WatchPage Privacy Policy
WatchPage monitors webpages, stores evidence of changes, sends alerts, provides reports, and may generate AI summaries. This policy explains what data we collect, why we use it, who helps us process it, and what choices and rights you have.
1. Scope, controller, and processor roles
ScopeThis Privacy Policy applies to WatchPage, our website, dashboard, APIs, emails, reports, browser push features, and related services.
For account, billing, marketing, analytics, security, and support data, WatchPage acts as the controller. For monitored page content that a workspace chooses to submit to the service, WatchPage generally acts as a processor or service provider on behalf of that workspace, unless we need to use limited information for security, abuse prevention, service operation, or legal compliance.
- If an order form, invoice, data processing agreement, or written contract identifies a different legal provider, that provider controls the relationship for that customer.
- Workspace owners and administrators are responsible for configuring monitors lawfully and informing their own users, customers, or employees when required.
2. Data we collect
DataWe collect the minimum categories of information needed to create accounts, run monitors, prove changes, send alerts, generate reports, manage subscriptions, secure the platform, and provide support.
- Account and workspace data: email address, authentication identifiers, display name, workspace name, role, permissions, invitations, preferences, and support messages.
- Monitoring data: monitored URLs, monitor names, target modes, selectors, regions, intervals, hashes, extracted text, HTML snippets, screenshots or visual captures when enabled, snapshots, diffs, reports, and check metadata.
- Alert and integration data: email destinations, webhook URLs, Slack, Discord, Telegram, browser push, RSS, API, and delivery status/error logs.
- Billing data: plan, subscription status, Stripe customer/subscription identifiers, invoices, payment status, tax and billing metadata. We do not store full card numbers.
- Usage, security, and diagnostics: IP address, user agent, device/browser details, referrer, session events, API usage, rate-limit events, failed auth events, logs, and approximate location derived from technical data.
- AI data: change inputs, extracted content, prompts, generated summaries, model metadata, token/usage data, and failure logs when AI features are enabled.
3. How and why we use data
PurposeWe use data to provide, secure, maintain, improve, and bill for the service, and to communicate with users about service activity. Where GDPR or similar laws apply, our legal bases may include contract performance, legitimate interests, consent, and legal obligations.
- Provide the service: create accounts, run checks, store baselines, compare changes, deliver alerts, generate AI summaries, export reports, and power API access.
- Secure the platform: detect fraud, abuse, spam, credential attacks, SSRF attempts, rate-limit abuse, suspicious API usage, and service misuse.
- Operate the business: process subscriptions, taxes, invoices, support, product analytics, reliability diagnostics, and administrative workflows.
- Improve WatchPage: understand feature adoption, errors, conversion funnels, onboarding friction, and performance.
- Comply with obligations: enforce our terms, respond to lawful requests, preserve records when required, and protect our legal rights.
4. Monitored content and customer responsibilities
MonitoringMonitored content can include public webpage text, HTML, metadata, visual captures, screenshots, and change evidence. It may also include personal data if a customer chooses to monitor a page that contains it.
You are responsible for choosing lawful monitor targets and avoiding content that should not be submitted to WatchPage.
- Do not monitor pages containing passwords, authentication tokens, private keys, payment card data, medical data, highly sensitive personal data, private inboxes, or private third-party accounts unless you have explicit rights and appropriate safeguards.
- Do not use WatchPage to bypass access controls, robots restrictions, paywalls, technical restrictions, rate limits, or website terms that apply to you.
- If you use WatchPage for client work, employee monitoring, compliance, legal evidence, or regulated data, you must make sure your own privacy notices, contracts, and legal bases are sufficient.
5. AI summaries and automated analysis
AIWhen AI summaries are enabled, relevant change content may be sent to an AI provider or AI gateway to produce summaries, categories, severity labels, or report narratives. AI output can be incomplete or inaccurate, so it should be reviewed before making important decisions.
We design AI features to summarize website changes, not to provide legal, financial, medical, or professional advice.
- Customers should avoid sending sensitive or confidential content into AI features unless their plan, contract, and own policies permit it.
