Privacy, in plain English.

What StatiBeat Is

StatiBeat is a hosted status-page and incident-communication platform. Teams use it to run public or private status pages, model service hierarchies, publish incidents and maintenance updates, manage subscribers, run Beats synthetic monitoring, connect Slack, and use AI-assisted workflows with human confirmation.

This Privacy Policy explains how we collect and use personal data across the marketing site, the self-serve trial, managed workspaces, public and private status pages, subscriber management links, integrations, and support conversations.

Our default is practical minimization: collect the data needed to run status communication, protect the platform, deliver notifications, support customers, and make the product work as configured.

Data We Collect

The exact data depends on whether you are a visitor, trial owner, workspace admin, page viewer, subscriber, Slack user, or integration operator. It may include:

• Website and contact data: name, work email, company, message content, support context, and basic browser, device, IP, referrer, and request-log information.
• Trial data: company name, requested status-page name, work email, selected managed region, approval token state, provisioning state, owner account credentials, trial expiry, deletion requests, and abuse-prevention signals such as Turnstile results.
• Workspace identity data: organization records, page memberships, admin users, roles, RBAC bindings, SSO provider configuration, viewer access settings, sessions, API-token metadata, and audit or notification-event records.
• Status-page content: page names, public slugs, managed domains, hierarchy levels and components, custom views, RSS feeds, preset messages, incidents, maintenance windows, post-incident reports, status definitions, page branding, and customer-facing update text.
• Subscriber and viewer data: subscriber email addresses, names, phone numbers where enabled, verification state, unsubscribe state, delivery preferences, scoped subscriptions, management-link records, hygiene states such as bounced or complained, private-page viewer sessions, and viewer SSO state.
• Beats and automation data: synthetic monitor configuration, target URLs or hostnames, methods, expected status codes, headers you configure, response checks, event history, status codes, timing data, DNS/TCP/SSL/ICMP results, browser-journey steps, optional screenshots or MTR evidence, Private Beat agent metadata, external event trigger payload metadata, and review decisions.
• Integration data: Slack workspace, channel, user, thread, OAuth, command, reminder, channel-link, and Work Object metadata; SSO provider metadata; webhook destination metadata; AI provider configuration and AI workflow records; Terraform export and token metadata; and email, SMS, RSS, or webhook delivery metadata.
• Billing data for paid plans: plan, subscription state, checkout and customer-portal identifiers, billing contact details supplied through checkout, invoice and payment-state metadata, and payment-method labels such as card brand and last four digits when returned by the payment processor. The self-serve trial form does not collect payment details.

How We Use Data

• Provision and operate managed workspaces, including trial workspaces in the managed EMEA region.
• Authenticate admins and viewers, enforce organization and page permissions, support SSO, issue sessions, and validate scoped API tokens.
• Publish public and private status pages, render hierarchy and custom-view pages, deliver RSS feeds, and show incident, maintenance, metrics, and history views.
• Send subscriber notifications, verification emails, management links, Slack notifications, webhook deliveries, reminders, and trial-ready or deletion-approval emails.
• Run Beats synthetic monitoring, store bounded evidence, route reviewable actions, create internal alerts, and support customer-facing automation when you configure it.
• Power AI-assisted workflows, such as incident drafting, Beat investigation, hierarchy creation, and Slack or admin-agent planning, while keeping write actions confirmation-first.
• Process paid subscriptions, plan changes, cancellations, billing-portal links, account lifecycle events, and related billing communications.
• Detect abuse, investigate security or reliability issues, rate-limit risky flows, debug errors, maintain auditability, and respond to support, sales, security, or legal requests.

Legal Bases

Where data protection law requires a legal basis, we rely on the basis that fits the purpose. This may include performing a contract or taking steps before entering one, our legitimate interests in running and protecting StatiBeat, consent where we ask for it, and legal obligations we need to meet.

You can object to processing based on legitimate interests by contacting us. We will review the request and respond based on the context and applicable law.

Sharing

We do not sell personal data. We share data only when it is needed to run StatiBeat, when a workspace admin enables an integration, when a public page or subscriber workflow intentionally publishes or sends content, or when required for legal or security reasons.

• Infrastructure providers for hosting, databases, object storage, logging, monitoring, email delivery, certificates, DNS, and security operations.
• Lemon Squeezy or another payment processor when you deliberately choose paid checkout or manage a paid subscription.
• Slack when you install the StatiBeat Slack app or use Slack workflows, including commands, linked users, channel metadata, reminders, and thread context needed for the requested workflow.
• Identity providers when you configure OIDC, SAML, viewer SSO, or organization SSO.
• AI providers when you enable Platform Provided AI or page-scoped BYOK AI. Depending on the workflow, StatiBeat may send your prompt, recent conversation history, Slack context, page configuration, hierarchy, incident, maintenance, Beat, Beat Group, analytics, or AI action-history context needed for the requested task.
• Email, SMS, webhook, and RSS delivery systems when StatiBeat sends subscriber or operational notifications.
• Professional advisers, regulators, law enforcement, or courts when required or appropriate.
• A successor organization if StatiBeat is involved in a merger, acquisition, financing, or sale of assets.

