Privacy Policy

Overview

UnderHost.com ("UnderHost," "we," "us," or "our") respects the privacy of customers, visitors, users, partners, and people who interact with our hosting, domain, support, billing, network, security, and related services.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use UnderHost websites, CustomerPanel, shared hosting, offshore hosting, VPS services, dedicated servers, reseller hosting, domain registration, SSL certificates, CDN-related services, managed hosting, support systems, abuse reporting channels, AI-assisted support tools, and related services.

UnderHost provides international hosting services. Our infrastructure and service providers may operate in multiple jurisdictions, including Canada, Hong Kong, Singapore, the United Kingdom, Caribbean Islands, the United States, Sweden, Russia, Moldova, Ukraine, Bulgaria, the Netherlands, and other locations where UnderHost or its vendors provide services.

This policy is designed to address applicable privacy laws, including the GDPR, UK GDPR where applicable, PIPEDA, and other data protection laws that may apply to our services.

1. Scope of This Policy

This Privacy Policy applies to personal information processed by UnderHost in connection with:

• Customer account registration and account management.
• Billing, invoicing, payment processing, refunds, disputes, and fraud prevention.
• Hosting, VPS, dedicated server, reseller, domain, SSL, CDN, and managed services.
• Technical support, abuse handling, network security, and service monitoring.
• Website visits, cookies, analytics, affiliate tracking, referral tracking, and marketing communications.
• Winston AI and other AI-assisted support or customer service tools.
• Compliance, legal requests, dispute handling, and enforcement of UnderHost policies.

This Privacy Policy does not replace any Data Processing Addendum, Terms of Service, Acceptable Use Policy, Abuse Policy, Domain Registration Policy, Service Level Agreement, or other contractual terms that may also apply to your use of UnderHost services.

2. UnderHost's Role: Controller and Processor

UnderHost as Data Controller

UnderHost acts as a data controller when we determine the purposes and means of processing personal information for our own business operations, including account creation, billing, fraud screening, support, abuse investigations, service communications, website analytics, marketing, legal compliance, dispute resolution, and risk management.

UnderHost as Data Processor or Service Provider

When customers use UnderHost services to host, transmit, store, or process their own content, websites, databases, email, files, applications, or end-user data, the customer is generally the controller or business responsible for that data, and UnderHost acts as a processor or service provider.

Customers are responsible for ensuring that their use of UnderHost services complies with applicable privacy, data protection, security, consumer protection, email, and content laws. Business customers requiring GDPR data processing terms may contact UnderHost to request a Data Processing Addendum, where applicable.

3. Personal Information We Collect

We collect information reasonably necessary to provide, secure, bill, support, improve, and protect our services.

Account and Contact Information

• Name, company name, email address, phone number, billing address, country, region, city, and postal code.
• Account username, customer ID, service IDs, account status, communication preferences, support history, and account notes.

Billing and Payment Information

• Invoice details, payment status, transaction IDs, payment method type, billing address, payer information, refund records, failed-payment records, dispute records, and chargeback records.
• Partial card details provided by payment processors, such as card brand and last four digits. UnderHost does not store full credit card numbers.
• Fraud-screening indicators and order review information.

Card payments and other electronic payments are processed by third-party payment providers subject to their own security and privacy obligations.

Where cryptocurrency payments are used, transaction information may include wallet or payment metadata, blockchain transaction IDs, payment status, exchange-rate information, and related records. Cryptocurrency transactions may be irreversible and may be visible on public blockchains depending on the currency and payment method used.

Service and Technical Information

• IP addresses, login timestamps, browser type, device information, operating system information, session identifiers, and control panel activity.
• DNS, HTTP, FTP, SFTP, SSH, SMTP, IMAP, POP3, and related access logs.
• Server, firewall, mail, web server, proxy, CDN, security, and network monitoring logs.
• Bandwidth, CPU, memory, disk, process, resource-usage metrics, error logs, crash logs, diagnostic information, and service configuration details.
• Abuse evidence, spam reports, malware indicators, phishing reports, blacklist records, IP reputation issues, and network security alerts.

Depending on applicable law, IP addresses, device identifiers, logs, and similar technical data may be considered personal information.

Support and Communications Data

• Support ticket content, email messages, chat messages, screenshots, logs, file paths, domain names, error messages, diagnostic details, technical metadata, staff notes, and internal handling records.

Please do not provide passwords, private keys, seed phrases, full payment card details, unnecessary identity documents, or highly sensitive personal information through ordinary support tickets or chat unless specifically requested through a secure process.

