🔒 TLS Probe

Privacy Policy

Last updated: 2026-05-14

This Privacy Policy describes how BitHaven ("we", "us", "our") collects, uses, and shares information when you use TLS Probe (the "Service") at https://tlsprobe.com.

This document is provided for transparency. It is not legal advice.

1. Who we are

If you are in the EEA or UK, BitHaven is the data controller for personal data processed through the Service.

2. Information we collect

2.1 Account data

When you register, we collect:

  • Email address
  • Password (stored hashed, never in plaintext)
  • Display name (optional)
  • Email verification status

When you create or join an Organization:

  • Organization name
  • Your role in the Organization (admin or member)
  • Invitations you send or receive (recipient email, role, token, expiry)

2.2 Endpoint and certificate data

For each endpoint you ask us to monitor:

  • Hostname and port
  • TLS certificate metadata returned by the server (subject, issuer, SAN list, validity dates, signature algorithm, key size)
  • Probe history (timestamps, success/failure, error messages)

We do not retrieve, store, or inspect content served by your endpoint beyond the TLS handshake.

2.3 Notification configuration

If you enable a notification channel, we store the credentials needed to deliver alerts:

  • Slack, Microsoft Teams, generic webhook URLs
  • Telegram bot token and chat id
  • Email recipients (derived from verified Organization members)

These credentials are stored to deliver alerts on your behalf and are not shared with third parties.

2.4 Billing data

Paid plans use Stripe as a payment processor. We store:

  • Stripe customer id and subscription id
  • Subscription status, current period end, cancellation flag
  • Plan tier (free, starter, pro)

We do not store full card numbers, CVV, bank details, billing address, or VAT id. Payment instruments, billing address, and tax id are collected and stored by Stripe under its own Privacy Policy: https://stripe.com/privacy.

We push your primary admin email up to Stripe so its receipts, dunning, and payment-action-required emails reach a real person.

2.5 Operational data

  • IP address and user agent for security and abuse prevention
  • Session identifier (cookie) and "remember me" token (7-day)
  • CSRF tokens
  • Server logs (request path, status code, latency)

3. How we use information

We use collected information to:

  • Provide the Service (run probes, deliver alerts, render dashboards)
  • Authenticate you and protect your account
  • Enforce plan limits and process payments
  • Send transactional email (verification, invitations, alerts, password reset)
  • Send Stripe-originated billing email (receipts, dunning, payment-action-required, trial-ending). Stripe is the sender; you can manage these in your Stripe customer portal.
  • Diagnose failures and improve reliability
  • Comply with legal obligations (tax, accounting, lawful requests)

We do not sell personal data. We do not use your endpoint or certificate data to train machine-learning models.

4. Legal bases (GDPR / UK GDPR)

If you are in the EEA or UK, we rely on the following legal bases under Article 6 GDPR:

  • Contract (Art. 6(1)(b)): account, organization, endpoint, billing, and notification data. We need this to deliver what you signed up for.
  • Legitimate interests (Art. 6(1)(f)): security logs, abuse prevention, service diagnostics. We balance these against your rights.
  • Legal obligation (Art. 6(1)(c)): tax and accounting records, response to lawful requests.
  • Consent (Art. 6(1)(a)): only where explicitly requested (e.g. optional marketing email, if offered).

5. Sharing

We share personal data only with:

  • Stripe (payments, Ireland / United States), subject to Stripe's DPA and Standard Contractual Clauses.
  • Railway (hosting and database, United States), subject to Railway's DPA.
  • Our transactional email provider, used to deliver verification, invitation, alert, and password-reset email.
  • Notification endpoints you configure (Slack, Teams, Telegram, your own webhook). You control these and they receive alert payloads about your endpoints.
  • Authorities, when compelled by valid legal process.

We do not share data with advertisers or data brokers.

6. International transfers

The Service is hosted on Railway (United States). If you access from the EEA or UK, your data is transferred outside your region. We rely on Standard Contractual Clauses with sub-processors. A copy of the relevant SCCs can be requested at [email protected].

7. Retention

  • Account, organization, endpoint, and notification configuration: retained while your account is active.
  • Probe history: retained while the endpoint exists, then deleted within 30 days of endpoint removal.
  • Billing records: retained for the period required by applicable tax and accounting law (typically 7 to 10 years).
  • Server logs: retained up to 90 days.
  • Closed accounts: personal data is deleted or anonymised within 90 days of closure, excluding records we must keep for legal reasons.

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data
  • Restrict or object to certain processing
  • Data portability (receive your data in a machine-readable format)
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with your local data protection authority

To exercise these rights, email [email protected]. We respond within 30 days.

EEA/UK supervisory authorities: edpb.europa.eu.

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising.

9. Cookies

We use strictly necessary cookies only:

  • Session cookie (PHPSESSID or equivalent)
  • "Remember me" cookie (7-day)
  • CSRF cookie

We do not use analytics, advertising, or third-party tracking cookies. If this changes we will update this policy and ask for consent where required.

10. Security

  • Passwords hashed with a modern algorithm (bcrypt/argon2).
  • TLS in transit between you and the Service.
  • Database access scoped to the application; backups encrypted at rest by the hosting provider.
  • Stripe handles all payment instruments under PCI DSS Level 1.
  • Organization-scoped authorization on every request, enforced via voters.

No system is perfectly secure. Report suspected vulnerabilities to [email protected].

11. Children

The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.

12. Changes

We may update this policy. Material changes will be announced by email or in-app notice at least 14 days before taking effect. The "Last updated" date at the top reflects the current version.

13. Contact

Questions, requests, or complaints:

BitHaven, the Netherlands
[email protected]
