Skip to main content

Privacy Policy

v1.1.0

This Privacy Policy explains how ChangeSentry collects, uses, shares, and protects personal data when you visit our website, create an account, use the dashboard, configure monitors, receive alerts, contact support, or otherwise interact with the service. The legal operator is ParamountTD LLC, doing business as ChangeSentry. Formal notices should be sent to P.O Box 123, Phoenix AZ, 85001 and privacy requests may be sent to privacy@changesentry.com.

1. Who we are and when this policy applies

ChangeSentry provides website change monitoring, diff history, AI-assisted change summaries, and notification workflows. For account, billing, support, website visitor, and product analytics data, ChangeSentry generally acts as the controller or business. For monitored webpages, URLs, selectors, monitor intent, notification destinations, and change content that you choose to submit, you are responsible for making sure you have the right to monitor and process that content. Where applicable, ChangeSentry acts as your processor or service provider for customer-provided monitoring content.

2. Personal data we collect

  • Account and profile data: name, email address, authentication provider details, account status, login events, two-factor authentication status, profile settings, phone or avatar details if provided, policy acceptance status, and onboarding information.
  • Billing data: plan, subscription status, invoices, payment metadata, billing contact details, and payment processor identifiers. Full card numbers are handled by our payment processor, not stored by ChangeSentry.
  • Monitor and change data: URLs, labels, CSS selectors, check intervals, tags, monitor intent, notification preferences, page titles, timestamps, hashes, extracted text, before-and-after excerpts, diffs, snapshots where enabled, and change history needed to provide the service.
  • Notification data: email, in-app, Discord, Telegram, or other integration configuration, delivery logs, error states, and encrypted secrets where supported by the product configuration.
  • Support, contact, and legal request data: messages, attachments or screenshots you choose to send, ticket metadata, replies, security reports, privacy requests, and vendor-review materials.
  • Usage and device data: IP address, browser and device information, pages visited, referral data, product events, approximate location derived from IP, and cookie or consent preferences.

3. How we use personal data

  • Provide, secure, maintain, and improve ChangeSentry.
  • Create and manage accounts, sessions, subscriptions, invoices, and support requests.
  • Crawl monitored pages, detect changes, create diffs, store history, and send notifications.
  • Prevent abuse, enforce limits, troubleshoot failures, protect users, and maintain audit logs.
  • Analyze product usage and website performance, subject to cookie consent where required.
  • Send service messages, security notices, policy updates, product updates, and marketing communications where permitted.
  • Comply with legal, tax, accounting, security, dispute, and regulatory obligations.

4. GDPR and UK GDPR lawful bases

Where GDPR or UK GDPR applies, we rely on one or more lawful bases depending on the processing activity: contract to provide the service you requested; legitimate interests for security, fraud prevention, service improvement, and business communications that do not override your rights; consent for optional cookies, certain analytics, and marketing where required; and legal obligation for tax, accounting, sanctions, consumer protection, or compliance requests.

5. AI summaries and automated assistance

If AI summaries, classification, or filtering are enabled, relevant before-and-after change text, diff summaries, monitor label, URL, page title, customer-stated monitoring intent, and related metadata may be sent to an AI provider to classify or summarize the change. ChangeSentry currently supports provider paths that may include OpenRouter, Anthropic, and OpenAI depending on configuration. Do not monitor pages containing secrets, sensitive personal data, regulated data, or content you are not authorized to process. AI output is informational assistance and should be reviewed before you rely on it for important decisions. Provider retention, training, and opt-out terms should be confirmed against the applicable vendor terms before using AI features for regulated or sensitive workflows.

AI-assisted features produce automated outputs that inform your awareness of page changes. These outputs do not produce legal, financial, or other significant effects on individuals and are not subject to Article 22 GDPR automated decision-making rules. You remain responsible for reviewing AI output and taking your own decisions based on it.

6. Cookies and similar technologies

We use strictly necessary cookies and local storage for authentication, security, session continuity, consent preference storage, and core product operation. Optional analytics or performance tools, which may include PostHog, Google Analytics, and Hotjar when configured, are used only where permitted and, where required, after consent. See the Cookie Policy for categories, examples, and choices.

