Loading review card…
Loading review card…
Loading review card…
HostingProf is run by a single founder. We keep what we collect small, we tell you why, and we let you take it away. This policy explains the data we touch when you visit the site or run a tool, the third-party processors that touch it on our behalf, and your rights under GDPR and CCPA.
We collect three categories of data, in order of how much there is:
We collect the minimum data needed to (a) keep the site fast and online, (b) prevent abuse of the free tools, (c) provide bookmarks and saved reports to logged-in users, and (d) understand what content is useful so we can write more of it. We do not sell or rent data, we do not run an ad network, and we do not buy data from third parties to enrich your profile.
The processors below act on our behalf under written Data Processing Agreements. Each is engaged only for the purpose listed, and each is independently certified for the regulatory regimes that apply to its category.
Postgres database, authentication, and file storage. Supabase processes account data (email, hashed session tokens, bookmarks) and tool-execution logs. Hosted on AWS in our chosen region. See the Supabase DPA at https://supabase.com/legal/dpa.
Hosting, edge functions, and CDN. Vercel terminates TLS, runs our serverless functions, and serves the site. Vercel Analytics is enabled (no cookies, no per-visitor identifiers) for traffic counting. See the Vercel DPA at https://vercel.com/legal/dpa.
Rate-limit counters and short-lived tool-result cache. Upstash stores irreversibly hashed IP addresses and rate-limit windows (typically expiring within 60 seconds). No user-identifying data is written to Upstash.
Transactional email (magic-link login) and the newsletter Audience. Resend processes your email address only when you sign in or subscribe. We never send marketing email without an explicit opt-in.
Product analytics — funnels and replays of the tool flows so we can fix bugs and improve UX. PostHog is consent-gated for visitors in the EU, EEA, UK, Switzerland, Norway, and Iceland (detected at the edge from the Vercel country header). Outside those regions PostHog runs by default; you can opt out via the cookie banner.
Error tracking and performance monitoring. Sentry receives JavaScript exceptions and server-side error traces, with PII scrubbed at capture time. Sentry never receives the content of forms you submit.
DNS for the hostingprof.com domain (and, in the future, a Web Application Firewall layer for the tool endpoints). Cloudflare sees DNS queries to our domain; it does not see your session content because TLS terminates at Vercel.
Whether you are in the EU, the UK, California, or elsewhere, you can ask us to show you what we have, hand it over in a portable form, or delete it. Two regulatory regimes cover the bulk of these requests:
To exercise any of these rights, email privacy@hostingprof.com from the address tied to your account. We verify identity by reply-to before fulfilling the request.
Tool execution logs (hashed IP + tool slug + timestamp) are retained for 90 days for abuse detection, then purged by a daily cron job. Account data is retained for as long as the account is active; on account deletion, every record is purged within 30 days. Aggregate analytics (page-view counts with no per-visitor identifier) are retained indefinitely. Magic-link tokens expire within 10 minutes of issue and are deleted on consumption.
Privacy questions, GDPR/CCPA rights requests, or anything else covered by this policy — email privacy@hostingprof.com. For general support unrelated to privacy, the contact form at /about reaches the same inbox.