Privacy Policy
Last updated: April 30, 2026
SiteLetter is operated by Donatas Petrauskas, acting as a sole proprietor under individuali veikla (individual activity) registered in Lithuania ("SiteLetter").
This Privacy Policy explains how SiteLetter collects, uses, stores, and protects your personal data when you use SiteLetter's website monitoring services at siteletter.com (the "Service"). SiteLetter is committed to complying with the General Data Protection Regulation (GDPR) and applicable Lithuanian data protection laws.
1. SiteLetter's Role: Controller and Processor
SiteLetter plays two distinct data-protection roles depending on the data in question:
- Controller - for data SiteLetter collects about you as a SiteLetter user (your account, billing, login sessions, settings, usage logs). SiteLetter determines the purposes and means of processing this data and is directly accountable for it under the GDPR.
- Processor - for data you ask SiteLetter to collect on your behalf when you use SiteLetter to monitor websites, including sites belonging to your clients (for example, if you are an agency). When SiteLetter fetches pages, captures screenshots, or aggregates analytics from a website you configure, you (the SiteLetter account holder) are the controller of the resulting records, and SiteLetter is the processor acting on your documented instructions. You are responsible for ensuring you have a lawful basis to monitor those sites and, where required, a data processing agreement in place with their owners.
Agency customers monitoring client sites: a Data Processing Agreement (DPA) that reflects this processor relationship is available on request at support@siteletter.com. By using the Service to monitor sites you do not own, you confirm that you have the necessary rights and agreements to do so.
2. Data SiteLetter Collects
2.1 Account Data
When you create an account, SiteLetter collects:
- Name and email address
- Agency display name (the company name you enter at signup, shown on reports and emails)
- Optional organization branding: logo URL (a pointer to an image you host on your own domain or a public CDN, not uploaded to SiteLetter's infrastructure), wordmark text, brand color, and white-label preference
- Single-use email login tokens and session access tokens
- Account preferences and settings
2.2 Billing Data
When you subscribe to a paid plan, payment processing is handled entirely by Stripe. SiteLetter stores:
- Stripe customer ID and subscription ID
- Plan type and billing status
SiteLetter does not store your credit card number, CVC, or full payment details. These are handled exclusively by Stripe in accordance with PCI DSS standards.
2.3 Monitoring Data
When you add websites to monitor, SiteLetter collects and stores:
- Website URLs and hostnames you configure
- Lighthouse performance, accessibility, SEO, and best practices scores
- Screenshots of monitored pages
- SSL certificate details and domain registration data
- Uptime check results and response times
- Sitemap data from your websites
2.4 Technical Data
When you use the Service, SiteLetter automatically collects:
- IP address (for security and bot prevention)
- Browser type and version (via standard HTTP headers)
- Backend error-trace metadata captured by Sentry (stack trace, request URL, headers, IP) when a server error occurs so SiteLetter can diagnose bugs
SiteLetter does not use advertising cookies or cross-site profiling. The only analytics SiteLetter uses is Cloudflare Web Analytics, which is cookieless, anonymous, and collects no personal data — see Section 5 for details. The anti-bot challenge on signup and login (Cloudflare Turnstile) is used purely for fraud prevention — see Section 7 for details.
3. How SiteLetter Uses Your Data
SiteLetter uses your data for the following purposes:
- Providing the Service: Running website scans, generating reports, sending alerts and email notifications.
- Account management: Authentication, billing, team management, and customer support.
- AI-powered analysis: Screenshot images may be sent to the OpenAI API to classify visual changes as dynamic content, intentional updates, or broken pages. Only screenshot image data is sent, never your account or billing details. Because a screenshot can incidentally capture personal data shown on the monitored page (for example a name or photo), OpenAI processes these images as SiteLetter's data processor under a Data Processing Agreement and does not use them to train its models.
- Service improvement: Diagnosing technical issues and improving reliability.
- Legal compliance: Meeting SiteLetter's legal obligations under applicable law.
4. Legal Basis for Processing
Under the GDPR, SiteLetter processes your data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements.
- Consent (Art. 6(1)(a)): Where SiteLetter relies on your consent (e.g., optional marketing emails), you may withdraw it at any time.
5. Third-Party Services and Sub-processors
SiteLetter uses the following third-party services to operate. Your data may be processed by these providers in accordance with their own privacy policies:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, compute, storage, email delivery | All service data | EU (Stockholm, eu-north-1) |
| MongoDB Atlas | Database | All account and monitoring data | EU |
| Stripe | Payment processing | Email, billing details, payment methods | US (PCI DSS compliant) |
| Cloudflare | CDN, DDoS protection, bot prevention | IP address, request metadata | Global (EU-compliant) |
| Cloudflare Turnstile | Anti-bot challenge on signup and login | IP address, browser metadata, behavioral signals | Global (EU-compliant) |
| Cloudflare Web Analytics | Anonymous traffic statistics on the marketing site | Page URL, referrer, country, browser, device type (no IP stored, no cookies, no fingerprinting) | Global (EU-compliant) |
| Sentry | Backend error tracking | Error stack traces, request URL/method/headers, IP address | US (EU Standard Contractual Clauses) |
| OpenAI (API) | AI visual change classification | Website screenshot images only | US (EU Standard Contractual Clauses) |
If you configure the optional Slack integration, alert notifications will be sent to the webhook URL you provide. SiteLetter does not control how Slack processes the data.