Domain Registration Data

• Registrant, administrative, technical, and billing contact details.
• Domain name, registration dates, expiry dates, registrar status, WHOIS/RDAP-related information, registry-required verification information, EPP code handling records, transfer records, lock/unlock records, dispute records, abuse records, and compliance records.

Domain registration information may be disclosed to registrars, registries, escrow providers, ICANN-related systems, dispute providers, or authorities where required by applicable rules or law.

Fraud, Abuse, and Security Information

• Fraudulent orders, stolen-card indicators, chargebacks, payment disputes, identity or account verification, suspicious ordering patterns, and relevant proxy, VPN, TOR, or anonymization indicators.
• Spam complaints, phishing reports, malware, botnet, ransomware, brute-force, scanning, DDoS, intrusion indicators, CSAM or severe illegal-content reports, copyright or trademark complaints, network abuse reports, IP blacklist records, reputation records, and deliverability issues.

Website, Cookie, Analytics, and Marketing Data

• IP address, browser and device information, pages viewed, referral source, session duration, interaction with website features, affiliate or referral attribution data, cookie identifiers, and similar technologies.
• Email address, service interests, consent status, unsubscribe preferences, campaign attribution, and email open or click metrics where permitted by law.

4. Winston AI and AI-Assisted Support

5. How We Use Personal Information

UnderHost uses personal information to:

• Create, verify, secure, and manage customer accounts.
• Process orders, payments, invoices, renewals, refunds, taxes, and disputes.
• Provision and manage hosting, VPS, dedicated server, reseller, domain, SSL, CDN, and managed services.
• Provide technical support, customer service, service notices, security alerts, billing notices, abuse notices, maintenance notices, and policy updates.
• Monitor service performance, uptime, availability, abuse, security, and network integrity.
• Troubleshoot errors, outages, configuration problems, and resource issues.
• Detect, investigate, prevent, and respond to fraud, spam, phishing, malware, DDoS attacks, botnets, CSAM, stolen-card use, unauthorized access, and other abuse.
• Enforce UnderHost's Terms of Service, Acceptable Use Policy, Abuse Policy, Refund Policy, SLA, and other applicable policies.
• Protect customers, third parties, UnderHost infrastructure, IP reputation, datacenter relationships, and network integrity.
• Send marketing communications where permitted by law or with consent where required.
• Manage affiliate, referral, promotional, and campaign tracking.
• Comply with legal obligations, regulatory requirements, court orders, lawful requests, tax obligations, and dispute-resolution requirements.
• Defend UnderHost against claims, chargebacks, fraud, abuse reports, litigation, or contractual disputes.
• Improve our websites, services, customer experience, documentation, automation, and support tools.

6. Legal Bases for Processing

For users in the European Economic Area, the United Kingdom, and other regions with similar legal-basis requirements, UnderHost relies on one or more lawful bases depending on the processing activity:

• Performance of a contract: account creation, provisioning, hosting, billing, renewals, domain registration, support, and service administration.
• Legal obligations: tax, accounting, legal, regulatory, domain registry, law-enforcement, court, and compliance obligations.
• Legitimate interests: fraud prevention, abuse handling, network security, service improvement, support, risk management, chargeback defense, IP reputation protection, policy enforcement, and prevention of harmful activity.
• Consent: certain marketing communications, non-essential cookies, referral tracking, analytics, or other processing that requires consent under applicable law.
• Vital or emergency interests: limited situations where processing or disclosure is necessary to protect the life, safety, or security of a person, customer, network, system, or the public.

7. Customer-Hosted Content

Customers are responsible for the content, files, databases, websites, applications, emails, scripts, user data, logs, and other materials they upload, host, transmit, store, or process using UnderHost services.

UnderHost does not routinely review private customer-hosted content. However, we may access, review, preserve, scan, restrict, suspend, remove, or disclose customer-hosted content or related metadata where reasonably necessary to:

• Provide technical support requested by the customer.
• Maintain, secure, or troubleshoot services.
• Investigate abuse, spam, phishing, malware, DDoS activity, CSAM reports, botnets, intrusion attempts, or other harmful activity.
• Enforce UnderHost policies.
• Comply with law, court orders, registry or registrar obligations, datacenter requirements, or lawful requests.
• Protect UnderHost, our customers, third parties, networks, infrastructure, IP reputation, or the public.

