Skip to content

Legal

Privacy Policy

Last updated: April 2026. What we collect, why we collect it, how long we keep it and what you can do about it.

1. Who the data controller is

Blue Spirit Hosting, Gl. Kongevej 1, Copenhagen, Denmark, is the data controller for personal data collected through our websites and client accounts. Contact: [email protected].

2. What we collect

Account data: name, email address, company name, billing address, VAT ID where applicable, payment method metadata (we do not store card numbers). Collected at signup and when you update your profile.

Service data: server hostnames, IP addresses, support tickets, access logs (for security and billing), resource usage metrics (bandwidth, storage). Generated by your use of the services.

Communication data: email correspondence, WhatsApp and ticket threads with our support team. Retained to maintain continuity of support and for legal compliance.

Website analytics: aggregated, privacy-respecting analytics (Plausible or similar) without cookies. We do not use Google Analytics or similar tracking products.

3. What we do not collect

We do not collect or analyse the content you host (email bodies, website content, database contents) unless required by valid legal process or to address a specific abuse investigation. We do not sell, rent or share your data with marketing partners. We do not run advertising trackers on our websites.

4. Legal bases for processing

Contract (GDPR Art 6(1)(b)): data strictly necessary to operate your account and deliver services.

Legitimate interest (GDPR Art 6(1)(f)): security logging, fraud prevention, maintaining service integrity.

Legal obligation (GDPR Art 6(1)(c)): compliance with Danish and EU law on invoicing retention, anti-money-laundering checks (for high-value accounts) and valid judicial orders.

Consent (GDPR Art 6(1)(a)): for optional newsletters or similar communications, with one-click unsubscribe at any time.

5. Retention

Account data: while your account is active plus 12 months, after which it is archived and then deleted consistent with Danish statutory retention (5 years for accounting records). Security logs: 90 days by default, longer where a specific legal hold applies. Support tickets: 3 years from closure, to preserve continuity. Service data: while the service is active; deleted 30 days after account closure unless legally required to retain longer.

6. Sub-processors and transfers

We use a minimal set of sub-processors necessary to operate the service: datacenter operators (where your servers live), payment processors (Stripe, Paddle, crypto settlement partners), email delivery for transactional notifications (Postmark), analytics (Plausible). A current list with locations is available on request via our contact channels.

Data is processed primarily in the EU/EEA. Transfers outside the EU are made only where adequacy decisions apply or where Standard Contractual Clauses are in place. For servers you provision in Moldova, data will sit in Moldova, which is subject to its own legal regime documented in our Data Processing Agreement.

7. Your rights

Under GDPR and equivalent regimes you have the right to: access your personal data, correct it, request deletion (subject to retention obligations), restrict processing, receive data in portable format, object to certain processing, and lodge a complaint with your national data protection authority (Datatilsynet in Denmark).

To exercise any right, email [email protected]. We verify identity and respond within 30 days.

8. Security

TLS everywhere. Encrypted backups. Access to production data limited to staff with signed confidentiality agreements and business need. Security incidents involving personal data are notified to affected clients and regulators consistent with GDPR Art 33-34.

9. Law enforcement and legal requests

We respond only to valid legal process from the jurisdiction where the server involved is physically located. We do not respond to informal requests, foreign subpoenas without MLAT process, or private-party demands without a court order. We log all legal requests and, where permitted, notify affected clients. Annual transparency report forthcoming.

10. Cookies and tracking

Our websites use essential cookies (session, CSRF, language preference) and a privacy-respecting, cookieless analytics tool. We do not use advertising cookies, cross-site trackers, or fingerprinting. The client area may use additional operational cookies disclosed at login.

11. Changes to this Policy

We update this Policy when our practices or the applicable law change. Material changes are notified by email and in-app at least 30 days before they take effect.

12. Contact

Privacy questions or rights requests: [email protected]. Complaints can be addressed to the Danish data protection authority (Datatilsynet).

Chat with us on WhatsApp