Privacy Policy

1. Information We Collect

We collect information that you provide directly to us, information that is generated automatically when you use the Service, and information from third-party sources. The categories of information we collect include: account registration data (name, email address, company name, billing address), payment information (processed and stored by our payment processor; we store only a tokenised card reference and last four digits), and any communications you send us.

When you use the Service, we automatically collect usage data including: IP addresses of API requests, API endpoint paths and parameters, HTTP response codes and latency metrics, browser type and version for web sessions, and referring URLs. This data is used exclusively for operating and improving the Service and is not linked to individual user profiles beyond what is necessary for billing and abuse prevention.

We do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, health data, or biometric identifiers. If you believe we have inadvertently collected such data, please contact our Data Protection Officer (DPO) at [email protected] immediately.

2. How We Use Your Data

We use the information we collect to provide, operate, and maintain the Service; to process your subscription payments and send billing-related communications; to respond to your support requests; to send product updates, security notices, and promotional communications (you may opt out of marketing emails at any time); and to monitor for abuse, fraud, and violations of our Terms of Service.

Our legal basis for processing your personal data under the GDPR is primarily the performance of a contract (providing the Service you have subscribed to), our legitimate interests (security monitoring, fraud prevention, product improvement), and, where required, your explicit consent (marketing communications). We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

We do not sell your personal data to third parties. We do not use your data to train AI models or for advertising targeting outside of the Service. Aggregate, anonymised usage statistics may be used internally for business analytics and product development.

3. Data Storage & Security

Your data is stored on servers located in the European Union (Frankfurt, Germany) and the United States (Northern Virginia). Transfers of personal data from the EEA to our US infrastructure are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission. We maintain a current Data Processing Agreement (DPA) with all sub-processors that handle EU personal data.

We implement appropriate technical and organisational security measures to protect your personal data against accidental loss, unauthorised disclosure, or unlawful processing. These measures include: AES-256 encryption at rest for all stored data, TLS 1.2 or higher encryption in transit, access controls and role-based permissions for internal systems, regular third-party penetration testing, and a formal incident response plan. Passwords are hashed using bcrypt with a minimum cost factor of 12.

Despite our security measures, no system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with applicable law.

4. Sharing & Third Parties

We share your personal data only with the following categories of third parties, and only to the extent necessary: (a) payment processors (Stripe, Inc.) to handle subscription billing; (b) cloud infrastructure providers (AWS) to host the Service; (c) transactional email providers to send account and billing notifications; and (d) analytics providers, using anonymised or pseudonymised data only. A full list of our sub-processors is available on request.

We may disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of HostInfo, our users, or the public. We will notify you of such requests where legally permitted to do so.

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

5. Cookies

We use cookies and similar tracking technologies on our website. Strictly necessary cookies are required for the Service to function (session management, CSRF protection, authentication state) and cannot be disabled. These cookies do not require your consent under applicable law.

We use functional cookies to remember your preferences, such as your selected dark or light theme. We use analytics cookies (anonymised) to understand how visitors navigate the website so we can improve it. We do not use third-party advertising cookies or behavioural tracking pixels. You may manage your cookie preferences through your browser settings, though disabling certain cookies may affect Service functionality.

Our API does not use cookies. API authentication is performed exclusively via API key tokens passed in HTTP headers. If you use our JavaScript SDK or embed widgets, those components may set session-scoped cookies documented in the relevant SDK documentation.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR and applicable national data protection laws. We will respond to all verified requests within 30 days (or within the timeframe required by applicable law).

• Right of access — You may request a copy of the personal data we hold about you, along with information about how it is processed.
• Right to rectification — You may request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to erasure — You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you have withdrawn consent and no other legal basis applies.
• Right to data portability — You may request a copy of your personal data in a structured, commonly used, machine-readable format, and the right to transmit that data to another controller.
• Right to object — You may object to processing based on our legitimate interests, including for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

To exercise any of these rights, contact our DPO at [email protected]. You also have the right to lodge a complaint with your local supervisory authority. For EEA residents, our lead supervisory authority is the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), given our primary EU data processing location in Frankfurt.

7. Data Retention

We retain your account data for as long as your account remains active and for a period thereafter as required by law or legitimate business needs. Upon account deletion, we will delete or anonymise your personal data within 90 days, except where retention is required by applicable law (for example, financial records which we are required to retain for seven years under accounting regulations).

API access logs are retained for 90 days for security and abuse-prevention purposes, after which they are automatically deleted or aggregated into anonymised statistical records. Server-level access logs containing IP addresses are retained for no longer than 30 days. Anonymised, aggregated usage statistics may be retained indefinitely for product analytics.

Backup copies of data may persist for up to 35 days in encrypted offline storage after live deletion, after which they are overwritten or destroyed. If you submit a data erasure request, we will confirm in our response whether any backup copies remain and the expected timeline for their deletion.

8. Contact & DPO

HostInfo has appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with GDPR and applicable data protection laws. Our DPO can be reached at the contact details below and is based at our EU data processing office in Frankfurt, Germany.

For general privacy questions or to exercise your data rights, email us at [email protected]. We will acknowledge your request within 72 hours and provide a substantive response within 30 days. For urgent security-related concerns, include "URGENT" in the subject line.