1. Who we are
PerfLabs (“we”, “us”, “our”) is a web performance monitoring service. Our registered contact email is privacy@updates.perflabs.dev.
2. Data we collect
- Account data: email address, name, and OAuth provider ID when you sign in via Google or GitHub.
- Configuration data: the URLs and monitor settings you create.
- Performance data: Lighthouse scores and Core Web Vitals fetched from Google PageSpeed Insights for the sites you monitor.
- Usage data: page visits and feature interactions, collected via PostHog analytics (see Section 5).
- Diagnostic data: error reports, stack traces, and anonymized session replays, collected via Sentry for debugging purposes (see Section 6).
- API keys: stored as SHA-256 hashes — we never store the raw key.
3. How we use your data
- To provide and operate the PerfLabs service.
- To send weekly performance digest emails (if you have enabled this).
- To detect performance regressions and send alert notifications.
- To improve the product through aggregated, anonymized usage analytics.
We do not sell your data to third parties.
4. Legal basis for processing (GDPR)
For users in the European Economic Area, we process your data on the following legal bases:
- Contract performance: processing necessary to provide the service you signed up for.
- Legitimate interests: improving product reliability, preventing fraud, and diagnosing errors and performance issues (including via Sentry error monitoring).
- Consent: for non-essential analytics cookies (PostHog), obtained via our cookie banner.
5. Analytics (PostHog)
We use PostHog for product analytics. PostHog may set cookies to identify your browser session across visits. We proxy PostHog requests through our own domain (/ingest/...) to reduce latency and improve reliability. PostHog data is processed in the United States under Standard Contractual Clauses.
You can opt out of analytics cookies at any time via the cookie consent banner or by emailing privacy@updates.perflabs.dev.
6. Error monitoring & session replay (Sentry)
We use Sentry (sentry.io) to capture errors, performance traces, and session replays. This helps us identify and fix bugs quickly and improve service reliability.
Session replay records anonymized UI interactions for approximately 1 in 5 sessions (and all sessions in which a JavaScript error occurs). All text inputs are fully masked — Sentry never sees what you type. No passwords, form fields, or sensitive content are captured.
Sentry data is processed in the United States by Functional Software, Inc. (Sentry) under Standard Contractual Clauses. We process this data under our legitimate interests in maintaining a reliable service (GDPR Art. 6(1)(f)). Session replays are retained by Sentry for 90 days.
To object to session replay processing, email privacy@updates.perflabs.dev and we will configure your account to be excluded.
7. Data retention
- Performance run data is retained while your account is active.
- Screenshot data is automatically deleted after 30 days.
- On account deletion, all your data is permanently erased within 30 days.
8. Your rights
You have the right to:
- Access the data we hold about you (export available in Settings → Account).
- Delete your account and all associated data (Settings → Account → Delete account).
- Rectification — correct inaccurate data by contacting us.
- Portability — download your data in JSON format from Settings.
- Object to processing based on legitimate interests.
To exercise any right, email privacy@updates.perflabs.dev. We will respond within 30 days.
9. Data security
We use industry-standard security measures including TLS in transit, encrypted database connections, and hashed API key storage. Access to production systems is restricted to authorized personnel.
10. Third-party services
- Google PageSpeed Insights: we send your monitored URLs to Google's API to retrieve performance data. Google's Privacy Policy applies.
- Resend: used to send transactional emails (digest, alerts). Your email address is shared only to deliver these messages.
- Vercel: our hosting provider. Infrastructure data (logs, IP addresses) is processed per Vercel's privacy policy.
- Sentry: error monitoring and session replay (see Section 6). Data processed in the US under Standard Contractual Clauses. Sentry Privacy Policy.
11. Changes to this policy
We may update this policy to reflect changes in our practices or legal requirements. We will notify you by email for material changes. Continued use of PerfLabs after changes constitutes acceptance.