Privacy Policy
How we collect, use, and protect your data.
Last updated: March 5, 2026
1 Introduction
onduty.sh ("we," "us," or "our") operates an incident management and on-call alerting platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use the Service.
2 Information We Collect
2.1 Account Information
When you register for an account, we collect your name, email address, and password. If you are invited by an organization, we also collect your role and team membership information.
2.2 Contact Information
To deliver incident alerts, we collect contact details you provide, including phone numbers, email addresses, and push notification tokens. These are used solely for the purpose of delivering on-call notifications and alerts.
2.3 Incident & Operational Data
We collect and store incident data, alert histories, escalation records, on-call schedules, service configurations, and integration settings that you create or manage through the Service.
2.4 Usage & Log Data
We automatically collect information about how you interact with the Service, including IP addresses, browser type, device information, pages visited, and timestamps. This data helps us maintain and improve the Service.
2.5 Integration Data
When you connect third-party monitoring tools (e.g., Datadog, CloudWatch, Sentry) via webhooks, we receive and process alert payloads from those services. We only store the data necessary to create and manage incidents.
3 How We Use Your Information
We use the information we collect to:
- • Provide, operate, and maintain the Service, including delivering real-time incident alerts via phone calls, SMS, email, and push notifications.
- • Manage on-call schedules, escalation policies, and team assignments.
- • Process and route incoming alerts from your integrated monitoring tools.
- • Communicate with you about your account, service updates, and support requests.
- • Monitor and analyze usage trends to improve the Service's reliability and performance.
- • Enforce our terms of service and protect against fraudulent or unauthorized use.
4 Third-Party Services
We use trusted third-party service providers to deliver core functionality. These providers only receive the minimum data necessary to perform their function:
4.1 Communication Providers
We use Twilio (or similar providers) to deliver phone call and SMS alerts. When an incident triggers an alert, your phone number and a brief alert message are transmitted to the provider. These providers are bound by their own privacy policies and data processing agreements.
4.2 Push Notification Services
We use Firebase Cloud Messaging (FCM) to send push notifications to your mobile device. Your device token is shared with Google's FCM service solely for notification delivery.
4.3 Email Delivery
We use third-party email services to send alert notifications and transactional emails. Your email address and alert content are shared with these providers for delivery purposes only.
4.4 Hosting & Infrastructure
Our Service is hosted on cloud infrastructure providers. All data is stored on servers with industry-standard security measures in place.
5 Data Retention
We retain your personal information for as long as your account is active or as needed to provide you the Service. Incident data, timelines, and alert histories are retained according to your organization's subscription plan.
Upon account deletion or at the request of your organization's administrator, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain certain information.
6 Data Security
We implement industry-standard security measures to protect your data, including:
- ✓ Encryption of data in transit (TLS/SSL) and at rest.
- ✓ Secure password hashing using bcrypt.
- ✓ Role-based access controls within organizations.
- ✓ Regular security audits and monitoring.
While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7 Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- • Access — Request a copy of the personal data we hold about you.
- • Correction — Request correction of inaccurate or incomplete data.
- • Deletion — Request deletion of your personal data, subject to legal obligations.
- • Portability — Request your data in a structured, machine-readable format.
- • Objection — Object to processing of your personal data for certain purposes.
To exercise any of these rights, please contact us at the email address provided below.
8 Cookies & Tracking
We use essential cookies to maintain your session and authenticate you when you log in. These cookies are strictly necessary for the Service to function and cannot be disabled.
We may use analytics cookies to understand how users interact with the Service. You can opt out of non-essential cookies through your browser settings.
9 Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.
10 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date.
Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
11 Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
onduty.sh
Email: privacy@onduty.sh