Privacy, Security and GDPR FAQ’s

Yes, please read our Privacy Policy to help you understand the nitty gritty of our compliance. All users need to read and acknowledge this Privacy Policy to use our service.

Yes, we were compliant in all technical aspects to the best of our knowledge before GDPR came into effect in 2018. Fortunately, we’ve always gone out of our way to only collect information that we need to make our products work. Our business model isn’t built on invading your privacy. We apply these privacy rules worldwide, not just in the EU, to all customers because we believe it is the right thing to do.

We added additional documentation – and the requirement to agree to our policies to use the service – to help educate customers and potential customers about our data retention policies and privacy practices.

If you are part of our direct service (, then we collect your email address (for your account “user name”) and billing information (to be processed and kept at Stripe, we do not have access to your credit card information).

If you are part of our service from Heroku, then we collect your “app_name” and “owner_email” address from Heroku.

If you are part of our IBM or AppDirect service, then we collect the “creator_email” address.

When you contact us via Support, we collect your email address and IP address to verify the authenticity of the requester. Obviously, any details you send us about your account is stored in the Support software and can be deleted upon request.

First of all, our proxy is just that, a proxy. It sends data on behalf of another endpoint. To ensure proper security, you should be using an end to end encryption technology, which means that our proxy servers would only have access to the encrypted packets. HTTPS, TLS, or the like should be employed where necessary.


For HTTP or SOCKS outbound proxies, we store just enough details about the request to provide you the logs you see in the dashboard and for billing purposes (request limits). We store the time of each request, the account (username), the source (IP), the destination (URL or IP), and the status code for the request.


For inbound proxies, we store the time of the request, the account (username), the source (IP), the destination (generally a URL), the HTTP status code, the HTTP request type (GET, POST), and the number of bytes in the request.

We store the above data for what you see in the QuotaGuard dashboard for one month. After that we move it to long term storage, for a full year. No log information should be kept beyond that one year date and we are unable to retrieve any data past that one year time frame.

This is an easy one, in a word, “nothing”. We don’t rent, sell or otherwise give you data to anyone that absolutely does not need it to process the service we provide. Plain and Simple. You won’t see anyone else advertise to you on our site or because of your relationship with us.

No, we do not see or save your data in your requests.


Please keep in mind that you should secure your data in transit because other malicious third party actors may try and view your data or steal it. We very highly recommend always using HTTPS, TLS, or similar for your requests.

We store your email and proxy credentials unencrypted. Direct login passwords are encrypted.

Simple, send us an email at and we’ll verify your identity (we don’t want your competitors tricking us into deleting your account now, do we?) and either port or delete your data as requested.

We mark all of your data as “removed” in our database and it will be deleted within 30 days. Your payment information and transactions (if relevant) is kept at Stripe for tax and reporting purposes.

No, we only collect the minimum amount of data from you to run the service for you, improve it over time, and service our customers successfully. That means we don’t collect any additional or unnecessary private data other than the information listed above.

Specifically, we do not store or log request or response bodies.

We store a small amount of metadata about requests – the account (username), the source (IP), the destination (generally a URL), the HTTP status code, the HTTP request type (GET, POST), and the number of bytes in the request. We use this data to provide logs to you, and this data is deleted after one year. This data is only identifiable to you (the data controller) and not to any of your end users.

Finally, we store no PII about your users – the only user data we store is about you, the data controller, and it is minimal – if you are using QuotaGuard via Heroku, for example, it is just the Heroku app name and the contact email address provided by the Heroku API.

Many companies seem to blanket the “third party” aspect of their business, but we wanted to share with you exactly who we use to provide our service so you can better understand the limit of our data sharing.

Some of these providers are used to allow us to run our service and have no access to customer data, others require a minimum amount of data to know what services are needed.

Third Party Customers Type of Data Shared Link to Third Party policies
Stripe Payment Processing Only Direct Customers [ LINK ]
Quaderno Invoice Generation Only Direct Customers [ LINK ]
Freshdesk Support team software Only for customers that write our support [ LINK ]
Baremetrics Financial and Retention Metrics (via Stripe integration) Only Direct Customers [ LINK ]
GSuite (Google) Company email All Customers [ LINK ]
Google Analytics Website analytics Only customers that view [ LINK ]
Google Search in AdWords Business Advertisement Only users that opt-in for Advertising via, then Search for QuotaGuard services, and then click on one of our advertisements [ LINK ]
OLark Online Chat Support Only customers that view [ LINK ]
AWS (Amazon Web Services) Proxy Support, RDS, EC2, ELB, and S3 All Customers [ LINK ]
Mongo / Compose Cloud based data storage All Customers [ LINK ]
GitHub Software Repository No Customer Data [ LINK ]
Softlayer Proxy and Cloud Infrastructure Only IBM Customers [ LINK ]
Heroku Repository Hosting and Rails app All Customers [ LINK ]
Cloudflare DNS Servies All Customers [ LINK ] Logging All Customers [ LINK ]
Redis Labs Usage Metrics All Customers [ LINK ]

Each request goes through a proxy on Amazon Web Services ELB (with no logging) and goes to AWS Server (with logging) then to the remote server dictated by your request. We store metadata of the packet, which includes the account (username), the source (IP), the destination (URL or IP), and the status code for the request.

We are a global company serving customers around the world and our infrastructure reflects that mission. As a reflection of this mission, a majority of our services are outside the EU.

Even if you choose a EU-based proxy, there is a chance that your data may leave the EU in order for us to adequately provide our service to you and your clients.

Additionally, we obviously have no control over whether a company or customer chooses to send data via our proxies outside the EU.

If you are using our service via a Heroku Addon, Heroku only “assists with the provisioning and billing of the add-ons“. They do not make any contractual representations for third-party add-ons as they do not manage them (for example, QuotaGuard) directly, therefore “we (Heroku) direct customers to work with third-party add-on providers to negotiate any contractual terms (including GDPR)”.

If you need a Data Processing Agreement with QuotaGuard as a Heroku user, please email us at Support.

Of course! Just email us at Support and we can get the process started for your company.

Yes, apart from the URL will only have a hostname not the actual URL.

Got a different question, send us an email at Support!

We use cookies to understand how you use our site and to improve your experience. This includes personalizing content and advertising. To learn more, click here.
By continuing to use our site, you accept our use of cookies, revised Privacy Policy and Terms of Use. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.