Privacy Policy
Last updated: 2026-05-25
This Privacy Policy explains how SteadyCron - Owner: Daniel Möß ("we", "us") collects, uses, and protects personal data when you use the SteadyCron service. It is written to comply with the EU General Data Protection Regulation (GDPR) and German data-protection law.
1. Controller & Contact
The data controller is:
- Entity: SteadyCron - Owner: Daniel Möß
- Address: Haubourdinstr. 36, 52428 Jülich, Germany
- Email: contact@steadycron.com
- Data Protection Officer (DPO): No DPO appointed. This business does not meet the mandatory appointment criteria of Art. 37 GDPR (not a public authority; processing is not carried out on a large scale, nor does it involve systematic monitoring of individuals at large scale). For GDPR-related queries, contact us at contact@steadycron.com.
2. Data We Collect
2.1 Account data
- Email address (registration and communications).
- Hashed password (if you use email/password authentication).
- GitHub username and profile email (if you use GitHub OAuth).
- Account preferences and plan information.
2.2 Job configuration data
- HTTP job URLs, schedules, headers (may include tokens — see § 2.5), retry/timeout settings.
- Heartbeat monitor configurations (identifier, expected interval).
2.3 Execution logs
- HTTP job: timestamp, response status, response body excerpt, duration, retry attempts.
- Heartbeat: timestamp, source IP address, User-Agent of the pinging client.
- Log entries are retained per your plan's retention window (see § 6).
2.4 Usage counters
- Aggregated counts of job executions and heartbeat pings used for plan-limit enforcement and billing.
2.5 Credentials in job headers
If you include authorization headers or API keys in your job configuration, those values are stored encrypted at rest. We recommend using short-lived or scoped credentials.
2.6 Communications data
- Alert delivery records (email address, timestamp, delivery status).
- Support communications you send us.
2.7 Server Log Files
When you access our marketing website or dashboard, our infrastructure automatically records technical access data sent by your browser to ensure stability and security (e.g., defending against cyberattacks). This data includes:
- IP address (truncated or anonymized by default where possible)
- Date and time of the request
- Specific target file or URL accessed
- HTTP status code and volume of data transferred
- Browser type, version, and the operating system used (User-Agent string)
3. Legal Bases (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you have signed up for — account management, job execution, alerting.
- Legitimate interest (Art. 6(1)(f)): security and fraud prevention, service reliability, aggregated analytics to improve the product. We balance these interests against your rights.
- Legal obligation (Art. 6(1)(c)): retaining invoicing records as required by tax law.
- Consent (Art. 6(1)(a)): where we ask for your consent (e.g. optional communications). You may withdraw consent at any time.
4. Processors & Sub-processors
We use the following sub-processors:
- Hetzner Online GmbH (Germany, EU) — cloud hosting for all core infrastructure. Data remains in the EU.
- Cloudflare, Inc. (US; EU Standard Contractual Clauses apply) — DNS, CDN/WAF for the marketing site. No application data stored.
- SMTP2GO Pty Ltd (Australia, with processing infrastructure in the US and EU) — transactional email delivery (alerts, account emails). Data transfers to Australia and the US are subject to appropriate safeguards under GDPR Art. 46.
- Paddle.com Market Limited (UK) — payment processing and invoicing as Merchant of Record. Paddle's own privacy policy governs their data handling.
- GitHub, Inc. (US; SCCs apply) — OAuth authentication if you sign in with GitHub. Only your GitHub email and username are transferred.
We do not sell your personal data to third parties.
5. Data Location & Transfers
Core application data (account, job config, logs) is stored on Hetzner servers located in Germany (EU). Where transfers to countries outside the EEA are required (e.g. Cloudflare, GitHub, SMTP2GO), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate safeguards under GDPR Art. 46.
6. Retention
- Execution logs: retained per your plan's window (Free: count only; Developer: count only; Team: 90 days). Older entries are deleted automatically.
- Account data: retained while your account is active, plus 30 days after deletion unless a longer period is required by law.
- Invoicing data: retained for 10 years as required by German tax law (§ 147 AO).
7. Your Rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data ("right to be forgotten") where applicable (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Data portability — receive your data in a machine-readable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent where processing is based on consent.
To exercise these rights, email us at contact@steadycron.com. We will respond within 30 days. Deleting your account from the dashboard also triggers personal data erasure (subject to legal retention obligations above).
8. Cookies
The SteadyCron application (app.steadycron.com) uses one essential cookie:
- sc.session — an encrypted HTTP-only session cookie. Required for authentication. Expires on session end or after 30 days.
The marketing site (steadycron.com) sets no cookies unless analytics is added in the future (see § 9).
We do not use tracking, advertising, or third-party analytics cookies.
9. Analytics
No analytics are currently deployed on this site. If cookieless, EU-hosted analytics (e.g. Plausible) is added in the future, this section will be updated before activation.
10. Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority. The lead data-protection authority for SteadyCron - Owner: Daniel Möß is:
- Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
- Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
- poststelle@ldi.nrw.de · www.ldi.nrw.de
11. Changes to This Policy
We will notify registered users by email at least 14 days before any material change to this Privacy Policy. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
Privacy questions, erasure requests, or data-subject rights:
- Email: contact@steadycron.com
- Post: Haubourdinstr. 36, 52428 Jülich, Germany