How PingReports handles your personal data under the EU General Data Protection Regulation (GDPR).
Last updated: 14 May 2026
The data controller responsible for the processing described below is:
Enrico Kern
Südstraße 26, 01877 Demitz-Thumitz, Germany
E-mail: info@pingreports.com
Phone: +49 (0) 152 26814501
German-speaking data subjects are welcome to correspond with us in German. Full operator details are on our legal notice.
Under Art. 37 GDPR we are not required to designate a Data Protection Officer: we are a small enterprise, we do not process special categories of personal data (Art. 9 GDPR) on a large scale, and our core activities do not consist of regular and systematic monitoring of data subjects on a large scale. Privacy enquiries are handled directly by the controller named in section 1. You may reach us at any time by e-mail or post.
We process personal data only on the legal bases listed in the table below. Where the legal basis is “contract” (Art. 6 (1) (b) GDPR), providing the data is required to operate your account; if you do not provide it, we cannot deliver the service. Where the basis is “legitimate interest” (Art. 6 (1) (f)), we have weighed our interest against yours and explain the purpose for each row.
| Category | What | Purpose & legal basis | Retention |
|---|---|---|---|
| Account | E-mail address, optional first and last name, optional company name, password (stored as a salted modern cryptographic hash; never in plaintext), sign-up IP address and user-agent string, timezone, account-creation timestamp. | Performance of contract (Art. 6 (1) (b)) — operating a multi-tenant service account. | Until you delete your account. Sign-up IP and user-agent are kept up to 12 months for abuse prevention. |
| Authentication & session | Session cookies and related security tokens, login timestamp, last-seen IP address, second-factor secret when 2FA is enabled. Sensitive credentials are protected by modern cryptography. | Performance of contract and legitimate interest (Art. 6 (1) (b) and (f)) — protecting your account from unauthorised access. | Session: 1 hour, or 30 days if you select “remember me”. Revocation entries: until the underlying token would have expired. |
| Workspace configuration | Monitors, channels, alert policies, scheduled reports, tags, comments — i.e. the configuration you create inside the application. | Performance of contract (Art. 6 (1) (b)). | For the lifetime of your workspace; deletable at any time from within the application. |
| Probe results | Outcomes of the synthetic checks you configure: success or failure, latency, error code, response phase timings, traceroute hop information. We do not store HTTP response bodies. | Performance of contract (Art. 6 (1) (b)). | Default 90 days; configurable on paid plans. |
| Agent metrics | Host inventory and metrics you opt in to by installing our agent: CPU, memory, disk, network, processes, containers, virtual machines. We do not read filesystem contents and do not read Kubernetes secrets. | Performance of contract (Art. 6 (1) (b)). | 30 days at raw resolution; longer at aggregated resolution. |
| Audit log | Records of operator actions performed in support of your account (e.g. account assistance or configuration changes carried out at your request), the operator's identity, the affected resource, IP address and timestamp. | Legitimate interest (Art. 6 (1) (f)) and legal obligation (Art. 6 (1) (c)) — traceability and security. | 365 days. |
| Billing (paid plans) | Billing name and address, invoices, payment-processor transaction identifiers. We do not store payment card numbers. | Performance of contract (Art. 6 (1) (b)) and legal obligation (Art. 6 (1) (c)) — commercial and tax-law retention. | Up to 10 years (§ 147 AO, German Fiscal Code). |
| Support correspondence | E-mails you send us, in-app support tickets you raise, and our replies. | Legitimate interest (Art. 6 (1) (f)) — providing support. | 24 months after last contact. |
We use only first-party cookies that are strictly necessary to operate the service: a session cookie that keeps you logged in, and a related security cookie that protects against cross-site request forgery. Both are flagged HttpOnly where appropriate, Secure (HTTPS-only) and SameSite=Lax, and expire with your session (1 hour, or 30 days if you select “remember me”).
