This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website, create an account, purchase Services, or communicate with us. It also clarifies the roles and responsibilities where we process personal data in Customer Content as a hosting provider.
This policy applies alongside the Terms of Service, the Data Processing Addendum (DPA), and the Cookie Policy. Capitalized terms not defined here have the meanings given in the Terms of Service.
We act as a "controller" (UK GDPR / EU GDPR) or "business" (CCPA/CPRA) for personal data we collect and use to operate our business, including account registration data, billing and payment data, support communications, security logs, and marketing preferences. This Privacy Policy applies to that processing.
For personal data contained in Customer Content hosted on the Services (for example, your website database containing end‑user records), we typically act as a "processor" (UK GDPR / EU GDPR) or "service provider" (CCPA/CPRA) on behalf of the Customer. In this context, the Customer determines what data is collected and the purposes of processing. Our processing is limited to providing the hosting infrastructure and support and complying with legal obligations. The Data Processing Addendum (DPA) governs this processing.
This policy applies to individuals who visit our website, create an Account, purchase or use our Services, or communicate with us. It does not apply to data that we process solely as a processor on behalf of Customers — for that, please refer to the relevant Customer's privacy policy.
| Purpose | Examples | Legal basis (GDPR) |
|---|---|---|
| Service delivery | Create and manage Accounts, provision Services, authenticate users, provide customer support | Contract |
| Billing and accounting | Process payments via our payment processor(s), issue invoices, handle taxes, maintain financial records | Contract; Legal obligation |
| Security and abuse prevention | Protect the platform, investigate incidents, prevent fraud, enforce Terms/AUP, maintain audit logs | Legitimate interests; Legal obligation |
| Identity verification (KYC) | Verify identity and business details where required by law, payment processors, or risk assessment | Legal obligation; Legitimate interests |
| Communications | Send service notices, invoices, renewal reminders, policy updates, respond to requests | Contract; Legitimate interests |
| Product improvement | Analyse usage and reliability trends, improve performance and user experience | Legitimate interests |
| Marketing (optional) | Send product updates, offers, or newsletters. You may opt out at any time | Consent (where required); Legitimate interests (existing customers, soft opt‑in where permitted) |
Where we rely on "legitimate interests", we have assessed that our interests do not override your fundamental rights and freedoms. You may request information about our balancing assessments by contacting us.
We share personal data only as needed for the purposes above:
We do not sell your personal data. Where you consent to marketing cookies on our website or client portal (such as Facebook Pixel, Google Ads conversion tracking, and Bing UET), data about your visit may be transmitted to these advertising platforms, which may constitute "sharing" of personal information for cross‑context behavioural advertising under certain U.S. state privacy laws. This sharing occurs only with your consent and can be stopped at any time by declining marketing cookies through our cookie consent tool or by enabling a Global Privacy Control (GPC) signal in your browser. See our Cookie Policy for details.
We use third‑party payment processors to handle all payment transactions. Currently, our primary payment processor is Mollie B.V., registered in the Netherlands. When you make a payment, your payment details (such as card number, bank account, or other payment method data) are transmitted directly to the payment processor and are not stored on our servers.
Our payment processor(s) may collect and process data in accordance with their own privacy policies. We receive only the information necessary to confirm a transaction (such as transaction ID, payment status, last four digits of a card, and billing address for fraud checks).
We may add or change payment processors in the future to expand payment options or improve service. If we do, we will update this policy and, where required, the subprocessor list in the DPA. Current and future payment processors may include Mollie, Stripe, GoCardless, Cryptomus, or similar providers.
All actions you perform in the client portal are automatically recorded in an audit log. This includes (by way of example): account login and logout events; changes to account settings, contact details, or payment methods; orders and cancellations; domain management actions; support ticket creation; password changes and 2FA configuration; and administrative actions such as billing or plan changes.
Audit logging serves several purposes: security and fraud prevention (detecting unauthorized access), dispute resolution (verifying what actions were taken and when), compliance (maintaining records required by law or payment processors), and service improvement.
You can view your own audit log at any time within the client portal. The audit log shows the action performed, the date and time, the IP address, and the user agent. This allows you to monitor your own account activity and detect unauthorized access.
Audit logs are retained for the period described in Section 8 (Retention). You may request deletion of audit log data in accordance with your rights described in Section 9, subject to our legal obligations to retain certain records (for example, financial transaction records required by tax law, or security logs needed for ongoing fraud investigations). Deletion requests can be submitted online through the client portal or by contacting [email protected].
We may process data in the United Kingdom, the European Union/EEA, and other locations where our subprocessors operate. Specifically:
Where personal data is transferred outside the UK or EU/EEA to a country that does not benefit from an adequacy decision, we implement appropriate safeguards as required by Applicable Law, including:
You may request a copy of the safeguards we rely on by contacting [email protected].