7. Sharing and subprocessors

We may share personal data with vendors that help us operate ChangeSentry, such as hosting providers, database and storage providers, authentication providers, payment processors, email and notification services, analytics tools, error monitoring, AI providers, and customer support tools. Examples include Supabase, Stripe, Upstash Redis, Resend, Pusher, IPinfo, Sentry, PostHog, Google Analytics, Hotjar, Discord, Telegram, OpenRouter, Anthropic, OpenAI, Vercel, and Railway where those services are configured. These vendors may process data only for authorized purposes and under appropriate contractual safeguards. See the Subprocessors and Vendors page for the current public inventory. We may also disclose data if required by law, to protect rights and safety, in connection with a corporate transaction, or with your direction or consent.

8. International transfers

ChangeSentry and its providers may process personal data in the United States and other countries. Where required, we use appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Addendum or equivalent terms, data processing terms, and technical and organizational measures designed to protect transferred data. Business customers that need a DPA may review the DPA overview and contact privacy@changesentry.com.

9. Retention

We keep personal data only as long as needed for the purposes described in this policy. Current retention categories include:

  • Account and authentication data: retained while your account is active and for a reasonable period after closure for security, fraud prevention, recovery, and legal reasons.
  • Billing and tax records: retained as required for payment, tax, accounting, chargeback, and audit obligations.
  • Monitor configuration and change history: retained according to plan limits, operational archive settings, and deletion workflows.
  • Notification channel data: retained while the channel is configured and for limited logs needed to troubleshoot delivery and abuse.
  • Support and legal requests: retained as needed to respond, maintain records, and defend or enforce rights.
  • Security, audit, analytics, and server logs: retained for security, product, troubleshooting, and compliance purposes before deletion or aggregation.
  • Backups: may persist for a limited period before rotation or deletion and may not be immediately removed from every backup copy.

Account deletion currently includes a 30-day recovery window. During deletion, ChangeSentry may anonymize selected account fields, pause or delete monitors, and retain records needed for billing, tax, security, legal, dispute, or abuse-prevention reasons.

10. Security

We use technical and organizational controls designed to protect personal data, including HTTPS in production, managed infrastructure, access controls, rate limits, crawler safeguards, two-factor authentication support, audit logging where applicable, and encryption at rest through managed providers. Production notification secrets should be encrypted at rest when the required secret configuration is present. No system is perfectly secure, and you should use strong passwords, enable 2FA, and avoid monitoring sensitive or unauthorized pages. See the Security page for responsible disclosure information.

11. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, export, restrict, object to, appeal or challenge a denial, use an authorized agent, or withdraw consent for certain processing of your personal data. You may also have the right to complain to a supervisory authority. You can manage some data in your dashboard and contact us for additional help. We may need to verify your identity, confirm account ownership, or request additional information before acting on a request. We aim to respond within legally required timeframes, such as 30 days for GDPR/UK GDPR requests and 45 days for many US state privacy requests, subject to permitted extensions and exceptions.

12. California and other US privacy rights

We do not sell personal data. We also do not knowingly share personal data for cross-context behavioral advertising as those terms are commonly used under California privacy law. If this changes, we will update this policy and provide required choices. California and other eligible US residents may request access, deletion, correction, portability, opt-out information, and information about categories of data collected, disclosed, or retained, subject to applicable exceptions.

In the last 12 months, the categories we may collect or disclose for business purposes include identifiers, commercial information, internet or electronic activity information, approximate geolocation, professional or account context you provide, inferences from product usage, and sensitive information only where you choose to submit it or where it is required for account security. Sources include you, your account activity, monitored pages you configure, integrations you enable, service providers, and device or network data. Purposes include operating the service, billing, support, security, analytics with consent where required, legal compliance, and communications.

13. Children

ChangeSentry is not directed to children under 13, and we do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us so we can review and delete it where appropriate.

14. Changes to this policy

We may update this policy as the product, law, vendors, or data practices change. Material updates may be announced in-product, by email, through the dashboard policy reacceptance flow, or through another reasonable notice. The date above shows when this policy was last updated.

15. Contact

For privacy questions or rights requests, email privacy@changesentry.com or use the contact page. For legal notices, email legal@changesentry.com and send formal notices to ParamountTD LLC, P.O Box 123, Phoenix AZ, 85001. Add your account email and the request type so we can route it correctly.