Privacy Policy

Last updated: April 30, 2026

SiteLetter is operated by Donatas Petrauskas, acting as a sole proprietor under individuali veikla (individual activity) registered in Lithuania ("we", "us", "our").

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use SiteLetter's website monitoring services at siteletter.com (the "Service"). We are committed to complying with the General Data Protection Regulation (GDPR) and applicable Lithuanian data protection laws.

1. Our Role: Controller and Processor

SiteLetter plays two distinct data-protection roles depending on the data in question:

  • Controller - for data we collect about you as a SiteLetter user (your account, billing, login sessions, settings, usage logs). We determine the purposes and means of processing this data and are directly accountable for it under the GDPR.
  • Processor - for data you ask us to collect on your behalf when you use SiteLetter to monitor websites, including sites belonging to your clients (for example, if you are an agency). When SiteLetter fetches pages, captures screenshots, or aggregates analytics from a website you configure, you (the SiteLetter account holder) are the controller of the resulting records, and SiteLetter is the processor acting on your documented instructions. You are responsible for ensuring you have a lawful basis to monitor those sites and, where required, a data processing agreement in place with their owners.

Agency customers monitoring client sites: a Data Processing Agreement (DPA) that reflects this processor relationship is available on request at support@siteletter.com. By using the Service to monitor sites you do not own, you confirm that you have the necessary rights and agreements to do so.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Name and email address
  • Agency display name (the company name you enter at signup, shown on reports and emails)
  • Optional organization branding: logo URL (a pointer to an image you host on your own domain or a public CDN, not uploaded to our infrastructure), wordmark text, brand color, and white-label preference
  • Single-use email login tokens and session access tokens
  • Account preferences and settings

2.2 Billing Data

When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store:

  • Stripe customer ID and subscription ID
  • Plan type and billing status

We do not store your credit card number, CVC, or full payment details. These are handled exclusively by Stripe in accordance with PCI DSS standards.

2.3 Monitoring Data

When you add websites to monitor, we collect and store:

  • Website URLs and hostnames you configure
  • Lighthouse performance, accessibility, SEO, and best practices scores
  • Screenshots of monitored pages
  • SSL certificate details and domain registration data
  • Uptime check results and response times
  • Sitemap data from your websites

2.4 Technical Data

When you use the Service, we automatically collect:

  • IP address (for security and bot prevention)
  • Browser type and version (via standard HTTP headers)
  • Backend error-trace metadata captured by Sentry (stack trace, request URL, headers, IP) when a server error occurs so we can diagnose bugs

We do not use advertising cookies or cross-site profiling. The only analytics we use is Cloudflare Web Analytics, which is cookieless, anonymous, and collects no personal data — see Section 5 for details. The anti-bot challenge on signup and login (Cloudflare Turnstile) is used purely for fraud prevention — see Section 7 for details.

3. How We Use Your Data

We use your data for the following purposes:

  • Providing the Service: Running website scans, generating reports, sending alerts and email notifications.
  • Account management: Authentication, billing, team management, and customer support.
  • AI-powered analysis: Screenshot images may be sent to the Google Gemini API to classify visual changes as dynamic content, intentional updates, or broken pages. Only screenshot image data is sent - no personal data.
  • Service improvement: Diagnosing technical issues and improving reliability.
  • Legal compliance: Meeting our legal obligations under applicable law.

4. Legal Basis for Processing

Under the GDPR, we process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements.
  • Consent (Art. 6(1)(a)): Where we rely on your consent (e.g., optional marketing emails), you may withdraw it at any time.

5. Third-Party Services and Sub-processors

We use the following third-party services to operate SiteLetter. Your data may be processed by these providers in accordance with their own privacy policies:

For each provider we list its purpose, the data it processes, and where that processing takes place:

  • Amazon Web Services (AWS): infrastructure, compute, storage, and email delivery. Data processed: all service data. Location: EU (Stockholm, eu-north-1).
  • MongoDB Atlas: database. Data processed: all account and monitoring data. Location: EU.
  • Stripe: payment processing. Data processed: email, billing details, payment methods. Location: US (PCI DSS compliant).
  • Cloudflare: CDN, DDoS protection, bot prevention. Data processed: IP address, request metadata. Location: Global (EU-compliant).
  • Cloudflare Turnstile: anti-bot challenge on signup and login. Data processed: IP address, browser metadata, behavioral signals. Location: Global (EU-compliant).
  • Cloudflare Web Analytics: anonymous traffic statistics on the marketing site. Data processed: page URL, referrer, country, browser, device type (no IP stored, no cookies, no fingerprinting). Location: Global (EU-compliant).
  • Sentry: backend error tracking. Data processed: error stack traces, request URL/method/headers, IP address. Location: US (EU Standard Contractual Clauses).
  • Google (Gemini API): AI visual change classification. Data processed: website screenshot images only. Location: US (EU Standard Contractual Clauses).

