The short version
We're a crypto-paid, No-KYC hosting provider. We collect the minimum data we need to run the service and bill you, and nothing more. In particular:
- We do not log the traffic that flows through your servers.
- We do not mirror your disks for inspection, backup, or analysis.
- We do not share your account data with anyone absent a Saint Kitts court order.
- We do not sell advertising or train machine-learning models on anything.
The sections below explain the specifics. If you prefer the signed, weekly update: see the warrant canary.
Data we collect
Account-level data
- Email address — required, for invoices, password reset, and urgent operational notices. Disposable/forwarder addresses are accepted.
- Hashed password — Argon2id, never stored in plain.
- 2FA seed (optional) — TOTP / WebAuthn, stored encrypted at rest.
- PGP public key (optional) — stored in your profile for signed support correspondence.
Billing data
- Invoice records — amount, USD value, crypto asset, settlement TXID, timestamp. Retained for 7 years per standard corporate record-keeping practice.
- Crypto addresses used to pay — recorded against the invoice for reconciliation.
Operational data
- API action logs — who provisioned/rebooted/destroyed which server and when. Retained 90 days.
- Panel session IP addresses — logged for 24 hours for brute-force protection, then purged.
What we explicitly do NOT collect
- Traffic passing through your VPS or dedicated server (no netflow, no PCAP, no mirroring).
- MAC/ARP tables beyond 24 hours (the minimum needed for network operation).
- File-level contents of your disks.
- Government-issued identity documents, phone numbers, real names, or proof of residence.
Legal basis for processing
Under the Data Protection (Privacy of Personal Information) Act 2018 of Saint Kitts and Nevis and, where relevant, the EU GDPR for customers based in the EU, we process personal data on the following bases:
- Contract performance — the data we need to provide the Services you have ordered.
- Legitimate interest — fraud prevention, abuse handling, network-integrity protection.
- Legal obligation — narrow, and only under Saint Kitts law (e.g. seven-year retention of invoices).
- Consent — for optional profile data (PGP key, display name).
Data sharing & disclosure
We share nothing voluntarily
We do not sell data, do not rent it, do not share it for advertising, and do not participate in data-broker exchanges. We have no integrations with Google Analytics, Facebook Pixel, or any third-party tracker.
When we do disclose
Only in response to a lawful order from a court of competent jurisdiction under the law of the Federation of Saint Kitts and Nevis. We do not respond to:
- Subpoenas or National Security Letters issued by US authorities.
- MLAT requests routed through Saint Kitts without local judicial review.
- Administrative data requests from EU or UK regulators absent a Saint Kitts court order.
- DMCA take-down notices (these are not court orders — see DMCA Stance).
All lawful orders we act on are counted and categorised in our semi-annual Transparency Report. Upstream, our Warrant Canary is re-signed every Monday.
Retention periods
| Data category | Retention | Basis |
|---|
| Account email & hashed password | Duration of account + 30 days | Contract |
| Invoices & payment records | 7 years | Corporate records law (SKN) |
| API action logs | 90 days | Abuse / security investigation |
| Panel session IPs | 24 hours | Brute-force protection |
| Support ticket correspondence | 2 years | Service continuity |
| VPS / dedicated disk contents on termination | 7 days (voluntary), 0 (AUP) | Recovery / security |
| Warrant-canary archives | Indefinite (signed & public) | Transparency |
Your rights
You have the following rights over your personal data, regardless of which jurisdiction you are in:
- Access — a full export of the account data we hold, in JSON format, delivered via signed email within 30 days of request.
- Rectification — update your email, password or PGP key from the panel at any time.
- Erasure — close your account and trigger the 30-day purge cycle (invoices retained for 7 years per law).
- Portability — your Content is always portable by definition (it's your server, take it with you).
- Objection — you may object to any processing we do for legitimate-interest purposes; we will either cease or justify the processing in writing.
To exercise any right: [email protected], preferably with a PGP-signed message using our public key.
Cookies & tracking
Our website uses one (1) cookie: a session cookie named cs_session, HttpOnly, Secure, SameSite=Strict. No third-party analytics, no tracking pixels, no advertising cookies. We do not implement Do-Not-Track handling because we have no tracking to disable.
International transfers
Our infrastructure runs in Iceland, the Netherlands, Romania and Switzerland; our corporate office is in Saint Kitts and Nevis. Your data therefore moves between these jurisdictions as needed for service delivery. All inter-PoP traffic is encrypted with TLS 1.3 and WireGuard; backend credentials are stored in HashiCorp Vault.
For customers subject to the EU GDPR: transfers to Saint Kitts are based on Standard Contractual Clauses (SCC, 2021 module) contained in our Data Processing Addendum, available on request.
Children
Our Services are not directed at individuals under the age of 18. We do not knowingly process data of minors. If you believe we are processing data of a minor, notify us at [email protected] and we will erase it promptly.
Changes to this Policy
Material changes are announced thirty (30) days ahead, to your account email and on this page (with a bumped version number and updated date). Non-material corrections take effect immediately. Archived versions are available on request.
