1. Scope and Applicability
This Privacy Policy describes how EXIMHOST LIMITED ("we", "us", "our") collects, processes, stores, and discloses personal data in connection with the following activities:
- Visits to our website at www.eximhost.com
- Registration for and use of the Client Area
- Purchase and use of VPS, dedicated server, or ancillary services
- Interaction with our support team via ticket, email, or chat
EXIMHOST LIMITED is committed to compliance with the UK GDPR and Data Protection Act 2018 as the primary legal framework, and additionally with the EU GDPR (for EEA residents) and the CCPA (for California, USA residents).
2. Personal Data We Collect
2.1 Account and Identity Data
- Full legal name
- Billing address (street address, city, postal code, country)
- Email address (primary communication channel)
- Phone number (optional; collected for fraud prevention and 2FA)
- IP address recorded at registration and at each login
- Company name and VAT number (where applicable)
2.2 Payment Data (via Stripe)
EXIMHOST LIMITED does not store, process, or transmit full payment card numbers. Stripe handles all payment processing in full compliance with PCI DSS. The following limited data is made available to us by Stripe for internal records:
- Last 4 digits of the payment card
- Card brand (e.g., Visa, Mastercard, American Express)
- Card expiry month and year
- Billing postal/ZIP code
- Stripe customer and payment intent reference IDs
For full details of Stripe's data practices, refer to the Stripe Privacy Policy.
2.3 Service and Usage Data
- Assigned IPv4 and IPv6 addresses
- Inbound and outbound bandwidth consumption (total GB per billing period)
- Operating system type and version deployed on your server
- Anonymised server resource metrics (average CPU/RAM utilisation)
- Timestamped records of server start, stop, reboot, and reinstall actions
2.4 Support and Communication Data
- Content of all support tickets, email correspondence, and live chat transcripts
- Files, logs, or screenshots voluntarily submitted to our support team
- SSH/RDP session logs if remote access is granted by the client for troubleshooting
2.5 Automated Technical Data (Cookies and Server Logs)
We collect limited automated data to ensure the security and functionality of our platform:
- Login session tokens and browser fingerprint data (fraud prevention)
- IP geolocation data for access anomaly detection
- Web server access logs (URL, timestamp, HTTP status code, referring URL)
We do not deploy advertising trackers (Google Analytics, Meta Pixel, or similar) without explicit user consent via the cookie consent banner.
3. Legal Bases and Purposes for Processing
| Processing Purpose | Legal Basis (UK/EU GDPR) |
|---|---|
| Provisioning and managing VPS / dedicated servers | Performance of contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Performance of contract (Art. 6(1)(b)) |
| Generating and sending invoices | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention and network abuse monitoring | Legitimate interests (Art. 6(1)(f)) |
| Responding to support and technical requests | Performance of contract (Art. 6(1)(b)) |
| Complying with law enforcement requests | Legal obligation (Art. 6(1)(c)) |
| Sending operational notices (maintenance, outages) | Legitimate interests (Art. 6(1)(f)) |
| Improving platform performance and security | Legitimate interests (Art. 6(1)(f)) |
4. Data Sharing with Third Parties
We share personal data only where strictly necessary, and only with the following categories of recipients:
4.1 Stripe – Payment Processing
Data shared: name, email address, billing address, IP address, transaction amount. Purpose: card authorisation and fraud screening. Stripe processes data under its own Privacy Policy and is PCI DSS Level 1 certified.
4.2 Datacentre and Network Providers
Data shared: assigned IP address ranges and aggregated bandwidth metrics. Purpose: network routing, capacity planning, and abuse reporting. All datacentre providers are bound by confidentiality agreements and do not have access to your server contents.
4.3 Software Licence Providers
Data shared: server hostname and IP address only. Purpose: licence key validation for cPanel, Plesk, or DirectAdmin. No personal identifying information is transmitted to licence providers.
