Privacy Policy
Last updated: April 12, 2026
updatealert.io is a product of devicebase GmbH. This Privacy Policy describes how we collect, use, and protect your personal data when you use http://updatealert.io ("the Service"). It complies with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
The controller responsible for data processing is:
devicebase GmbH — Heßstraße 41 — 80798 München — Germany
Phone: +49 (0) 89 20000209 — Email: privacy@updatealert.io
For further company details, please see our Imprint.
2. Scope
The Service is offered exclusively to businesses, freelancers, and other entities acting in a professional or commercial capacity (B2B). Accordingly, this Privacy Policy primarily addresses the processing of contact data of representatives of such entities. Consumers are not an intended audience.
3. Data We Collect
3.1 Data you provide
When you register and use the Service, we process the following data:
- Account data: Name, business email address, company name, password (stored in hashed form)
- Tracking configuration: Products and vendors you track, notification preferences, webhook endpoints
- Billing data (for paid subscriptions): Billing address, VAT ID, invoice history
- Communication data: Messages you send to us via email or support forms
3.2 Data collected automatically
When you interact with the Service, the following data is processed automatically:
- Log data: IP address, browser type and version, operating system, referrer URL, pages visited, timestamps
- Usage data: Features used, tracking activity, notifications sent and opened
- Cookies and similar technologies: See Section 9
3.3 Data from third parties
We do not purchase or receive personal data from third-party data brokers.
4. Purposes and Legal Basis of Processing
We process personal data only for specified purposes and on the following legal bases under Art. 6 GDPR:
| Purpose | Data categories | Legal basis |
|---|---|---|
| Providing the Service (account, tracking, notifications) | Account, tracking, usage data | Art. 6(1)(b) GDPR - contract performance |
| Processing paid subscriptions and invoicing | Billing data | Art. 6(1)(b) GDPR - contract performance |
| Security, abuse prevention, system stability | Log data | Art. 6(1)(f) GDPR - legitimate interest |
| Support and customer communication | Communication data | Art. 6(1)(b) GDPR - contract performance |
| Product improvement (aggregated, anonymized) | Usage data | Art. 6(1)(f) GDPR - legitimate interest |
| Legal obligations (tax, accounting) | Billing data | Art. 6(1)(c) GDPR - legal obligation |
| Marketing emails (if you opt in) | Email address | Art. 6(1)(a) GDPR - consent |
5. Data Sharing and Recipients
We do not sell or rent personal data. We share data only with processors and partners strictly necessary for operating the Service:
5.1 Service providers (processors under Art. 28 GDPR)
We engage the following categories of service providers under data processing agreements (DPAs):
- Hosting and infrastructure: Hetzner Online GmbH, Germany
- Email delivery: In-house development
- Payment processing: Stripe Payments Europe, Ltd.
5.2 Transfers outside the EU/EEA
Where a processor is based outside the EU/EEA (e.g., in the United States), transfers are only made on the basis of:
- An adequacy decision of the European Commission, or
- Appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses), or
- Your explicit consent (Art. 49 GDPR) in specific cases
Details on individual transfers are available on request.
5.3 Legal authorities
We may disclose personal data to public authorities where required by law (e.g., court orders, tax authorities).
6. Data Retention
We retain personal data only for as long as necessary:
| Data category | Retention period |
|---|---|
| Account data (active account) | For the duration of the contract |
| Account data (after termination) | 30 days, then deletion (see ToS §15) |
| Billing and invoicing data | 10 years (German tax law, § 147 AO / § 257 HGB) |
| Log data | 30 days, unless required for security investigations |
| Support communication | 3 years after case closure |
| Marketing consent records | Until consent is withdrawn |
7. Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): Obtain confirmation whether we process your data and a copy thereof
- Right to rectification (Art. 16 GDPR): Correct inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR): Request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18 GDPR): Limit the processing of your data
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests
- Right to withdraw consent (Art. 7 GDPR): Withdraw any consent given, with effect for the future
- Right to lodge a complaint (Art. 77 GDPR): File a complaint with a supervisory authority, for example:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) — Promenade 18 — 91522 Ansbach — Germany — www.lda.bayern.de
To exercise your rights, contact us at privacy@updatealert.io. We will respond within one month (Art. 12(3) GDPR).
8. Data Security
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect personal data, including:
- TLS/SSL encryption for all data in transit
- Encrypted storage of sensitive data (passwords hashed with modern algorithms)
- Access controls and least-privilege principles for internal systems
- Regular security reviews and backups
- EU-based hosting where feasible
No method of transmission or storage is 100% secure. We cannot guarantee absolute security but continuously work to maintain industry-standard protection.
9. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Service. We distinguish between:
9.1 Essential cookies
Required for core functionality (login sessions, security). These do not require consent (Art. 6(1)(f) GDPR, § 25 (2) TTDSG).
9.2 Functional cookies
Improve user experience (e.g., language preferences). Where applicable, consent is obtained via our cookie banner.
9.3 Managing cookies
You can manage or revoke cookie preferences at any time via browser settings. Disabling essential cookies may impair the functionality of the Service.
10. Data Processing Agreement (DPA) for Business Customers
If you use the Service in a context where you process personal data of third parties (e.g., your own employees or clients), we act as a processor under Art. 28 GDPR. A data processing agreement is available on request at privacy@updatealert.io.
11. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you within the meaning of Art. 22 GDPR.
Note: While the Service uses automated processing to generate summaries of vendor release notes, these summaries concern public technical content, not personal data, and do not fall under Art. 22 GDPR.
12. Children's Privacy
The Service is intended for professional use and not directed at children. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected personal data from a minor, we will delete it promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our Service or legal requirements. The "Last updated" date at the top indicates the most recent revision. For material changes, we will notify registered users by email.
14. Contact
Questions regarding this Privacy Policy or your personal data:
devicebase GmbH — Heßstraße 41 — 80798 München — Germany — Email: privacy@updatealert.io