Privacy Policy
Last updated: April 11, 2026
This Privacy Policy explains how Glassmkr ("we", "us", "our") collects, uses, and protects personal data when you use forge.glassmkr.com (Forge), bench.glassmkr.com (Bench), the Crucible monitoring agent, and related services. This policy is written in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Czech Act No. 110/2019 Sb. on Personal Data Processing.
1. Who We Are (Controller)
The data controller responsible for your personal data is:
- Name: Simon Rybisar (IČO 03700585)
- Address: Korunni 1963/119, Praha, 130 00, Czech Republic
- Email: [email protected]
We are not required to appoint a Data Protection Officer under Article 37 of the GDPR. Our core activity is infrastructure monitoring, which does not constitute large-scale monitoring of individuals, nor do we process special categories of personal data on a large scale.
2. What Data We Collect
Account data. When you create a Forge account, we collect your email address, a hashed password (bcrypt), and, if you use OAuth login, an OAuth provider identifier. We never store your password in plain text.
Server monitoring data. When you install Crucible and connect it to Forge, the agent sends periodic health snapshots. This data includes:
- CPU metrics: aggregate utilization, per-core utilization, load averages
- Memory metrics: RAM usage, swap usage, allocation breakdowns
- Disk metrics: space usage per mount point, inode usage, mount options, I/O rates, latency
- Storage health: SMART attributes, NVMe wear indicators
- IPMI/BMC data: sensor readings (temperatures, fan speeds, voltages), System Event Log entries, ECC error counts, PSU status
- Network metrics: interface traffic, error counts, link speed, connection states
- RAID status: array health, component drives, rebuild progress
- Security posture: firewall status, open ports, failed login attempts, unattended upgrades status
- System information: hostname, OS, kernel version, uptime
This data describes your server hardware and operating system. It does not include file contents, application data, database contents, user data stored on your servers, network traffic payloads, or any data processed by applications running on your servers.
Billing data. If you subscribe to a paid plan, payment is processed by Stripe. We store only your Stripe customer ID and subscription status. We do not store credit card numbers, CVVs, or full card details. Stripe's own privacy policy governs their handling of your payment information: stripe.com/privacy.
Notification channel data. If you configure alert channels, we store the configuration you provide: Telegram chat IDs, email addresses, or Slack webhook URLs. These are used solely to deliver alerts you have configured.
Technical logs. We log API requests (endpoint, timestamp, response status, IP address) for security monitoring and incident response. We do not log request bodies beyond what is necessary for the service to function.
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing the monitoring service (dashboards, data storage, API access) | Art. 6(1)(b) GDPR: performance of a contract |
| Processing payments and managing subscriptions | Art. 6(1)(b) GDPR: performance of a contract |
| Evaluating alert rules and sending notifications | Art. 6(1)(b) GDPR: performance of a contract |
| AI-powered health analysis (Pro plan) | Art. 6(1)(b) GDPR: performance of a contract |
| Security monitoring, incident detection, and abuse prevention | Art. 6(1)(f) GDPR: legitimate interest in maintaining service security |
| Retaining invoices and billing records for Czech tax obligations | Art. 6(1)(c) GDPR: compliance with a legal obligation |
AI processing. For Pro customers, health snapshots may be analysed by a self-hosted Gemma 4 model running on our own infrastructure in Amsterdam. This processing happens entirely on our servers. No data is sent to third-party AI providers (OpenAI, Google, Anthropic, or others).
We do not sell your data. We do not use your data for advertising. We do not share your server data with other customers.
4. Subprocessors and Third Parties
| Subprocessor | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Stripe | Payment processing | United States | EU-US DPF + SCCs |
| Cloudflare | DNS, CDN, DDoS protection | United States | EU-US DPF + SCCs |
| Telegram | Alert delivery (if configured by you) | Various | User-initiated transfer |
| Slack | Alert delivery (if configured by you) | United States | EU-US DPF + SCCs |
Telegram and Slack only receive data when you actively configure them as notification channels. We do not sell data to any third party. We do not use any analytics, tracking, or advertising services.
5. International Data Transfers
All primary data (account data, monitoring snapshots, AI analysis results) is stored on dedicated servers in Amsterdam, Netherlands, within the European Union.
Certain subprocessors are based in the United States. These transfers are covered by the European Commission's adequacy decision for the EU-US Data Privacy Framework (DPF), adopted on 10 July 2023. As an additional safeguard, we maintain Standard Contractual Clauses (SCCs) with each US-based subprocessor.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Monitoring snapshots (Free plan) | 7 days |
| Monitoring snapshots (Pro plan) | 90 days |
| Alert history | 1 year |
| AI analysis reports | Duration of your account |
| Account data | Duration of your account + 30 days after deletion |
| Billing records | 10 years (Czech legal requirement, Act No. 563/1991 Sb.) |
| Security logs | 12 months |
Retention periods are enforced automatically. When you delete a server from Forge, all associated snapshots, alerts, and analyses are permanently deleted. When you delete your account, all your data is permanently deleted after the 30-day grace period, except billing records retained under legal obligation.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy.
- Right to rectification (Art. 16): correct inaccurate personal data we hold about you.
- Right to erasure (Art. 17): request deletion of your personal data when it is no longer necessary for its original purpose.
- Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests. For security logs processed under Art. 6(1)(f), you may object at any time.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days. You may also export your data at any time via the Forge API or dashboard.
Supervisory authority. You have the right to lodge a complaint with the Czech Data Protection Authority:
- Name: Urad pro ochranu osobnich udaju (UOOU)
- Address: Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
- Email: [email protected]
- Website: uoou.cz
8. Cookies
| Cookie Name | Purpose | Type | Duration |
|---|---|---|---|
| guardian_token | Authentication (maintains your login session) | Strictly necessary / functional | Session |
This cookie is HttpOnly, Secure, and SameSite=Lax. It is scoped to the domain .glassmkr.com. We do not use analytics cookies, tracking cookies, or advertising cookies. We do not use Google Analytics or similar tracking services.
Under the ePrivacy Directive (2002/58/EC, Art. 5(3)), strictly necessary cookies do not require user consent. Because our only cookie is essential for authentication, no cookie consent banner is required.
9. Children
Glassmkr is a server monitoring service intended for system administrators and IT professionals. Our services are not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will delete that data promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates when the policy was last revised.
For material changes that affect how we process your data or reduce your rights, we will notify you by email at the address associated with your Forge account at least 14 days before the changes take effect.
11. Contact and Complaints
For any privacy-related questions, requests, or complaints, contact us at:
- Controller: Simon Rybisar, IČO 03700585
- Address: Korunni 1963/119, Praha, 130 00, Czech Republic
- Email: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the Czech supervisory authority, the Urad pro ochranu osobnich udaju (UOOU), at Pplk. Sochora 27, 170 00 Praha 7, Czech Republic; email: [email protected]; website: uoou.cz.