Legal

Privacy Policy

This policy describes how IoTMan collects, uses, and protects personal data, and what cookies we set when you use the service.

Last updated: April 2026

Who we are

IoTMan is a managed IoT data service operated in the European Union. The service is provided by the operator of iotman.io. All data is stored on EU-based infrastructure. For questions or requests regarding your data, contact us at iotman@iotman.io.

What personal data we collect

We collect and process the following personal data:

  • Email address — required for passwordless authentication. Used to send sign-in codes and to identify your account. Not shared with third parties.
  • Sensor data — payloads submitted to your workspace endpoints are stored on your behalf. You control what data is submitted. You can export or delete it at any time.
  • Session information — timestamps of sign-in events and token issuance, retained for security purposes.

We do not collect analytics, advertising, or tracking data. We do not sell or share personal data with third parties.

Cookies

IoTMan uses only strictly necessary cookies. These cookies are required for the service to function and cannot be disabled. No consent banner is required under the ePrivacy Directive for strictly necessary cookies, but we disclose them fully here.

All cookies are set on the iotman.io domain and carry the HttpOnly attribute (not accessible to JavaScript) and the Secure attribute (sent over HTTPS only).

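Cookie         | Purpose                                                                                            | Expires    | Required
---------------|----------------------------------------------------------------------------------------------------|------------|---------
session_cookie | Authenticates your management dashboard session after sign-in.                                     | 30 days    | Yes
oauth_session  | Identifies you during the OAuth2 consent step when authorising a third-party application.          | 30 days    | Yes
_oauth_return  | Stores OAuth2 parameters while you are redirected to the login page during an authorisation flow.  | 10 minutes | Yes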

No analytics, advertising, or third-party cookies are set by IoTMan.

Legal basis for processing

We process personal data under Art. 6(1)(b) GDPR — processing is necessary for the performance of a contract. Your email address and session data are required to provide the service you have signed up for. Sensor data is stored on your behalf as an explicit part of the service.

Data retention

  • Session cookies expire as shown in the table above.
  • Account data (email address, session records) is retained until you request deletion.
  • Sensor data retention depends on your plan (30 days for Free; configurable for Enterprise).

Your rights

Under GDPR you have the right to access, correct, export, or delete your personal data. To exercise any of these rights, contact us at iotman@iotman.io. We will respond within 30 days.

Third-party processors

IoTMan does not use third-party analytics or advertising processors. Infrastructure is hosted on EU-based servers. Workspace owners who use IoTMan OAuth2 to authenticate their own end-users are acting as independent data controllers for those users' data and are responsible for their own privacy disclosures.