Privacy Policy
Last updated: 11 May 2026
This Privacy Policy describes how OT4J handles personal data in connection with the OT4J performance-monitoring service.
1. Data controller
INDIVIDUAL STARTUP s.r.o., ID No. 08949671, with registered office at Rybná 716/24, Staré Město, 110 00 Prague, Czech Republic, is the controller of personal data processed under this Policy. We have not appointed a Data Protection Officer (we are below the GDPR threshold), but privacy questions go to info@ot4j.com.
2. What we collect
2.1 Account data
When you sign up: your work email, full name (if provided), the company name, hashed password, and the verification status of your email. We use this to operate the account, authenticate you, and send transactional emails (verification, billing, security).
2.2 Billing data
When you start a paid plan: the legal name of the billing entity, billing address, tax/VAT identifiers, billing email, and metadata about each invoice. Payment card details are never stored on our servers — they are tokenised by our payment processor.
2.3 Telemetry from the agent (Customer Data)
The OT4J agent attached to your JVM sends us:
- HTTP request metadata (method, path, status code, duration, response size);
- SQL query templates (with placeholders, not parameter values, unless you opt in);
- Outbound HTTP call metadata (target host, status, duration);
- JVM samples (CPU usage, heap, GC counts) and per-thread stack samples from hot paths;
- Service and environment names you configure on the agent.
The agent does not send request bodies, response bodies, query parameters or SQL parameter values by default. These are opt-in flags you toggle in the agent configuration.
2.4 Server logs
Our servers keep operational logs (IP addresses, user agents, timestamps, paths) for security and abuse-detection purposes. Logs older than 30 days are deleted.
2.5 Cookies
The dashboard sets a single session cookie (HTTP-only, Secure, SameSite=Lax) to keep you signed in. The marketing site uses no tracking cookies. On the marketing site only, we use Google Analytics with IP anonymisation to understand traffic patterns; you can opt out via standard browser controls and the GA opt-out add-on.
3. Why we process it (legal basis)
| Purpose | Categories | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Account, billing, telemetry | Art. 6(1)(b) — contract |
| Process payments & tax compliance | Billing, invoices | Art. 6(1)(c) — legal obligation |
| Security & abuse prevention | Server logs, telemetry | Art. 6(1)(f) — legitimate interests |
| Service announcements (transactional) | Account email | Art. 6(1)(b) — contract |
| Product marketing email | Account email | Art. 6(1)(f) — legitimate interests; opt-out at any time |
4. How long we keep it
- Account data — for the duration of the account, plus 5 years after closure to handle disputes and statutory claims.
- Invoices & accounting records — 10 years, as required by Czech accounting law.
- Telemetry on Cloud tariff — 24 hours rolling. Older telemetry is automatically deleted by our retention policy.
- Telemetry on Enterprise tariff — as agreed in the Enterprise contract (typically 30 days, configurable).
- Server logs — 30 days.
5. Who we share it with (sub-processors)
We share personal data only with the following sub-processors, each bound by a written data-processing agreement:
- Stripe Payments Europe Ltd. (Ireland) — payment processing. Card data is captured directly by Stripe and tokenised; we never see it. Stripe's privacy policy: stripe.com/privacy.
- Zoho Corporation (EU data centre) — transactional and marketing email delivery.
- Hetzner Online GmbH (Germany) — infrastructure hosting (servers, databases, object storage). All compute and storage is in Germany.
- Google LLC (United States) — Google Analytics on the marketing site only (with IP anonymisation). Data is transferred to the United States under Standard Contractual Clauses.
We do not sell personal data and we do not share it with third parties for their marketing purposes.
6. International transfers
All Customer Data is stored within the European Union. The Stripe and Google relationships involve transfers of metadata to entities outside the EU; we rely on Standard Contractual Clauses (Commission Decision 2021/914) and the EU–U.S. Data Privacy Framework where applicable.
7. Your rights
Under the GDPR you have the right to:
- Access your personal data and obtain a copy;
- Have inaccurate data corrected;
- Have your data erased ("right to be forgotten") subject to our legal retention obligations;
- Restrict or object to processing;
- Receive your data in a portable format;
- Withdraw consent where consent is the legal basis (does not affect prior lawful processing);
- Lodge a complaint with a supervisory authority — for Czech residents, the Úřad pro ochranu osobních údajů (uoou.cz).
To exercise any of these rights, email info@ot4j.com. We respond within one month.
8. Security
Data is transmitted over TLS 1.2+, stored encrypted at rest, and protected by access controls. Passwords are hashed with bcrypt. Agent ingest tokens are randomly generated, scoped per company, and revocable from the dashboard. We log security-relevant events and review them regularly. No system is perfectly secure; if a breach affecting your data occurs we will notify you without undue delay as required by Article 33 of the GDPR.
9. Children
The Service is intended for business users. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes
We may update this Policy as our practices evolve. Material changes will be communicated by email to the billing contact and posted here with an updated "Last updated" date.
11. Contact
Privacy enquiries: info@ot4j.com
Postal: INDIVIDUAL STARTUP s.r.o., Rybná 716/24, 110 00 Prague, Czech Republic