Privacy Policy
Last Updated: July 13, 2026
Effective Date: July 13, 2026
1. Introduction
Welcome to Drumbeats ("we," "us," or "our"). We operate a global job monitoring service. We are committed to transparency and protecting the privacy of our users ("you").
Data Controller: Samed Kahyaoğlu (sole proprietor, trading as Lucky S Software), Türkiye. For data-related inquiries: support@drumbeats.io.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and monitoring services. By using Drumbeats, you acknowledge the practices described in this policy.
2. Information We Collect
A. Information You Provide
Registration: We collect your email address to send a verification code. This is necessary to validate your identity before account creation.
Onboarding: To complete your profile, we collect your first name, last name, and country. You may optionally provide company details.
B. Monitoring Data (Ping Payloads)
The Mechanic: When your jobs ping Drumbeats, they may send data payloads (headers, body).
Your Responsibility: You control what data your jobs send. We strongly advise against sending Personally Identifiable Information (PII) of your end-users in these payloads.
Storage: Payloads are stored in our secure database or object storage (for large logs).
C. Usage and Consumption Metrics
We track and record usage metrics including, but not limited to, the number of API requests (pings), monitors created, alerts triggered, and data volume consumed. This data is collected for the legitimate purpose of accurate billing, enforcing plan limits, and maintaining service quality. If you are on a plan with overage billing, these metrics are used to calculate your usage-based charges.
D. Technical Logs: We automatically log IP addresses and timestamps for security and abuse prevention.
3. How We Use Your Information
We use the information we collect to:
- Service Provision: Authenticating you and displaying your monitoring dashboard.
- Alerting: Sending notifications to your configured channels when your jobs fail.
- Billing: Calculating usage, generating invoices, and processing payments through our Merchant of Record (DodoPayments).
- Security: Detecting DDoS attacks and preventing abuse.
- Legal Compliance: Fulfilling obligations under tax laws and data protection regulations.
4. Payment Processing and Financial Data
Credit Card Data Isolation: We do NOT store, process, or have access to your credit card numbers, CVV codes, or any sensitive financial data on our servers. All payment transactions are handled entirely by our Merchant of Record, DodoPayments.
Data Shared with DodoPayments: To enable DodoPayments to process payments, issue legally compliant invoices, and calculate applicable taxes (VAT/GST/Sales Tax), we share the following information with DodoPayments:
- Your name and email address
- Your country/region (for tax calculation)
- Your subscription plan and usage/consumption metrics (for invoice generation)
DodoPayments operates as a third-party payment processor and is subject to its own privacy policy and PCI-DSS compliance requirements. By subscribing to a paid plan, you acknowledge and consent to this data transfer.
5. Data Retention
We adhere to a "Storage Limitation" principle:
Ping History: We retain your monitoring logs based on your plan's limit (e.g., "Last 100 Pings").
Maximum Retention Cap: Regardless of your plan limit, historical ping logs that are older than 12 months may be automatically deleted to prevent indefinite storage of stale data.
Account Deletion: If you delete your account, or if your account is terminated, all personal data and monitoring logs are deleted after a 30-day grace period, unless a longer retention is required by applicable law.
Financial Records Exception: Even after account deletion, invoicing and payment records processed through DodoPayments may be retained by DodoPayments for the period required by applicable tax and financial regulations (typically 5-10 years depending on jurisdiction). This retention is outside of our control and is governed by DodoPayments' own data retention policies and legal obligations.
6. International Data Transfers
Server Location: Our primary infrastructure is hosted with Netcup GmbH in Germany.
Payment Processing: Payment data is processed by DodoPayments, which may store and process data in the United States or other jurisdictions where they operate.
Legal Basis and Your Consent: Where applicable law (including KVKK Art. 9) requires your explicit consent for these transfers, we ask for that consent separately; it is not a condition of creating an account or accepting these documents, and you may withdraw it at any time by contacting support@drumbeats.io. Because the Service runs on infrastructure located abroad, withdrawing consent may make it impossible for us to continue providing the Service to you; in that case we will assist you with data export and account closure.
Possible Risks: The countries where your data is processed (Germany, the United States) are not covered by an adequacy decision of the Turkish Personal Data Protection Board. Data transferred to these countries is subject to the laws of those jurisdictions, including lawful government access regimes, and enforcing your data-protection rights there may be more difficult than in your own country.
Safeguards: Our providers are bound by data-processing agreements (including standard contractual clauses where offered), and we apply technical and organizational measures such as encryption in transit and access controls to protect cross-border data transfers.
7. Subprocessors
We share data only with the service providers necessary to operate the Service:
- Netcup GmbH (Germany): VPS Hosting and Database.
- Brevo (France): Delivery of transactional e-mail (alerts and verification codes).
- DodoPayments (United States, Merchant of Record): Payment processing, invoicing, and tax compliance.
- Umami Cloud (EU): Cookieless, privacy-friendly website analytics.
- Cloudflare, Inc. (United States): CDN, bot protection (Turnstile), and cookieless traffic insights.
- Google LLC (United States): Optional "Sign in with Google" authentication, only if you choose to use it.
8. Cookies & Local Storage
A. Essential Cookies
We use strictly necessary cookies to ensure the website functions properly. These include:
- Session Cookies: Required for authentication and maintaining your logged-in state.
B. Cookieless Analytics
We use Umami and Cloudflare Insights for website analytics. Both are cookieless: they set no cookies, store no identifiers on your device, and collect only aggregated, anonymized usage data. We do not use advertising or cross-site tracking technologies.
C. Local Storage
We use browser local storage to store your preferences such as theme settings and selected project. This data stays on your device and is not transmitted to our servers.
For more details, please see our Cookie Policy.
9. Your Rights
Under GDPR (Europe) and KVKK (Turkey), you have the right to:
- Access your data.
- Correct inaccurate data.
- Delete your account and data ("Right to be Forgotten").
- Withdraw consent for marketing or cross-border transfers (which may require closing your account).
- Data portability — request a copy of your data in a machine-readable format.
Financial Records Exception: Please note that exercising your right to deletion ("Right to be Forgotten") applies to data stored on Drumbeats systems. Invoicing and payment records held by DodoPayments are subject to mandatory financial record-keeping requirements under applicable tax laws, and may be retained by DodoPayments even after your account and data are deleted from our systems.
To exercise these rights, email us at: support@drumbeats.io.
10. Changes
We may update this policy. Material changes will be communicated via email or dashboard notification.
11. Contact
For any questions regarding this Privacy Policy, please contact us at: support@drumbeats.io