Privacy Policy

Last updated: February 2026

intro

Servermillion ("we", "us", "our") operates servermillion.com and provides cloud infrastructure services. This policy describes how we collect, process, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR).

This policy applies to account holders, authorized users, website visitors, and anyone who communicates with us. We act as data controller for data collected directly from you and as data processor for data stored within your hosted services.

Where we act as data processor, our Data Processing Agreement governs how we handle that data on your behalf.

data.collected

account: name, email address, billing address, company name, phone number, payment details required for service delivery and invoicing. collected directly from you during registration and account management.

technical: IP addresses, browser type and version, operating system, device identifiers, referring URLs, connection metadata, API request logs. collected automatically when you access our platform for diagnostics and security monitoring.

usage: resource consumption (CPU, memory, bandwidth, storage), login timestamps, session durations, feature utilization. used for platform maintenance, capacity planning, and performance optimization.

communications: support tickets, emails, feedback, and any other messages exchanged with our team. used for issue tracking, quality assurance, and service improvement.

data.purpose

  • → delivering and maintaining cloud infrastructure services
  • → processing billing, payments, and generating invoices
  • → providing technical support and resolving issues
  • → monitoring infrastructure security and detecting threats
  • → DDoS mitigation and abuse prevention
  • → enforcing terms of service and acceptable use policies
  • → communicating service updates and maintenance windows
  • → capacity planning and performance optimization
  • → preventing fraud and unauthorized access
  • → meeting legal and regulatory obligations

no automated decision-making. no profiling. no data used for advertising or sold to marketers.

data.legal_basis

contract (Art. 6(1)(b)): processing required to deliver the services you purchased — account provisioning, server deployment, billing, and support.

legitimate_interest (Art. 6(1)(f)): security monitoring, fraud prevention, service improvement, capacity planning. we apply a balancing test for each of these purposes and do not rely on this basis where your interests or fundamental rights and freedoms override our interests.

legal_obligation (Art. 6(1)(c)): tax record-keeping, financial reporting, responding to lawful requests from public authorities.

consent (Art. 6(1)(a)): where applicable, withdrawable at any time without affecting prior processing.

data.storage

location: European Union data centers exclusively. AES-256 encryption at rest. TLS 1.3 in transit. tenant isolation enforced at network and storage layers. redundant power, environmental controls, physical access restrictions.

security stack: role-based access controls, mandatory MFA for administrative access, network segmentation, multi-layer firewall protection, automated vulnerability scanning, patch management, DDoS mitigation with multi-Tbps capacity.

monitoring: 24/7 intrusion detection, continuous threat response, full audit logging on all administrative access, physical security with biometric access controls and CCTV.

breach protocol: notification to the competent supervisory authority within 72 hours of becoming aware of a personal data breach (GDPR Art. 33), and notification to affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34). documented incident response procedures for containment, investigation, and remediation.

data.retention

account_data: active account + 30 days post-closure to handle outstanding matters.

billing_records: 7 years (tax/financial regulation compliance within the EU).

server_logs: 14 days for security monitoring and troubleshooting.

access_logs: 90 days for security monitoring and abuse prevention.

support_tickets: duration of active account + 30 days for quality assurance.

post-retention: cryptographic erasure for encrypted data, multi-pass overwrite for unencrypted data. earlier deletion available on request, subject to legal retention obligations.

data.rights

  • access — obtain a copy of your data and processing details (Art. 15)
  • rectification — correct inaccurate or incomplete data without undue delay (Art. 16)
  • erasure — request deletion when data is no longer necessary, subject to legal retention (Art. 17)
  • portability — receive data in machine-readable format (JSON/CSV) and transmit to another controller (Art. 20)
  • restriction — limit processing in specific circumstances, e.g. contested accuracy (Art. 18)
  • objection — object to processing based on legitimate interests or direct marketing (Art. 21)
  • withdraw_consent — revoke consent at any time without affecting prior processing (Art. 7)
  • complaint — lodge a complaint with your local data protection supervisory authority

all requests acknowledged within 5 business days and fulfilled within one month of receipt. where a request is complex or we receive a large number of requests, this period may be extended by up to two further months; we will inform you of any extension, and the reasons for it, within the first month (Art. 12(3)). contact: [email protected].

data.cookies

essential only. no tracking. no analytics. no advertising.

session: maintains login state across page requests and prevents unauthorized access.

csrf: prevents cross-site request forgery attacks and ensures form integrity.

load_balancer: distributes requests across infrastructure for optimal performance.

preferences: stores language and timezone settings for a consistent experience.

no pixel trackers, web beacons, or fingerprinting technologies are used. cookies cannot be disabled without impairing platform functionality. legal basis: legitimate interest (required for platform operation).

data.third_parties

payment_processor: PCI DSS-compliant. card data never stored on our servers. minimum data shared for transaction processing. we only receive confirmation of transaction outcomes.

email_provider: transactional emails only — invoices, service notifications, password resets. no marketing via third-party platforms.

all providers bound by GDPR-compliant data processing agreements (DPAs). regular compliance and security reviews conducted. we never sell, rent, or trade personal data. disclosure only if required by law — you'll be notified where legally permitted.

data.transfers

primary processing: EEA only. no routine transfers outside EEA.

where a third-party provider operates outside the EEA, safeguards are enforced: EU adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or supplementary technical measures as recommended by the EDPB.

you may request copies of transfer safeguards at any time by contacting our privacy team.

data.children

services not directed at individuals under 16. no data knowingly collected from minors.

if you believe a child has provided us with personal data, contact [email protected] for prompt deletion. if we become aware that we have collected data from a minor without verifiable parental consent, we delete it within a reasonable timeframe.

data.updates

posted here with revised date. material changes affecting data collection, use, or sharing notified via email at least 14 days before taking effect.

continued use after changes constitutes acknowledgment. previous versions available upon request.

data.contact

[email protected]

we aim to resolve all privacy inquiries promptly and transparently. if unsatisfied with our response, you may lodge a complaint with your local data protection supervisory authority within the European Economic Area.