8. How We Share Personal Information

UnderHost does not sell personal information. We may share personal information only where reasonably necessary for the purposes described in this Privacy Policy.

Service Providers

We may share information with trusted service providers, including payment processors, fraud-prevention providers, datacenters, network providers, domain registrars, registries, registry operators, ICANN-related systems, escrow providers, SSL certificate authorities, CDN providers, DNS providers, security providers, email delivery providers, support systems, ticketing systems, chat systems, AI-assistance providers, analytics providers, affiliate providers, marketing providers, backup providers, monitoring vendors, logging vendors, infrastructure vendors, professional advisers, accountants, auditors, insurers, and legal counsel.

Abuse, Security, and Network Protection

We may share relevant information with datacenters, upstream providers, security vendors, anti-abuse organizations, payment processors, registrars, registries, law-enforcement agencies, affected parties, or reporting organizations where reasonably necessary to investigate or respond to spam, phishing, malware, botnets, DDoS attacks, brute-force attacks, network scanning, CSAM or child-safety reports, stolen-card use, fraudulent orders, chargebacks, copyright complaints, domain abuse, or threats to infrastructure, customers, or third parties.

Legal and Regulatory Disclosures

We may disclose personal information where we believe disclosure is required or permitted by law, including in response to court orders, warrants, subpoenas, regulatory requests, law-enforcement requests, tax or accounting obligations, domain registry or registrar compliance requirements, valid legal process, and emergency requests involving risk of serious harm.

UnderHost may review legal requests for validity and scope. Where permitted and appropriate, we may challenge, narrow, reject, or seek clarification of overbroad, informal, or invalid requests.

Business Transfers and Related Entities

If UnderHost is involved in a merger, acquisition, sale, financing, restructuring, transfer of assets, bankruptcy, or similar transaction, personal information may be transferred as part of that transaction, subject to appropriate confidentiality and data protection safeguards. We may also share information with UnderHost affiliates, subsidiaries, brands, or related entities where necessary for account administration, support, billing, security, abuse handling, service delivery, or business operations.

9. International Data Transfers

UnderHost provides services internationally. Personal information may be processed in countries where UnderHost, its infrastructure, customers, datacenters, vendors, payment providers, domain registrars, support providers, or security providers operate. These jurisdictions may have privacy laws different from those in your country.

Where required by applicable law, UnderHost uses appropriate safeguards for international transfers, which may include contractual protections, data processing agreements, standard contractual clauses, vendor due diligence, security controls, and other lawful transfer mechanisms.

10. Data Retention

UnderHost retains personal information only for as long as reasonably necessary for service delivery, billing, tax, accounting, security, fraud prevention, abuse handling, legal compliance, dispute resolution, and enforcement of agreements.

• Account data: retained while the account is active and for a reasonable period after closure for legal, tax, fraud-prevention, support, and dispute-resolution purposes.
• Billing and payment records: retained as required for tax, accounting, audit, chargeback, and legal compliance.
• Support tickets and communications: retained for customer service history, dispute resolution, operational continuity, fraud prevention, and security review.
• Technical logs: retained for operational, security, troubleshooting, abuse, and legal purposes, with periods varying by log type and service.
• Abuse and fraud records: retained as necessary to protect UnderHost, prevent repeat abuse, respond to complaints, defend claims, and comply with law.
• Domain registration records: retained according to registrar, registry, ICANN, legal, contractual, and operational requirements.
• Marketing records: retained until you unsubscribe, withdraw consent, or the data is no longer reasonably needed.
• AI support records: retained as necessary for support quality, security, abuse prevention, and operational purposes, subject to deletion requests where legally permissible.
• Backups: deleted data may remain in backups for a limited period until backup cycles overwrite or delete it.

Deletion requests may be limited where information must be retained for billing, tax, accounting, fraud prevention, chargeback defense, abuse investigations, security investigations, legal claims, compliance, registry or registrar requirements, court orders, or system integrity.

11. Cookies and Similar Technologies

UnderHost uses cookies and similar technologies to operate, secure, improve, and personalize our websites and services. Cookies may be used for:

• Essential cookies: login sessions, shopping cart functions, account access, security, fraud prevention, and service functionality.
• Preference cookies: language, region, display, and user preferences.
• Analytics cookies: website usage, performance, traffic patterns, and service improvement.
• Affiliate and referral cookies: attribution of referrals, promotions, and affiliate commissions.
• Security cookies: bot detection, abuse prevention, fraud screening, and protection of accounts and infrastructure.
• Marketing cookies: promotional measurement and campaign performance where permitted by law.

