user-agent, and request metadata, used for security, abuse prevention, and debugging.
- Cookies: a session cookie that keeps you logged in and a locale-preference cookie. We do not use third-party tracking or advertising cookies.
3.3 Payment data — handled by Paddle
When you upgrade to a paid plan, payment is processed by our Merchant of Record, Paddle.com Market Limited ("Paddle"). Paddle collects and processes payment-method details (card number, billing address, tax identifiers) directly. QuietLS never receives, sees, or stores your full card details. Paddle shares with us a limited set of transaction metadata (subscription status, customer email, country, last four digits of the card) so we can provision and support your subscription.
Paddle is an independent data controller for the payment data it processes. See Paddle's Privacy Policy for details.
3.4 Public data we retrieve
To deliver the Service, we retrieve publicly available data about the domains you ask us to monitor: DNS records, TLS certificates, HTTP response headers, and Certificate Transparency log entries. This data is generally not personal data, but it may incidentally include personal information (for example, contact email addresses present in WHOIS records or HTTP headers).
4. How we use your data
We process personal data for the following purposes and on the following legal bases under GDPR Article 6:
| Purpose | Legal basis |
|---|---|
| Creating and authenticating your account | Performance of a contract (Art. 6(1)(b)) |
| Operating the monitoring Service | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (alerts, password resets, billing receipts) | Performance of a contract (Art. 6(1)(b)) |
| Billing and tax compliance (via Paddle) | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Detecting and preventing fraud, abuse, and security incidents | Legitimate interests (Art. 6(1)(f)) — protecting the Service and its users |
| Debugging and improving the Service | Legitimate interests (Art. 6(1)(f)) — running a reliable product |
| Sending occasional product announcements (only to existing customers) | Legitimate interests (Art. 6(1)(f)); you can opt out at any time |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
We do not use your data to train machine-learning models, and we do not sell your data.
5. Sub-processors
We share personal data only with vetted service providers ("sub-processors") who help us deliver the Service. Each sub-processor is contractually required to protect your data and to use it only for the purposes we direct.
| Sub-processor | Purpose | Region | Privacy policy |
|---|---|---|---|
| Paddle.com Market Limited | Payment processing, billing, tax, invoicing (Merchant of Record) | United Kingdom / EU | paddle.com/legal/privacy |
| Hetzner Online GmbH | Cloud hosting and database storage | Germany (EU) | hetzner.com/legal/privacy-policy |
| Resend (Resend, Inc.) | Transactional email delivery (alerts, verifications, receipts) | United States | resend.com/legal/privacy-policy |
| BetterStack (BetterStack, s.r.o.) | Application logging, uptime monitoring, error tracking | European Union | betterstack.com/privacy-policy |
We update this list when our sub-processors change. Material changes will be communicated by email or in-app notice in advance where practical.
6. International transfers
Where personal data is transferred outside the European Economic Area (e.g. to Resend in the United States), we rely on the European Commission's Standard Contractual Clauses or another lawful transfer mechanism to provide an adequate level of protection. You can request a copy of the relevant safeguards by contacting [email protected].
7. Retention
We keep personal data only as long as we need it for the purposes set out above:
- Account data: for as long as your account is active. Deleted within 30 days of account closure, unless retention is required by law.
- Billing records: retained for the period required by tax law (typically 7 years under Paddle's records and applicable jurisdictions).
- Server and application logs: typically 30 days; security-relevant logs may be retained up to 12 months.
- Support correspondence: retained for up to 24 months after the last interaction.
When data is no longer needed, we delete or anonymise it.
8. Your rights
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to legal retention requirements.
- Restrict or object to certain processing, including processing based on legitimate interests.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email [email protected]. We will respond within 30 days. We do not charge a fee unless your request is manifestly unfounded or excessive.
9. Security
We implement reasonable technical and organisational measures to protect personal data, including:
- TLS encryption for all data in transit.
- Encryption at rest for production databases.
- Salted, hashed password storage (we never see your password).
- Least-privilege access controls for production systems.
- Routine security updates and dependency scanning.
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority in accordance with GDPR Articles 33–34.
10. Cookies
We use only the cookies strictly necessary to operate the Service:
- Session cookie — keeps you logged in.
- Locale cookie (NEXT_LOCALE) — remembers your language preference.
- Theme cookie — remembers your light/dark preference.
We do not use third-party analytics, advertising, or tracking cookies. If we ever add optional analytics, we will request your consent first.
11. Children's privacy
The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a child, contact us at [email protected] and we will delete it.
12. Automated decision-making
We do not make automated decisions that produce legal or similarly significant effects about you. The Service generates automated alerts about your monitored domains, but those alerts do not constitute automated decision-making about you within the meaning of GDPR Article 22.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be announced by email or in-app notice at least 14 days before they take effect.
14. Contact
For privacy questions, complaints, or to exercise your rights:
- Email: [email protected]
- Controller: Dmytro Spivak (trading as QuietLS), Ukraine
- Postal contact: available on request
If we cannot resolve your complaint, you may contact the data-protection authority in your country of residence. A list of EU authorities is published at edpb.europa.eu/about-edpb/about-edpb/members.