1. At a glance
Ambih Monitor is built to be honest about what it processes and why. Here is the short version:
- We collect what we need to deliver the Service, and nothing else. That includes an overview of performance signals from the projects you monitor, so the Service can compute history, baselines, anomaly verdicts and the other analytics features.
- An Account is only required for the Pro Subscription; the Free Tier does not require one.
- We never sell your personal data. We do not use it for advertising and we do not share it with advertising networks.
- Payments go through a third-party payment provider. We never see your card number.
- The Site uses only first-party server-side analytics. No Google Analytics, no Meta pixel, no third-party advertising trackers.
- You have rights. You can request access, correction, deletion or export of your data at any time by writing to [email protected].
2. Who is responsible for your data
For the purposes of applicable data-protection law (such as the GDPR, where it applies to you), the "data controller" of your personal data is the independent operator of Ambih Monitor (the "Operator"). You can reach us at [email protected] for any privacy matter, and at [email protected] for general legal correspondence.
We do not currently have a designated "Data Protection Officer". If the law applicable to you requires you to deal with a local representative as a precondition for using the Service, please contact us first — depending on volume we may not yet meet the thresholds that require us to appoint one.
3. Personal data we collect
We collect personal data in a small number of specific situations. We have summarised them in the table below; the sections that follow explain each one in more detail.
| When | What we collect | Why |
|---|---|---|
| You browse the Site | IP address, user agent, page URL and referrer, theme/locale preferences | To deliver the page, remember your preferences, and produce aggregate server-side traffic statistics |
| You create an Account | Email address, password (hashed), display name (optional) | To create and secure your Account; to send you transactional emails |
| You buy a Pro Subscription | Billing email, country, the last 4 digits of your card, plan choice, billing history; the full card number stays with our payment provider | To process payment, issue receipts, manage renewal and cancellation, and comply with tax and accounting rules |
| You connect the Desktop App to your Account | Account identifier, a device fingerprint, a refresh token bound to that device | To verify your Pro Subscription on this specific device and to revoke it cleanly if you sign out |
| You use the Desktop App on a monitored project | An overview of performance signals from your monitored projects — including resource statistics (CPU, memory, disk, network), derived analytical signals (anomaly scores, baselines, regression verdicts, launch-phase metrics), session metadata (timestamps, exit codes, project identifier) and the application version | To deliver the analytics, history, baseline and regression features of the Service; to compute and surface verdicts; to keep the relevant signals available for the lifetime of your Account |
| The Desktop App is running and signed in | Periodic session and licensing signals (timestamp, Account identifier, device fingerprint, app version) | To confirm that your subscription is still valid; if the check fails the app reverts to Free Tier features |
| You contact support | Your email address and the contents of your message, including any data you choose to attach | To answer your request and to keep an internal record of it |
What we do not collect
- we do not collect the contents of your stdout/stderr log lines, your source code or your environment variables;
- we do not collect biometric data, precise geolocation data, or any "special category" data as defined by the GDPR;
- we do not use any third-party advertising or behavioural-profiling tracker, on the Site or in the Desktop App;
- we do not sell, rent or otherwise make your personal data available to data brokers.
4. How the Desktop App handles your data
When you launch a project through the Desktop App, the Service samples resource usage from the operating system, computes derived statistics (averages, percentiles, peaks) and applies its analytical algorithms — for example, scaled median absolute deviation for spike detection, one-sided CUSUM for memory-drift detection, and weighted multi-factor robust z-score for cross-session regression detection. The Service then surfaces the resulting verdicts and history back to you.
What we collect from the Desktop App
As described in section 3, the Desktop App reports to us an overview of performance signals from the projects you monitor — resource statistics, derived analytical signals, session metadata and the application version — together with the session and licensing signals needed to confirm that your subscription is valid. We use this information to deliver the analytics, history and cross-session features of the Service, to surface verdicts back to you, to debug the Service, and to improve it over time.
What we do not collect from your projects
We do not collect the contents of your stdout/stderr log lines, your source code or your environment variables. The Desktop App processes those streams only to surface them back to you inside the application.
Authentication and licensing
When you sign in to link the Desktop App to your Account, the Service exchanges a one-time OAuth authorisation code for an access token and a refresh token bound to that device. While the Desktop App is signed in, it periodically reports session and licensing signals (timestamp, Account identifier, device fingerprint, application version) so that the Service can confirm your Pro Subscription remains active. If those checks fail, the Desktop App reverts to Free Tier features.
Crash reports and diagnostics
If the Desktop App crashes, we do not collect a crash report automatically. If you decide to send us one to help us reproduce a bug, the file you send will be treated as a support message: whatever you have chosen to include in it will be processed solely to answer your request, and retained in line with the retention windows in section 8.