- AI usage may be limited by plan, quota, model availability, cost controls, provider policies, or abuse controls.
6. Vendors, subprocessors, and integrations
SharingWe share data only as needed to operate WatchPage, process payments, deliver alerts, host infrastructure, store databases, analyze usage, provide support, secure the service, and comply with law. We do not sell personal data.
- Core infrastructure and database: Supabase and hosting/runtime providers such as Vercel.
- Payments and billing: Stripe for checkout, subscriptions, invoices, tax, fraud prevention, and payment processing.
- Email and messaging: Resend and configured alert providers such as Slack, Discord, Telegram, browser push, webhooks, and RSS consumers.
- Reliability, analytics, and security: Sentry, Upstash, Vercel Analytics, Google Analytics, Meta Pixel, or similar tools when configured.
- AI providers: Vercel AI Gateway, Google/Gemini, OpenAI, or other configured model providers used to produce summaries.
- Customer-controlled integrations receive the alert payloads and metadata that the customer configures them to receive.
7. International transfers
TransfersWatchPage and its vendors may process data in countries other than where you live or where your organization is located. Where required, we rely on appropriate transfer mechanisms such as contracts, standard contractual clauses, adequacy decisions, data processing terms, and vendor security commitments.
- Customers with specific data residency, transfer, or DPA requirements should contact us before submitting regulated or sensitive content.
- Third-party integrations you configure may independently transfer data based on their own infrastructure and settings.
8. Cookies, analytics, and tracking
CookiesWe use strictly necessary storage for authentication, security, preferences, active workspace selection, and cookie consent. We may use analytics cookies or similar technologies when enabled and allowed by your consent settings or applicable law.
- Necessary cookies and local storage keep you signed in, remember workspace settings, protect the service, and store your consent choice.
- Analytics tools help us understand visits, conversions, onboarding, product usage, errors, and performance.
- You can block or clear cookies in your browser, but doing so may break login, dashboard features, alerts, or preferences.
9. Retention and deletion
RetentionWe keep data for as long as needed to provide the service, comply with legal obligations, resolve disputes, maintain security, prevent abuse, and support billing/account records. Retention can vary by plan, workspace settings, feature, and data category.
- Account and workspace records are kept while the account is active and for a reasonable period after closure for security, support, billing, and legal purposes.
- Monitor snapshots, diffs, evidence, reports, and check logs may be retained according to plan limits, retention settings, storage limits, or operational needs.
- Billing records, invoices, tax records, audit logs, and fraud/security records may be retained longer where law or legitimate business needs require it.
- When deletion is requested, backups and logs may take additional time to expire through normal backup and security retention cycles.
10. Security
SecurityWe use administrative, technical, and organizational safeguards designed to protect data, including role-based access, secret redaction, HTTPS, database access controls, SSRF protections, rate limiting, audit logs, webhook signature verification where applicable, and vendor security controls.
- No internet service can guarantee absolute security. Customers must protect passwords, API keys, webhooks, integrations, team permissions, and monitored URLs.
- If you believe you found a security issue, contact us immediately and do not access, alter, or disclose data that is not yours.
11. Your rights and choices
RightsDepending on your location, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal data, and to withdraw consent where processing depends on consent.
- To exercise rights, contact support@watchpage.app. We may need to verify your identity and workspace authority before acting on a request.
- Some rights are limited when data is needed for security, billing, legal compliance, dispute resolution, or another lawful basis.
- Workspace end users should usually contact the workspace owner first because WatchPage may process monitored content on behalf of that workspace.
12. Children and policy updates
UpdatesWatchPage is a business service and is not intended for children. You may not use the service if you are under the age required to form a binding contract in your jurisdiction.
We may update this Privacy Policy to reflect product, legal, vendor, or operational changes. Material changes will be posted on this page and may also be communicated through the dashboard or email when appropriate.
- Questions about this policy can be sent to support@watchpage.app.
- If you need a data processing agreement, security documentation, or subprocessor information for a business purchase, contact support before submitting sensitive or regulated data.