Privacy Policy
Plain-language summary: We collect only what we need to run your hosting account. We do not sell your data. You own everything you store on our infrastructure. We use a small number of trusted third-party processors and disclose them fully below.
// 01
Who We Are
Holtzhost is a web hosting company operated by a systems engineer based in Denver, Colorado, USA. We provide web hosting, email hosting, DNS management, SSL provisioning, database services, automated backups, and self-hosted application services.
Data controller: Holtzhost, Denver, Colorado, USA
Contact: [email protected]
For customers in the European Economic Area (EEA): we are the data controller with respect to personal data processed in connection with your use of our services. We do not maintain a formal EU representative at this time; all data subject inquiries may be directed to the contact address above.
// 02
Information We Collect
Account Information
When you create an account or purchase services, we collect:
- Contact details: name, email address, and mailing address
- Billing information: billing address and invoice history (we do not store payment card data — see Section 5)
- Account credentials: username and hashed password
Service Usage Data
As part of delivering hosting services, we collect and log:
- Server logs: IP addresses, timestamps, HTTP request and error records
- Resource usage: bandwidth, disk storage, and CPU consumption metrics
- Control panel activity: login history, configuration changes, and administrative actions performed through HestiaCP
- DNS records: zone files and query logs associated with your domains
- SSL certificate records: domain names submitted for certificate issuance and renewal
- Email routing data: sender/recipient addresses, delivery timestamps, bounce and spam reports generated through our email relay infrastructure
- Backup metadata: timestamps, file counts, and sizes for automated backup jobs
Security and Infrastructure Data
- Firewall and intrusion detection logs, including blocked IP addresses
- Fail2ban event records (brute-force detection)
- ClamAV malware scan results for incoming email
- DDoS mitigation and IP blocklist events
Information You Store on Our Infrastructure
Files, databases, email messages, and application data that you upload or generate are stored on our servers at your direction. You own this data entirely. We access it only as described in Section 3.
Communications
When you contact us by email or through our contact form, we retain the content of that communication and your contact details to respond to and track your request.
// 03
How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provision of services | Account info, service usage data | Contract performance |
| Billing and invoicing | Account info, billing address | Contract performance, legal obligation |
| Security monitoring | Server logs, security event data | Legitimate interest |
| Technical support | Account info, service data, communications | Contract performance |
| Service communications | Email address | Contract performance, legitimate interest |
| Legal compliance | Account info, usage logs | Legal obligation |
| Fraud and abuse prevention | IP addresses, usage patterns | Legitimate interest |
We do not use your data for targeted advertising, behavioral profiling, or any commercial purpose beyond operating your account. We do not sell your personal data to any third party.
We will not access the content of files, databases, or email messages stored on our infrastructure except when required by law, when you request technical support and grant us access, or when we detect an active security threat that requires immediate response.
// 04
Legal Basis for Processing (GDPR)
For customers in the European Economic Area, our lawful bases for processing personal data are:
- Contract performance (Article 6(1)(b)): processing necessary to provide the hosting services you have purchased
- Legal obligation (Article 6(1)(c)): retaining billing and tax records, responding to lawful government requests
- Legitimate interests (Article 6(1)(f)): security monitoring, fraud prevention, network integrity — we have assessed that these interests are not overridden by your rights
- Consent (Article 6(1)(a)): for non-essential communications or cookies where we seek your consent
We do not engage in automated decision-making or profiling with legal or similarly significant effects on individuals.
// 05
Third-Party Service Providers
We share limited personal data with the following third-party processors to deliver our services. Each is bound by a data processing agreement and prohibited from using your data for any purpose other than providing services to us on your behalf.
Email Delivery — Resend
Transactional and contact-form email is delivered by Resend (Resend Inc., USA). Data transmitted includes sender and recipient addresses, the submitting visitor's email address (used as the reply-to address), message subject and body, and delivery metadata such as timestamps and bounce notifications. Resend maintains SOC 2 Type II and GDPR compliance, uses Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework for international transfers, and provides a Data Processing Agreement automatically incorporated into their Terms of Service. See Resend's Privacy Policy, DPA, and Sub-processor List.
