Privacy Policy
1. Who we are
MineXHost LLC ("MineXHost", "we") is the data controller for personal data processed through the panel and website, as a limited liability company organized in the Commonwealth of Pennsylvania, United States. Contact: [email protected].
2. What we collect
We collect only what we need to run the Service:
- Account data — your email address and chosen username, your hashed password (never stored in plaintext), email-verification status and account role.
- Technical & security logs — IP addresses and timestamps recorded in our security/activity audit log (sign-ins including failed attempts, password and 2FA changes, API-key and key administrative actions) for fraud prevention and account security. Player IPs on your game server are obfuscated and not tracked except at the upstream DDoS-protection layer.
- Website analytics — we measure use of our own website with a first-party, self-hosted analytics system that runs entirely on our own servers. No third-party analytics or advertising service receives this data, and we do no cross-site tracking of any kind. It is cookieless — it sets no cookies and stores nothing on your device — and records only aggregate usage signals: the page path (with any query string removed), the referring site's domain, screen size, browser language and page title. Your IP address is not stored: it is used only transiently, together with a salt that rotates daily, to derive an anonymized one-way hash for same-day visit counting, after which it is discarded; hashes from different days cannot be linked back to you or to each other.
- Billing data — your orders, subscriptions, invoices and payments. Card payments are processed by Stripe; we receive a payment token and an opaque Stripe customer reference, never your full card number or CVC.
- Server data you provide — server names, configuration, and the worlds/mods/files you upload to your servers.
- Consent records — when you accept these policies at registration or checkout we record the time, the policy version, and the source IP so we can prove acceptance.
- Communications — support tickets and messages you send us.
- Website analytics — we run a self-hosted, cookieless analytics tool (umami) on our own infrastructure. It collects aggregate page-view, referrer, device/browser and performance metrics and basic interaction events (for example button clicks), first-party only. It sets no cookies, is not used to identify you, and is never used for cross-site tracking or advertising.
We do not sell your personal data, and we do not use it for third-party advertising.
3. How we use it
- To create and operate your account and provision, run and support your servers.
- To take payment, send receipts/invoices and manage subscriptions.
- To secure the Service: detect and prevent fraud, abuse and unauthorised access.
- To send service and transactional emails (verification, password reset, receipts, important notices). Marketing email, if any, is only with your consent and you can opt out at any time.
- To comply with legal obligations (e.g. tax/accounting recordkeeping).
4. Legal bases (GDPR)
Where the GDPR applies we rely on: performance of a contract (operating your account and servers); legitimate interests (security, fraud prevention, service improvement); legal obligation (financial records); and consent (optional marketing), which you may withdraw at any time.
5. Who we share it with
We share personal data only with processors who help us run the Service, under contract and only as needed: our payment processor (Stripe), email/delivery providers, and infrastructure/hosting providers. We may disclose data where required by law or to protect our rights, users or the Service. Our website analytics (umami) is self-hosted on our own infrastructure, so analytics data is not shared with any third-party analytics provider.
6. Retention
We keep account and server data for as long as your account is active. When you delete your account (or we erase it on your request) we anonymise your personal data promptly; invoices and financial records are retained for the period required by tax and accounting law in an anonymised form (no longer linked to your identifying details). Security logs are kept for a limited period appropriate to their purpose.
7. Your rights (including erasure)
Subject to applicable law you have the right to access, correct, export (portability), restrict or object to processing, and to erasure of your personal data ("right to be forgotten"). You can delete your account yourself from Account → Security in the panel; this requires you to re-enter your password, then it anonymises your email, username and stored IPs, tears down your servers and cancels your subscriptions, while retaining anonymised financial records as required by law. You can also email [email protected] to exercise any right, and you may lodge a complaint with your local data-protection authority.
8. Security
Passwords are hashed (bcrypt), secrets are encrypted at rest, access is least- privilege, and the panel supports two-factor authentication. No system is perfectly secure, but we take commercially reasonable measures to protect your data.
9. International transfers
Your data may be processed in countries other than your own. Where required we use appropriate safeguards (such as Standard Contractual Clauses) for international transfers.
10. Children
The Service is not directed to children under 13 (or the local minimum age) and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
11. Changes
We may update this Policy; material changes are posted here with a new effective date and policy version, and we notify you where required.
12. Contact
Privacy questions or requests: [email protected].