CheckyWorky

Privacy policy

Last updated: February 2026

What we collect

Account information (email, team name), check configuration data, and synthetic run results including screenshots and logs.

How we use data

To run your workflow checks, send alerts, display results in your dashboard, and improve the service. We do not sell your data.

Data processors

We use Supabase (database), Cloudflare (CDN and storage), and SendGrid (email delivery) as subprocessors. A full list is available on request.

Cookies and analytics

We use minimal analytics to understand how the marketing site is used. The dashboard uses session cookies for authentication. No third-party tracking cookies.

Data retention

Run data is retained per your plan (7–90 days). Account data is retained while your account is active. You can request deletion at any time.

Your rights

You have the right to access, correct, or delete your personal data. If you're in the EU (GDPR) or California (CCPA), additional rights apply. Contact us at privacy@checkyworky.com.

Contact

For privacy questions, email privacy@checkyworky.com.

By the numbers

The average cost of a data breach was $4.45 million (global average).

IBM, Cost of a Data Breach Report (2023)

83% of organizations experienced more than one data breach.

IBM, Cost of a Data Breach Report (2023)

Global GDPR fines have reached into the billions of euros since enforcement began, with large penalties increasingly tied to transparency, lawful basis, and data handling practices.

DLA Piper, GDPR Fines and Data Breach Survey (2024)

The majority of web traffic is automated (bots), which increases the importance of careful logging, rate limiting, and avoiding over-collection of identifiable data in telemetry.

Imperva, Bad Bot Report (2024)

Real-world examples

Masking sensitive fields in synthetic login checks

Scenario: A 6-person SaaS team monitors a critical login flow with a headless browser. Early on, failed runs included screenshots showing the test user’s email and occasionally a one-time code on screen.

Outcome: They enabled screenshot masking for email/OTP elements and reduced artifact retention from 90 days to 14 days. Debugging remained effective while eliminating the primary source of personal data in stored artifacts.

Cookie consent and analytics minimization for EU visitors

Scenario: The marketing site uses analytics to understand signups, but the team wants to avoid setting non-essential cookies before consent in the EU/UK.

Outcome: They separated essential cookies (auth/session) from optional analytics cookies and added a consent banner. Analytics events were limited to page views and signup conversions with IP anonymization, reducing privacy risk while preserving funnel visibility.

Subprocessor transparency prevents procurement delays

Scenario: A mid-market customer’s security review asks for a list of subprocessors (hosting, email, support, payments) plus breach notification terms and data residency details.

Outcome: Because the privacy policy linked to a maintained subprocessor page and DPA, the review completed in days instead of weeks, and the customer approved production use without custom contract edits.

Fast deletion workflow for accidental PII in logs

Scenario: A synthetic check hits a misconfigured staging endpoint that echoes query parameters containing a real user email, which then appears in monitoring logs.

Outcome: The team used a documented deletion request path to purge the affected artifacts and added URL allowlists + query-string redaction rules. Future runs no longer stored accidental PII.

Key insights

1. Synthetic monitoring can unintentionally capture personal data (screenshots, URLs, console logs). Clear configuration guidance (test accounts, masking, retention limits) is as important as legal language.

2. Customers increasingly expect a DPA, subprocessor list, and clear international transfer mechanism (e.g., SCCs). Having these ready reduces sales friction, especially for B2B SaaS.

3. Cookie policies should distinguish essential vs optional tracking and explain controls; teams can often meet product needs with privacy-preserving analytics configurations (reduced retention, IP anonymization, limited events).

4. Retention is a practical privacy lever: shorter retention for screenshots/HAR files reduces exposure while keeping enough history for incident debugging.

5. Operational security and privacy overlap: minimizing logged identifiers and encrypting secrets reduces breach impact (IBM breach-cost research highlights the financial stakes).

6. Bot-heavy traffic (Imperva) makes it easy to over-collect IPs and user agents in logs; teams should document purpose, retention, and access controls for such telemetry.

7. Transparency (what you collect, why, and how long you keep it) is a major driver of trust and reduces the risk of complaints and regulatory scrutiny (GDPR enforcement trends tracked by DLA Piper).

Pro tips

💡 Default to privacy-safe synthetic checks: use dedicated test accounts, avoid real customer data, and enable masking for common sensitive selectors (password, OTP, email, tokens) before you create your first production check.

💡 Publish a living subprocessor list + change notification process (even a simple webpage + email list). It’s one of the fastest ways to unblock security reviews for small teams.

💡 Set retention tiers: keep high-level uptime/timing metrics longer (e.g., 90–365 days) but store heavy artifacts (screenshots/HAR/console logs) for a shorter window (e.g., 7–30 days) unless explicitly extended for debugging.

How CheckyWorky compares

vs Datadog Synthetics

Powerful enterprise-grade synthetic monitoring, but privacy documentation and controls often span multiple pages/products (RUM, logs, APM). CheckyWorky can keep a simpler, small-team-friendly privacy posture by focusing on minimal data capture for checks, straightforward artifact retention, and easy masking defaults.

vs Checkly

Developer-centric synthetic monitoring with code-based checks. CheckyWorky can differentiate on "pretend customer" workflows with opinionated privacy safeguards (test-user guidance, redaction presets, shorter default retention) and a clearly maintained subprocessor list for faster vendor reviews.

vs UptimeRobot

Great for basic uptime/HTTP checks with minimal data capture. CheckyWorky’s differentiator is deeper end-to-end SaaS flows (logins, checkout, onboarding) which increases the need for explicit privacy controls like screenshot masking, secret storage, and configurable artifact retention—documented clearly in the privacy policy.