Email Delivery — Mailgun
Mailgun (a Sinch company) serves as a fallback email delivery provider when Resend is unavailable. The same categories of data described above — sender and recipient addresses, reply-to address, message content, and delivery metadata — are transmitted through Mailgun's infrastructure in that event. Mailgun maintains GDPR, SOC 2 Type II, ISO 27001, and ISO 27701 compliance and is certified under the EU-U.S. Data Privacy Framework. Mailgun does not read the content of messages for commercial purposes. See Mailgun's Privacy Policy.
Payment Processing
All payment transactions are processed by our third-party payment processor through our customer portal at service.holtzhost.com. Holtzhost does not receive, store, process, or transmit credit card or bank account data. Your payment information is handled entirely by our payment processor, which maintains PCI DSS compliance. Your billing address and invoice history are retained by us for accounting and tax purposes.
SSL Certificate Authority
SSL certificates are issued by Let's Encrypt, a public certificate authority operated by the Internet Security Research Group (ISRG). Domain names submitted for certificate issuance are logged in Let's Encrypt's public Certificate Transparency logs, which is an industry-standard requirement. See Let's Encrypt's Privacy Policy.
Infrastructure and Hosting
Our servers are located in the United States. We do not use third-party cloud infrastructure providers (AWS, GCP, Azure, etc.) for customer data storage — your data resides on hardware we operate directly.
We will notify you at least 30 days in advance of any addition or change to our list of sub-processors that may affect the processing of your personal data. You may request an up-to-date sub-processor list at any time by emailing [email protected].
Legal Disclosures
We may disclose personal data to law enforcement, government agencies, or courts when we are legally required to do so, when necessary to enforce our Terms of Service, or to protect the rights, property, or safety of Holtzhost, our customers, or the public. We will notify affected customers of any such disclosure unless prohibited by law.
// 06
Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 60 days post-termination | Service delivery, data export window |
| Billing and invoice records | 7 years | Tax and accounting legal requirements |
| Server and access logs | 90 days | Security monitoring, abuse investigation |
| Automated backups | 30 days rolling | Disaster recovery |
| Email routing logs | 30 days | Delivery troubleshooting |
| Security event logs | 180 days | Incident investigation |
| Support communications | 2 years | Support history and dispute resolution |
| Customer-stored data (files, databases, email) | Deleted within 60 days of account termination | Customer data export window |
After the applicable retention period, data is permanently and securely deleted or anonymized. Note that deleted data may persist in encrypted backup copies for up to 30 days beyond the deletion event, consistent with our backup rotation schedule.
// 07
Security
We implement and maintain a layered set of technical and organizational security measures, including:
- Encryption in transit: all data transmitted between your device and our servers is protected by TLS 1.2 or higher
- Encryption at rest: backup archives are encrypted using AES-256
- Access controls: customer environments are isolated; administrative access to production systems requires multi-factor authentication
- Intrusion detection: Fail2ban monitors for and automatically blocks brute-force login attempts
- Firewall: a managed iptables firewall and IP blocklist are active on all servers
- Malware scanning: ClamAV scans incoming email attachments
- Regular updates: operating system and software packages receive security patches on an ongoing basis
No method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify affected customers without undue delay, and no later than 72 hours after becoming aware of the breach. Notifications will be sent to the email address associated with your account and will describe the nature of the breach, the data involved, and the steps we are taking.
You are responsible for maintaining the security of your account credentials. Please notify us immediately at [email protected] if you suspect unauthorized access to your account.
// 08
Your Rights — European Economic Area (GDPR)
If you are located in the EEA, you have the following rights with respect to your personal data:
- Right of access (Article 15): request a copy of the personal data we hold about you
- Right to rectification (Article 16): request correction of inaccurate or incomplete data
- Right to erasure (Article 17): request deletion of your personal data, subject to legal retention obligations
- Right to restrict processing (Article 18): request that we limit how we use your data in certain circumstances
- Right to data portability (Article 20): receive your data in a structured, machine-readable format
- Right to object (Article 21): object to processing based on legitimate interests
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing
To exercise any of these rights, email [email protected] with the subject line "GDPR Request." We will respond within 30 days. If you believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority.
