Data Protection

Privacy Policy

What we collect, why we collect it, where it goes, and what we never do. Written for humans, compliant with GDPR and CCPA.

Effective: January 1, 2026 Last Updated: January 1, 2026 GDPR & CCPA Compliant

🔒 TL;DR — The Short Version

  • We collect the minimum necessary — email, IP, basic server logs. That's it.
  • We never sell your data — not to advertisers, data brokers, or anyone else. Ever.
  • We never look inside your VPS — your server contents are private unless a court order says otherwise
  • No behavioral advertising — we don't profile you, don't track you across sites, don't serve targeted ads
  • Minimal cookies — session authentication only. No third-party tracking cookies.
  • You can delete everything — request full data deletion anytime and we'll comply within 30 days
  • GDPR & CCPA compliant — full rights for EU and California residents

1. Data Controller

FreeVPS.it.com ("we," "our," "us") is the data controller responsible for processing your personal data when you use the freevps.it.com website and associated services.

Data Controller: FreeVPS.it
Website: freevps.it.com
Data Protection Contact: privacy@freevps.it.com

If you have any questions about how we handle your data, contact us at privacy@freevps.it.com before anything else. We respond to privacy inquiries within 72 hours.

2. What We Collect

We collect only what's necessary to operate the service. Here's every category of personal data we process, with no exceptions or hidden addendums.

2.1 Information You Provide

  • Email address — required at registration for account creation, verification, and service notifications
  • Password — stored as a bcrypt hash. We never store or have access to your plaintext password
  • Name (optional) — if you choose to provide it during registration
  • Support correspondence — the content of support tickets, emails, and live chat messages you send us
  • Payment information (paid plans only) — processed and stored by our payment processor, not by us directly

2.2 Information Collected Automatically

  • IP address — logged when you access the website or control panel
  • Browser user agent — browser type, version, and operating system
  • Access timestamps — date and time of panel logins and page views
  • Server provisioning data — the OS, region, and configuration you select when deploying a VPS
  • Resource usage metrics — CPU, RAM, bandwidth, and disk usage statistics for your VPS instance (aggregate, not content-level)

2.3 Information We Never Collect

  • Contents of your VPS (files, databases, application data)
  • Network traffic content flowing through your VPS
  • SSH/RDP session content or keystrokes
  • Biometric data
  • Social media profiles or contact lists
  • Location data beyond IP-based geolocation
  • Device fingerprints for cross-site tracking
Your server is a black box to us. We can see that your VPS is using 67% of its RAM. We cannot see what's in that RAM. We can see that you transferred 12GB of data this month. We cannot see what that data contained. This is by design.

3. Data Map — What Goes Where

Complete transparency on every piece of data, why we have it, and how long we keep it.

Data Point Purpose Legal Basis Retention Shared?
Email address Account creation, notifications, password reset Contract Until account deletion + 30 days Payment processor only
Password hash Authentication Contract Until account deletion Never
IP address Security, abuse prevention, fraud detection Legitimate interest 90 days (access logs) Only if required by law
Browser user agent Security, compatibility debugging Legitimate interest 90 days Never
VPS config data Service provisioning and management Contract Until service termination Infrastructure provider (hosting)
Resource metrics Fair-use enforcement, capacity planning Legitimate interest 30 days (granular), 1 year (aggregate) Never
Support tickets Customer support, dispute resolution Contract 2 years after resolution Never
Payment data Billing (paid plans) Contract As required by tax law (typically 7 years) Payment processor (Stripe)
VPS contents N/A — we don't access this Not processed Deleted within 30 days of account termination Never (unless court order)

4. How We Use Your Data

Every use of your personal data falls into one of these categories:

4.1 Service Delivery

  • Creating and managing your account
  • Provisioning and maintaining your VPS instance
  • Sending essential service notifications (maintenance, security alerts, account-related emails)
  • Processing payments for paid plans
  • Providing customer support

4.2 Security & Abuse Prevention

  • Detecting and preventing unauthorized access to accounts
  • Identifying and blocking abusive behavior (spam, DDoS, crypto mining) per our Acceptable Use Policy
  • Investigating security incidents and responding to abuse reports
  • Enforcing fair-use resource limits on shared infrastructure

4.3 Infrastructure Improvement

  • Aggregated, anonymized usage statistics to plan capacity
  • Identifying performance bottlenecks in our network
  • Improving the control panel user experience

4.4 Legal Compliance

  • Responding to valid legal requests (court orders, subpoenas)
  • Meeting tax and financial reporting obligations
  • Reporting child exploitation material to NCMEC and law enforcement as required by law
We never use your data for: Advertising, user profiling, behavioral targeting, selling to third parties, training AI models, or any purpose not listed above.

