Privacy Policy

The controller of your personal data is:

• LIGA HOSTING LTD
• Registered office: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom
• Registered in England and Wales
• Email for privacy matters: privacy@ligahosting.com

We are subject to the jurisdiction of the Information Commissioner's Office (ICO) in the United Kingdom. For EU/EEA clients we also act as a controller within the meaning of the European GDPR.

We collect the following categories of personal data:

• Account data: first name, last name, email, username, password (bcrypt hash), preferred language
• Billing data: address, city, postal code, country, company name (optional), VAT number (optional), phone number
• Payment metadata: method used (PayPal, Stripe, crypto), amount, date, processor transaction ID. We never store full card numbers — these are handled exclusively by Stripe (PCI-DSS Level 1 compliant)
• Service usage data: provisioned servers, chosen configurations, hostname, domain, allocated IP
• Technical logs: the IP address you connect from, browser user-agent, connection times, visited pages, API requests
• Communications: support tickets, sent/received emails, chat conversations (if available)
• Cookies: session identifier (PHPSESSID), CSRF token, affiliate cookie (lh_ref, 30 days) — see Cookies section

We do not collect sensitive data (race, religion, political opinion, health, biometric) through our forms. If such data accidentally appears in communications (e.g. in support tickets), please avoid it.

Your data reaches us through the following channels:

• Directly from you — at registration, when updating your profile, when placing orders, when opening tickets
• Automatically, through use of the services — server logs, provisioning events, network traffic
• From authorised third parties — payment confirmation from Stripe / PayPal / CoinPayments, data validation from domain registrars, fraud risk scores
• Cookies and similar technologies — for session maintenance and protection against CSRF attacks

We do not buy email lists and do not receive personal data from data brokers. All data comes from the direct relationship with you or from technical processes essential for providing you with the Service.

We use your data only for the purposes below, each with a legal basis under GDPR Article 6:

• Providing the Services (provisioning, authentication, account management) — legal basis: performance of contract (Art. 6(1)(b))
• Billing and payment collection — legal basis: performance of contract + legal obligation (Art. 6(1)(b) + 6(1)(c))
• Technical support and ticket responses — legal basis: performance of contract
• Transactional communications (payment confirmations, due-date alerts, suspension notifications) — legal basis: performance of contract
• Marketing communications (newsletter, new product announcements) — legal basis: your consent, withdrawable at any time (Art. 6(1)(a))
• Fraud prevention and security (payment pattern analysis, blocking abusive IPs) — legal basis: legitimate interest (Art. 6(1)(f))
• Legal compliance (7-year invoice retention, response to authority requests) — legal basis: legal obligation
• Service improvement (error analysis, performance) — legal basis: legitimate interest; we use aggregated/anonymised data wherever possible

We never sell your personal data to anyone. We share it only with the following categories of authorised processors, each bound by a Data Processing Agreement (DPA):

• Payment processors — Stripe Payments Europe Ltd. (Ireland), PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg), CoinPayments Inc. (Canada). They receive name, email and amount; card numbers NEVER pass through our servers
• Infrastructure providers — VirtFusion (VPS panel, EU/US servers), cPanel L.L.C. (shared hosting panel)
• Domain registrars — various, depending on the TLD (Verisign, ICI-RoTLD, Nominet, etc.). WHOIS data is mandatory under ICANN policies
• Transactional email providers — for delivering invoices and alerts; our own SMTP or, optionally, a third-party relay (e.g. SendGrid, Postmark, Mailgun)
• DDoS protection and CDN providers — for filtering and mitigation; they typically see only visitor IPs and request headers
• Lawyers, accountants, consultants — strictly limited to what is needed for legal advice or audit
• Public authorities — only upon formal legal request (court order, police request, tax summons)

We do not transfer data to third parties for advertising, profiling or marketing without your explicit consent.

Our infrastructure includes data centres in the European Union, the United Kingdom and the United States. When your data is transferred outside the EEA, we ensure that adequate safeguards are in place:

• Adequacy decisions by the European Commission (e.g. UK, Canada — within applicable limits)
• Standard Contractual Clauses (SCCs) approved by the Commission for transfers to the US and other jurisdictions
• Data Privacy Framework certification for US partners where available (Stripe, CoinPayments)

You can request a copy of the relevant SCCs by writing to privacy@ligahosting.com.

