
Privacy Policy

Last updated: 2026-05-05

This is the privacy policy for Nines (nines.sh), an uptime monitoring and status page service operated by Jeremy Bush, a sole proprietor based in Illinois, United States. Throughout this document “Nines”, “we”, and “us” refer to that service and operator. “You” means the person who registers a Nines account or otherwise interacts with the service.

We have tried to write this in plain English. If anything is unclear, email [email protected] and we will explain it.

Contents

  1. Who we are and how to reach us
  2. What we collect, why, and on what legal basis
  3. What we do not collect
  4. Where your data is stored
  5. Sub-processors
  6. International transfers
  7. How long we keep things
  8. Your rights and how to exercise them
  9. Cookies
  10. Children
  11. Security
  12. Changes to this policy
  13. Contact

1. Who we are and how to reach us

  • Service: Nines — uptime monitoring and status pages.
  • Operator: Jeremy Bush, sole proprietor (Illinois, USA).
  • Privacy contact: [email protected]
  • General support: [email protected]

There is no separate EU or UK representative. If you’re in the EU/UK, you can still email [email protected] and we will respond.

2. What we collect, why, and on what legal basis

We only collect what we actually need to run the service. Every item below is tied to a specific reason.

2.1 Account data

Data | Why we collect it | Legal basis
Email address | Identify your account, log you in, send service emails (password reset, billing receipts, incident alerts you’ve configured) | Contract — required to provide the service
Password (hashed with industry-standard password hashing; never stored in plaintext) | Authenticate you | Contract
Organisation name and slug | Label your account; appears in your status page URL | Contract
Session tokens (stored as a SHA-256 hash, expires after 30 days) | Keep you logged in | Contract
API keys (stored as a SHA-256 hash; raw key shown only at creation) | Authenticate API requests you make | Contract

2.2 Billing data

Data | Why we collect it | Legal basis
Stripe customer ID and subscription ID | Link your Nines account to your Stripe subscription | Contract
Email address (sent to Stripe as the Customer email) | Stripe needs an identifier for your billing record | Contract

We do not store payment card data. All card numbers, billing addresses, and CVVs are handled directly by Stripe Checkout. We only see Stripe-issued IDs after a successful checkout. See Stripe’s privacy notice at stripe.com/privacy.

2.3 Operational data (your monitors and incidents)

When you use Nines you create monitors (HTTP, ping, SSL, TCP, UDP, heartbeat), incidents, and status page settings. We store:

  • Monitor configuration (name, target URL/host, type, interval, regions, SLO thresholds, heartbeat tokens).
  • Check results (response time, up/down, error category) — written to our metrics store, tagged with monitor_id and org_id.
  • TLS certificate snapshots from SSL/HTTPS checks (issuer, subject, expiry, SAN names — public certificate fields only).
  • Incidents you create, including title, status, timeline updates, and any postmortem you write.
  • Status page settings (custom domain, logo, favicon, OG image URL).
  • Notification channels (email addresses or webhook URLs you configure for alerts).
  • Heartbeat ping timestamps (no payload data is stored — just the time).

Legal basis: contract — this is the service you signed up for.

2.4 IP addresses

Your IP address is captured from the request and used for:

  • Rate limiting (login, password reset, signup, device-code, status page subscribe) to prevent abuse.
  • Application access logs emitted as JSON and shipped to our hosting provider’s log pipeline.
  • Cloudflare Turnstile verification on the contact form (the visitor’s IP and browser fingerprint are sent to Cloudflare as part of the CAPTCHA check).

IP addresses are not stored in our application database. They appear in transient log streams and in-memory rate-limiter buckets that don’t survive a restart.

Legal basis: legitimate interest — keeping the service available and defending it from abuse.

2.5 Contact form submissions

If you fill out the contact form on /contact we receive your name, email address, and message. We do not store these in our database. The submission is forwarded by email to our support inbox via Postmark and lives there.

Legal basis: legitimate interest — responding to your enquiry.