No consent banner is required for these under § 25 (2) TDDDG (formerly TTDSG) and the ePrivacy Directive, because they are technically necessary to provide the service you actively requested by logging in.
We do not use Google Analytics, Hotjar, Meta Pixel, LinkedIn Insight Tag, ad-network beacons or any other third-party tracking. The marketing site currently loads the Inter typeface from a Google CDN; we are migrating to a self-hosted version to remove the remaining third-party handshake.
We engage the following sub-processors to deliver the service. Each is bound by a Data Processing Agreement under Art. 28 GDPR:
| Processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Edge proxy, DDoS protection and TLS termination for PingReports' public endpoints. Cloudflare sees request metadata (IP address, user-agent, path) in transit; application payloads are not retained beyond standard log retention. | United States, with EU edge nodes | Cloudflare Data Processing Addendum + EU Standard Contractual Clauses (Module 2) |
| Amazon Web Services EMEA SARL (Amazon SES) | Outbound transactional e-mail (verification, password reset, alert notifications, scheduled reports). | Frankfurt, eu-central-1 | Intra-EU processing — no transfer to a third country |
| Deutsche Telekom AG | Internet up- and downstream connectivity for our bare-metal back-end and front-end infrastructure. We own and operate the servers themselves; Deutsche Telekom provides network transit only. | Germany | Intra-EU processing |
| Probe-host providers outside the EU | Operating synthetic-check probes in cities listed on our Features page (e.g. New York, Tokyo, Sydney, Hong Kong, São Paulo, Dubai). Probe hosts only process synthetic-check metadata; they never receive your account credentials or workspace data. | Various non-EU countries | EU Standard Contractual Clauses (Module 2) where no adequacy decision applies |
We never sell or rent personal data to third parties, and we do not transfer it to recipients outside the categories listed above except where we are legally compelled (for example by a court order or a law-enforcement request that meets the strict requirements of German and EU law).
Where we transfer personal data outside the European Union or European Economic Area, we rely on either (a) a European Commission adequacy decision where one applies, or (b) the EU Standard Contractual Clauses combined with additional technical and organisational measures — including encryption in transit, encryption at rest, and minimising the personal data made available at the relevant location. Before engaging a non-EU processor we conduct a transfer impact assessment in line with the European Data Protection Board's Recommendations 01/2020.
We do not subject you to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects (Art. 22 GDPR). Alerting and incident detection are technical functions of the service, not legally significant decisions about you.
You have the right to:
The supervisory authority competent for the controller named in section 1 is:
Die Sächsische Datenschutz- und Transparenzbeauftragte
Devrientstraße 5, 01067 Dresden, Germany
Website: www.saechsdsb.de
You may, however, lodge a complaint with the supervisory authority of your habitual residence or place of work.
To exercise any of these rights, write to info@pingreports.com. We respond without undue delay and in any case within one month, extendable by a further two months for complex requests (Art. 12 (3) GDPR). Where a request is manifestly unfounded or excessive we may, in accordance with Art. 12 (5), charge a reasonable fee or refuse to act, and will explain our reasoning in writing.
We implement technical and organisational measures appropriate to the risk to protect your personal data, in line with Art. 32 GDPR. These include encryption of data in transit and at rest, secure handling of authentication credentials, multi-factor authentication for administrative access, the principle of least privilege, segregated production environments, regular software updates, and audit logging of operator actions. For security reasons we do not publish the specific algorithms, parameters, infrastructure layout or tooling we rely on. Specific compliance or security questions are answered on a case-by-case basis at the address above.
PingReports is intended for adults working in a professional context. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have, we will delete it without undue delay. Parents or guardians who believe a minor has registered may contact us at the address in section 1.
We will post any material changes to this policy on this page. For changes that materially affect how we process your personal data, we will additionally notify active workspace owners by e-mail at least 14 days before they take effect. The version date at the top of this document tells you when the policy was last revised.
For any privacy question please write to info@pingreports.com or to the postal address in section 1. For our operator details and § 5 TMG information, see our legal notice.