Privacy & Security

Panelbear is committed to the highest standards of data protection and security

Designed for privacy

  • We do not sell personal data
  • We do not use tracking cookies, and do not track people across the Internet
  • We automatically strip out personal data from all analytics we collect
  • We delete analytics data older than 24-months
  • We store the analytics data within the EU (Germany)
  • We cannot trace the analytics data back to an individual
  • We're profitable and funded by charging a monthly subscription for our software

Data ownership

  • You retain full ownership over your data
  • You can use, export or delete your data as you see fit
  • You can close your account or delete your data anytime - no questions asked

GDPR compliance

  • We carefully assess every sub-processor including their privacy and security practices, as well as the laws of the countries they're subject to
  • We have a Data Processing Agreement in place with every sub-processor that helps us run our business
  • We continuously review our Personal Data Inventory and perform a Transfer Impact Assessment for every sub-processor we use
  • We do not sell or rent personal data about our customers or their end users


Data is always encrypted, both while on transit and at rest. In transit using strong, modern TLS. And at rest we use one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256). Additionally, all secret keys are automatically rotated on a regular basis.

Data location

We securely store all data within the European Union (Germany). Our data centers have world-class security standards and compliance certifications, and have strong technical, organizational and legal guarantees to protect the data we process with them.

Threat detection

We have automated vulnerability scanning, threat detection, and bot protection across our infrastructure. These systems automatically monitor audit logs and all activity in our cloud providers to notify us in case of unauthorised access or suspicious activity

Site reliability

Our systems continuously monitor for failures, and escalate to our team as needed to minimize downtime and prevent issues for our users. We commit to 99.9% uptime for customers with SLAs on their plan, but in practice achieve 99.995% uptime.

Application security

Our web application is designed and frequently tested with OWASP Top 10 in mind. This accounts for the most common types of attacks such as injection, broken authentication, XSS, CSRF, and several others.

Security best practices

We enforce two-factor authentication on all accounts with access to our infrastructure, and use hardware authentication whenever possible. All secrets are encrypted, and rotated regularly. All development equipment uses disk encryption.

Principle of Least Privilege

We follow the Principle of Least Privilege at all levels of our infrastructure:

  • Every API key has been given minimal permissions
  • Our IAM roles have permission boundaries to limit the impact of a security breach
  • Our authentication tokens have short expiry times
  • We limit the subset of the data each sub-processor is able to access

Have a security concern?

If you have found a vulnerability in Panelbear, please contact us by email at

We ask you to:

  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with accounts you own or with explicit permission of the account holder.