Privacy Policy

Privacy Policy of Yhost Hosting provider

Controller: Apefo Ltd trading as Yhost
Address: 24-26 Regent Place, City Centre, Birmingham, United Kingdom, B1 3NJ
Contact: [email protected] (privacy requests: [email protected])
Effective date: January 24, 2026  |  Version: 2.0

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website, create an account, purchase Services, or communicate with us. It also clarifies the roles and responsibilities where we process personal data in Customer Content as a hosting provider.

1. Scope and Roles

1.1 When We Act as Controller

We act as a “controller” (or equivalent term) for personal data we collect and use to operate our business, including account registration data, billing and payment data, support communications, and marketing preferences.

1.2 When We Act as Processor

For personal data contained in Customer Content hosted on the Services (for example, your website database containing end-user records), we typically act as a “processor” (or “service provider”) on behalf of the Customer. In this context, the Customer determines what data is collected and the purposes of processing. Our processing is limited to providing the hosting infrastructure and support and complying with legal obligations.

2. Data We Collect

2.1 Data You Provide

  • Account data: name, company name, username, password (stored as a hash), contact email, phone number, address, country.
  • Verification data (KYC): where needed, copies of identification documents, proof of address, or business registration information. We minimize retention and may use third-party verification services.
  • Billing data: invoices, subscription details, tax IDs (VAT/GST), and transaction references.
  • Support data: ticket content, attachments you provide, chat transcripts, and call notes where applicable.

2.2 Data Collected Automatically

  • Device and log data: IP address, timestamps, user agent, referrer URL, and basic request data when you access our website or client portal.
  • Security logs: authentication events, suspicious activity indicators, and firewall/WAF events needed for security and fraud prevention.
  • Cookies and similar technologies: used for essential functions and, where you consent, analytics/marketing.

3. How We Use Personal Data (Purposes)

  • Service delivery: to create and manage Accounts, provision Services, authenticate users, and provide customer support.
  • Billing and accounting: to process payments, issue invoices, handle taxes, and maintain required financial records.
  • Security and abuse prevention: to protect our platform, investigate incidents, prevent fraud, and enforce our Terms/AUP.
  • Communications: to send service notices, invoices, renewal reminders, policy updates, and respond to requests.
  • Product improvement: to analyze usage and reliability trends and improve performance and user experience.
  • Marketing (optional): where permitted by law, to send product updates or offers. You may opt out at any time.

4. Legal Bases (UK GDPR / EU GDPR)

Where the UK GDPR or EU GDPR applies, we rely on the following legal bases:

  • Contract: to perform our contract with you (e.g., providing hosting and support).
  • Legal obligation: to comply with tax, accounting, and lawful requests.
  • Legitimate interests: to secure our services, prevent abuse, and improve our products, balanced against your rights.
  • Consent: where required, for certain cookies and for marketing in some jurisdictions.

5. Sharing and Disclosure

We share personal data only as needed for the purposes above:

  • Infrastructure providers and subprocessors: datacenters, storage, monitoring, and security vendors that help us deliver the Services.
  • Payment processors: to process payments and prevent fraud.
  • Professional advisers: accountants, auditors, lawyers where needed.
  • Legal disclosure: regulators, law enforcement, or rights holders when required by law or necessary to protect rights and safety.

6. International Transfers

We may process data in the United Kingdom, the European Union, and other locations where our subprocessors operate. Where data is transferred internationally and GDPR applies, we use appropriate safeguards such as standard contractual clauses, vendor due diligence, and security measures.

7. Retention

We retain personal data only as long as necessary for the purposes described:

  • Account and billing records: retained for the period required by tax and accounting laws.
  • Support communications: retained to provide continuity and defend legal claims, subject to deletion requests where applicable.
  • Security logs: retained for a limited time to investigate incidents and prevent fraud.
  • Customer Content (processor context): retained for the duration of the Services and deleted after termination within a reasonable operational timeframe, unless legally required to retain.

8. Your Rights

Depending on your jurisdiction, you may have rights such as access, correction, deletion, restriction, portability, and objection. You may also withdraw consent where processing is based on consent. To exercise rights, contact us using the details above. We may request verification to protect against unauthorized requests.

9. Security

We implement technical and organizational measures designed to protect personal data, including access controls, least privilege, encryption in transit where supported, monitoring, and incident response processes. No system is perfectly secure; you are responsible for securing your own applications and credentials.

10. Cookies

We use essential cookies to operate the site and client portal. Where required, we ask for consent for non-essential cookies (analytics and marketing). You can manage cookie settings in your browser and, where available, through our cookie consent tool.

11. Children

The Services are not directed to children. We do not knowingly collect personal data from children under 13 (or the age required by local law). If you believe a child has provided data, contact us and we will take appropriate steps.

12. Changes

We may update this Privacy Policy. We will post the updated version on our site and update the effective date. Material changes may be notified via email or the client portal.

13. Contact and Complaints

Contact us at [email protected]. If you are in the UK or EEA and believe we have not addressed your concern, you may also have the right to lodge a complaint with your local data protection authority.

14. Subprocessors and Service Providers

We use service providers (“subprocessors” when acting as a processor) to help operate the Services. Typical categories include:

  • Datacenter and cloud infrastructure providers (compute, storage, networking).
  • Backup and disaster recovery tooling providers.
  • Support ticketing, email delivery, and status page providers.
  • Fraud prevention and identity verification providers (where needed).

We contractually require providers to protect data and use it only on our instructions. Where we act as a processor, customers may request an up-to-date subprocessor list via support.

15. Identity Verification (KYC) Data

When we request identity or business verification, we use the data to prevent fraud, comply with payment provider requirements, and protect platform integrity. Verification data may be processed by third-party verification services. We restrict access to verification data and store it for the shortest period necessary, subject to legal obligations and fraud prevention needs.

16. Additional Information for U.S. Residents

Depending on your U.S. state, you may have privacy rights similar to GDPR (access, deletion, correction, and opt-out of certain disclosures). We do not sell personal information in the traditional sense. Some disclosures to service providers for analytics or marketing may be considered “sharing” under certain U.S. state laws. Where required, we provide opt-out mechanisms and honor browser-based signals where applicable.

17. Automated Decision-Making

We may use automated systems to detect fraud, abuse, or security anomalies (for example, login risk scoring or abuse pattern detection). These systems may lead to temporary restrictions or requests for manual verification. You may contact support to request human review of a decision that materially affects your access to the Services.

18. Data Subject Requests for Hosted Content

If you are an end user of a website hosted by one of our customers and you want to exercise data rights regarding that website’s content, you should contact the site operator (our customer) because they control the content and purposes of processing. We can assist the customer as needed as a processor.

19. Security Measures (Examples)

Security controls vary by service tier and may include: encrypted connections (TLS) for web portals; access control and role-based permissions for internal systems; monitored authentication events; malware scanning and quarantining (where enabled); network firewalls and WAF; DDoS mitigation; secure backups (where purchased); and incident response procedures. Customers remain responsible for application-layer security, credential hygiene, and safe configuration of their services.
