Privacy Policy
This policy explains how we process your personal data when you visit our website or use our services.
Last updated: May 2, 2026
1. Who we are (Data Controller)
The Data Controller is Matteo Martelloni, sole proprietor operating under the trade name DeluxHost, with registered office at Via della Motomeccanica 5/C, 00071 Pomezia (RM), VAT/Tax Code IT17734661006.
- Website: https://deluxhost.net
- Email for privacy requests: privacy@deluxhost.net
- General email / support: support@deluxhost.net
- Abuse reporting email: abuse@deluxhost.net
- Certified email (PEC): deluxhost@mypec.eu
2. Dual role of the Controller
When you use our services, we process personal data in two distinct roles:
- (a) As Data Controller — when we process your personal data as a customer or visitor: personal details, contact data, billing information, access logs, contents of emails you send us. This Privacy Policy governs this role.
- (b) As Data Processor (Art. 28 GDPR) — when, through our VPS, VDS, and dedicated servers, personal data of your choice transits through the infrastructure. With respect to this data you are the Data Controller and we act solely on your instructions. The terms of this relationship are governed by the Data Processing Agreement (DPA) available separately.
- Services purchased through Resellers: the Reseller is generally the Data Controller for the commercial relationship with the end customer, while we act as Data Processor pursuant to Art. 28 GDPR.
3. What data we process
We process the following categories of personal data:
- Registration and contract data: first name, last name, company name, address, tax code, VAT number, recipient code / PEC, email, phone number.
- Payment data: we do not store card data on our systems. Transactions are processed by Mollie B.V. (Netherlands), PayPal (Europe) S.à r.l. (Luxembourg), and Xeltox Enterprises Ltd / Cryptomus (Canada), who act as independent data controllers.
- Technical data: IP address, control panel access logs, system logs, browser and device data.
- Communication data: contents of emails, support tickets, and live chat messages (managed via Crisp IM SAS, Nantes, France).
- Content uploaded to services: personal data contained in files, databases, and configurations stored on our infrastructure — processed as Data Processor.
- Special categories of data: we do not process special categories of data (Art. 9 GDPR). If such data is uploaded by the customer, responsibility lies entirely with the customer as Data Controller.
4. Why we process data and on what legal basis
We process your data for the following purposes:
- Account registration, activation and provision of services — Performance of a contract (Art. 6.1.b GDPR)
- Invoicing, accounting, tax obligations — Legal obligation (Art. 6.1.c GDPR)
- Technical support, ticket management, customer communications — Performance of a contract (Art. 6.1.b GDPR)
- Service communications (maintenance notices, expiry notices, security alerts) — Performance of a contract / legal obligation
- Infrastructure security, prevention of abuse, fraud, and unlawful activities — Legitimate interest (Art. 6.1.f GDPR)
- Management of the referral / affiliate program — Performance of a contract (Art. 6.1.b GDPR)
- Handling data subject requests (Arts. 15-22 GDPR) — Legal obligation (Art. 6.1.c GDPR)
- Legal defense and dispute management — Legitimate interest (Art. 6.1.f GDPR)
- Compliance with requests from authorities — Legal obligation (Art. 6.1.c GDPR)
5. How long we retain data
Retention periods by data category:
- Personal and contract data: for the duration of the contractual relationship and for 10 years after termination.
- Tax and accounting documents: 10 years from issuance.
- Panel and system/security access logs: up to 12 months.
- Customer data on servers (VPS, VDS, dedicated): deleted within 7 days from expiry; panel backups retained for 14 days total from expiry.
- Account deletion on request: processed within 30 days (extendable by 60 days for complex cases), subject to mandatory retention of tax data.
- Prospect/lead data: 24 months from last contact.
- Support communications (tickets, emails): 5 years from closure.
6. Who we share data with
Data may be shared with the following categories of recipients:
- Datacenters: Qupra DC (Nieuwe Hemweg 26, 1013 CX Amsterdam) and Skylink Data Center BV (Bart van Slobbestraat 16B, 6471 WV Eygelshoven) — both in the Netherlands.
- External backup provider: Hetzner Online GmbH (Gunzenhausen, Germany).
- Payment providers: Mollie B.V., PayPal (Europe) S.à r.l., Xeltox Enterprises Ltd / Cryptomus — acting as independent data controllers.
- Accounting and electronic invoicing: Aruba S.p.A. (Ponte San Pietro, Italy).
- Support and live chat: Crisp IM SAS (Nantes, France).
- Internet Registry: RIPE NCC (Amsterdam) for IP address registration and WHOIS/RDAP contacts.
- Consultants and professionals: accountants, lawyers, bound by professional secrecy.
- Judicial, public security, and administrative authorities: when required by law.
- Data is not sold, transferred, or exchanged with third parties for marketing or profiling purposes.
7. Transfers outside the European Union
All operational data and backups are processed within the European Economic Area (Netherlands and Germany). Some ancillary providers may transfer data outside the EEA:
- PayPal may transfer data to the United States, covered by the EU-US Data Privacy Framework (Commission Implementing Decision EU 2023/1795) and Standard Contractual Clauses (SCCs).
- Xeltox Enterprises Ltd / Cryptomus is based in Canada, a country covered by an EU adequacy decision (Decision 2002/2/EC).
- An updated list of providers and safeguards is available upon request at privacy@deluxhost.net.
8. Your rights
At any time you may exercise the following rights under Articles 15-22 of the GDPR by writing to privacy@deluxhost.net:
- Access to your data and information about its processing.
- Rectification of inaccurate or incomplete data.
- Erasure of data (right to be forgotten) in the cases provided for by Art. 17.
- Restriction of processing.
- Portability of data in a structured, machine-readable format.
- Objection to processing based on legitimate interest.
- Complaint to the Italian Data Protection Authority (Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) or to the authority in your country of residence.
9. Security measures
We adopt appropriate Technical and Organizational Measures (TOMs), including:
- Encryption of data in transit (TLS) for all communications with the site and control panel.
- Controlled, authenticated, and audited access to administration systems.
- Network segmentation, firewalls, and perimeter protection measures.
- Periodic backups and data redundancy.
- Constant system updates and security patches.
- Security incident management procedures, with notification to the supervisory authority within 72 hours (Art. 33 GDPR) and communication to data subjects in the event of high risk (Art. 34 GDPR).
- Confidentiality agreements with staff and authorized processing suppliers.
10. Changes to this policy
This policy may be updated to reflect regulatory, organizational, or technical changes. The current version is always published on this page with the date of last update. For material changes, we will notify you via a notice in the customer area or by email.
