LEGAL
Privacy Policy
Last updated: April 15, 2026
This Privacy Policy describes how NightOwl ("we", "us") handles personal information when you use the NightOwl dashboard and marketing website. Our core principle is simple: your application telemetry lives in your own PostgreSQL database, not ours.
1. What we collect
Account information. Name, email address, and password (hashed) when you register.
Connected app configuration. Database connection details you provide so the dashboard can query your PostgreSQL. Database passwords are stored encrypted at rest.
Billing metadata. Subscription status, plan, and payment events received from our payment processor, Polar. We do not store your full card number or bank details — Polar handles all payment data.
Product analytics. PostHog collects usage events (page views, feature interactions, approximate location derived from IP, browser and device information) on the marketing site and dashboard to help us improve the product. A pseudonymous identifier is stored in your browser so we can understand how users navigate across a session. See Section 5 for how this is gated by region and consent.
Operational logs. Standard server logs (IP address, user agent, timestamp, request path) for security and debugging, retained on a rolling basis.
2. What we do not collect
NightOwl does not store your Laravel application telemetry — requests, exceptions, queries, jobs, logs, user records, or any data the agent captures. All of that is written directly from the agent to the PostgreSQL database you control. The dashboard reads it live and does not keep a copy.
3. How we use information
- Provide, operate, and secure the service;
- Process subscriptions and send billing-related notices;
- Send transactional emails (trial expiry, alerts you configure, security notices);
- Diagnose issues and improve product quality;
- Comply with legal obligations.
We do not sell personal information. We do not use your data to train machine-learning models.
4. Subprocessors
We share the minimum data required with a short list of third-party providers (billing, analytics, hosting). The current list, including what each one processes and where, is maintained at /subprocessors.
5. Cookies and analytics
Strictly necessary cookies. The dashboard sets authentication cookies (Sanctum session, CSRF token). These are required for you to sign in and do not need consent.
Analytics on the marketing site. We use PostHog for product analytics. We apply a region-based approach:
- Visitors from the EU, EEA, United Kingdom, or Switzerland. A consent banner is shown on your first visit. No analytics script, cookies, or identifiers load until you click "Accept". If you click "Decline" or ignore the banner, nothing is captured. Your choice is remembered in your browser's local storage.
- Visitors from other regions. PostHog analytics is enabled on page load under our legitimate interest in understanding site usage, with no consent banner displayed. You can opt out at any time (see below).
Region is detected at the edge via a lightweight lookup (Cloudflare trace endpoint) that returns only a two-letter country code; we do not log this lookup.
Do Not Track. If your browser sends a Do Not Track signal, we never load PostHog, regardless of your region.
How to opt out or change your mind. You can disable analytics for this site at any time by one of the following:
- Enable Do Not Track in your browser;
- Open browser devtools on this site, go to Application → Local Storage → usenightowl.com, and set nightowl-analytics-consent to declined;
- Or clear site data for usenightowl.com in your browser to reset all stored preferences.
If you would like us to delete analytics data already collected, email legal@usenightowl.com and we will process the deletion through PostHog.
6. Retention
Account and billing records are kept for as long as your account is active and for a reasonable period afterward to meet legal and accounting obligations. Operational logs are retained on a short rolling window. You can delete your account at any time; we will remove associated personal data except where retention is legally required.
7. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict processing. To exercise these rights, email legal@usenightowl.com.
8. Security
We use TLS in transit, encrypt sensitive credentials at rest, and follow common application-security practices. No system is perfectly secure, so we cannot guarantee absolute security. If you discover a vulnerability, please report it to legal@usenightowl.com.
9. International transfers
Our dashboard, API, and marketing site are hosted in the United States (Hetzner, Ashburn, VA). If you access the service from outside the United States, your account and operational data will be transferred to and processed in the US. For visitors in the EU/UK, we rely on Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework for these transfers. Your application telemetry is never transferred by us because it remains in the PostgreSQL database you control (BYOD).
10. Children
NightOwl is not directed at children under 16 and we do not knowingly collect personal information from them.
11. Changes
We may update this Policy. Material changes will be announced by email or in-app notice. The "Last updated" date above reflects the latest revision.
12. Contact
For privacy questions or requests: legal@usenightowl.com.