You may control cookies through your browser settings. Disabling certain cookies may affect website functionality, login sessions, CustomerPanel access, billing, ordering, or security features. Where required by applicable law, UnderHost will obtain consent before using non-essential cookies.

12. Marketing Communications

UnderHost may send service-related communications, including billing notices, security alerts, maintenance notices, abuse notices, renewal notices, service updates, and policy changes. These are transactional communications and may be necessary to provide services.

We may also send marketing communications where permitted by law or with your consent where required. You may unsubscribe from non-essential marketing emails at any time by using the unsubscribe link or contacting us. Unsubscribing from marketing does not stop essential service, billing, security, abuse, or legal notices.

13. Security

UnderHost uses reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, misuse, alteration, disclosure, or destruction. These safeguards may include access controls, authentication, logging, monitoring, encryption where appropriate, network security controls, DDoS protection, malware detection, firewall rules, account restrictions, staff access limitations, vendor controls, and incident-response procedures.

No hosting provider, network, website, or electronic storage system can guarantee absolute security. Customers are responsible for securing their own accounts, passwords, applications, scripts, CMS installations, plugins, themes, databases, email accounts, SSH keys, private keys, backups, and end-user data.

You must notify UnderHost promptly if you believe your account, server, website, password, private key, email, or hosted content has been compromised.

14. Security Incidents and Breach Notification

If UnderHost becomes aware of a security incident affecting personal information, we will investigate and take reasonable steps to contain, remediate, and assess the incident. Where required by applicable law, UnderHost will notify affected users, regulators, or other required parties within applicable legal timeframes.

Notification may be delayed where permitted by law, including where necessary to investigate the incident, prevent further harm, comply with law-enforcement requests, or protect system security.

15. Your Privacy Rights

Depending on your location and applicable law, you may have rights regarding your personal information, including access, correction, deletion, restriction, objection, data portability, withdrawal of consent where processing is based on consent, opt-out from marketing communications, and the right to lodge a complaint with a privacy regulator.

To exercise privacy rights, contact privacy@underhost.com or submit a request through CustomerPanel. We may need to verify your identity before fulfilling a request.

We may refuse, limit, or delay a request where permitted by law, including where necessary for security, fraud prevention, abuse handling, legal compliance, billing records, tax obligations, dispute resolution, or protection of other users' rights.

16. EEA, UK, and Similar Jurisdiction Rights

If GDPR, UK GDPR, or similar laws apply to you, UnderHost will process your personal data according to applicable data protection requirements. You may have additional rights, including the right to object to processing based on legitimate interests and the right to complain to your local supervisory authority.

17. Canadian Privacy Rights

Where PIPEDA or Canadian privacy law applies, UnderHost will handle personal information according to applicable Canadian privacy principles, including accountability, identifying purposes, consent where required, limiting collection, limiting use and disclosure, safeguards, openness, access, correction, and complaint handling.

18. Children and Minors

UnderHost services are intended for business users, website operators, and individuals who are legally able to enter into binding contracts. Our services are not directed to children under 16 or the applicable minimum age in the relevant jurisdiction. We do not knowingly collect personal information from children.

If you believe a child has provided personal information to UnderHost without appropriate authorization, contact privacy@underhost.com.

19. Third-Party Websites and Services

UnderHost websites and services may contain links to third-party websites, payment processors, domain registrars, control panels, software vendors, CDN providers, analytics providers, or other external services. UnderHost is not responsible for the privacy practices, security, content, or policies of third-party websites or services. You should review their privacy policies before providing information.

20. Customer Responsibility for End-User Privacy

If you use UnderHost services to operate a website, application, email service, database, store, community, SaaS platform, file service, or other online service, you are responsible for your own privacy notices, cookie notices, consent mechanisms, legal bases, security practices, data processing agreements, and compliance obligations toward your users.

UnderHost does not provide legal advice to customers regarding their own privacy compliance.

21. Changes to This Privacy Policy

UnderHost may update this Privacy Policy from time to time to reflect changes in law, technology, services, security practices, or business operations. Updates will be posted on this page with an updated effective date or last updated date. Where required by law or where changes are material, we may provide additional notice through CustomerPanel, email, website notice, or other appropriate means.

Your continued use of UnderHost services after an updated Privacy Policy becomes effective means you accept the updated policy, unless applicable law requires a different form of consent.