Under the General Data Protection Regulation (GDPR), every instance of data processing requires a lawful basis. Here's ours:

  • Performance of contract (Article 6(1)(b)): Processing your email, password hash, and VPS configuration is necessary to deliver the service you signed up for
  • Legitimate interest (Article 6(1)(f)): Logging IP addresses and browser data for security, abuse prevention, and infrastructure management. We've conducted a balancing test and determined these interests do not override your fundamental rights
  • Legal obligation (Article 6(1)(c)): Retaining financial records as required by tax law; reporting illegal content to authorities as required by law
  • Consent (Article 6(1)(a)): For any optional communications (e.g., product updates, newsletters) — you can withdraw consent at any time

6. What We Explicitly Don't Do

This section exists because the industry has eroded trust to the point where "what we don't do" matters as much as what we do.

We do NOT sell your personal data to anyone — not advertisers, not data brokers, not "partners"
We do NOT serve behavioral or targeted advertising
We do NOT read, scan, or analyze the contents of your VPS
We do NOT use third-party tracking pixels, analytics scripts, or fingerprinting
We do NOT share your data with government agencies without a valid legal order
We do NOT use your data to train machine learning models

7. Cookies & Tracking Technologies

We use the bare minimum number of cookies required to operate the website and control panel. No tracking cookies, no advertising cookies, no third-party analytics cookies.

Cookie Name Type Purpose Duration Required?
session_id Essential Maintains your login session in the control panel Until browser close or 24h Yes
csrf_token Essential Prevents cross-site request forgery attacks on forms Session Yes
remember_me Essential Keeps you logged in if you check "Remember me" 30 days Optional (user-initiated)
theme_pref Preference Stores your dark/light mode preference 1 year No
cookie_consent Essential Records whether you've acknowledged the cookie notice 1 year Yes (for EU compliance)
No Google Analytics. No Facebook Pixel. No Hotjar. No Mixpanel. We don't load any third-party analytics or tracking scripts. Your browsing behavior on our site stays between you and our server logs (which are deleted after 90 days).

7.1 Managing Cookies

You can control cookies through your browser settings. Blocking essential cookies will prevent you from logging into the control panel, but the public website will function normally.

  • Chrome: Settings → Privacy and Security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and Site Permissions

8. Third-Party Services

We use a small number of third-party services to operate. Each one receives only the data strictly necessary for its function.

Service Purpose Data Shared Their Privacy Policy
Stripe Payment processing (paid plans only) Email, payment card details, billing address stripe.com/privacy
Cloudflare CDN, DDoS protection, DNS IP address, request headers (transient) cloudflare.com/privacypolicy
Transactional Email Provider Sending account emails (verification, alerts) Email address, email content Provider-specific (disclosed on request)

We do not use:

  • Google Analytics or any Google marketing services
  • Facebook/Meta tracking or conversion APIs
  • Any advertising network SDKs
  • Customer data platforms (CDPs) or data management platforms (DMPs)
  • Session recording tools (Hotjar, FullStory, etc.)

9. Data Storage & Security

9.1 Where Data Is Stored

Account data (email, password hash, support tickets) is stored on servers located in the United States and the European Union. Your VPS instance data resides in the datacenter region you selected during deployment.

9.2 Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit: All connections to our website and control panel are encrypted with TLS 1.2+ (HTTPS enforced sitewide)
  • Encryption at rest: Account databases are stored on encrypted NVMe arrays (AES-256)
  • Password hashing: bcrypt with per-user salt, minimum cost factor 12
  • Access controls: Internal access to user data is restricted to authorized personnel only, with role-based access and audit logging
  • Network segmentation: Management infrastructure is separated from customer VPS networks
  • Regular security audits: Vulnerability scanning and penetration testing on a quarterly basis
  • Two-factor authentication: Available and recommended for all account holders
Your VPS security is your responsibility. We secure the host infrastructure and management plane. The security of your VPS instance — SSH configuration, firewall rules, application patching — is entirely under your control.

10. Data Retention

We retain data only as long as it's needed. Here are the specific retention periods:

  • Account data: Retained until you delete your account, then purged within 30 days
  • Web server access logs (IP, user agent): 90 days, then automatically deleted
  • VPS resource metrics (detailed): 30 days
  • VPS resource metrics (aggregated/anonymized): 1 year (for capacity planning)
  • Support tickets: 2 years after resolution, then deleted
  • Payment records: 7 years (as required by tax law)
  • Abuse investigation records: 3 years (to identify repeat offenders)
  • VPS instance data: Deleted within 30 days of account termination

When retention periods expire, data is permanently deleted — not just flagged for deletion. We run automated purge jobs weekly to enforce these schedules.

11. Your Privacy Rights

Regardless of where you live, we extend the following rights to all FreeVPS.it users:

Right to Access

Request a copy of all personal data we hold about you. Delivered in machine-readable format (JSON) within 30 days.

Right to Rectification

Correct inaccurate personal data. Update your email or profile directly in the control panel, or contact support.

Right to Erasure

Request complete deletion of your account and all associated data. Completed within 30 days. Irreversible.

Right to Restrict Processing

Request that we limit how we use your data while a dispute or inquiry is being resolved.

