PRIVACY POLICY

WHO WE ARE

HyplexServers ("we", "us", "our") operates hyplexservers.com and provides high-performance game server and cloud hosting services. This policy explains how we collect, process, store, and protect your personal data in full compliance with the General Data Protection Regulation (GDPR).

This policy applies to account holders, authorized users, and website visitors. We act as data controller for data collected directly from you and as data processor for data stored within your hosted services.

Where we act as data processor, our Data Processing Agreement governs how we handle that data on your behalf.

DATA WE COLLECT

We collect only what is necessary. Nothing more.

• Account data: Name, email, billing address, company details, phone number, payment information for service delivery and invoicing. Collected directly from you during registration.
• Technical data: IP addresses, browser type, operating system, device identifiers, referring URLs, API request logs, connection metadata. Collected automatically for diagnostics and security monitoring.
• Usage data: Server metrics (CPU, RAM, bandwidth, storage), login timestamps, session durations, feature utilization, game server configurations. Used for maintenance, capacity planning, and performance optimization.
• Communications: Support tickets, emails, feedback — everything exchanged with our team for issue tracking, quality assurance, and service improvement.

WHY

• → Service delivery and account management
• → Billing, payment processing, and invoicing
• → Security monitoring and threat detection
• → DDoS mitigation and abuse prevention
• → Performance optimization and capacity planning
• → Technical support and issue resolution
• → Enforcing Terms of Service and Acceptable Use Policy
• → Service updates and maintenance notifications
• → Fraud prevention and unauthorized access detection
• → Legal and regulatory compliance

No automated decision-making. No profiling. No data used for advertising. Your data is never sold to marketers.

LEGAL BASIS

• Contract (Art. 6(1)(b)): Processing required to deliver your purchased services — provisioning, server deployment, billing, support.
• Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, DDoS mitigation, service improvement, capacity planning. Your fundamental rights are never overridden.
• Legal Obligation (Art. 6(1)(c)): Tax record-keeping, financial reporting, regulatory compliance, lawful authority requests.
• Consent (Art. 6(1)(a)): Where applicable. Withdrawable at any time. Prior processing remains lawful.

STORAGE & SECURITY

All data resides in European facilities. AES-256 encryption at rest, TLS 1.3 in transit. Infrastructure is isolated per customer — your environment is not shared. Redundant power, environmental controls, physical access restrictions.

• → Role-based access controls with mandatory MFA
• → Network segmentation and multi-layer firewall protection
• → Automated vulnerability scanning and patch management
• → DDoS-protected infrastructure with multi-Tbps mitigation
• → Continuous monitoring with automated threat response
• → Regular penetration testing by independent third parties
• → Physical security with biometric access and CCTV
• → Full audit logging on all administrative access

Breach protocol: affected users and supervisory authority notified within 72 hours per GDPR Article 33. Documented incident response procedures for containment, investigation, and remediation.

RETENTION

• Account data: Active account + 60 days post-closure to handle outstanding matters.
• Billing records: 7 years (tax/financial regulation compliance within the EU).
• Server access logs: 30 days for security monitoring and troubleshooting.
• Support tickets: Duration of active account + 60 days for quality assurance.
• Game configs: Deleted upon account closure.

Post-retention: cryptographic erasure for encrypted data, multi-pass overwrite for unencrypted data. Earlier deletion available on request, subject to legal retention obligations.

YOUR RIGHTS

Full GDPR compliance. Your data, your control.

• → Access (Art. 15): Get a copy of your data and processing details.
• → Rectification (Art. 16): Correct inaccurate or incomplete data without undue delay.
• → Erasure (Art. 17): Request deletion when no longer necessary, subject to legal retention.
• → Portability (Art. 20): Export in machine-readable format (JSON/CSV) and transmit to another controller.
• → Restriction (Art. 18): Limit processing in specific circumstances, e.g. contested accuracy.
• → Objection (Art. 21): Object to processing based on legitimate interests or direct marketing.
• → Withdraw Consent (Art. 7): Revoke consent at any time without affecting prior processing.
• → Complaint: Lodge a complaint with your local data protection supervisory authority.

All requests acknowledged within 5 business days, processed within 30 days. Extensions of up to 60 additional days for complex requests, with notification.

COOKIES

Session cookies only. Zero tracking. Zero analytics cookies. Zero third-party advertising technologies.

• → Authentication: Maintains login state and prevents unauthorized account access.
• → CSRF: Prevents cross-site request forgery attacks and ensures form integrity.
• → Session: Load balancing and session management across infrastructure.
• → Preferences: Language and timezone settings for consistent experience.

No pixel trackers. No web beacons. No fingerprinting. Cookies cannot be disabled without impairing platform functionality. Legal basis: legitimate interest (platform operation).

THIRD PARTIES

• Payment processor: PCI DSS-compliant. Card data never touches our servers. Minimum data shared for transaction processing. We only receive transaction confirmations.
• Email provider: Transactional emails only — invoices, notifications, password resets. No marketing via third-party platforms.

All providers bound by GDPR-compliant data processing agreements. Regular compliance reviews conducted. No data sales. Ever. If compelled by law to disclose data, we will notify you where legally permitted.

INTERNATIONAL TRANSFERS

All data stored and processed within the EEA. No routine transfers outside the EEA.

Where a third-party provider operates outside the EEA, safeguards are enforced: EU adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or supplementary technical measures. Request copies of safeguards at any time.

CHILDREN'S PRIVACY

Services not directed at individuals under 16. No data knowingly collected from minors. If you believe a child has provided personal data, contact us for immediate deletion.

If we become aware of collection without parental consent, data will be deleted within a reasonable timeframe.

CHANGES

Updates to this policy will be posted on this page with a revised date. Material changes affecting data collection, use, or sharing will be notified via email at least 14 days before taking effect.

Continued use of our services after changes constitutes acknowledgment. Previous versions available upon request.