We retain personal data only as long as necessary for the purposes described. The following table provides indicative retention periods:
| Data category | Retention period | Reason |
|---|---|---|
| Account registration data | Duration of the Account + up to 12 months after closure | Service delivery; reactivation period; dispute resolution |
| Billing and transaction records | Up to 7 years after the transaction | UK/EU tax and accounting law (e.g., HMRC requirements) |
| Support communications | Duration of the Account + up to 24 months | Service continuity; dispute resolution; legal claims |
| Security and authentication logs | Up to 12 months | Security incident investigation; fraud prevention |
| Client portal audit logs | Up to 24 months (or longer where required by law or ongoing investigation) | Security; compliance; dispute resolution |
| Verification (KYC) data | Duration of the Account + up to 5 years | Anti‑money laundering obligations; fraud prevention |
| Customer Content (processor context) | Deleted within 30 days after Service termination | Contractual obligation (Terms of Service Section 9.4) |
| Marketing preferences | Until you opt out or Account closure | Consent / legitimate interests |
| Cookies and analytics data | As described in the Cookie Policy | See Cookie Policy |
Where we are required to retain data for legal, tax, or regulatory purposes beyond the periods above, we will do so for the minimum period required. Where data is no longer needed, it is securely deleted or anonymised.
If the UK GDPR or EU GDPR applies to you, you have the following rights (subject to certain conditions and exceptions):
You can exercise many of these rights directly through the client portal:
We will respond to rights requests without undue delay and in any event within one month of receiving the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within the first month. We may request verification of your identity to protect against unauthorized requests.
See Section 14 for additional rights that may apply to U.S. residents.
We implement technical and organizational measures designed to protect personal data, including: role‑based access controls and least‑privilege principles; encryption in transit (TLS) for website, client portal, and API connections; encrypted storage for sensitive data (such as KYC documents); monitoring of authentication events and suspicious activity; malware scanning and quarantining (where enabled); network firewalls, WAF, and DDoS mitigation; secure backup processes; and incident response procedures.
No system is perfectly secure. You are responsible for securing your own applications, credentials, and access to Self‑Managed Services. If you discover a security concern, please report it to [email protected].
We use essential cookies to operate the website and client portal. Where required by law (including the UK Privacy and Electronic Communications Regulations and the EU ePrivacy Directive), we ask for your consent before setting non‑essential cookies (such as analytics cookies). You can manage cookie settings through our cookie consent tool and through your browser settings.
For full details on the cookies we use, their purposes, and how to control them, please see our Cookie Policy.
Where you consent, we use third‑party analytics cookies (Google Analytics, including Enhanced Ecommerce on the client portal) and marketing cookies / tracking pixels (Facebook Pixel, Google Ads, Bing UET) on our website and client portal. These are loaded only after you give consent. For full details, see our Cookie Policy.
The Services are not directed to children. We do not knowingly collect personal data from children under 16 in the EU/EEA/UK, or under 13 in the United States (or the relevant minimum age required by local law). If you believe a child has provided personal data to us, please contact us at [email protected] and we will take appropriate steps to delete the data promptly.
We use service providers ("subprocessors" when acting as a processor) to help operate the Services. Current categories include:
| Category | Example provider(s) | Location |
|---|---|---|
| Payment processing | Mollie B.V. | Netherlands (EU) |
| Datacenter / cloud infrastructure | [Provider name(s)] | Germany (EU) |
| Support ticketing / email delivery | [Provider name(s)] | [Location] |
| Monitoring and security tooling | [Provider name(s)] | [Location] |
| Domain registrars/registries | ResellerClub / applicable registries | Various |
| Identity verification (KYC) | [Provider name(s), if applicable] | [Location] |
Note: placeholders marked [Provider name(s)] and [Location] should be replaced with actual provider details before publication.
We contractually require all providers to protect data and use it only in accordance with our instructions. The full, up‑to‑date subprocessor list (including entity names, purposes, and locations) is maintained as part of the DPA. Changes to subprocessors are notified in accordance with the Terms of Service (Section 7.6). Where we act as a processor, customers may request a current subprocessor list at any time.
This Section provides additional disclosures required by U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), and other applicable state privacy laws (collectively, "U.S. State Privacy Laws").
In the preceding 12 months, we have collected the following categories of personal information (using CCPA categories):
| CCPA category | Examples | Sources | Business purpose |
|---|---|---|---|
| A. Identifiers | Name, email, postal address, phone, IP address, Account ID | You; automatic collection | Service delivery; billing; security |
| B. Personal information (Cal. Civ. Code § 1798.80(e)) | Name, address, phone, financial information (transaction references) | You; payment processor | Billing; accounting; KYC |
| D. Commercial information | Purchase history, subscription details, invoices | You; our systems | Billing; service delivery |
| F. Internet or network activity | Log data, IP address, user agent, audit log events, cookie data | Automatic collection | Security; product improvement |
| G. Geolocation data | Approximate location derived from IP address | Automatic collection | Security; fraud prevention; tax compliance |
| K. Inferences | Fraud risk scores, abuse pattern detection | Our systems | Security; fraud prevention |
We do not collect sensitive personal information (such as Social Security numbers, precise geolocation, racial/ethnic origin, health data, biometric data, or sexual orientation data) in our capacity as controller.
