Privacy Policy

Your privacy matters. Here's exactly how we handle your data — no legal jargon, just straight answers.

Effective: January 1, 2026 | Last Updated: April 12, 2026

Quick Summary

What We Collect

Account info, billing details, usage data, and server configuration to run your services

We Never Sell Data

Your information is never sold, rented, or traded to third parties. Period.

Security First

TLS 1.3 encryption, AES-256 at rest, access controls, and regular audits

Request Deletion

You can request your data be deleted at any time

US & EU Storage

Primary US servers with EU infrastructure planned for enhanced privacy

Minimal Cookies

Essential cookies only. No advertising trackers or browser fingerprinting.

1

Information We Collect

Account Information: Name, email address, username, hashed password, billing address, phone number (optional), support ticket history, communication preferences.

Billing Information: Payment method type (card brand and last 4 digits only — we never store full card numbers), transaction history, invoice records, billing address. All payment processing handled by Stripe and PayPal.

Automatic Data: IP address (retained 90 days), browser type and version, operating system, device type, pages visited and time spent, referring URL, general geographic location (city/country level, not precise). We do NOT use browser fingerprinting.

Server Data: Minecraft server configuration files, world saves, backup files, installed plugins/mods, server console logs (retained 30 days), resource usage metrics. We do NOT access or monitor in-game chat, private messages, or player activity unless required for abuse investigation with notice.

Payment Security: We never store full credit card numbers, CVVs, or banking credentials. All payment data is tokenized and processed by PCI DSS Level 1 compliant processors (Stripe, PayPal).

2

How We Use Your Information

  • Service Delivery: To create your account, run your servers, and process payments
  • Customer Support: To respond to tickets, troubleshoot issues, and help you
  • Security: To detect fraud, prevent abuse, and protect our infrastructure
  • Legal Compliance: To comply with laws and respond to legal requests
  • Service Improvement: To understand how our services are used and make them better (using anonymized/aggregated data)
  • Communications: To send important updates, security alerts, and (with consent) promotional emails

Important: We do NOT use your data for behavioral advertising or profiling. We do NOT sell, rent, or trade your personal information.

3

Legal Basis for Processing (GDPR)

For users in the EU, UK, and Switzerland: Contract — to provide the hosting services you signed up for. Legitimate Interest — for security, fraud prevention, and service improvement (assessed and documented). Legal Obligation — to comply with tax laws and legal requirements. Consent — for marketing emails (you can withdraw anytime).

Legitimate Interest Assessments (LIA): We have conducted Legitimate Interest Assessments for:

  • Security Monitoring: LIA conducted, our security interest outweighs privacy impact
  • Service Improvement: LIA conducted, anonymized/aggregated data used to enhance platform functionality
  • Fraud Prevention: LIA conducted, necessary for platform integrity and user protection

You may request a copy of our Legitimate Interest Assessments by contacting [email protected]

4

Information Sharing

We Do Not Sell Your Data. We never sell, rent, or trade your personal information to third parties.

Our Sub-Processors:

  • Payment Processors: Stripe (stripe.com/privacy), PayPal (paypal.com/privacy)
  • Infrastructure: Cloudflare (DNS, CDN, DDoS mitigation — cloudflare.com/privacypolicy)
  • DDoS Protection: Evolution Host / EvoShield (DDoS mitigation API)
  • Backup Storage: Backblaze B2 (encrypted cloud backup storage — backblaze.com/company/privacy)
  • Communication: Discord (community support — discord.com/privacy)
  • Server Management: Pterodactyl Panel (open-source, self-hosted — no data shared externally)
  • Monitoring: Uptime Kuma (self-hosted status monitoring — no data shared externally)

Self-Hosted Services: Pterodactyl Panel, Uptime Kuma, and Proxmox run on our own infrastructure. Your data is NOT transmitted to third parties for these services.

We will notify you via email at least 30 days before adding new sub-processors that handle your personal data.

Legal Disclosure: We may disclose information if required by law, court order, or government request. We will notify you unless legally prohibited from doing so.

5

Cookies & Tracking

Essential Cookies (Required): Session authentication, CSRF protection, language preference. Cannot be disabled as they are necessary for basic functionality.

Preference Cookies (Optional): Theme settings, dashboard layout preferences. Stored locally on your device, not transmitted to our servers.

Analytics Cookies (Optional): Anonymous usage statistics to improve our services. No personally identifiable data collected.

What We Do NOT Use: We do NOT use advertising cookies, cross-site tracking, social media tracking pixels, or browser fingerprinting.

Do Not Track (DNT): We respect Do Not Track browser signals and honor your privacy preferences.

Cookie Consent: EU visitors will see a cookie consent banner upon first visit. You can modify your cookie preferences at any time from your account settings.

