Your Data, Your Rights

1. Scope & Applicability

The General Data Protection Regulation (GDPR) is an EU law (Regulation 2016/679) that governs the processing of personal data of individuals located in the European Economic Area (EEA). The UK GDPR is the post-Brexit version that applies in the United Kingdom.

Although HostStack is incorporated and operates in India, GDPR applies to us when we offer services to people in the EU or UK, or monitor their behaviour. By providing web hosting to EU/UK customers, we are subject to GDPR's requirements.

This statement applies to:

• All EU/EEA residents who use or inquire about HostStack's services
• All UK residents covered by the UK GDPR and Data Protection Act 2018
• Any visitor to hoststack.in or hoststack.pro from within the EU or UK

2. Data Controller & Processor Roles

HostStack as Controller

When you sign up for a HostStack account, we act as the data controller for your personal information (name, email, billing details, support communications). We determine the purposes and means of processing your data.

HostStack as Processor

When you host your website or application with us and your end-users interact with it, we act as a data processor on your behalf. You are the controller of your end-users' data; we only process it to provide the hosting service. A formal Data Processing Agreement (DPA) governs this relationship.

3. What Data We Collect & Why

4. Legal Basis for Processing

We rely on the following legal bases under Article 6 GDPR:

• Contract performance (Art. 6(1)(b)): Processing your name, email, and billing details to provide the hosting service you purchased.
• Legal obligation (Art. 6(1)(c)): Retaining billing records for tax and accounting purposes.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud detection, and service improvement — where these don't override your rights.
• Consent (Art. 6(1)(a)): Analytics cookies and marketing communications — only with your explicit opt-in.

5. Your Rights Under GDPR

If you are an EU or UK resident, you have the following rights regarding your personal data:

To exercise any of these rights, email us at [email protected] with subject line "GDPR Data Request". We will respond within 30 days (and sooner in most cases).

You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU) if you believe we have not handled your data correctly.

6. International Data Transfers

HostStack is based in India, which means personal data from EU/UK customers is transferred to a third country (India is not on the EU's adequacy list). We ensure such transfers are protected by:

• Standard Contractual Clauses (SCCs): EU Commission-approved legal clauses (2021 version) incorporated into our Data Processing Agreement. These bind both parties to GDPR-level protections regardless of where data is stored.
• Technical Safeguards: All data in transit is encrypted using TLS 1.2+ and data at rest is encrypted using AES-256.
• Minimisation: We only transfer the data strictly necessary to deliver the hosting service.

Our primary data center is located in Kolkata, India. We are actively working to add EU-region server options to allow EU customers to keep their data within the EEA.

7. Sub-Processors

We use the following trusted third-party sub-processors who may access your personal data in the course of providing our services:

All sub-processors are required to maintain appropriate GDPR-level data protection standards. We review this list quarterly.

8. Data Retention

• Account data: Retained for the duration of your account plus 90 days after termination (to allow for reinstatement requests).
• Billing records: Retained for 7 years to comply with Indian tax law (IT Act 2000).
• Support tickets: Retained for 3 years for quality assurance.
• Server logs (IP, access): Retained for 90 days for security purposes.
• Analytics data: Aggregated and anonymised; raw data deleted after 26 months.

Upon account deletion, we will erase all personal data within 30 days, unless retention is required by law.

9. Security Measures

We implement the following technical and organisational measures (TOMs) to protect your data:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for data at rest
• Imunify360 / DDoS protection at infrastructure level
• Two-factor authentication (2FA) on all administrative systems
• Regular automated backups with off-site storage
• Access control — principle of least privilege for staff
• Regular security audits and vulnerability scanning
• Incident response plan with 72-hour breach notification procedure (GDPR Art. 33)

In the event of a personal data breach affecting EU/UK customers, we will notify the relevant supervisory authority within 72 hours and affected customers without undue delay.

10. Cookies & Tracking

We use a granular cookie consent system that lets you control which cookies are set. On your first visit you will see our cookie preference panel.

• Essential cookies: Always active — required for login sessions, shopping cart, and security. No consent required.
• Analytics cookies (Google Analytics): Only set with your explicit consent. Used to understand how visitors use our site so we can improve it.
• No advertising/tracking cookies — we do not use third-party advertising cookies or sell data to advertisers.

For full details, see our Cookie Policy.

11. Contact Our Privacy Team

For all data protection enquiries, GDPR requests, or DPA requests, please contact:

You may also contact the relevant supervisory authority in your country:

• EU: Your national Data Protection Authority (DPA) — find yours at edpb.europa.eu
• UK: Information Commissioner's Office (ICO) — ico.org.uk