Privacy Policy

How we collect, use, and protect your personal data.

Publication date: September 15, 2025
Last updated: June 7, 2026

1. Introduction and Commitment

XeroHost is committed to protecting your privacy and handling your personal data responsibly and transparently. This Privacy Policy explains how we collect, use, store, and protect your information when using our services.

1.1 Policy Scope: This policy applies to all XeroHost services, including: • Our website and client portals. • Hosting services (game servers, VPS, dedicated, web hosting). • Interactions with technical support and sales. • Marketing communications and newsletters.

1.2 Acceptance: By creating an account, using our services, or providing us with personal information, you accept the practices described in this policy. If you do not agree, you must discontinue use of our services immediately.

1.3 Policy Updates: This policy may be updated periodically to reflect changes in our practices or legal requirements. Material changes will be notified via email or prominent notice on our website. Continued use after changes constitutes acceptance of the revised policy.

2. Information We Collect

We collect different types of information depending on how you interact with our services:

2.1 Account Information (Required): • Identity Data: Full name, username. • Contact Data: Email address, phone number (optional), postal address. • Billing Data: Credit/debit card information (processed by third parties), billing address, transaction history. • Access Credentials: Username, hashed password, authentication tokens.

2.2 Technical Information (Automatic): • Connection Data: IP address, approximate geolocation, ISP. • Device Information: Browser type, operating system, screen resolution. • Usage Data: Pages visited, session duration, clicks, feature interactions. • Server Logs: Access records, HTTP requests, server errors, control panel commands executed.

2.3 Service Information: • Server Data: Configurations, hosted files (accessible only for support with consent), databases, backups. • Performance Metrics: CPU, RAM, disk, bandwidth usage, uptime. • Support Tickets: Conversations, attachments, shared screenshots.

2.4 Cookies and Similar Technologies: • Essential Cookies: Necessary for basic functionality (user session, shopping cart). • Analytics Cookies: Google Analytics, Cloudflare Analytics to understand site usage. • Marketing Cookies: For remarketing and personalized ads (with your consent). • Third-Party Cookies: From integrated services like support chat (Crisp, Tawk.to), payment gateways, CDNs.

2.5 Third-Party Information: We may receive information from: • Payment processors (transaction confirmation, fraud detection). • Anti-fraud services (IPQS, FraudRecord) to validate identity. • Social networks if you link your account (Facebook, Discord, Google).

2.6 Sensitive Minor Information: If you are 13-18 years old, we collect your information only with verifiable parental consent. For users under 13, we require the parent/guardian to create and manage the account. We never knowingly solicit personal information from children without proper parental consent.

3. How We Use Your Information

We use collected data for the following legitimate purposes:

3.1 Service Provision: • Activate, maintain, and manage your contracted services. • Process payments and generate invoices. • Provide technical support and resolve issues. • Perform backups and data recovery. • Monitor performance and detect infrastructure issues.

3.2 Security and Fraud Prevention: • Detect and prevent unauthorized account access. • Identify suspicious activities or terms of service violations. • Protect against spam, malware, and DDoS attacks. • Comply with fraud investigations and cooperate with authorities.

3.3 Customer Communication: • Send important account notifications (expirations, suspensions, service changes). • Respond to support inquiries and assistance requests. • Send product updates and scheduled maintenance notices. • Request feedback and satisfaction surveys (optional).

3.4 Marketing and Promotions (With Consent): • Send special offers, discounts, and product news. • Display personalized advertising on our site and social media. • Referral and affiliate programs.

You can opt out of marketing communications at any time using the "unsubscribe" link in emails or by adjusting account preferences.

3.5 Service Improvement: • Analyze usage patterns to improve performance and features. • Develop new products based on detected needs. • Perform A/B testing and UX optimizations. • Generate aggregated and anonymous statistics for internal reports.

3.6 Legal Compliance: • Comply with tax and accounting obligations. • Respond to subpoenas, court orders, or legal requests. • Enforce our terms of service and resolve disputes. • Protect the rights, property, and safety of XeroHost, customers, and the public.

