Privacy Policy Updates - April 24th, 2026

1 month ago

Data Downloads Now Available

You can now request a copy of your stored personal data through your logged-in account, in addition to requesting deletion. Data is provided in a commonly used, machine-readable format where feasible. Requests covered by GDPR, CCPA/CPRA, or similar laws are processed within 7 days.

Expanded User Rights

Your rights are now listed explicitly rather than referenced generally. These include the right to access, correct, delete, restrict, or object to the processing of your data, as well as the right to withdraw consent at any time. EU/UK users have additional rights under GDPR (data portability, lodging a complaint with a supervisory authority), and California users have additional rights under CCPA/CPRA. We honor Global Privacy Control (GPC) signals where technically feasible.

Sub-Processor Transparency

We now publish a clear list of the third-party services that handle your data on our behalf: Stripe (payments), Cloudflare (network security and routing), and MXRoute (outbound transactional email). Each entry specifies what data is shared and why. Google Analytics has been removed from our stack and is no longer referenced in the policy.

IP Log Anonymization

Retained IP logs are now clarified to not be tied to individual accounts. They are kept solely for detecting and mitigating web traffic abuse, and we aim to purge them within approximately 6 months as part of routine maintenance.

Data Breach Notification

A new section formally commits us to notifying affected users of any confirmed data breach without undue delay, and in any case within 7 days. For users covered by GDPR, the relevant supervisory authority will be notified within 72 hours where required by law.

Cookies

The cookies section has been simplified. We use only essential first-party cookies for authentication, security, and load balancing. We do not use advertising, tracking, or marketing cookies of any kind.

International Data Transfers

A new section clarifies that our infrastructure is operated primarily in the United States and that we do not process significant volumes of EU-originating data. EU users retain all applicable GDPR rights regardless.

Children's Privacy

The children's privacy section has been clarified. Our services are not directed at users under 13. Parents or guardians who wish to create an account on behalf of a minor must contact us via support ticket prior to account creation. We do not actively verify ages, and responsibility for compliance with applicable age restrictions rests with the account holder.

Other Changes

  • A brief note explaining how MXRoute handles outbound email content

  • Explicit statement that we do not use your data for advertising, profiling, or significant automated decision-making

Unchanged

Our security practices (bcrypt password hashing, 2FA for privileged accounts, Pterodactyl access controls), email log retention (3 years for legal compliance), backup retention (up to 6 months post-termination), and our policy of never selling or trading user data remain the same.

If you have any questions about these changes, please open a support ticket. Full policy listed in the hyperlink at the bottom of this page.