2.6 Status-page subscribers (end users of your customers’ status pages)

If you subscribe to incident updates for a status page hosted on Nines, the operator of that status page collects your email address through Nines. We store:

  • Email address.
  • A confirmation flag (we use double opt-in; you must click a confirmation link before we send any further messages).
  • A token used to confirm and to unsubscribe.

We act as a processor for the operator of the status page in this case. We are not the controller of subscriber email addresses; the status-page operator is. You can unsubscribe at any time from the link in any email we send you, which deletes your record immediately.

Legal basis: consent (your double opt-in). The status-page operator is responsible for their own legal basis under GDPR/CCPA.

3. What we do not collect

  • We do not run third-party advertising, marketing, or behavioural tracking analytics.
  • We do not sell or rent personal data to anyone.
  • We do not store payment card data.
  • We do not collect SMS phone numbers (we don’t offer SMS notifications).
  • We do not load Google Analytics, Facebook Pixel, or similar trackers.
  • We do not knowingly collect data from anyone under 16 (see §10).

4. Where your data is stored

Nines runs in a single US data center. All application data at rest — your account, monitors, incidents, billing IDs, status pages, TLS snapshots, check results — is stored in the United States.

There is no EU data residency option. If you require your data to be stored exclusively inside the EU/UK, Nines is not the right service for you today. We may add EU residency in the future if there is enough demand, but it is not on the roadmap and we make no commitment about timing.

System | What’s stored there | Region
Primary application database (hosted on Fly.io) | Accounts, orgs, monitors, incidents, subscriptions, status pages, API keys, sessions, status-page subscribers | United States
Time-series metrics store (hosted on Fly.io) | Check results time-series tagged with monitor_id and org_id | United States
Stripe | Billing data | Stripe US
Postmark | Outgoing transactional email | Postmark US
Cloudflare | Contact-form CAPTCHA verification and analytics beacon | Cloudflare global CDN

5. Sub-processors

We use a small number of third-party services to operate Nines. Each has its own privacy practices, linked below. We share with them only what they need to do their job.

Sub-processor | What they receive | Purpose
Fly.io (Superfly Inc., US) — fly.io/legal | All application traffic, data at rest, TLS termination | Hosting infrastructure
Stripe (Stripe Inc., US) — stripe.com/privacy | Your email and org_id as customer metadata; payment card data goes directly to Stripe (we never see it) | Payment processing
Postmark (ActiveCampaign LLC, US) — postmarkapp.com/privacy-policy | Recipient email addresses and email content (incident alerts, password resets, subscriber confirmations, contact-form relays) | Transactional email
Cloudflare (Cloudflare Inc., US) — cloudflare.com/privacypolicy | Contact-form visitor IP and browser fingerprint for CAPTCHA; analytics beacon data from page loads | CAPTCHA (Turnstile) and lightweight analytics

We do not use any SMS provider, marketing-email provider, advertising network, session-replay tool, or third-party customer-support chat tool.

If we add or change a sub-processor we will update this list and the “Last updated” date at the top.

6. International transfers

Because Nines is hosted in the United States, your data is transferred to and stored in the US regardless of where you are. If you’re in the EU, UK, or another jurisdiction with cross-border transfer rules, our sub-processors (Stripe, Postmark, Cloudflare, Fly.io) rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms in their published DPAs to cover those transfers. Customer DPAs covering Nines’ role as a processor for B2B customers are available on request.

7. How long we keep things (retention)

We are honest about what we have today rather than promising aspirational deletion windows.

