Privacy Policy
Data protection and security. What we collect, why, and your GDPR rights.
Who is responsible
Controller (Art. 4(7) GDPR): Julian Achter (Einzelunternehmer), trading as Aluy
Postal address: Am Hang 55, 85737 Ismaning, Germany
The simple version
Privacy-respecting: We collect the minimum information necessary for billing and support. We maintain essential operational logs for service reliability only. We do not monitor your server content.
We don’t sell your data or use invasive web tracking. We respect user privacy. Verification may be requested when legally required or for fraud prevention.
What we collect
Account stuff: Name, email address, billing address. For business customers: company name, VAT ID (if applicable). Standard business information for hosting services.
Payment info: Payments are accepted via PayPal; card, Klarna, Apple Pay, Google Pay, iDEAL, and other methods (via Payrexx); cryptocurrency; and cash. Payments are handled by third-party payment processors. We do not store full card numbers or payment credentials on our systems.
Server logs: Connection logs for security, operations, and troubleshooting. Standard monitoring for service reliability.
Verification: Verification may be requested when legally required or when fraud prevention measures indicate it is necessary. Payment-method rules apply as described at order time.
Support tickets: Your questions and our answers. We keep these to help you better.
What we don’t do
- We do not track you across websites
- We do not sell your data to third parties
- We do not monitor your server content
- We do not use invasive analytics
- We do not share data unless legally required
- We do not use automated decision-making or profiling that produces legal effects concerning you (Art. 22 GDPR)
Legal basis for processing
Under GDPR Article 6, we process your data based on:
Contract performance (Art. 6(1)(b)): Account management, billing, service provision, technical support
Legitimate interest (Art. 6(1)(f)): Network security, fraud prevention, service improvement, basic logging. You may object to processing based on legitimate interest at any time (Art. 21 GDPR); we will then cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Legal obligation (Art. 6(1)(c)): Tax records, business records (e.g. retention periods under German tax and commercial law, §§ 147 AO, 257 HGB — often up to 10 years for tax-relevant documents), law enforcement requests
Consent (Art. 6(1)(a)): Marketing communications (if you opt in), non-essential cookies. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
How we use your data
- Billing and payment processing
- Technical support
- Account security
- Legal compliance (when required)
- Service announcements (rare)
How long we keep it
Account data: While you’re a customer + 1 year
Billing records: Up to 10 years (legal requirement under §§ 147 AO, 257 HGB)
Server logs: 30 days max
Support tickets: 2 years for reference
Data is deleted or anonymised once the retention purpose expires and no statutory retention obligation prevents deletion.
Your rights
Under GDPR (Articles 15–22) and other privacy laws, you have the following rights:
Access (Art. 15): Request a copy of your personal data
Rectification (Art. 16): Correct inaccurate or incomplete data
Erasure (Art. 17): Request deletion when legally possible
Restriction (Art. 18): Limit how we process your data
Portability (Art. 20): Receive your data in machine-readable format
Objection (Art. 21): Object to processing based on legitimate interest
Withdrawal of consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing
How to exercise your rights: Email us at privacy@aluy.net with your request. We’ll respond within 30 days as required by Art. 12(3) GDPR.
Right to lodge a complaint: You may lodge a complaint with a supervisory authority in the EU/EEA — in Germany, e.g. the Federal Commissioner for Data Protection and Freedom of Information (BfDI) or your state data protection authority (Länderbehörden).
Data processors & third parties
We use the following processors to provide our services. All processors are bound by data processing agreements (DPAs) under Art. 28 GDPR:
Infrastructure providers: Our servers are hosted with Hetzner (Germany/Finland), LIAM (UK), and USM (Netherlands). These providers have access to server infrastructure but not to customer data, except as required for service delivery.
Payment processors: PayPal, Payrexx (Visa, Mastercard, Amex, Klarna, Apple Pay, Google Pay, iDEAL, Bancontact, EPS, Alipay, Przelewy24, and others), and Heleket (crypto).
Email service: Transactional emails (invoices, support) sent via our own mail servers or third-party email service providers as necessary for service delivery.
All processors are located within the EU/EEA or operate under appropriate data transfer mechanisms (Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR where applicable). We may change sub-processors as operationally necessary; material changes will be communicated to you through our privacy policy updates.
International data transfers
Where personal data is transferred to a country outside the EU/EEA that does not benefit from an adequacy decision under Art. 45 GDPR, we rely on Standard Contractual Clauses (Art. 46(2)(c) GDPR) or other appropriate safeguards. You may request a copy of the applicable safeguards by contacting privacy@aluy.net.
Security & encryption
We implement industry-standard security measures to protect your data. We do not guarantee absolute security — no system connected to the internet can — but we take reasonable technical and organisational measures (Art. 32 GDPR):
- HTTPS/TLS Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Password protection: Customer passwords are hashed using industry-standard algorithms (bcrypt/Argon2)
- Access controls: Strict access controls limit who can access customer data internally
- Security monitoring: We maintain security logs and monitor for unauthorized access attempts
- Regular updates: Systems are kept updated with security patches
Note: Admin panel access attempts are logged for security purposes (with consent). These logs include IP addresses and timestamps and are retained for 30 days.
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Art. 34 GDPR).
Cookies
We use essential cookies for service functionality and non-essential cookies with your consent:
- Login session (essential) — Keeps you logged in
- CSRF protection (essential) — Protects against cross-site request forgery attacks
- Payment verification (essential) — Confirms payment status
- Preference storage (non-essential) — Remembers banner dismissals (requires consent)
A cookie consent banner appears on your first visit. You can accept all cookies or choose essential-only.
No tracking cookies, no advertising cookies, no third-party analytics.
For full details see our Cookie Policy.
Changes to this policy
We may update this policy as needed. We will notify you of material changes by email. Continued use of the services after notification constitutes acceptance of the updated policy, except where separate consent is required by law.
Updated April 2026