4.4 Law Enforcement and Regulatory Bodies
We disclose personal data to authorities only in the following circumstances:
- Receipt of a valid court order, warrant, or subpoena issued under the laws of England and Wales
- Emergency disclosures where there is a credible and imminent risk of death or serious physical harm
- Mandatory reporting of child sexual exploitation material (CSAM) to the Internet Watch Foundation (IWF) and National Crime Agency (NCA)
5. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account identity data (name, email, address) | 7 years post account closure | Tax and legal record-keeping (HMRC) |
| Payment transaction references (Stripe) | 10 years | Financial audit requirements |
| VPS/dedicated server usage logs | 12 months | Abuse investigation and billing reconciliation |
| Support tickets and correspondence | 3 years | Dispute resolution and service improvement |
| Server disk images (post-termination) | Deleted within 14 days | Secure data sanitisation |
| Network flow logs (IP, port, protocol) | 30 days | Real-time security monitoring |
6. Your Data Subject Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights with respect to your personal data:
- Right of Access (Subject Access Request): Obtain a copy of all personal data we hold about you, including the purposes for which it is processed.
- Right to Rectification: Request correction of inaccurate or incomplete personal data. You may also update most data directly via the Client Area.
- Right to Erasure: Request deletion of your personal data where we no longer have a lawful basis to retain it, subject to legal retention obligations.
- Right to Restriction of Processing: Request that we restrict processing of your data in specified circumstances (e.g., where accuracy is disputed).
- Right to Data Portability: Receive a structured, machine-readable export (JSON or CSV) of your account and service data.
- Right to Object: Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to Lodge a Complaint: You may file a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local supervisory authority if you reside in the EEA.
7. Exercising Your Rights
To exercise any of the rights listed above, submit a written request to [email protected] including the following information:
- Your registered account email address
- The specific right(s) you wish to exercise
- Proof of identity (government-issued photo ID or a signed declaration)
We will acknowledge your request within 5 business days and provide a substantive response within 30 calendar days. For complex or multiple requests, we may extend this period by a further 60 days with written notice. No charge applies unless requests are manifestly unfounded or excessive.
8. Technical and Organisational Security Measures
EXIMHOST LIMITED applies the following security controls to protect personal data:
- Transport encryption: All website, Client Area, and API traffic is encrypted using TLS 1.3
- Data at rest: Customer databases are encrypted using AES-256
- Access control: Access to production systems and customer data is restricted to authorised senior personnel; all access is logged and audited
- Offsite backups: Operational backups are encrypted and stored in geographically separated locations
- Security training: All staff with data access complete annual privacy and information security training
- Breach notification: In the event of a confirmed personal data breach, affected clients will be notified within 72 hours in accordance with UK GDPR Article 34
9. International Data Transfers
EXIMHOST LIMITED may process or store data on infrastructure located in the United Kingdom, the Netherlands, and the United States. Where data is transferred from the UK or EEA to a country not covered by an adequacy decision, we rely on one or more of the following transfer mechanisms:
- UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy regulations issued by the UK Secretary of State
- Your explicit consent, obtained during account registration
10. Children's Privacy
Our services are not directed to, and are not intended for use by, individuals under the age of 18. EXIMHOST LIMITED does not knowingly collect personal data from minors. If we become aware that an account is held by a person under 18, we will terminate the account and delete all associated personal data without delay.
11. Cookie Policy
We use only strictly necessary cookies to operate our website and Client Area. The following cookies are deployed:
| Cookie Name | Purpose | Duration | Category |
|---|---|---|---|
session_id | Authenticated login session management | Session (browser close) | Strictly Necessary |
cart_token | Persists shopping cart contents | 24 hours | Strictly Necessary |
stripe_sid | Stripe payment fraud detection | 30 minutes | Strictly Necessary |
csrf_token | Cross-site request forgery protection | Session | Strictly Necessary |
You may disable cookies via your browser settings; however, doing so may impair the functionality of the Client Area and checkout process.
12. Changes to This Privacy Policy
We review and update this Privacy Policy periodically. Where changes are material, we will:
- Send a notification to the email address associated with your account
- Display a prominent notice on our website for a minimum of 30 days
- Update the "Last Updated" date at the top of this document
Continued use of our Services following the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
13. Contact Details for Privacy Matters
| Enquiry Type | Contact | Response Time |
|---|---|---|
| Data subject rights requests | [email protected] | 30 calendar days |
| General privacy enquiries | [email protected] | 5 business days |
| Security incidents / data breaches | [email protected] | 24/7 — immediate triage |
| Abuse and illegal content reports | [email protected] | 24/7 — immediate triage |