We apply the following retention periods:

• Active account data — for the duration of the contract + 30 days after closure
• Hosted content (websites, files, databases) — deleted within a maximum of 30 days after Service termination. Note: per the Terms, content from expired services is deleted at 14 days
• Invoices and tax records — 7 years, in accordance with UK tax legislation (Companies Act 2006, HMRC requirements)
• Technical logs (web server, authentication) — 90 days, then rotated/deleted
• Support tickets — 3 years after closure, for history and audit
• Backups — cPanel backups kept 7 days; our internal DB backups 30 days
• Affiliate cookie (lh_ref) — 30 days, or until browser close if session cookies are blocked

After these periods expire, the data is irretrievably deleted or anonymised beyond any possibility of identification.

You have the following rights regarding your personal data:

• Right of access (Art. 15) — you can request a copy of all personal data we hold about you
• Right to rectification (Art. 16) — you can request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten", Art. 17) — you can request deletion of data, subject to legal retention obligations
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20) — receive data in a structured format (JSON / CSV)
• Right to object (Art. 21) — in particular for processing based on legitimate interest or for direct marketing
• Right to withdraw consent at any time, without retroactive effect
• Right to lodge a complaint with a supervisory authority — for the UK at the ICO, for Romania at ANSPDCP, for other EU states at the local authority

To exercise these rights write to privacy@ligahosting.com. We will respond within a maximum of 30 days (extendable by another 60 days for complex requests). The request is free; manifestly unfounded or excessive requests may be charged a reasonable fee.

For identity verification we may ask you to answer security questions or to send the request from the email associated with the account.

We use a minimal set of cookies, none for advertising or commercial profiling:

• PHPSESSID (essential) — identifies your login session. Duration: until browser closes. Without this cookie you cannot authenticate
• csrf_token (essential) — protection against Cross-Site Request Forgery attacks on form submissions. Duration: session
• lh_ref (functional) — the affiliate code from the link you arrived on the site through, so it can be credited at registration. Duration: 30 days
• lang (functional) — chosen language (en/ro/zh). Duration: 1 year

We do not use Google Analytics, Facebook Pixel, Hotjar or other third-party analytics trackers. Our sites do not show ads and do not participate in advertising networks.

You can configure your browser to reject cookies, but our Service will not work without the essential cookies (login will fail).

We apply reasonable technical and organisational measures to protect your data:

• Encryption in transit — TLS 1.2/1.3 for all HTTPS connections, with HSTS and certificates from a trusted public authority
• Encryption at rest for backups and servers where applicable
• Strong password hashes — bcrypt with minimum cost factor 12
• Two-factor authentication (2FA) optional for any client account; recommended for admin accounts
• CSRF tokens on all POST forms
• HTTP security headers — CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
• Restricted access to databases and logs on the least privilege principle
• Redundant backups in geographically separate locations
• Continuous monitoring of infrastructure for intrusion detection

No information system is 100% secure. In the event of a data breach affecting you, we will notify you directly and report to the ICO within 72 hours, per GDPR Art. 33.

Our Services are not intended for persons under 18 years of age. We do not knowingly collect data about minors. If we learn that we have collected data about a person under 18 without parental consent, we will delete it promptly.

If you are a parent or legal guardian and believe your child has provided us with personal data, please contact us at privacy@ligahosting.com.

We may update this Policy from time to time to reflect legislative changes, changes in our practices, or in the Services we offer. Minor changes (clarifications) take effect upon publication. Material changes (those significantly affecting your rights, e.g. new categories of data collected or new partners) will be announced by email at least 30 days in advance.

The current version is indicated by the "Last updated" date at the top of this page. We recommend that you consult it periodically.

For any question, request or complaint related to this Privacy Policy or the processing of your personal data:

• Email (privacy / GDPR): privacy@ligahosting.com
• Email (general): contact@ligahosting.com
• Phone: +40 766 453 265
• Postal address: LIGA HOSTING LTD, 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom

If you are not satisfied with how we handled your request, you have the right to lodge a complaint with the supervisory authority in your country (see the "Your rights" section above for details).