1. Who We Are
MetricsHub Systems Ltd. is a company registered in England and Wales (Company No. 14782391), with its registered office at 52 Gracechurch Street, London, EC3V 0EH, United Kingdom. We operate the MetricsHub API Gateway platform at dev-metrics-hub.net and related developer tools.
For UK GDPR purposes, MetricsHub Systems Ltd. is the data controller. For services provided to enterprise customers under a Data Processing Agreement, we may also act as a data processor.
Our Data Protection Officer can be contacted at: dpo@metricshub.io
2. Data We Collect
2.1 Account and Registration Data
When you register for a developer account, we collect:
- Full name and email address
- Company name and job title
- Password (stored as a salted bcrypt hash — never in plaintext)
- Billing address and payment method details (processed by Stripe; we store only the last 4 digits and card type)
- VAT / tax registration number (enterprise accounts)
2.2 API Usage and Technical Data
When you use the MetricsHub API, we automatically collect:
- API key identifier (not the secret key itself)
- Request timestamps, HTTP method, endpoint path, response status codes
- Source IP address (truncated to /24 subnet for aggregated analytics; full IP retained in security logs for 30 days)
- Request and response payload sizes (not content)
- SDK name and version from the
User-Agentheader - Ingest region and routing metadata
2.3 Log and Telemetry Data You Send
Data you submit to the ingest, metrics, or logs endpoints is processed and stored on your behalf. We treat this as customer data and access it only as necessary to provide the service (e.g., debugging a pipeline issue) or as required by law. See our Terms of Service §8 for data ownership provisions.
2.4 Support and Communication Data
- Email correspondence with our support team
- Feedback forms and feature requests
- Survey responses (optional)
2.5 Cookie and Browser Data
See Section 9 for a full breakdown of cookies we use.
3. How We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Service delivery — authenticate API requests, route traffic, enforce rate limits | Account data, API usage data | Contract |
| Billing — calculate usage charges, issue invoices, process payments | Account data, usage metrics | Contract |
| Security & fraud prevention — detect anomalies, investigate abuse | API logs, IP addresses | Legitimate interests |
| Service improvement — aggregate performance analytics, latency optimisation | Anonymised usage data | Legitimate interests |
| Support — respond to tickets and incidents | Account data, submitted logs | Contract / Legitimate interests |
| Marketing — product updates, feature announcements (opt-in) | Email address | Consent |
| Legal compliance — respond to lawful requests, tax obligations | Account & billing data | Legal obligation |
4. Legal Basis for Processing
We process personal data only where we have a valid legal basis under UK/EU GDPR Article 6:
- Contractual necessity (Art. 6(1)(b)): Processing required to provide the service you have signed up for.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud detection, aggregate analytics. We have conducted Legitimate Interests Assessments (LIAs) for each such purpose, balancing our interests against your rights.
- Legal obligation (Art. 6(1)(c)): Tax records, responding to lawful government requests.
- Consent (Art. 6(1)(a)): Marketing emails and non-essential cookies. You may withdraw consent at any time with no effect on your account.
5. Data Sharing and Sub-processors
We do not sell personal data. We share data only with trusted sub-processors under contractual data processing agreements:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, object storage, CDN | EU (Frankfurt), US (N. Virginia) |
| Stripe, Inc. | Payment processing | United States |
| Postmark (ActiveCampaign) | Transactional email delivery | United States |
| PagerDuty | On-call alerting (operations team only) | United States |
| Cloudflare, Inc. | DDoS protection, DNS | Global |
We may also disclose data when required by law, court order, or to protect the rights and safety of MetricsHub, our customers, or the public.
6. Retention Periods
| Data category | Retention period |
|---|---|
| Account profile data | Duration of account + 30 days after closure |
| API access logs (full IP) | 30 days (security), then anonymised |
| Aggregated usage metrics | 24 months |
| Customer-submitted telemetry data | Per your plan (default 90 days); configurable |
| Billing records & invoices | 7 years (UK tax law requirement) |
| Support correspondence | 3 years from ticket closure |
| Marketing consent records | Until consent withdrawn + 3 years |
7. International Data Transfers
Some of our sub-processors (e.g., Stripe, Postmark) are based in the United States. Where we transfer personal data outside the UK or EEA, we rely on:
- UK International Data Transfer Agreements (IDTAs) with US processors
- EU Standard Contractual Clauses (SCCs) where applicable
- Adequacy decisions for transfers to countries recognised as providing adequate protection
Copies of our transfer mechanisms are available on request at privacy@metricshub.io.
8. Your Rights
Under UK GDPR and EU GDPR, you have the following rights. To exercise any of them, contact privacy@metricshub.io. We respond within 30 days (extensions possible for complex requests).
- Access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
- Rectification (Art. 16): Correct inaccurate or incomplete data.
- Erasure / "Right to be Forgotten" (Art. 17): Request deletion, subject to legal retention obligations.
- Restriction (Art. 18): Restrict processing while a dispute is resolved.
- Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON/CSV).
- Objection (Art. 21): Object to processing based on legitimate interests or for direct marketing (absolute right).
- Withdraw consent: At any time, for consent-based processing (marketing, non-essential cookies).
- Complain to a supervisory authority: You have the right to lodge a complaint with the ICO (UK) or your local data protection authority (EU).
9. Cookies and Tracking Technologies
We use cookies and similar technologies on our website and developer portal. You can manage your preferences at any time via the cookie banner or by clearing your browser storage.
| Category | Examples | Purpose | Duration |
|---|---|---|---|
| Essential | mh_session, mh_csrf |
Session authentication, CSRF protection, security | Session / 1 hour |
| Functional | mh_prefs, mh_region |
Remember language, dashboard layout, preferred region | 1 year |
| Analytics | mh_anon |
Aggregate page views and feature usage (no cross-site tracking; self-hosted) | 90 days |
| Marketing | (none by default) | Used only if you opt in; product announcement relevance | 6 months |
We do not use third-party advertising trackers. Our analytics are self-hosted and do not share data with ad networks.
10. Security
We implement industry-standard technical and organisational measures including: TLS 1.3 for all data in transit, AES-256 encryption at rest, bcrypt password hashing, SOC 2 Type II-aligned access controls, and quarterly penetration testing by an independent firm. See our Security page for details.
11. Children's Data
The MetricsHub platform is intended solely for use by businesses and developers aged 18 or over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact privacy@metricshub.io and we will delete it promptly.
12. Policy Changes
We may update this policy from time to time. Material changes will be notified by email to registered account holders at least 30 days before taking effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the service after the effective date constitutes acceptance of the revised policy.
Previous versions of this policy are available on request.
13. Contact Us
For privacy enquiries, data subject requests, or to request a copy of our DPA:
- Email: privacy@metricshub.io
- Post: Data Protection Officer, MetricsHub Systems Ltd., 52 Gracechurch Street, London, EC3V 0EH, United Kingdom
- Response time: Within 5 business days for general enquiries; 30 days for formal data subject requests