Right to Data Portability

Export your personal data in a structured, machine-readable format (JSON). VPS data can be exported via SCP/SFTP at any time.

Right to Object

Object to processing based on legitimate interest. We'll stop unless we can demonstrate compelling grounds that override your interests.

Right to Withdraw Consent

For any processing based on consent (e.g., marketing emails), withdraw at any time. One click in the email footer or contact us.

Right to Lodge Complaint

File a complaint with your local data protection authority if you believe we're handling your data incorrectly.

How to Exercise Your Rights

Send a request to privacy@freevps.it.com from the email address associated with your account. We'll verify your identity and respond within 30 days. There is no fee for exercising your rights.

12. GDPR-Specific Provisions

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional provisions apply:

12.1 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer:

DPO Email: dpo@freevps.it.com

12.2 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

12.3 Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. Abuse detection systems may flag accounts automatically, but all enforcement actions are reviewed and approved by a human before execution.

12.4 Data Processing Agreements

We have Data Processing Agreements (DPAs) in place with all third-party sub-processors listed in Section 8. Copies are available upon request to dpo@freevps.it.com.

13. CCPA-Specific Provisions

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:

13.1 Categories of Personal Information

Under CCPA categorization, we collect:

  • Identifiers: Email address, IP address, account ID
  • Internet activity: Browsing history on our site (access logs), interaction with our control panel
  • Commercial information: Purchase history (paid plans only)

13.2 Sale of Personal Information

We do NOT sell your personal information as defined under the CCPA. We have not sold personal information in the preceding 12 months. We have no plans to begin selling personal information.

13.3 Your CCPA Rights

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we've collected
  • Right to Delete: Request deletion of personal information we've collected
  • Right to Opt-Out of Sale: Not applicable — we don't sell your data
  • Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights (no service degradation, no price increases)

13.4 How to Submit a CCPA Request

Email privacy@freevps.it.com with the subject line "CCPA Request." We'll verify your identity and respond within 45 days (with a possible 45-day extension if reasonably necessary).

Authorized agents: You may designate an authorized agent to submit CCPA requests on your behalf. The agent must provide written authorization signed by you, and we may still verify your identity directly.

14. International Data Transfers

Your data may be processed in countries outside your country of residence, primarily in the United States and European Union.

14.1 Transfer Safeguards

When transferring personal data from the EEA/UK to the United States or other countries without an EU adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) — approved by the European Commission, incorporated into our agreements with sub-processors
  • EU-US Data Privacy Framework — where applicable for certified third-party services
  • Supplementary measures — including encryption in transit and at rest, access controls, and data minimization

14.2 Your VPS Data Location

The contents of your VPS instance remain in the datacenter region you selected at deployment. We do not replicate or transfer your VPS data to other regions unless you explicitly request it (e.g., migrating to a different datacenter).

15. Children's Privacy

FreeVPS.it is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, contact us at privacy@freevps.it.com and we will delete the data within 72 hours.

For users between 16 and 18, a parent or legal guardian should review these Terms and Privacy Policy and may be asked to provide consent on the minor's behalf.

16. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

16.1 Notification Timeline

  • Supervisory authority: Notified within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
  • Affected users: Notified without undue delay when the breach is likely to result in high risk to your rights (GDPR Article 34)

16.2 Notification Content

Our breach notifications will include:

  • Nature of the breach — what data was affected
  • Approximate number of users impacted
  • Likely consequences of the breach
  • Measures taken to address and mitigate the breach
  • Contact information for our data protection team
  • Recommendations for steps you can take (e.g., password changes)

16.3 Breach Response

Our incident response protocol includes:

  1. Immediate containment and assessment
  2. Forensic investigation to determine scope
  3. Notification to affected parties per timelines above
  4. Root cause analysis and remediation
  5. Post-incident review and security improvements
We will never cover up a breach. If your data is compromised, you will be told clearly, quickly, and with full transparency about what happened and what we're doing about it.

17. Changes to This Privacy Policy

We may update this Privacy Policy as our practices or legal requirements evolve.

17.1 Material Changes

For changes that materially expand data collection, introduce new processing purposes, or affect your rights:

  • Email notification sent at least 14 days before the changes take effect
  • Prominent notice in the control panel
  • Updated "Last Updated" date at the top of this page

17.2 Non-Material Changes

Minor clarifications, formatting updates, or legal language refinements may be made without advance notice. The "Last Updated" date will always reflect the latest revision.

17.3 Your Continued Use

Continued use of the Service after the effective date of policy changes constitutes acceptance. If you disagree with material changes, you may delete your account before the effective date.

18. Contact & Data Protection Officer

For any privacy-related questions, data requests, or concerns:

Privacy Inquiries: privacy@freevps.it.com
Data Protection Officer: dpo@freevps.it.com
General Support: support@freevps.it.com
Website: freevps.it.com

We respond to all privacy inquiries within 72 hours and complete data access/deletion requests within 30 days.

Related Policy Documents