web down

Privacy Policy

Last updated: 4 May 2026

What we collect

We collect the minimum data needed to run the service. For the free tier (anonymous URL checks): we never store your IP address. We salt-and-hash an IP prefix with the current hour for rate-limiting purposes only. The hash is one-way and discarded after one hour.

For paid accounts: we store your email address (used for sign-in via magic link, GitHub, or Google OAuth), your subscription details (handled by our payment processor Polar.sh), the URLs you choose to monitor, and the check results we generate over time.

For paid accounts we also collect billing-identity data (address, date of birth, country of birth) under EU Know Your Customer rules — see the dedicated section below.

Billing identity & KYC (Know Your Customer)

EU regulation requires any platform serving paid customers in the European Union to identify those customers and keep that record on file. Concretely, when you start a paid subscription on web-down.com we ask you to fill in the following on the account settings page:

  • Full billing address (street, postal code, city, state, country)
  • Date of birth
  • Country of birth

Why we're obliged to collect this. Three layered legal obligations apply:

  • EU VAT Directive (2006/112/EC) — a valid billing address is required on every invoice issued to an EU customer, and the applicable VAT rate is calculated from your country of residence.
  • EU AML / KYC framework — the EU Anti-Money-Laundering Directives (most recently the AMLR / Regulation (EU) 2024/1624) and the merchant-of-record obligations Polar.sh operates under require us to identify our paying customers and retain that identification on file.
  • Contract performance — without a valid address we cannot legally invoice you, and without a date of birth we cannot confirm you meet the minimum age to enter into a subscription contract under your jurisdiction's civil code.

Legal bases under GDPR. The above is collected under:

  • Article 6(1)(c) GDPR — compliance with a legal obligation (VAT and AML rules above).
  • Article 6(1)(b) GDPR — performance of the subscription contract (we can't bill you without an address).

Where it's stored. The fields above are saved in our self-hosted PostgreSQL database, on our own VPS in Belgium. A copy of your billing address and country is also held by Polar.sh, our merchant of record, for invoice generation and VAT remittance. Both are EU-friendly processors with GDPR-compliant DPAs in place.

Retention. Active subscribers: kept for the lifetime of the account. After account deletion: tax-relevant fields (address, invoice records) are retained for up to 7 years as required by EU VAT record-keeping rules. Non-tax-relevant fields (date of birth, country of birth) are deleted immediately on account deletion. We can't shorten the 7-year retention — it's set by tax authorities, not us.

Free-tier users are not affected. The anonymous URL checker on the homepage does not collect any of this — KYC only applies once you start a paid subscription.

International sanctions screening. Your declared country of residency is checked against our restricted-jurisdictions list. As of June 2026, that list contains Cuba, Iran, Mali, Nigeria, North Korea, Syria, and Venezuela. We're unable to onboard paying customers from those jurisdictions. Polar.sh, our merchant of record, applies its own broader OFAC screening at checkout independently — so even countries we don't pre-block here may be rejected at payment if Polar's check flags them. Free-tier URL checking is not subject to either gate.

Cookies and analytics

We use only strictly-necessary cookies by default (sign-in session, theme preference, consent choice). On first visit we ask you whether to enable analytics. If you opt in, we use our own self-hosted analytics (simple analytics) — no third-party cookies, no IP collection, no cross-site tracking.

Our analytics consent also enables session recording on a 15% sample: roughly 1 in 7 visits is recorded as an anonymized replay so we can spot UX issues we wouldn't otherwise notice. Recordings are stored on our own self-hosted analytics instance, capped at 5 minutes per session, and use moderate masking — input fields, password fields, and elements marked sensitive on the page are obscured. We do not share recordings with third parties.

You can change your choice anytime via “Manage cookies” in the footer. Declining analytics turns off both page-view tracking and session recording entirely.

Email

Transactional emails (magic links, alerts, billing) are sent from noreply@web-down.com using our own mail service. Replies go to our support inbox. We do not send marketing emails without explicit consent.

Third parties

Our processors are: Cloudflare (CDN/DNS), Hostinger (hosting, including the self-hosted database and mail service), Polar.sh (payments and VAT), Anthropic (AI features for Pro tier only). All have GDPR-compliant DPAs in place.

Your rights

You can export, modify, or delete all your data from the account settings page. Account deletion is irreversible and removes all monitors, results, incidents, AI reports, and anomalies.

One exception: tax-relevant billing records (invoices and the address linked to them) are retained for up to 7 years after account deletion as required by EU VAT record-keeping rules — see the “Billing identity & KYC” section above. These records are isolated from the application data and not used for any purpose other than tax compliance.

Contact

For privacy-related questions, use the contact form.

Data controller

The data controller for the personal data described above is:

flndrn Limited
Arch. Makariou III 171, Vanezis Business Center, 4th floor
3027 Limassol, Cyprus