Privacy Policy
Last updated: February 1, 2026
Our Promise
At CloudLodge, your privacy is a fundamental part of the trust we build with every customer. We collect only what we need, we protect it carefully, and we never use it in ways you wouldn't expect. This policy explains exactly how we handle your personal information when you use our hosting services at cloudlodge.io.
This policy applies to everyone who interacts with our services — account holders, authorized team members, and website visitors alike. We act as a data controller for information collected directly from you, and as a data processor for any personal data stored within your hosted services.
Where we act as a data processor, our Data Processing Agreement governs how we handle that data on your behalf.
What We Gather
We collect the information necessary to provide our services, and nothing more:
- Account details: Your name, email address, billing address, company name (if applicable), phone number (if provided), and payment information, collected during registration and account management.
- Technical data: IP addresses, browser type and version, operating system, device identifiers, referring URLs, and connection metadata, collected automatically when you access our platform for diagnostics and security monitoring.
- Usage patterns: Resource consumption metrics (CPU, memory, bandwidth, storage), login activity, session durations, and feature utilization that help us maintain and improve performance, as well as plan capacity for growth.
- Communications: Support tickets, emails, and feedback you share with our team, so we can help you effectively, track issue resolution, and improve our service quality over time.
How We Use It
We use your information for delivering your hosting services, processing payments, communicating important service updates, improving the reliability and performance of our infrastructure, and responding to your support requests.
We also use it to monitor security, prevent fraud, plan capacity, enforce our terms of service, and meet our legal obligations.
We do not use your data for advertising, profiling, automated decision-making, or any purpose unrelated to the services you've chosen. Your data is never sold to marketers.
The Legal Basis
Under GDPR, every bit of data processing needs a lawful basis. Here's ours:
- Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the hosting services you've purchased — account provisioning, server deployment, billing, and technical support.
- Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and capacity planning — essential to running a reliable platform without overriding your fundamental rights and freedoms.
- Legal Obligation (Art. 6(1)(c)): Tax record-keeping, financial reporting, and responding to lawful requests from public authorities.
- Consent (Art. 6(1)(a)): Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Where We Keep It
We store all data exclusively in European data centers equipped with redundant power, environmental controls, and physical access restrictions. Your information is protected with AES-256 encryption at rest and TLS 1.3 encryption in transit.
Our comprehensive security measures include:
- Role-based access controls with mandatory multi-factor authentication
- Network segmentation and multi-layer firewall protection
- Automated vulnerability scanning and patch management
- DDoS mitigation with multi-Tbps capacity
- Regular third-party security audits and penetration testing
- 24/7 infrastructure monitoring and intrusion detection
- Physical security controls including biometric access at facilities
- Full audit logging on all administrative access
In the unlikely event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours, in accordance with GDPR Article 33. Our incident response team follows documented procedures for rapid containment and remediation.
How Long We Hold It
We retain your data only as long as it's needed:
- Account data: While your account is active, plus 90 days after closure for recovery purposes and to handle outstanding matters.
- Billing records: 7 years, as required by tax and financial regulations within the EU.
- Server access logs: 60 days for security monitoring and troubleshooting.
- Support correspondence: Duration of your active account plus 60 days for quality assurance.
Once the retention period expires, data is permanently deleted using cryptographic erasure for encrypted data and multi-pass overwriting for unencrypted data. You may request earlier deletion at any time, subject to our legal retention obligations.
Your Control
Under the GDPR, you have full control over your personal data. Your rights include:
- Access (Art. 15): Request a copy of your data and details of how it's processed.
- Rectification (Art. 16): Correct any inaccurate or incomplete information without undue delay.
- Erasure (Art. 17): Request deletion of your data when it's no longer necessary, subject to legal retention.
- Portability (Art. 20): Receive your data in a machine-readable format (JSON/CSV) and have it transmitted to another controller.
- Restriction (Art. 18): Limit how we process your data in certain situations, such as contested accuracy.
- Objection (Art. 21): Object to processing for specific purposes, including direct marketing.
- Withdraw Consent (Art. 7): Revoke consent at any time without affecting prior processing.
- Complaint: Lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, simply contact us. We'll acknowledge your request within 5 business days and respond within 30 days, or notify you if we need additional time.
Cookies
We use only the essentials — cookies that are strictly necessary for our platform to function:
- Authentication cookies to maintain your login session securely
- Session cookies for load balancing and security
- CSRF protection tokens to prevent forgery attacks
- Preference cookies for language and timezone settings
We do not use analytics cookies, tracking pixels, web beacons, fingerprinting technologies, or any third-party advertising technologies. Your browsing behavior is not tracked or shared. Essential cookies are set under the legal basis of legitimate interest.
Sharing
We never sell your data. We work with a small number of trusted providers:
- Payment processor: PCI DSS-compliant, receives only what's needed to process transactions. Card data is never stored on our servers. We only receive transaction confirmations.
- Email provider: Transactional communications only — invoices, notifications, password resets. No marketing through third-party platforms.
All providers are bound by GDPR-compliant data processing agreements. We conduct regular compliance reviews. We may disclose information if required by law, but we will notify you whenever legally permitted to do so.
International Transfers
Your data is stored and processed exclusively within the European Economic Area (EEA). We do not transfer personal data outside the EEA as part of our standard operations.
In the limited circumstances where a third-party provider may operate outside the EEA, we ensure appropriate safeguards are in place — including EU adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or supplementary technical measures. You may request details about these safeguards at any time.
Children's Privacy
Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we'll take immediate steps to delete it.
If we become aware that we've collected data from a child under 16 without parental consent, we will delete it from our systems within a reasonable timeframe.
Updates
We'll notify you via email of any meaningful changes to this privacy policy at least 14 days before they take effect. Minor wording adjustments may be made without notification, but any changes to how we collect, use, or share your data will always be communicated in advance.
Continued use of our services after changes constitutes acknowledgment. Previous versions of this policy are available upon request.
Reach Us
If you have questions about your privacy, wish to exercise your data rights, or have concerns about how your data is being processed, we're here to help.
[email protected]
We aim to resolve all privacy inquiries promptly and transparently. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority within the European Economic Area.