4. Sharing Information with Third Parties

XeroHost does NOT sell your personal information. However, we share data with third parties in specific circumstances:

4.1 Essential Service Providers: We share information with companies that help us operate: • Payment Processors: Stripe, PayPal, Coinbase Commerce (to process transactions). • Infrastructure Providers: OVH, Hetzner, Vultr (datacenters where servers are hosted). • CDN and Security Services: Cloudflare (DDoS protection, content delivery). • Communication Platforms: SendGrid (transactional emails), Crisp (support chat). • Analytics Tools: Google Analytics, Mixpanel (user behavior, anonymized when possible).

These providers can only use your information to provide services to us and are contractually obligated to protect your data.

4.2 Anti-Fraud and Security Services: • IPQS, MaxMind: IP verification and VPN/proxy detection. • FraudRecord: Industry database to prevent fraud (only name, email, suspension reason in severe violation cases).

4.3 Legal Compliance and Rights Protection: We may disclose information when: • Required by valid court order or subpoena. • Requested by government authorities in criminal investigations (with appropriate warrant). • Necessary to protect physical safety of persons. • We must enforce our terms of service or investigate violations. • Responding to DMCA or other intellectual property claims.

4.4 Corporate Transfers: In case of merger, acquisition, sale of assets, or bankruptcy of XeroHost, your information may be transferred to the successor or acquiring entity as part of company assets. We will notify you of such transfer and any changes in how your data is handled.

4.5 Explicit Consent: With your specific permission, we may share information with: • Marketing partners for joint offers. • Third-party services you choose to integrate (Discord, Google Drive, etc.).

4.6 Aggregated and Anonymized Data: We may share aggregate statistics that don't individually identify users (e.g., "50% of our clients use Minecraft servers") with partners or in public reports.

5. Data Retention and Deletion

5.1 Standard Retention Period: We retain your personal information while your account is active and for an additional period after termination:

• Active Account Data: Throughout the business relationship. • Transaction Data (invoices, payments): 7 years for tax and accounting compliance. • Support Tickets: 3 years for historical reference and service improvement. • Server and Security Logs: 12 months (unless investigation is ongoing). • Marketing Data (newsletter subscribers): Until you request deletion or after 2 years of inactivity.

5.2 Post-Cancellation Retention: After canceling your account: • Server data and files: Deleted after 7 days (unless extension requested). • Account information (name, email, payment history): Retained 5 years for legal/tax purposes. • System backups: Rotating backups may contain your data for up to 60 additional days.

5.3 Retention for Legal Reasons: In cases of disputes, fraud investigations, or legal requirements, we may retain data longer than the standard period: • Abuse Suspensions: Up to 3 years to prevent fraudulent account reopenings. • Pending Litigation: Until final resolution of the legal case. • Criminal Investigations: As required by competent authority.

5.4 Secure Deletion: When we delete data: • Files are securely overwritten or deleted (not just marked as deleted). • Databases are permanently purged. • Old backups are rotated and destroyed on schedule. • Information in third-party providers is requested for deletion where applicable.

5.5 Deletion Exceptions: Certain data may be kept indefinitely in anonymized/aggregated form for: • Business statistics (without personal identification). • Security algorithm improvements (attack pattern detection). • Regulatory compliance requiring permanent retention.

6. Your Privacy Rights

Under applicable data protection laws (GDPR, CCPA, etc.), you have the following rights:

6.1 Right of Access: You can request a copy of all personal data we hold about you. We will provide: • Exportable copy in JSON or CSV format. • List of data categories processed. • Information on how it is used and who it is shared with.

6.2 Right of Rectification: You can update inaccurate or incomplete information: • Edit profile data directly in your client panel. • For historical billing data corrections, open a support ticket.

6.3 Right of Erasure ("Right to be Forgotten"): You can request deletion of your personal data when: • No longer necessary for original purposes. • You withdraw consent (for consent-based processing). • Data was processed unlawfully. • Must be deleted to comply with legal obligation.

Limitations: We cannot delete data if necessary to: • Comply with legal obligations (tax retention). • Establish, exercise, or defend legal claims. • Protect rights of other users or XeroHost.

6.4 Right of Portability: You can request your data in structured, commonly used, machine-readable format to transfer to another provider. We provide exports of: • Server files (full backups). • Databases (SQL dumps). • Service configurations and metadata.