5. Why we process your data (and our legal bases)
Where the GDPR applies to you, we rely on the following legal bases:
- Performance of a contract — to provide the Service to you. This covers Account creation, payment, subscription management, the OAuth flow, the heartbeat, and any support we provide.
- Compliance with a legal obligation — to keep tax and accounting records relating to your payments, and to respond to lawful requests from public authorities.
- Our legitimate interests — to keep the Service secure (preventing fraud, abuse and unauthorised access), to produce aggregate server-side traffic statistics, and to improve the Service. Where we rely on legitimate interests we balance them against your rights and freedoms, and you have the right to object (see section 9).
- Your consent — for any optional feature we may introduce in the future that processes personal data beyond what is strictly necessary to deliver the Service. You can withdraw consent at any time.
7. International data transfers
The Operator, our Sub-processors and our infrastructure may be located in jurisdictions other than your own. When we transfer personal data outside the country or region in which you are located, we rely on appropriate safeguards — such as recognised standard contractual clauses or an equivalent transfer mechanism — supplemented where necessary by additional technical and organisational measures.
You can request a copy of the safeguards in place for a specific Sub-processor by writing to [email protected].
8. How long we keep your data
We keep personal data only for as long as we have a clear reason to keep it. The main retention windows are:
| Data | Retention period |
|---|---|
| Account data while your Account exists | For as long as the Account is open |
| Account data after you close your Account | Up to 30 days in active systems for reversal in case of mistake, then deleted or anonymised |
| Billing and tax records (invoices, payment status) | Ten (10) years from the end of the fiscal year, as required by accounting law |
| Server access logs (IP, user agent, request path) | Up to 180 days for security and abuse-prevention purposes, then deleted or aggregated |
| Aggregate, non-identifying traffic statistics | Indefinitely (no longer personal data) |
| Support correspondence | Up to three (3) years after the case is closed |
| OAuth refresh tokens / device fingerprints | Until you sign out, until the token is rotated, or until your Account is closed — whichever comes first |
We may retain data for longer where required to comply with a legal obligation, to defend a legal claim, or to investigate a security incident.
9. Your rights
Depending on your country of residence, you have some or all of the following rights over your personal data:
- Right of access — obtain confirmation that we process your personal data, and request a copy of it;
- Right to rectification — ask us to correct inaccurate or incomplete data;
- Right to erasure ("right to be forgotten") — ask us to delete data we no longer have a lawful basis to keep;
- Right to restriction — ask us to limit processing in specific circumstances (for example, while we investigate a complaint);
- Right to data portability — receive a copy of data you provided to us in a structured, commonly-used, machine-readable format;
- Right to object — object to processing carried out on the basis of our legitimate interests;
- Right to withdraw consent — where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of past processing;
- Right to lodge a complaint — complain to the data-protection authority in your country of residence if you believe we have mishandled your data. We would prefer that you reach out to us first so we can try to put things right.
To exercise any of these rights, write to [email protected] from the email address associated with your Account. We will respond within 30 days; in complex cases we may extend that period by a further two months and we will tell you why. We may need to verify your identity before acting on a request — we will keep that verification proportionate to the sensitivity of the data involved.
11. Security
We apply appropriate technical and organisational measures to protect your personal data, including:
- TLS (HTTPS) for all traffic between your browser or Desktop App and our servers;
- passwords stored as one-way salted hashes — never in plain text;
- card numbers handled exclusively by our payment provider in tokenised form;
- access to production systems restricted to the minimum number of trusted individuals, with strong authentication;
- short-lived access tokens combined with device-bound refresh tokens for the Desktop App OAuth flow;
- regular review of dependencies and prompt application of security patches.
No system is perfectly secure. If we ever become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, you, in accordance with applicable law.
12. Children's privacy
The Service is not directed at children under the age set out in section 4 of the Terms of Service. We do not knowingly collect personal data from children under that age. If you believe that a child has provided us with personal data, please contact [email protected] and we will delete it.
13. Automated decision-making
We do not make decisions that produce legal effects on you, or similarly significantly affect you, on the basis of automated processing alone. The Desktop App's analytical features (anomaly detection, regression verdicts, baseline computation) are decision support for you — they do not make decisions about you.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make a material change we will:
- update the "Last updated" date at the top of the page;
- where reasonably practicable, notify Account holders by email at least fourteen (14) days before the change takes effect;
- never enable a new processing activity that requires your consent without first asking you.
Older versions of this Privacy Policy are available on request.
Questions or requests
If anything in this document is unclear, or if you'd like to exercise one of your rights, write to us. We answer every legitimate request — usually within a few business days.
- General legal: [email protected]
- Privacy & data requests: [email protected]
- Governing law: The operator’s place of establishment