Privacy Policy

We collect information you provide directly:

• Account data — name, email, profile picture (via Google Sign-In).
• KYC data — first/last name, government ID number, phone, country (basic verification); biometric face captures (three angles), document photos, and a short liveness video (full verification, processed in-house on Webhostric infrastructure). Stripe Identity is offered only as a fallback if our in-house verifier cannot make a determination.
• Billing data — top-up amounts and timestamps. Card details are processed by Polar and never stored on our servers.
• Content — the files, sites, and domains you create or register through the platform.

We also collect information automatically:

• Technical logs — IP address, browser/user-agent, timestamps, requested URLs.
• Cookies — a session cookie (session) for authentication and a PHP session cookie (PHPSESSID) for flash messages and CSRF protection. We do not use third-party advertising cookies.

We use your information to:

• Provide, maintain, and improve the Service.
• Verify your identity (KYC) and prevent fraud, abuse, or money-laundering.
• Process payments and manage your account balance.
• Send transactional emails — login notifications, invoice confirmations, security alerts, and service updates. You can disable login notifications from your account settings.
• Comply with legal obligations and enforce our Terms.

We share limited data with the following service providers, each bound by their own privacy commitments:

• Google — OAuth sign-in.
• Namecheap — ICANN-accredited registrar; domain registration and WHOIS contact storage (your KYC L1 name, country, phone, email is sent as the registrant — masked from public WHOIS by WhoisGuard).
• Hetzner Cloud — server infrastructure (data centre in Germany / Finland).
• Stripe Identity — full KYC verification.
• Polar — payment processing and merchant of record.
• Anthropic — AI assistant ("Hostie") completions; chat content is sent to Anthropic's API for response generation. Anthropic does not retain your prompts for training.

For users in the European Economic Area, we process your personal data under one or more of the following legal bases: (a) contract — to deliver the services you have signed up for; (b) legitimate interests — security, fraud prevention, and product improvement; (c) legal obligation — KYC, tax, and accounting; (d) consent — for optional emails or features that explicitly request your consent.

Different categories of data have different retention windows:

• Account & billing records — active for the life of your account, then up to seven (7) years after closure as required by US tax and accounting law.
• KYC raw biometric & document files — encrypted at rest, retained ninety (90) days from successful verification, then automatically deleted. Failed verifications are deleted within 30 days.
• KYC outcome & cryptographic hash — kept for five (5) years after account closure, as required by anti-money-laundering and registry compliance, to detect re-submission abuse without re-storing the underlying images.
• Server & abuse audit logs — Caddy access logs, authentication events, abuse-scan results, and admin actions are written to an append-only, integrity-sealed (SHA-256) audit trail and retained for twelve (12) months. This log is the authoritative record we provide to law-enforcement on lawful request.
• DMCA takedown notices & counter-notices — retained indefinitely for safe-harbor recordkeeping.
• Site content — retained while your account is active; deleted within 30 days of account termination unless a legal hold applies.
• Anti-fraud signals — IP geolocation, card BIN country, and risk scores attached to top-ups are retained for two (2) years for chargeback dispute defense.

Authenticated user actions and abuse signals are recorded to an immutable audit log (chattr +a, gzipped daily, SHA-256 sealed). We respond to lawful requests for records — subpoenas, court orders, search warrants — addressed to our designated agent. We require the request to be specific (account identifier, time range) and respond only with the records that match. We notify affected users unless legally prohibited.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion (subject to retention obligations).
• Export your data in a portable format.
• Object to or restrict processing.
• Withdraw consent at any time (where processing is based on consent).

To exercise these rights, email us at [email protected]. We will respond within 30 days.

We are a US company; our servers are operated by Hetzner in the European Union. Personal data may be transferred to the US (Anthropic, Stripe, Namecheap, Polar) or other jurisdictions where our service providers operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

We use HTTPS/TLS for all connections, encrypted database backups, restricted server access, and automated patching. No system is perfectly secure: if we become aware of a personal-data breach affecting you, we will notify you and the relevant authorities as required by law.

Webhostric is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We use a strict-necessary set of cookies needed for authentication, sessions, and CSRF protection. We do not run third-party analytics, advertising, or tracking cookies. The "Hostie" assistant stores conversation history in your browser's localStorage only — never on our servers.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or through the panel. The "Last updated" date at the top of this page reflects the most recent revision.