6.5 Right to Object: You can object to certain processing: • Direct marketing: Opt-out anytime (unsubscribe link in emails). • Automated profiling: Request human review of automated decisions. • Legitimate interests: Object if your fundamental rights outweigh our commercial interests.

6.6 Right to Restriction: You can request we limit processing of your data while: • We dispute the accuracy of the data. • We evaluate your objection to processing based on legitimate interests. • We no longer need the data but you require it for legal claims.

6.7 Right Not to Be Subject to Automated Decisions: You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similar effects. Currently, XeroHost does not make significant automated decisions without human intervention.

6.8 How to Exercise Your Rights: For any privacy-related request: 1. Send a support ticket titled "Privacy Request - [Right Type]". 2. Provide identity verification (copy of government ID or account info). 3. We will process the request within 30 calendar days.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

7. Security Measures

XeroHost implements robust technical and organizational measures to protect your information:

7.1 Technical Security: • Encryption: All data transmissions use TLS 1.3+ (HTTPS). Sensitive data at rest is encrypted (AES-256). • Isolation: Client servers are isolated using containers, VMs, and virtual private networks. • Firewalls: Intrusion detection/prevention systems (IDS/IPS) and web application firewalls (WAF). • DDoS Protection: Multi-layer mitigation with Cloudflare and datacenter-level protection. • Updates: Regular patching of operating systems, control panels, and software.

7.2 Access Security: • Multi-Factor Authentication (MFA): Available and recommended for all accounts. • Access Control: Principle of least privilege for internal staff. • Access Audits: Detailed logs of who accesses what and when. • Secure Sessions: Rotating session tokens with automatic expiration.

7.3 Organizational Security: • Staff Training: Regular training on privacy and security. • Security Policies: Written protocols for data handling and incident response. • Background Checks: For staff with access to critical systems. • Confidentiality Agreements (NDAs): All employees sign confidentiality agreements.

7.4 Physical Security: • Certified Datacenters: SOC 2, ISO 27001 facilities with 24/7 security. • Physical Access Control: Biometrics, security guards, surveillance cameras. • Redundancy: Redundant power (UPS, generators), cooling systems, network connections.

7.5 Monitoring and Incident Response: • 24/7 Monitoring: Automated alert systems for suspicious activities. • Response Plan: Documented procedures for security breaches. • Breach Notification: Commitment to notify within 72 hours of detecting a breach affecting personal data (as required by GDPR).

7.6 Security Limitations: Despite our best efforts, no system is 100% secure. You also bear responsibility: • Use strong, unique passwords. • Do not share access credentials. • Enable 2FA when available. • Keep your device and software updated. • Report suspicious activity immediately.

We cannot guarantee absolute security, but we commit to employing industry standards and responding quickly to threats.

8. International Data Transfers

8.1 Global Nature of Our Services: XeroHost operates internationally with datacenters and providers in multiple jurisdictions. Your data may be transferred and processed in countries outside your residence, including countries that may not have data protection laws equivalent to those in your country.

8.2 Legal Bases for Transfers: When transferring data outside the EU/EEA, we use appropriate legal mechanisms: • Standard Contractual Clauses (SCCs): Contracts approved by the European Commission with third-country providers. • Adequacy Decisions: Transfers to countries with adequate protection levels according to the EU. • Explicit Consent: When you specifically agree to transfers necessary for your service.

8.3 Processing Locations: Your data may be processed in: • United States: Wyoming (XeroGroup LLC corporate HQ), other states with datacenters. • Europe: France, Germany, Netherlands (datacenters for European clients). • Latin America: Brazil, Chile (regional datacenters). • Asia-Pacific: Singapore, Australia (for clients in those regions).

8.4 Safeguards: To protect data transferred internationally: • We assess the destination country's protection level. • Implement additional technical safeguards (strong encryption). • Conduct provider compliance audits. • Maintain the right to suspend transfers if protections are insufficient.

8.5 Your Rights Regarding Transfers: You can: • Request information about countries where your data is processed. • Obtain copies of applied safeguards (SCCs, provider policies). • Object to certain transfers if you have legitimate grounds affecting your fundamental rights.

