VPSLAYER

Privacy Policy

Last Update: May 2026

Who is responsible

Joel Krause (Sole Proprietorship), trading as VpsLayer

Emil-Bosbach-Str. 10, 47226 Duisburg, Germany

Privacy contact: [email protected]

The simple version

We respect your privacy and collect only the minimum personal data necessary to provide our services, process billing, maintain security, and comply with legal obligations.

  • We do not sell your data
  • We do not track you across websites
  • We do not use invasive analytics
  • We do not routinely inspect or monitor your server content

What we collect

Account information

  • Name
  • Email address
  • Billing address
  • Company name (if applicable)
  • VAT ID / tax number (if applicable)

Payment information

Payments are processed through third-party payment providers.

Supported payment methods: PayPal, Credit Card, Apple Pay, Google Pay, Amazon Pay, Revolut Pay, EPS, iDEAL, Belfius, Przelewy24, MobilePay, Cryptocurrency

Payment processors may include: PayPal, Mollie B.V., Stripe, Inc.

We do not store full card numbers, CVV codes, or other payment credentials on our systems.

Cryptocurrency payments are processed via public blockchain networks. Transactions may be publicly visible and cannot be deleted.

Server and security logs

To maintain service security, reliability, and abuse prevention, we process limited technical logs including:

  • IP addresses
  • Connection timestamps
  • Authentication attempts
  • Error logs
  • Technical diagnostics

Access to server content

We do not routinely access or inspect customer server content unless necessary for:

  • Technical support requested by you
  • Abuse investigations
  • Service integrity
  • Legal obligations

Verification data

We may request identity or payment verification when legally required or necessary to prevent fraud.

Support communications

We retain support tickets and correspondence to improve service quality and provide continuity of assistance.

What we do not do

  • We do not sell your personal data
  • We do not use advertising trackers
  • We do not use invasive analytics tools
  • We do not use automated decision-making or profiling under Art. 22 GDPR

Legal basis for processing

Contract performance (Art. 6(1)(b) GDPR)

  • Service provision
  • Account management
  • Billing
  • Technical support

Legitimate interest (Art. 6(1)(f) GDPR)

  • Network and service security
  • Fraud prevention
  • Operational logging
  • Service reliability

Legal obligation (Art. 6(1)(c) GDPR)

  • Tax records
  • Accounting obligations
  • Law enforcement requests

Consent (Art. 6(1)(a) GDPR)

  • Non-essential cookies
  • Optional preferences

How long we keep it

  • Account data: while active + 1 year
  • Billing records: up to 10 years
  • Server logs: up to 30 days
  • Support tickets: up to 2 years

Your rights under GDPR

  • Right to access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent (Art. 7(3))

To exercise your rights, email: [email protected]

Data processors and third parties

Infrastructure providers

Hetzner (Germany / Finland)

External resources and content delivery

Our website may load technical resources from third-party providers including: Google Fonts, Cloudflare CDN, jsDelivr, jQuery CDN, DataTables CDN, Tailwind CDN, Font Awesome CDN

Google Fonts

Our website may use Google Fonts. If loaded directly from Google servers, your IP address may be transmitted to Google LLC in the United States. Where technically possible, we aim to host fonts locally.

Where possible, fonts are hosted locally to avoid external data transfers.

hCaptcha

We use hCaptcha to protect our services against abuse and automated attacks. hCaptcha may process: IP address, browser and device information, mouse movements, timing patterns. This is based on our legitimate interest in security (Art. 6(1)(f) GDPR).

More information: https://www.hcaptcha.com/privacy

International data transfers

Where personal data is transferred outside the EU/EEA, we rely on adequacy decisions or Standard Contractual Clauses under Art. 46 GDPR.

Security measures

  • TLS 1.2+ encryption
  • Password hashing (bcrypt / Argon2)
  • Internal access controls
  • Security monitoring
  • Patch management

Cookies

Essential cookies for:

  • Login sessions
  • CSRF protection
  • Payment verification
  • Security functions

Optional preference cookies may be used with your consent. We do not use advertising cookies or third-party analytics cookies.

Data breach notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where legally required (Art. 33 GDPR), and affected users where necessary (Art. 34 GDPR).

Changes to this policy

We may update this Privacy Policy as needed. Material changes will be communicated via email or account notice.

Complaint right with supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence or place of work. Responsible authority in North Rhine-Westphalia: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) https://www.ldi.nrw.de

Data processing (Art. 28 GDPR)

Where necessary, we enter into data processing agreements (DPAs) with service providers in accordance with Art. 28 GDPR. For customer-hosted services, the customer remains the data controller.