Privacy Policy

Account & Identification Data

Name, company name, billing and contact address, country, email address, phone number (optional), VAT/KVK or comparable business identifiers, account username, and — where required for verification or compliance — proof of identity, address, or beneficial ownership.

Authentication & Security Data

Hashed passwords, two-factor authentication secrets, API keys, SSH keys, session tokens, login timestamps and source IP addresses, and records of security events.

Billing & Transaction Data

Order history, invoices, services purchased, billing cycle, currency, payment method (card, SEPA, Klarna, cryptocurrency), partial payment-instrument identifiers (e.g. last four digits of a card, transaction hash for crypto), and tax information. We do not store full card numbers, CVCs, or Klarna credentials on our systems — these are handled directly by our payment service providers (see Section 7).

Service & Configuration Data

Hostnames, assigned IP addresses, plan and resource configuration, control-panel settings, technical contacts, and similar metadata necessary to provide and operate the Services.

Support & Communications Data

Tickets, emails, chat messages, abuse reports, attachments, and any information you choose to provide when contacting us.

Log & Operational Data

Server, network, authentication, mail, and application logs, including timestamps, IP addresses, user agents, request paths, error codes, and similar technical information generated by your use of the Services or by automated abuse/security monitoring.

Analytics Data (Website)

Aggregated, privacy-friendly usage statistics about our public website (see Section 6).

Compliance & Risk Data

Information processed for fraud prevention, anti-money-laundering, sanctions screening, abuse handling, and legal-request response, including records of decisions taken and the reasons for them.

Providing and operating the Services

Including account creation, provisioning, configuration, support, maintenance, and incident response. Legal basis: performance of a contract with you, or steps prior to entering into one (Art. 6(1)(b) GDPR).

Billing, payment processing, and accounting

Including invoicing, collecting payments, handling refunds, and bookkeeping. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with our legal obligations, in particular tax and accounting law (Art. 6(1)(c)).

Communication with you

Including operational notices, security alerts, service announcements, and responses to your enquiries. Legal basis: performance of a contract (Art. 6(1)(b)) and/or our legitimate interest in operating our business (Art. 6(1)(f)).

Security, fraud prevention, and abuse handling

Including authentication, rate-limiting, intrusion detection, log analysis, sanctions and fraud screening, investigation of abuse complaints, and protection of our infrastructure and third parties. Legal basis: our legitimate interest in protecting the Services, our customers, our network, and third parties (Art. 6(1)(f)), and compliance with legal obligations (Art. 6(1)(c)).

Compliance with legal obligations

Including tax retention, responding to lawful requests from authorities, and statutory data-protection obligations. Legal basis: Art. 6(1)(c) GDPR.

Website analytics

Measuring aggregated usage to improve our website. Legal basis: our legitimate interest in understanding and improving the website (Art. 6(1)(f)); see Section 6 for why no consent is required.

Establishing, exercising, or defending legal claims

Including dispute resolution, enforcement of our Terms, and defence against claims. Legal basis: our legitimate interest (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)).

Strictly necessary cookies / local storage

Our client portal and website use a small number of technical cookies and similar storage mechanisms that are strictly necessary to operate the site, keep you signed in, secure your session, remember basic preferences, and protect against attacks (e.g. CSRF). These are set on the basis of Art. 11.7a(3) of the Dutch Telecommunications Act (implementing the ePrivacy Directive) and do not require consent.

Website analytics — Rybbit (self-hosted)

We use a self-hosted instance of Rybbit for aggregated website usage analytics. Our Rybbit instance is configured in a privacy-friendly manner: it operates without tracking cookies, does not store IP addresses, does not assign persistent identifiers, and produces only aggregated statistics (such as page views, referrers, approximate country, and device class). No personal data is shared with third parties through Rybbit because the instance is operated entirely on our own infrastructure. Because the analytics are aggregated and cookieless, no consent is required under the ePrivacy Directive as implemented in the Netherlands; we rely on our legitimate interest under Art. 6(1)(f) GDPR. You can nevertheless object at any time using the contact details in Section 2.

No marketing or advertising trackers

We do not use third-party advertising networks, behavioural advertising trackers, cross-site tracking pixels, or social-media trackers on our website.

Within ClearStack B.V.

Access is restricted to authorised personnel on a need-to-know basis, subject to confidentiality obligations.

Payment service providers

Depending on the payment method you choose, personal data necessary to process the payment (such as name, billing address, email, amount, currency, and order reference) is shared with the providers below, each acting as an independent controller under its own privacy policy. We pass on only the information that is necessary to initiate, complete, reconcile, and document the transaction.

Paylinq

For payments by card and Klarna. Paylinq acts as an independent controller for payment processing, fraud prevention, and regulatory compliance under applicable financial services law.

NowPayments.io

For payments by cryptocurrency. NowPayments.io acts as an independent controller for crypto-payment processing, conversion, and related compliance.

Service infrastructure

We operate our own software stack and rely on our own and leased infrastructure located in the Netherlands and the United Kingdom. We do not transfer personal data to third-party cloud providers for the operation of our core Services.

Email

Operational and transactional emails (e.g. invoices, payment reminders, password resets, security notices) are sent from our own self-hosted mail servers. No third-party email-delivery provider is involved in this communication.

Professional advisors

Lawyers, auditors, accountants, and tax advisors, bound by professional confidentiality, where this is necessary for legal, tax, or audit purposes.

Authorities and third parties

Where required by law, court order, or binding request from a competent authority, or where necessary to establish, exercise, or defend legal claims, prevent fraud or imminent harm, or enforce our Terms.

Business transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the acquiring party, subject to appropriate safeguards and, where required, prior notice to you.

Contractual necessity

For as long as you maintain an account or use a Service, and for a reasonable period afterwards to allow for reactivation, reconciliation, or follow-up.

Legal obligations

In particular, invoices, accounting records, and related tax documentation are retained for the periods required by Dutch tax and accounting law.

Security and abuse handling

Log data and security records are retained for as long as necessary to detect, investigate, and respond to incidents and to defend against claims, in line with industry-standard practice.

Establishment, exercise, or defence of legal claims

Until the relevant limitation periods have expired.

Consent-based processing

Until you withdraw your consent, after which we delete the data unless another legal basis applies.

Right of access (Art. 15 GDPR)

To obtain confirmation of whether we process your personal data and, if so, a copy of that data and information about the processing.

Right to rectification (Art. 16 GDPR)

To have inaccurate or incomplete personal data corrected or completed.

Right to erasure / "right to be forgotten" (Art. 17 GDPR)

To have personal data deleted where one of the legal grounds applies and no overriding obligation requires us to retain it.

Right to restriction of processing (Art. 18 GDPR)

To have processing restricted in certain circumstances.

Right to data portability (Art. 20 GDPR)

To receive personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

Right to object (Art. 21 GDPR)

To object, on grounds relating to your particular situation, to processing based on our legitimate interests, including any processing for analytics purposes.

Right to withdraw consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal.

Right not to be subject to automated decision-making (Art. 22 GDPR)

See Section 14.

Right to lodge a complaint

See Section 16.