Hostander
Legal

Privacy Policy.

We are an EU company, our infrastructure is in the EU, our staff is in the EU, and we built Hostander so that running on us is GDPR-aligned by default.

Last updated: April 2026

1. Controller

Hostander is the controller of personal data we collect about visitors to our website, prospects who contact us, and the individual contacts of our customers. For data you store or process on our infrastructure, you are the controller and we are the processor; that relationship is governed by our Data Processing Agreement.

2. What we collect

  • Account and billing data: company name, billing address, VAT number, contact name, email, phone.
  • Service data: hostnames, IP addresses, support tickets, technical logs related to your service.
  • Website data: minimal request logs (IP, user agent, page) for security and abuse prevention. We do not run third-party advertising trackers.

3. Why we process it

  • To deliver, support and bill the services you order.
  • To keep our network and our customers safe (security, abuse handling, fraud prevention).
  • To comply with our legal and tax obligations in the EU.
  • To respond to your sales or support enquiries.

4. Where data lives

All personal data we process as a controller is stored on infrastructure we operate inside the EU, specifically in the Tier III data centers we host in in Tallinn and Amsterdam. We do not transfer personal data outside the EU/EEA. We do not use US hyperscalers (AWS, Google Cloud, Microsoft Azure) anywhere in our stack.

5. Sub-processors

We use a small, EU-only set of sub-processors for billing, email delivery and customer communications. The current list is available on request and is also referenced in our DPA. We notify customers of changes before they take effect.

6. Retention

We keep account and billing data for as long as you are a customer and for the period required by EU and Estonian tax law after termination (typically 7 years for accounting records). Support tickets and technical logs are kept for up to 12 months unless a longer retention is required for security investigations.

7. Your rights

Under the GDPR you have the right to access, correct, delete, restrict, port and object to the processing of your personal data, and to lodge a complaint with a supervisory authority. Send requests to privacy@hostander.com; we respond within 30 days.

8. Security

We apply layered technical and organizational measures: encrypted transport, principle of least privilege, hardware we own end-to-end, segregated management networks, 24/7 monitoring, and physical access limited to vetted Hostander engineers at the facilities we use.

9. Cookies

Our marketing site uses only strictly necessary cookies for session and security. We do not set advertising or cross-site tracking cookies, and we do not require a consent banner for non-essential tracking because we don't do any.

10. Contact

For privacy questions or to exercise your rights, write to privacy@hostander.com. Our data protection contact is reachable at the same address.

Questions about this policy?

Our legal and engineering teams are based in the EU and happy to walk you through the details.

Contact us