1. Who the data controller is
Blue Spirit Hosting, Gl. Kongevej 1, Copenhagen, Denmark, is the data controller for personal data collected through our websites and client accounts. Contact: [email protected].
2. What we collect
Account data: name, email address, company name, billing address, VAT ID where applicable, payment method metadata (we do not store card numbers). Collected at signup and when you update your profile.
Service data: server hostnames, IP addresses, support tickets, access logs (for security and billing), resource usage metrics (bandwidth, storage). Generated by your use of the services.
Communication data: email correspondence, WhatsApp and ticket threads with our support team. Retained to maintain continuity of support and for legal compliance.
Website analytics: aggregated, privacy-respecting analytics (Plausible or similar) without cookies. We do not use Google Analytics or similar tracking products.
3. What we do not collect
We do not collect or analyse the content you host (email bodies, website content, database contents) unless required by valid legal process or to address a specific abuse investigation. We do not sell, rent or share your data with marketing partners. We do not run advertising trackers on our websites.
4. Legal bases for processing
Contract (GDPR Art 6(1)(b)): data strictly necessary to operate your account and deliver services.
Legitimate interest (GDPR Art 6(1)(f)): security logging, fraud prevention, maintaining service integrity.
Legal obligation (GDPR Art 6(1)(c)): compliance with Danish and EU law on invoicing retention, anti-money-laundering checks (for high-value accounts) and valid judicial orders.
Consent (GDPR Art 6(1)(a)): for optional newsletters or similar communications, with one-click unsubscribe at any time.
5. Retention
Account data: while your account is active plus 12 months, after which it is archived and then deleted consistent with Danish statutory retention (5 years for accounting records). Security logs: 90 days by default, longer where a specific legal hold applies. Support tickets: 3 years from closure, to preserve continuity. Service data: while the service is active; deleted 30 days after account closure unless legally required to retain longer.
6. Sub-processors and transfers
We use a minimal set of sub-processors necessary to operate the service: datacenter operators (where your servers live), payment processors (Stripe, Paddle, crypto settlement partners), email delivery for transactional notifications (Postmark), analytics (Plausible). A current list with locations is available on request via our contact channels.
Data is processed primarily in the EU/EEA. Transfers outside the EU are made only where adequacy decisions apply or where Standard Contractual Clauses are in place. For servers you provision in Moldova, data will sit in Moldova, which is subject to its own legal regime documented in our Data Processing Agreement.
7. Your rights
Under GDPR and equivalent regimes you have the right to: access your personal data, correct it, request deletion (subject to retention obligations), restrict processing, receive data in portable format, object to certain processing, and lodge a complaint with your national data protection authority (Datatilsynet in Denmark).
To exercise any right, email [email protected]. We verify identity and respond within 30 days.
8. Security
TLS everywhere. Encrypted backups. Access to production data limited to staff with signed confidentiality agreements and business need. Security incidents involving personal data are notified to affected clients and regulators consistent with GDPR Art 33-34.
9. Law enforcement and legal requests
We respond only to valid legal process from the jurisdiction where the server involved is physically located. We do not respond to informal requests, foreign subpoenas without MLAT process, or private-party demands without a court order. We log all legal requests and, where permitted, notify affected clients. Annual transparency report forthcoming.
10. Cookies and tracking
Our websites use essential cookies (session, CSRF, language preference) and a privacy-respecting, cookieless analytics tool. We do not use advertising cookies, cross-site trackers, or fingerprinting. The client area may use additional operational cookies disclosed at login.
11. Changes to this Policy
We update this Policy when our practices or the applicable law change. Material changes are notified by email and in-app at least 30 days before they take effect.
12. Contact
Privacy questions or rights requests: [email protected]. Complaints can be addressed to the Danish data protection authority (Datatilsynet).