CronFu

Privacy Policy

Version 1.0 — March 24, 2026

1. Overview

CronFu ("we", "us", "our") collects the minimum data necessary to run our cron job monitoring service. We do not sell your data, serve advertising, or share information with third parties beyond what is needed to deliver the service.

2. Data Controller

CronFu is operated from the State of Florida, United States. For the purposes of the EU General Data Protection Regulation (GDPR), CronFu acts as the data controller for the personal data described in this policy. You can reach us at privacy@cronfu.dev.

3. Data We Collect

Account Information

When you create an account, we collect your email address and display name. If you sign in with Google or Apple, we receive your email address, display name, and profile photo URL from the identity provider. We do not receive or store your Google or Apple password.

If you enable two-factor authentication or register a passkey, we store the credentials in encrypted form. Private keys never leave your device.

Telemetry Data (Pings)

Each ping sent to CronFu may include: monitor key, state (run, complete, fail), timestamp, host identifier, duration, exit code, series ID, environment tag, and custom tags. This data is used to track job execution and trigger alerts.

Log Excerpts

When using POST pings or the cronfu exec wrapper, job output is captured and stored up to your plan's log size limit. Logs are stored encrypted in Cloudflare R2 and are only accessible to members of your account.

Agent Data

If you install the CronFu agent, it reports crontab entries (verbatim), systemd timer listings, system hostname, operating system, architecture, and periodic heartbeat data. The agent connects over an authenticated WebSocket with HMAC-signed commands.

Usage Analytics

We use PostHog for product analytics. On the marketing site, PostHog uses persistent anonymous identifiers to measure page views and conversion funnels. On the dashboard, analytics events are only linked to your identity after you log in; anonymous visitors to the app are not tracked. We do not use third-party advertising trackers.

Payment Data

All payment processing is handled by Stripe. We store only your subscription state, plan tier, and billing period. We never have access to your full card number or bank account details.

Notification Channels

When you connect notification channels (Slack, Discord, PagerDuty, Microsoft Teams), we store the credentials needed to deliver alerts.

4. How We Use Your Data

We process your data on the following legal bases:

  • Contract performance — Processing your pings, running alerts, and delivering the monitoring service you signed up for.
  • Legitimate interest — Product analytics, security monitoring, fraud prevention, and service improvement.
  • Consent — Marketing emails, if you opt in. You can withdraw consent at any time.
  • Legal obligation — Responding to valid legal requests and maintaining tax and billing records.

5. Data Retention

Retention periods vary by plan. After the retention period, data is permanently deleted. Account data is retained until you request deletion.

PlanRun DataLog SearchFull Logs (R2)
Free7 days7 days7 days
Starter30 days14 days30 days
Pro90 days30 days90 days
Pro+90 days60 days90 days
Team12 months90 days12 months

6. Third-Party Services

We use the following services to operate CronFu:

ServicePurposeData Shared
StripePayment processingBilling info, email
ResendTransactional emailEmail address, alert content
PostHogProduct analyticsAnonymized usage events
Cloudflare R2Log storageEncrypted log excerpts
Cloudflare PagesMarketing site hostingRequest metadata
Upstash RedisCache, rate limitingAccount IDs, rate counters
Fly.ioApplication hostingRequest metadata
Timescale CloudDatabase hostingAll application data

7. International Data Transfers

CronFu is based in the United States. Your data is processed and stored using services located in the United States, including Fly.io (Virginia), Timescale Cloud (US East), Cloudflare R2, and Upstash Redis.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the United States. We rely on Standard Contractual Clauses (SCCs) where applicable and our sub-processors' compliance with applicable data protection frameworks.

8. Your Rights

All Users

Regardless of where you are located, you can:

  • Access your data through the dashboard or a data export.
  • Correct inaccurate data by editing your profile or monitor settings.
  • Delete your data by requesting account deletion.
  • Export your data in a machine-readable format.

EEA Residents (GDPR)

If you are in the European Economic Area, you also have the right to:

  • Restrict how we process your data.
  • Object to processing based on our legitimate interest.
  • Receive your data in a portable, machine-readable format.
  • Lodge a complaint with your local data protection authority.

California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you.
  • Request deletion of your personal information.
  • Opt out of the sale of your personal information. Note: we do not sell personal information.
  • Not be discriminated against for exercising your rights.

To exercise any of these rights, contact us at privacy@cronfu.dev. We will respond within 30 days (or sooner where required by law).

9. Data Export

You can request a full export of your data from Settings > Account > Export My Data. The export includes your monitors, run history, alerts, notification lists, and account information, packaged as a downloadable ZIP archive.

10. Data Deletion

To delete your account and all associated data, contact us at privacy@cronfu.dev. Upon receiving your request, all associated data (monitors, runs, logs, API keys, agent registrations) will be permanently removed within 30 days. This includes data stored by our sub-processors (Cloudflare R2, Upstash Redis, PostHog). This action is irreversible.

11. Cookies

CronFu uses a minimal set of cookies:

Marketing Site

  • PostHog cookie — First-party only. Stores a persistent anonymous identifier for page view analytics and A/B testing.

Dashboard

  • Session cookie — httpOnly, Secure, SameSite=Lax, 7-day expiry. Used for authentication.
  • PostHog cookie — First-party only. Linked to your identity only after you log in.

We do not use advertising cookies, cross-site tracking cookies, or third-party tracking pixels.

12. Children's Privacy

CronFu is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at privacy@cronfu.dev and we will promptly delete it.

13. Security

We take the following measures to protect your data:

  • All connections use TLS encryption in transit.
  • Strict data isolation between accounts is enforced at the database level.
  • API keys and passwords are hashed before storage; plaintext values are never persisted.
  • Agent commands are cryptographically signed and transmitted over authenticated encrypted connections.
  • Log excerpts are automatically scanned for secrets and redacted before storage.
  • Sensitive credentials (notification tokens, integration secrets) are encrypted at rest.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The version number and effective date at the top of this page will be updated with each revision.

15. Contact

For privacy-related questions or requests, contact us at privacy@cronfu.dev.