We do not sell personal information as defined under CCPA/CPRA.
Sharing for advertising: Where you consent to marketing cookies on our website or client portal, certain personal information (such as online identifiers, browsing activity, and conversion events) may be transmitted to third‑party advertising platforms (Meta/Facebook, Google, and Microsoft/Bing) for purposes of measuring ad effectiveness and remarketing. Under CCPA/CPRA, this may constitute "sharing" of personal information for cross‑context behavioural advertising. In the preceding 12 months, we have shared the following categories of personal information with advertising platforms, but only where users provided consent through our cookie consent tool:
Your right to opt out: You can opt out of this sharing at any time by: (a) declining marketing cookies in our cookie consent tool; (b) enabling the Global Privacy Control (GPC) signal in your browser; or (c) contacting us at [email protected]. When marketing cookies are declined or GPC is detected, no sharing occurs — advertising scripts do not load and no data is transmitted to advertising platforms.
We disclose personal information to service providers and contractors for business purposes as described in Section 4 (Sharing and Disclosure). In the preceding 12 months, we have disclosed categories A, B, D, F, and G to the following categories of recipients: Infrastructure Providers, payment processors (Mollie B.V.), support tooling providers, and domain registrars/registries. Additionally, where users consented to marketing cookies, we have shared categories A and F with advertising platforms (Meta/Facebook, Google, Microsoft/Bing) as described in Section 14.2.
Depending on your state, you may have the following rights:
You may submit requests by: (a) using the online request mechanism in the client portal; (b) emailing [email protected]; or (c) contacting support. We will verify your identity before processing your request (for example, by matching your request with your Account credentials). You may designate an authorized agent to make a request on your behalf; we may require written authorization and identity verification of both you and the agent.
We will respond to verifiable requests within 45 days of receipt. This period may be extended by an additional 45 days where reasonably necessary, with notice to you.
We respect browser‑based opt‑out preference signals (such as the Global Privacy Control, "GPC") where required by Applicable Law. If we detect such a signal, we will treat it as a valid request to opt out of the sale or sharing of personal information associated with that browser.
We retain each category of personal information for the period described in Section 8 (Retention) or for the period reasonably necessary to fulfil the business purpose for which it was collected, whichever is longer, subject to legal retention requirements.
We review and update the disclosures in this Section at least once every 12 months.
When we request identity or business verification, we use the data to prevent fraud, comply with payment provider requirements, and protect platform integrity. Verification data may be processed by third‑party verification services. We restrict access to verification data on a need‑to‑know basis, encrypt it at rest where supported, and store it for the shortest period necessary, subject to legal obligations and fraud prevention needs (see Section 8 for retention periods).
We may use automated systems to detect fraud, abuse, or security anomalies (for example, login risk scoring, payment fraud detection, or abuse pattern detection). These systems may lead to temporary restrictions or requests for manual verification.
We do not make solely automated decisions that produce legal effects or significantly affect you without human review, except where: (a) necessary for entering into or performing a contract (e.g., automated fraud checks during payment processing); (b) authorized by law; or (c) based on your explicit consent.
You may contact support at any time to request human review of a decision that materially affects your access to the Services, and we will provide meaningful information about the logic involved.
If you are an end user of a website hosted by one of our customers and you want to exercise data rights regarding that website's content, you should contact the site operator (our customer) because they control the content and purposes of processing. We can assist the customer as a processor upon their instruction. We cannot independently respond to requests from end users of Customer Content without our customer's authorization.
We may update this Privacy Policy from time to time. We will post the updated version on our site and update the effective date/version number. If changes are material, we will notify you via email or the client portal at least 30 days before the effective date. We encourage you to review this policy periodically. Your continued use of the Services after the effective date of an updated policy constitutes acceptance of the changes. For Consumers, where required by Applicable Law, material changes that adversely affect your rights require your affirmative acceptance.
For privacy‑related questions, data subject requests, or complaints, please contact:
Given the nature and scale of our processing activities, we have not appointed a formal Data Protection Officer (DPO) at this time. Privacy matters are handled by our privacy contact at [email protected]. We will appoint a DPO if and when required by Applicable Law.
If you are in the UK and believe we have not adequately addressed your concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
If you are in the EU/EEA, you have the right to lodge a complaint with the data protection authority in your Member State of habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at edpb.europa.eu.
If you are in the EU and we have not yet designated an EU legal representative (see the Terms of Service, Section 18.3), we will publish the
Copyright © 2014‐2026 Yhost. All Rights Reserved