For SSL certificate and domain expiry checks SiteLetter queries public RDAP and WHOIS servers operated by domain registrars and registries. These queries carry the hostname being checked (not your personal data) and rely on open directory services, not a commercial sub-processor.
If you use SiteLetter on behalf of a third party (for example, an agency monitoring client websites), a Data Processing Agreement (DPA) under GDPR Article 28 is available on request — email support@siteletter.com and SiteLetter will send you its standard DPA for signing.
6. Data Storage and Retention
- Infrastructure location: All primary data is stored in the EU (AWS eu-north-1, Stockholm, Sweden). Uptime probes also run from AWS us-east-1 and ap-southeast-1 as cross-region verifiers (they only return an up/down result for hostnames you already added; no monitoring data, screenshots, or account data are stored outside the EU).
- Monitoring data (subscribers): Scan results, screenshots, and reports are retained for 730 days (24 months), after which they are automatically deleted by a daily retention job.
- Monitoring data (non-subscribers): For accounts without an active paid subscription, monitoring data is retained for 90 days.
- Audit log: Security and team-activity audit entries expire automatically after 730 days via a database TTL index.
- Account data: Retained while your account is active. When you delete your account from Settings, your personal data is purged from SiteLetter's live database immediately and from any database backup snapshots within 30 days at the latest.
- Billing records: Your payment and invoice records are held by SiteLetter's payment processor Stripe, which retains them for at least 10 years in accordance with its own legal and tax-compliance obligations (including, for EU merchants, Lithuanian VAT Law Art. 88). When you delete your account SiteLetter removes your customer record from Stripe via API; Stripe keeps the historical invoices associated with your past transactions under its retention policies, with personal identifiers stripped on their side. If Lithuanian tax authorities request these records, SiteLetter produces them by exporting from Stripe. SiteLetter does not mirror invoice line-items in its own database - only the minimum operational state (active subscription status, organization id) needed to run your account while it is active.
7. Cookies
SiteLetter uses only strictly necessary cookies and browser signals. None of them are used for advertising or cross-site tracking. SiteLetter's analytics (Cloudflare Web Analytics) is cookieless and sets nothing on your browser:
- Session cookie: keeps you logged in. Expires when you log out or your session ends.
- Cloudflare Turnstile: on signup and login only, Turnstile may set short-lived cookies or read browser signals to verify that you are not a bot. This is a security measure for fraud prevention — no personal profile is built.
Because all of the above are strictly necessary (essential session management and fraud prevention) and SiteLetter's analytics is cookieless, no cookie consent banner is required under ePrivacy Directive Article 5(3). If SiteLetter ever introduces optional cookies (for example, cookie-based analytics or advertising) a banner will be presented and they will not be set until you opt in. See the full Cookie Policy for details.
8. Your Rights Under GDPR
As an EU resident, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data SiteLetter holds about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data. You can delete your account directly from your account settings.
- Right to restrict processing: Request that SiteLetter limit how your data is used.
- Right to data portability: Request your data in a machine-readable format.
- Right to object: Object to data processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact SiteLetter at support@siteletter.com. SiteLetter will respond within 30 days as required by law.
You also have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (VDAI) at vdai.lrv.lt.
9. International Data Transfers
SiteLetter's primary infrastructure is in the EU. Some third-party services (Stripe, Google, Sentry, OpenAI) may process data in the United States. These transfers are protected by:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
10. Security
SiteLetter implements appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Secure password hashing
- Access controls and least-privilege principles
- Regular security reviews
No system is 100% secure. If SiteLetter discovers a personal data breach SiteLetter will notify the Lithuanian State Data Protection Inspectorate (VDAI) within 72 hours as required by GDPR Article 33, and where the breach is likely to result in a high risk to your rights SiteLetter will notify you directly without undue delay as required by GDPR Article 34.
11. Children's Privacy
SiteLetter is not intended for use by children under 16 years of age. SiteLetter does not knowingly collect personal data from children. If you believe a child has provided SiteLetter with personal data, please get in touch and SiteLetter will delete it.
12. Changes to This Policy
SiteLetter may update this Privacy Policy from time to time. If material changes are made, SiteLetter will notify you by email or by posting a notice on the Service. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
13. Data Controller and Contact
The data controller responsible for your personal data is Donatas Petrauskas, operating as a sole proprietor under individuali veikla (individual activity) registered in Lithuania.
For questions about this Privacy Policy, to exercise any of your GDPR rights, or to report a data-protection concern, reach out at support@siteletter.com.