Privacy Policy

Last updated: April 2026

Who we are

GDPR Privacy Monitor is operated by SkuBee s.r.o. We provide an independent GDPR compliance scanning tool for web agencies, professional users, and site owners.

What data we process

When you submit a URL for scanning, we process:

  • The URL you submit.
  • Technical data collected during the scan: cookies, network requests, consent-banner interactions, and page screenshots.
  • Your IP address and browser User-Agent for rate-limiting and abuse prevention.

We do not retain raw cookie values as part of stored scan evidence. Where cookie data appears in exported artifacts such as HAR files, sensitive values are masked. If you create an account, we also process your email address, authentication data, subscription status, and notification preferences to operate the service.

Lawful basis

We process scan requests, account data, monitoring settings, and paid subscriptions as necessary for the performance of a contract under Article 6(1)(b) GDPR. We process limited IP address and service-security data under Article 6(1)(f) GDPR to protect the service against abuse, fraud, and unauthorized access.

Data retention

Scan results are retained for the following periods and then deleted automatically:

  • Free tier: 7 days.
  • Starter tier: 30 days.
  • Pro / Agency Pro tier: 90 days.

Scan artifacts such as PDF reports and HAR files are deleted from storage once the retention period expires. Expired scan rows are removed from the database in the same cleanup run. If you delete your account, associated account data and monitor configuration are deleted within 30 days unless a shorter retention period already applies.

Data transfers

Scan data and account data are hosted within the EU, including Hetzner infrastructure in Frankfurt, Germany. Current material sub-processors are Hetzner Online GmbH for hosting and object storage, Stripe for billing and subscription management, and Resend for transactional email delivery. Where personal data is processed outside the EU/EEA by Stripe or Resend (United States), we apply Article 46 GDPR safeguards via Standard Contractual Clauses (Module 2 - Controller-to-Processor under EC 2021/914).

Payment processing is handled by Stripe. Your payment details are processed directly by Stripe under their own privacy terms. We will update this policy before adding any new material sub-processors that handle customer personal data. We will notify registered users of material changes to this policy by email at least 30 days before the changes take effect.

Account data

If you create an account, we store your email address, hashed password, subscription tier, workspace and monitor configuration, and notification preferences. You can request account deletion at any time from Account Settings. We do not store payment card numbers on our servers. Providing this account data and (for paid plans) the payment data Stripe collects on our behalf is a contractual requirement to use the Service; without it we cannot create an account or activate paid features. You are not under a statutory or contractual obligation to provide it, but the consequence of not doing so is inability to use the Service.

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, or object to processing of your personal data, and the right to data portability where applicable. You also have the right to lodge a complaint with a supervisory authority, including the Slovak Office for Personal Data Protection or the authority in your country of residence. Free scans expire automatically under the retention policy above. If you need help with a specific request, contact us below.

Minors

The Service is intended for business and professional users. We do not knowingly collect personal data of minors under 16. If you become aware that a minor has provided us with personal data, contact us at [email protected] and we will delete it.

Data breach notification

In the event of a personal-data breach likely to result in a high risk to your rights, we will notify you without undue delay and not later than 72 hours after we become aware, in accordance with Articles 33–34 GDPR.

Cookies

We use only strictly-necessary cookies on this site: gpm_locale (language preference, 365 days) and session (authentication, session-bound). The full cookie inventory, including third-party operational cookies set by Cloudflare, is at /cookies. We use Umami self-hosted, cookieless analytics - no analytics cookies, no consent banner required. For conversion analytics we generate a random identifier (gpm_conversion_id) stored in your browser's localStorage and pass it through Stripe metadata so we can measure signup-to-paid conversion; this identifier is opaque, contains no personal data, and is never created if your browser sends Do Not Track.

Scan-target website visitors

When you submit a website for scanning, our scanner may incidentally observe pseudonymous identifiers belonging to visitors of that website (cookie values, network requests, fingerprinting tokens). Raw cookie values are masked in stored evidence. Where the Customer is a Processor of those visitors' data, the onward Processor relationship with SkuBee s.r.o. is governed by the DPA at /dpa. We do not contact those visitors directly under Article 14 GDPR because we hold only pseudonymous technical identifiers (no contact details), and providing notice would be impossible or would involve a disproportionate effort within the meaning of Article 14(5)(b) GDPR; the Customer (acting as Controller or Processor for the underlying Controller) remains responsible for any direct-notice obligations toward those visitors.

Data Protection Officer

SkuBee s.r.o. has not appointed a Data Protection Officer (DPO). We do not meet the mandatory-DPO thresholds under Article 37(1) GDPR - we are not a public authority, our core activities do not consist of regular and systematic monitoring of data subjects on a large scale, and we do not process special-category data on a large scale. Privacy enquiries are handled by our privacy team at [email protected].

Automated decision-making

We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Risk-score outputs from a scan are advisory technical indicators about a website you submit, not automated decisions about the data subject submitting the scan.

Contact

SkuBee s.r.o.
Doležalova 3424/15C
821 04 Bratislava, Slovakia
Company ID (ICO): 57 113 998
Tax ID (DIC): 2122575576
VAT ID: SK2122575576
For data protection enquiries: [email protected]