9. Children's Privacy

9.1 Commitment to Minor Protection: XeroHost takes the privacy of minors very seriously. Our services are designed to be accessible by young gamers safely.

9.2 Age Requirements: • Under 13: Require parent/guardian to create and manage the account. We never knowingly collect information from children under 13 without verifiable parental consent. • Ages 13-17: Can create accounts with demonstrable parental consent. We strongly recommend active parental supervision. • Over 18: Can create and manage accounts independently.

9.3 Information Collected from Minors: For minors with parental consent, we only collect necessary information: • Username (can be pseudonym). • Parent/guardian email for communications. • Payment information (processed by parent/guardian). • Essential technical data (IP, service usage).

We DO NOT collect from minors: • Precise geographic location. • Biometric information. • Social security numbers or other government identifiers. • Personal photos (unless uploaded as part of server content, which we do not solicit).

9.4 Parent/Guardian Rights: Parents can: • Review information collected about their child. • Request deletion of child's information. • Withdraw previously granted consent (will result in account cancellation). • Limit future collection or use of child's information.

9.5 Parental Requests: To exercise parental rights, send a support ticket with: • Proof of parental relationship (birth certificate, legal documents). • Parent/guardian identification. • Minor's account information.

9.6 Content Generated by Minor Users: We do not control what minors host on their game servers or communicate in multiplayer servers. We recommend parents: • Regularly review their child's server content. • Set up appropriate parental controls. • Educate minors about online safety (not sharing personal info, reporting inappropriate behavior).

9.7 Reporting Concerns about Minors: If you become aware that we have inappropriately collected information from a minor without proper parental consent, notify us immediately. We will delete such information within 48 hours.

10. Cookie Policy

10.1 What are Cookies: Cookies are small text files stored on your device by websites you visit. They allow sites to remember your actions and preferences over a period of time.

10.2 Types of Cookies We Use:

Strictly Necessary Cookies (Always Active): Do not require consent as they are essential for basic functionality: • User session authentication. • Remembering shopping cart items. • Security and fraud prevention (CSRF tokens). • Server load balancing.

Functionality Cookies (Require Consent): Improve user experience: • Remembering language and region preferences. • Remembering display settings (dark/light theme). • Remembering client panel configurations.

Analytics Cookies (Require Consent): Help us understand how our site is used: • Google Analytics: Pages visited, time on site, bounce rate. • Hotjar/Crazy Egg: Heatmaps, session recordings (anonymous). • Cloudflare Analytics: Site performance, bot detection.

Advertising Cookies (Require Consent): Allow personalized advertising and remarketing: • Google Ads: Show relevant ads based on interests. • Facebook Pixel: Conversion tracking and custom audiences. • Affiliates: Track referrals and affiliate commissions.

10.3 Third-Party Cookies: Some integrated third parties may set cookies: • Payment processors (Stripe, PayPal): For secure processing. • Support chat (Crisp, Intercom): To maintain conversations. • CDN providers (Cloudflare): For optimized content delivery.

10.4 Cookie Control: You can control cookies via: • Consent Banner: Upon visiting our site, you can accept/reject cookie categories. • Browser Settings: Configure your browser to block or alert about cookies. • Opt-Out Tools: NAI Opt-Out, DAA Opt-Out.

10.5 Consequences of Disabling Cookies: If you block necessary cookies: • You will not be able to log in to your account. • The site may not function correctly. • Settings will not be saved.

Analytics and advertising cookies are optional; you can use the site without them, but we may not be able to customize your experience.

10.6 Cookie Duration: • Session: Deleted when browser is closed. • Persistent: Expire after a set period (from 24 hours to 2 years depending on type).

10.7 Updating Preferences: You can change your cookie preferences at any time: • Click "Cookie Settings" in the footer. • Access "Privacy" in your client panel.

12. Changes to This Policy

12.1 Right to Modify: XeroHost reserves the right to update this Privacy Policy at any time to reflect: • Changes in our data practices. • New services or features. • Changes in applicable laws or regulations. • Improvements in security measures.