If you configure the optional Slack integration, alert notifications will be sent to the webhook URL you provide. We do not control how Slack processes the data.

For SSL certificate and domain expiry checks we query public RDAP and WHOIS servers operated by domain registrars and registries. These queries carry the hostname being checked (not your personal data) and rely on open directory services, not a commercial sub-processor.

If you use SiteLetter on behalf of a third party (for example, an agency monitoring client websites), a Data Processing Agreement (DPA) under GDPR Article 28 is available on request — email support@siteletter.com and we'll send you our standard DPA for signing.

6. Data Storage and Retention

  • Infrastructure location: All primary data is stored in the EU (AWS eu-north-1, Stockholm, Sweden). Uptime probes also run from AWS us-east-1 and ap-southeast-1 as cross-region verifiers (they only return an up/down result for hostnames you already added; no monitoring data, screenshots, or account data are stored outside the EU).
  • Monitoring data (subscribers): Scan results, screenshots, and reports are retained for 730 days (24 months), after which they are automatically deleted by a daily retention job.
  • Monitoring data (non-subscribers): For accounts without an active paid subscription, monitoring data is retained for 90 days.
  • Audit log: Security and team-activity audit entries expire automatically after 730 days via a database TTL index.
  • Account data: Retained while your account is active. When you delete your account from Settings, your personal data is purged from our live database immediately and from any database backup snapshots within 30 days at the latest.
  • Billing records: Your payment and invoice records are held by our payment processor Stripe, which retains them for at least 10 years in accordance with its own legal and tax-compliance obligations (including, for EU merchants, Lithuanian VAT Law Art. 88). When you delete your account we remove your customer record from Stripe via API; Stripe keeps the historical invoices associated with your past transactions under its retention policies, with personal identifiers stripped on their side. If Lithuanian tax authorities request our records, we produce them by exporting from Stripe. We do not mirror invoice line-items in our own database - only the minimum operational state (active subscription status, organization id) needed to run your account while it is active.

7. Cookies

We use only strictly necessary cookies and browser signals. None of them are used for advertising or cross-site tracking. Our analytics (Cloudflare Web Analytics) is cookieless and sets nothing on your browser:

  • Session cookie: keeps you logged in. Expires when you log out or your session ends.
  • Cloudflare Turnstile: on signup and login only, Turnstile may set short-lived cookies or read browser signals to verify that you are not a bot. This is a security measure for fraud prevention — no personal profile is built.

Because all of the above are strictly necessary (essential session management and fraud prevention) and our analytics is cookieless, no cookie consent banner is required under ePrivacy Directive Article 5(3). If we ever introduce optional cookies (for example, cookie-based analytics or advertising) we will present a banner and will not set them until you opt in. See our full Cookie Policy for details.

8. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your personal data. You can delete your account directly from your account settings.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Request your data in a machine-readable format.
  • Right to object: Object to data processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at support@siteletter.com. We will respond within 30 days as required by law.

You also have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (VDAI) at vdai.lrv.lt.

9. International Data Transfers

Our primary infrastructure is in the EU. Some third-party services (Stripe, Google, Sentry) may process data in the United States. These transfers are protected by:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission

10. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Secure password hashing
  • Access controls and least-privilege principles
  • Regular security reviews

No system is 100% secure. If we discover a personal data breach we will notify the Lithuanian State Data Protection Inspectorate (VDAI) within 72 hours as required by GDPR Article 33, and where the breach is likely to result in a high risk to your rights we will notify you directly without undue delay as required by GDPR Article 34.

11. Children's Privacy

SiteLetter is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

13. Data Controller and Contact

The data controller responsible for your personal data is Donatas Petrauskas, operating as a sole proprietor under individuali veikla (individual activity) registered in Lithuania.

For questions about this Privacy Policy, to exercise any of your GDPR rights, or to report a data-protection concern, reach out at support@siteletter.com.