6

Data Retention

  • Active Accounts: Your data is retained while your account remains active
  • Cancelled Accounts: Account information retained for 30 days; server data deleted after 14 days
  • Financial Records: Transaction records kept for 7 years (required by US tax law and IRS requirements)
  • Support Tickets: Retained for 2 years after resolution
  • Server Logs: Retained for 90 days
  • IP Addresses: Retained for 90 days

Early Deletion: You may request early deletion of non-legally-required data at any time by contacting us.

7

Your Privacy Rights

Rights for Everyone:

  • Access your personal data (response within 30 days)
  • Correct inaccurate information
  • Delete your account and associated data
  • Opt out of marketing emails (one-click unsubscribe)
  • Request data export in machine-readable format (JSON/CSV)

EU/UK Residents (GDPR Articles 15-22):

  • Data portability (export within 30 days, JSON/CSV format)
  • Restrict processing
  • Object to processing based on legitimate interest
  • Withdraw consent at any time
  • Lodge a complaint with your local Data Protection Authority
  • Right not to be subject to automated decision-making

California Residents (CCPA/CPRA):

  • Right to Know (categories and specific pieces, response within 45 days)
  • Right to Delete
  • Right to Correct
  • Right to Opt-Out of Sale/Sharing (we don't sell, but you can still exercise this right)
  • Right to Limit Use of Sensitive Personal Information
  • Right to Non-Discrimination
  • Authorized agent requests accepted with written authorization

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) Residents:

Similar rights to access, delete, correct, opt-out, and data portability under your state's privacy law.

Contact: [email protected] — response within 30 days (45 days for CCPA).

8

Data Security

Encryption: TLS 1.3 for all data in transit, AES-256 encryption at rest for backups and sensitive data

Access Controls: Role-based access control (RBAC), multi-factor authentication required for all staff

Network Security: Enterprise DDoS protection, firewall rules, intrusion detection, VPN-secured internal infrastructure

Physical Security: Hardware owned and operated by MineXHost in secure facilities with controlled access

Security Audits: Regular vulnerability assessments and penetration testing by third-party security firms

Incident Response: Documented breach response procedures with defined escalation paths

Breach Notification: We will notify affected users AND relevant authorities (ICO, state AGs, DPAs) within 72 hours of a confirmed breach. Notification includes: nature of the breach, data affected, mitigation steps, and contact information.

9

International Data Transfers

Primary Infrastructure: Data is primarily stored on servers located in the United States. EU server infrastructure is planned to provide better compliance for European users.

EEA/UK Data Transfers: For transfers from the European Economic Area and UK, we rely on Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914.

Transfer Impact Assessment: We have conducted Transfer Impact Assessments as required. Supplementary measures include: encryption in transit and at rest, role-based access controls, and data minimization practices.

Request Documentation: You may request a copy of our SCCs and Transfer Impact Assessment by contacting [email protected]

10

Automated Decision-Making

Automated Systems We Use: We use automated systems for fraud detection, abuse prevention, and DDoS mitigation to protect our platform and users.

Account Restrictions: These systems may temporarily restrict access to your account if suspicious activity is detected.

Your Rights: You have the right to:

  • Request human review of automated decisions
  • Challenge automated decisions
  • Obtain an explanation of how the decision was made

Contact [email protected] to request human review of any automated decision.

11

Children's Privacy

Age Policy: Our services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected data from a child under 13, we will delete it immediately.

Teen Users (13-17): Users aged 13-17 must have verifiable parental or guardian consent.

Parental Consent Process: A parent or guardian must either:

  • Create the account directly, OR
  • Send written consent to [email protected] with: parent's full name, child's username, parent's email address, and explicit confirmation of consent

Parental Rights: Parents and guardians can:

  • Review their child's personal data
  • Request data deletion
  • Revoke consent at any time

Advertising: We do not serve behavioral advertising to users under 18.

12

Data Protection Officer

Data Protection Officer (DPO): We have appointed a dedicated Data Protection Officer to assist with all data protection matters.

Contact DPO: [email protected]

For EU/UK Residents: Our DPO serves as your primary contact for all data protection matters, including filing complaints with your local Data Protection Authority.

13

Policy Changes

We may update this Privacy Policy from time to time. For material changes involving data collection, sharing, retention, or your rights, we will:

  • Notify you by email at least 30 days before changes take effect
  • Post a notice on our website

Your Right to Terminate: You may terminate your account if you do not agree with policy changes.

14

Contact Us

Privacy Questions & Data Rights Requests:

  • Email: [email protected] (general privacy inquiries and data subject requests — response within 30 days)
  • DPO (EU/UK): [email protected] (Data Protection Officer for European residents)
  • Support Portal: Contact Page
  • Mailing Address: MineXHost LLC, Hanover, PA, United States

By using MineXHost services, you acknowledge that you have read and understood this Privacy Policy.