12.2 Notification of Changes: For material changes (significantly affecting how we process your data): • We will publish the updated policy on this page with a new "Last Updated" date. • We will send an email notification to your registered address at least 30 days before they take effect. • We will display a prominent notice in your client panel.

12.3 Acceptance of Changes: Your continued use of our services after the effective date of changes constitutes acceptance of the revised policy. If you disagree with the changes, you must discontinue use of services and request account deletion.

12.4 Version History: We keep archived versions of this policy. You can request copies of previous versions by contacting support.

13. GDPR and CCPA Compliance

13.1 GDPR Compliance (General Data Protection Regulation - EU): For residents of the European Union/European Economic Area:

Legal Bases for Processing: • Contract Execution: Processing necessary to provide services you contracted. • Legal Obligation: Complying with tax laws, anti-money laundering regulations. • Legitimate Interests: Fraud prevention, network security, service improvements. • Consent: Direct marketing, non-essential cookies, sensitive data processing.

Controller Entity: XeroHost operates under XeroGroup LLC, an entity registered in Wyoming, United States. Although we do not have a physical presence in the EU, we commit to complying with GDPR principles for all our European customers.

Supervisory Authority: You have the right to lodge complaints with your national data protection authority. For Spain: Agencia Española de Protección de Datos (AEPD) - www.aepd.es.

13.2 CCPA Compliance (California Consumer Privacy Act): For residents of California, USA:

Your CCPA Rights: • Right to Know: Categories and specific pieces of personal information collected. • Right to Delete: Request deletion of personal information (with legal exceptions). • Right to Opt-Out of Sale: We do not sell personal information, but you can opt-out of sharing for targeted advertising purposes. • Right to Non-Discrimination: We will not discriminate for exercising CCPA rights.

CCPA Disclosures: In the last 12 months, we have collected the following categories of personal information: • Identifiers (name, email, IP). • Commercial information (purchase history). • Internet activity (browsing behavior). • Geolocation (approximate, based on IP).

We Do Not Sell Personal Information. XeroHost does not sell personal information as defined by CCPA.

CCPA Requests: To exercise CCPA rights, submit a verifiable request via support ticket titled "CCPA Request". We will respond within 45 days (extendable to 90 if complex).

13.3 Other Jurisdictions: We also comply with: • LGPD (Brazil): General Data Protection Law. • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act. • PDPA (Singapore): Personal Data Protection Act.

If you reside in a jurisdiction with specific privacy laws, contact our privacy team for information on how we comply with your local regulations.

14. Contact and Data Protection Officer

14.1 Contact Information: For any questions, concerns, or requests related to privacy:

Legal Entity: XeroGroup LLC
Filing ID: 2025-001734118
30 N Gould ST STE R
Sheridan, WY 82801
United States

Available Contact Channels: • Ticket System: Open a ticket in your client area with category "Privacy/GDPR". • Discord: Join our official Discord server and open a support ticket. • Live Chat: Available on our website (option "Privacy Inquiry").

Important Note: We do not handle privacy requests via direct email. All privacy matters must be channeled through our official support systems to ensure security, traceability, and timely response.

14.2 Types of Inquiries We Handle: • Exercising privacy rights (access, deletion, rectification). • Questions about how we process your data. • Concerns about security or potential breaches. • Complaints about privacy practices. • Information requests about third-party providers. • Parental consent for minors.

14.3 Response Times: • General Inquiries: 5-7 business days. • Access/Deletion Requests (GDPR/CCPA): 30 days (extendable to 60-90 if complex). • Security Breach Reports: 24-48 hours for initial confirmation.

14.4 Required Information: To process requests efficiently, provide: • Full name and email address associated with the account. • Clear description of your request or concern. • Identity verification (additional documentation may be required for sensitive requests). • Communication language preference.

14.5 Escalation: If you are not satisfied with our initial response: 1. Request review by a supervisor (mention this in your ticket reply). 2. Escalate to the compliance and privacy team directly. 3. Lodge a complaint with your jurisdiction's data protection authority.

We commit to working with you in good faith to resolve any privacy concerns.

14.6 Support Hours: Our support team processes privacy tickets: • Monday to Friday: 9:00 AM - 8:00 PM (US Eastern Time) • Weekends: Responses may be delayed until the next business day
