TL;DR
We collect the minimum needed to deliver a server and send you an invoice. No tracking, no ad networks, no data resale. We're in the EU, GDPR applies, and we never share your data with third parties unless legally required.
1. Who we are
InternalHost is a sole proprietorship (Dutch CoC 90174720), owned by Xaviero Kajafas, based in Amsterdam. Registered seat: Bijlmerdreef 910, 1103 DV Amsterdam. Office (by appointment): Nieuwe Hemweg 26, 1013 CX Amsterdam. We are the "data controller" under GDPR for the personal data you entrust to us as a customer.
2. What we collect
Three categories, nothing more:
- Account data: name, email, company name (optional), VAT number (optional, for B2B). Provided by you at registration.
- Billing data: invoicing address, payment method (we don't store card numbers — those live at Mollie/Revolut), payment history. Required under Dutch tax law + GDPR art. 6(1)(b) (contract).
- Technical data: session IP, browser user-agent, login timestamps. Required for security (CrowdSec, fail2ban) and fraud prevention. Lawful basis: art. 6(1)(f) (legitimate interest).
We do not collect: third-party tracking cookies, social-media pixels, advertising IDs, geolocation beyond IP, behavioural analytics, mouse tracking, or any other surveillance tech.
3. What we use it for
- Delivering the service you paid for (provision servers, send you mail, support).
- Generating and sending invoices.
- Detecting and stopping abuse on our infrastructure (see AUP).
- Meeting legal retention obligations (Dutch tax: invoices for 7 years).
We do not use it for: profiling, personalised advertising, resale, AI model training, or any other side-hustle.
4. How long we keep it
- Account data: while you are a customer + 30 days after cancellation for any claims.
- Invoices: 7 years (Dutch tax law).
- Login logs: 90 days (security forensics).
- Server data (your VPS content): while your service is active. After cancellation it is kept for 14 days for recovery, then permanently deleted.
- Support tickets: 2 years.
5. Who we share with
Short list. Everyone here is a processor in EU jurisdiction:
- Mollie (NL): payment processor. Receives your name, invoice amount, email. Mollie Privacy.
- Revolut Business (LT, EU): alternative payment processor. Same scope as Mollie.
- Cloudflare (US, EU data-region): CDN/DDoS for this website. Processes your IP + browser fingerprint for anti-bot. Standard SCCs apply. Cloudflare Privacy.
- Qupra DC (NL): datacenter. Physical access to our hardware, no logical access to data.
- OpenProvider (NL): domain registrar — only relevant if you register a domain through us. Receives WHOIS contact data.
That's it. No tracking pixels, no advertising platforms, no "analytics" SaaS.
6. Your rights (GDPR)
You have the right to:
- Access all your data.
- Correct it.
- Request deletion (except where legal retention applies).
- Receive a machine-readable copy (data portability).
- Object to processing based on legitimate interest.
- File a complaint with the Dutch Data Protection Authority.
Email [email protected]. We respond within 30 days, usually within 5.
7. Security
- TLS everywhere (HSTS preloaded).
- Passwords stored as bcrypt hashes, never plaintext.
- Production SSH via ed25519 keys only, password auth off.
- MFA required for admin accounts.
- CrowdSec + fail2ban on all public endpoints.
- Daily encrypted backups of customer data.
- Restricted access: only Nick and Jarreth have prod shell, only Xavi has Filament admin.
Data breach? We notify the DPA and affected customers within 72 hours, per GDPR art. 33-34.
8. Contact + changes
Questions, requests or complaints: [email protected] or Signal (link in footer). We reserve the right to amend this policy. Substantial changes are emailed to active customers at least 30 days before they take effect.