AI and LLM Usage

AI is optional and page-scoped. Page admins can use StatiBeat-managed Platform AI where available, or configure a Bring Your Own Key provider such as OpenAI, Anthropic, or an OpenAI-compatible endpoint.

AI-assisted write workflows are confirmation-first. The model may help draft, summarize, investigate, answer, or plan, but StatiBeat shows a normalized preview and checks permissions again before a human confirms changes to incidents, maintenance windows, Beats, Beat Groups, hierarchy items, branding, homepage layout, or similar resources.

StatiBeat sends only the context needed for the workflow, but that context can still be operationally sensitive. Beat investigation can include monitor names, target URLs or hostnames, check types, recent status codes, latency, error summaries, thresholds, evidence highlights, linked incidents, and recent updates. Slack and admin-agent answers can include the user prompt, recent conversation turns, current admin route, Slack channel or thread identifiers, page summary, hierarchy, active or resolved incidents, maintenance windows, Beat inventory, pending Beat actions, analytics summaries, and recent AI action-plan audit metadata when the user has audit-log access.

AI action planning stores workflow records in StatiBeat so people can review, answer clarifying questions, confirm, execute, troubleshoot, and audit the request. Those records can include the original prompt, generated summary, assumptions, warnings, questions, answers, preview data, execution data, result data, target references, source surface, capability key, Slack channel ID, Slack thread timestamp, requester, responder, confirmer, and timestamps.

We do not send provider API keys to the model. For BYOK providers, saved keys are encrypted, page-scoped, and not re-shown after save. For Platform Provided AI, StatiBeat routes through the managed platform AI service. Third-party AI providers apply their own terms, retention, training, security, and privacy practices to data they receive outside StatiBeat.

If you connect Slack, SSO, webhooks, AI, Terraform, email, SMS, or other third-party services, their own terms and privacy notices also apply to how they handle data outside StatiBeat.

Trial Workspaces

The self-serve trial creates a real managed workspace so you can test a status page, hierarchy, custom views, incidents, maintenance, subscribers, admin access, and evaluation workflows with your own setup.

Trial signup asks for company name, page name, work email, password, and security-check data. We do not ask for payment details, a purchase order, or a billing contact during trial signup.

Trial approval links expire after 24 hours. Standard self-serve trial workspaces run for 30 days unless upgraded, extended, or deleted earlier. When a trial ends, the workspace may become read-only rather than silently becoming a paid subscription.

Trial deletion is an explicit workflow. When requested, StatiBeat sends an approval link to the trial owner email and schedules cleanup after confirmation, giving the owner time to catch a mistaken deletion request.

Retention

We keep personal data only as long as needed for the purposes described in this policy, including product operation, customer communication history, security, legal compliance, billing, and dispute resolution.

Retention depends on the data type. Trial approval links are short-lived. Trial workspaces have a fixed trial period unless changed. Status-page content, incident history, maintenance records, subscriber preferences, AI workflow records, audit records, API-token metadata, security logs, and billing records may need to be kept longer so the workspace remains useful, accountable, and recoverable.

Workspace admins can remove many resources directly in the product, such as subscribers, incidents, maintenance windows, views, Beats, tokens, and integrations. You can also ask us to delete a trial workspace or review personal data connected to you.

Your Rights

Depending on where you live and the law that applies, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data. You may also have the right to withdraw consent where processing is based on consent.

You can contact us to exercise these rights. If you are in the UK or EEA, you may also have the right to complain to your local supervisory authority.

Security

StatiBeat uses safeguards designed for a shared managed status-page platform, including scoped roles, page-level authorization, SSO support, scoped API tokens, private-page viewer controls, rate limiting, request validation for sensitive URL fields, encrypted storage for selected integration secrets, security headers, logging, and tenant isolation controls.

No online service can guarantee perfect security. Customers are also responsible for their side of the boundary: choosing appropriate admins, protecting passwords and API tokens, reviewing public updates before publishing, and avoiding secrets in incidents, maintenance updates, public pages, subscriber imports, Beat targets, request headers, or integration payloads unless the workflow is designed for them.

Contact

Questions, rights requests, security concerns, and deletion requests can be sent to hello@statibeat.com or through our contact page.

We may update this policy as the product, providers, or legal requirements change. The date at the top shows the latest version.