Privacy Policy
Effective Date: March 20, 2026 · Last Updated: March 20, 2026
Company: Net Partner 011 AB, Stockholm, Sweden · info@np011.se
1. Introduction
Net Partner 011 AB (“we”, “us”, or “our”) operates the Tiny Owl observability platform, available at tiny-owl-kit.io (the “Service”). This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights as a user.
By using the Service, you agree to the collection and use of information as described in this policy.
2. Who We Are
Tiny Owl is a Software-as-a-Service (SaaS) observability platform that enables development teams to log, monitor, and analyse application events in real time.
3. Information We Collect
3.1 Account & Organisation Data
When you register, we collect:
- Email address — used for authentication, billing notifications, and support
- Name (optional) — displayed in the dashboard
- Organisation name — used to scope your workspace
- Password — stored as a bcrypt hash; never stored in plaintext
3.2 Event Data (Submitted by You)
When you use the Tiny Owl SDK or REST API to ingest events, we store:
- Event message — the log message you send
- Severity level —
info,warning, orerror - Context metadata — key/value pairs you choose to include (e.g. user IDs, trace IDs, environment names)
- Timestamp — when the event was received
- Project association — which of your projects the event belongs to
3.3 Usage & Technical Data
- IP address — for security, rate limiting, and audit logging
- Browser/device user agent — for compatibility and security purposes
- Authentication tokens — stored as HTTP-only cookies; not accessible via JavaScript
- API key usage — which API keys are used, when, and from which IP addresses
3.4 Billing Data
For paid plans, billing is handled by Stripe. We do not store your credit card details. We receive from Stripe: subscription status, billing cycle and plan tier, invoice history, and payment success/failure notifications. Stripe’s privacy policy applies to payment processing: stripe.com/privacy.
3.5 Audit Log Data
The Service maintains a comprehensive audit log of all administrative and account actions, including login/logout events, project changes, API key operations, and role changes. Audit log entries include the acting user’s ID, role, IP address, user agent, timestamp, and the before/after state of changed resources.
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Provide and operate the Service | Contract performance |
| Send billing invoices and payment reminders | Contract performance |
| Send usage alerts | Legitimate interest / Contract performance |
| Detect and prevent fraud or abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Improve the Service | Legitimate interest |
| Respond to support requests | Legitimate interest / Contract performance |
We do not sell your personal data to third parties. We do not use your event data for advertising or training AI/ML models without your explicit consent.
5. Data Retention
| Plan | Event & log data retained |
|---|---|
| Free (Observe) | 7 days |
| Starter (Insight) | 30 days |
| Pro (Command) | 90 days |
| Enterprise | Custom (up to unlimited) |
6. How We Protect Your Data
| Layer | Measure |
|---|---|
| Authentication | JWT stored in HTTP-only cookies — not accessible via JavaScript (XSS protection) |
| Event ingestion security | HMAC-SHA256 request signing with timestamp and nonce-based replay protection |
| Encryption at rest | Project secrets encrypted with AES-256-GCM, PBKDF2 key derivation (100,000 iterations, SHA-512) |
| Encryption in transit | All traffic over TLS (HTTPS) |
| Access control | Role-based access control (RBAC) — team members, team admins, org owners |
| Audit logging | All sensitive actions logged with IP, user agent, and change history |
| Rate limiting | Applied to all API endpoints |
| Secret exposure | Project secrets displayed only once at creation; cannot be retrieved afterwards |
7. Data Sharing & Third Parties
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, subscription data |
| AWS | Cloud infrastructure / hosting | All data (processed on our behalf) |
| MongoDB Atlas | Database hosting | All data (processed on our behalf) |
8. Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| tiny_owl_session | HTTP-only | Stores JWT authentication token — no JavaScript access | Session / configurable |
| tiny_owl_csrf | Secure | CSRF protection token | Session |
9. Your Rights
Depending on your location, you may have the following rights:
- Access — Request a copy of the personal data we hold about you
- Rectification — Correct inaccurate or incomplete data
- Erasure — Request deletion of your personal data
- Portability — Receive your data in a machine-readable format
- Restriction — Request that we restrict processing of your data
- Objection — Object to processing based on legitimate interests
- Withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at info@np011.se. We will respond within 30 days.
10. International Data Transfers
Our servers are primarily located in us-east-1 (AWS). If you access the Service from outside this region, your data may be transferred internationally. We ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses for EU/EEA transfers).
11. Children’s Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@np011.se and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date, send an email notification to all registered account owners, and show an in-app notification banner. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.
13. Contact
If you have questions, concerns, or requests regarding this Privacy Policy:
Tiny Owl is a product of Net Partner 011 AB. All rights reserved.