// 09
Your Rights — California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: request disclosure of the categories and specific pieces of personal information we have collected, the purposes for which it is used, and the categories of third parties with whom it is shared
- Right to Delete: request deletion of your personal information, subject to certain exceptions
- Right to Correct: request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: we do not sell or share your personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information beyond what is necessary to provide our services
- Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights
To submit a request, email [email protected] with the subject line "CCPA Request," or write to us at our mailing address. We will respond within 45 days. You may designate an authorized agent to submit requests on your behalf.
// 10
Your Rights — Colorado Residents (Colorado Privacy Act)
If you are a Colorado resident, the Colorado Privacy Act (CPA) provides you the following rights:
- Right to access: confirm whether we process your personal data and request a copy
- Right to correct: request correction of inaccurate personal data
- Right to delete: request deletion of personal data we hold about you
- Right to data portability: obtain your data in a portable format
- Right to opt out: opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling — none of which we engage in
We honor Global Privacy Control (GPC) signals as opt-out requests for the sale or sharing of personal data, consistent with CPA regulations effective January 1, 2025.
To submit a CPA request, email [email protected] with the subject line "CPA Request." We will respond within 45 days. If you are unsatisfied with our response, you may appeal by replying to our decision notice, and you have the right to file a complaint with the Colorado Attorney General at coag.gov.
// 11
Cookies and Tracking Technologies
Our public-facing website uses a minimal set of cookies:
- Theme preference (essential): a localStorage entry that remembers your light/dark mode choice. This is stored in your browser only and is not transmitted to our servers.
- Session cookies (functional): if you are logged into your hosting control panel, a session cookie maintains your authenticated session. This is required for the control panel to function.
We do not use third-party analytics cookies, advertising cookies, or any tracking pixels on our marketing pages. We do not build behavioral profiles or engage in cross-site tracking.
You can manage or delete cookies through your browser settings at any time. Disabling session cookies will prevent you from using your hosting control panel.
// 12
Children's Privacy (COPPA)
Our services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Our hosting services require a billing relationship, which presupposes legal capacity to enter into a contract (18 years of age in most jurisdictions).
If we become aware that we have inadvertently collected personal information from a child under 13, we will delete that information promptly. If you believe we have collected information from a child under 13, please contact us at [email protected].
// 13
International Data Transfers
Holtzhost is based in the United States, and your personal data is stored and processed on servers located in the United States. If you are located outside the United States — including in the European Economic Area — your data will be transferred to and processed in the US, which may not provide the same level of data protection as your home jurisdiction.
For transfers of personal data from the EEA to the United States, we rely on the following transfer mechanisms where applicable:
- Standard Contractual Clauses (SCCs): adopted by the European Commission and incorporated into our data processing agreements with sub-processors
- Contractual necessity: where transfer is necessary to perform the contract you have entered into with us
You may request a copy of the applicable transfer safeguards by emailing [email protected].
// 14
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data practices. When we make material changes — including changes to how we collect, use, or share your data, or changes to your rights — we will:
- Post the updated policy on this page with a revised "Last updated" date
- Notify you by email at least 30 days before the changes take effect
For non-material changes (such as corrections or clarifications), we will update the policy without individual notice. We encourage you to review this page periodically. Your continued use of our services after the effective date of changes constitutes your acceptance of the updated policy.
// 15
Contact Us
For any questions, concerns, or requests related to this Privacy Policy or the handling of your personal data, please contact us:
- Email: [email protected]
- Subject line for rights requests: "Privacy Request" + your jurisdiction (e.g., GDPR, CCPA, CPA)
- Location: Denver, Colorado, USA
We are committed to resolving privacy concerns promptly and transparently. If you are not satisfied with our response, you have the right to escalate your complaint to the relevant data protection authority in your jurisdiction.