Data | Retention
User accounts | Indefinite while your account exists. We do not yet have a self-service account-deletion flow (see §8.2). To delete your account, email [email protected].
Sessions | 30-day expiry per session. All your sessions are invalidated when you change your password.
Password reset tokens | 1-hour expiry, purged hourly.
OAuth device codes | 10-minute expiry plus 1-hour grace window, purged hourly.
Monitor configuration | Until you delete the monitor or your org. Cascade-deletes with the org.
Check results (time-series metrics) | Up to 365 days at the storage layer. The window visible to you depends on your plan: Free 30 days, Pro 90 days, Business/Founder 365 days.
Incidents and updates | Indefinite while the monitor and org exist.
TLS certificate snapshots | Indefinite while the monitor and org exist.
Heartbeat ping timestamps | Indefinite while the monitor exists.
Status-page subscribers | Until they unsubscribe (immediate hard delete) or until the status-page operator deletes them.
Contact-form submissions | Stored only in our support email inbox at Postmark, governed by Postmark’s retention.
API keys | Indefinite. Revoking a key sets a revoked_at timestamp; the row remains so audit history is preserved.
Stripe billing records | Retained per Stripe’s own retention policy and our tax-records obligations.
Application access logs (with IPs) | Governed by Fly.io’s log retention. We don’t archive these ourselves.

If a category here is missing a hard expiry, that’s the truth — we don’t have a scheduled job purging it yet. We are working on that.

8. Your rights and how to exercise them

Whether you’re covered by GDPR, UK GDPR, CCPA, or another privacy law, the practical answer is the same: email [email protected] and we will help. We aim to respond within 30 days.

8.1 What we can do today (self-service)

  • Unsubscribe from status-page emails. Every email has an unsubscribe link. Clicking it deletes your subscriber row immediately.
  • Delete an individual monitor. From the dashboard. Cascades to incidents, heartbeat pings, and TLS snapshots for that monitor.
  • Revoke an API key. From the API keys settings page.
  • Change your organisation name. From settings.
  • Log out everywhere. Resetting your password invalidates all your active sessions.

8.2 What requires emailing us today

  • Delete your account / organisation. We don’t have a self-service delete-account flow yet. Email [email protected] and we will delete your account, all associated orgs you control, and the metrics data tagged with your org_id. We’re working on making this self-service.
  • Export a copy of your data. Email [email protected].
  • Change the email address on your account. Email [email protected] — we will verify ownership of the new address before changing it.
  • Object to processing, restrict processing, or withdraw consent. Email [email protected].
  • Status-page subscribers requesting access to what we hold. Email [email protected]; we’ll look up your record by email.

If you’re in the EU/UK and you’re not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. We will not retaliate for exercising any privacy right.

9. Cookies

Nines uses only strictly necessary cookies. We don’t run analytics or advertising cookies, and there is no consent banner because there is nothing to consent to.

Cookie | Purpose | Lifetime
nines_session | Keeps you logged in. HttpOnly, SameSite=Lax, Secure in production. | 30 days
nines_csrf | CSRF protection on form submissions. | Session
nines_region | Routing hint to keep you on a fast machine in your region. | Session

The Cloudflare Turnstile CAPTCHA on the contact form may set its own short-lived cookies during a verification challenge. That’s controlled by Cloudflare; see their privacy policy.

10. Children

Nines is a product for developers and businesses. We do not target children and the service is not intended for anyone under 16. If you believe a child has created an account, email [email protected] and we will delete it.

11. Security

We take reasonable technical and organisational measures to protect your data. Highlights:

  • TLS is enforced on all traffic (HTTPS-only with HSTS).
  • Passwords are hashed with industry-standard password hashing. Plaintext passwords are never stored.
  • Session tokens, API keys, password-reset tokens, and OAuth device codes are stored as SHA-256 hashes, not as the raw value.
  • CSRF protection on every state-changing request.
  • A strict Content Security Policy (no inline scripts, no unsafe-eval).
  • Per-IP and per-account rate limiting on auth-sensitive endpoints.
  • Request body size limits applied before parsing.
  • SSRF protection on outbound webhook delivery and customer-supplied monitor targets (private-address deny list).

No system is unbreakable. If we discover a breach affecting your data we will notify you without undue delay and, where required, the relevant supervisory authority.

12. Changes to this policy

If we make material changes we will update the “Last updated” date at the top and, for significant changes, notify account holders by email. Continuing to use Nines after an updated policy takes effect means you accept the changes.

13. Contact

Questions, requests, or complaints — [email protected].


© 2025 Nines. Built for developers who care about uptime.