Privacy Policy
Data protection and security. What we collect, why, and your GDPR rights.
Who is responsible
Controller (Art. 4(7) GDPR): Julian Achter (Einzelunternehmer), trading as Aluy
Postal address: Am Hang 55, 85737 Ismaning, Germany
The simple version
Privacy-respecting: We collect the minimal information necessary for billing and support. We maintain essential operational logs for service reliability only. We do not monitor your server content.
We don’t sell your data or use invasive web tracking. We respect user privacy. Verification may be requested when legally required or for fraud prevention.
What we collect
Account stuff: Name, email address, billing address. For business customers: company name, VAT ID (if applicable). Standard business information for hosting services.
Payment info: We accept payments via PayPal, via Payrexx (card, Klarna, Apple Pay, Google Pay, iDEAL, and other methods), and in cryptocurrency. Payments are processed by third-party payment processors. We do not store full card numbers or payment credentials on our systems.
Server logs: Connection logs for security, operations, and troubleshooting. Standard monitoring for service reliability.
Account audit log: For every security-relevant action on your account (logins, password changes, two-factor changes, admin actions, payments, GDPR requests, role changes) we record the timestamp, the action, the IP address and user-agent of the request, and a correlation id. This is what lets us answer abuse reports, investigate account takeovers, and respond to lawful authority requests with precision. Retention is described under “How long we keep it”.
Outbound email log: When we send you transactional email (verification, invoices, password resets, GDPR notices, broadcasts) we record the recipient, sender, subject, the template used, the SMTP message-id and delivery status, and the rendered body. The body is redacted after 90 days; the envelope is kept for 2 years so we can prove that a specific invoice or notice was sent. You can see every email we have sent you in your account dossier (Account → Data export).
Verification: Verification may be requested when legally required or when fraud prevention measures indicate it is necessary. Payment-method rules apply as described at order time.
Support tickets: Your questions and our answers. We keep these to help you better.
What we don’t do
- We do not track you across websites
- We do not sell your data to third parties
- We do not monitor your server content
- We do not use invasive analytics
- We do not share data unless legally required
- We do not use automated decision-making or profiling that produces legal effects concerning you (Art. 22 GDPR)
Legal basis for processing
Under GDPR Article 6, we process your data based on:
Contract performance (Art. 6(1)(b)): Account management, billing, service provision, technical support
Legitimate interest (Art. 6(1)(f)): Network security, fraud prevention, service improvement, basic logging. You may object to processing based on legitimate interest at any time (Art. 21 GDPR); we will then cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Legal obligation (Art. 6(1)(c)): Tax records, business records (e.g. retention periods under German tax and commercial law, §§ 147 AO, 257 HGB — often up to 10 years for tax-relevant documents), law enforcement requests
Consent (Art. 6(1)(a)): Marketing communications (if you opt-in), non-essential cookies. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
How we use your data
- Billing and payment processing
- Technical support
- Account security
- Legal compliance (when required)
- Service announcements (rare)
How long we keep it
Account data: While you’re a customer + 1 year
Billing records (invoices, orders, payments, balance ledger): 10 years (legal requirement under §§ 147 AO, 257 HGB)
Security audit log (logins, password changes, two-factor changes, admin actions on your account, payments, GDPR requests, broadcasts, role / permission changes): 365 days, then automatically deleted. Each row captures the action, the timestamp, the actor (when known), the IP address and user-agent of the request, and a correlation id. We need this retention to investigate account takeovers, abuse reports, and disputes — most of which surface weeks or months after the fact.
Operational audit log (routine application bookkeeping that has no forensic value after a month): 30 days, then automatically deleted.
Outbound email log (transactional and broadcast email we send to you): envelope (recipient, sender, subject, template, message-id, status) 2 years; rendered message body 90 days, after which the body is redacted but the envelope is kept so we can still prove that a particular invoice or notice was sent. Email rows older than 2 years are deleted in full.
Web / application access logs (nginx, Next.js): 30 days max.
Support tickets: 2 years for reference, or until you exercise your right to erasure under Art. 17 GDPR — whichever comes first. We have no statutory obligation to retain support correspondence; the 2-year period is a legitimate-interest retention (Art. 6(1)(f)) and is overridden by an erasure request. The only exception is where individual messages are necessary to defend a specific, identifiable legal claim under Art. 17(3)(e) GDPR (e.g. ongoing abuse / fraud investigation, pending dispute) — those messages may be retained, under restricted processing (Art. 18 GDPR), until the relevant limitation period expires.
On Art. 17 erasure we delete: profile data, postal address, phone number, VAT-ID, password hash, two-factor secrets, passkeys, sessions, OAuth links, marketing-consent state, all support tickets, ticket messages, and ticket-attachment files, and the rendered bodies of email we sent to you. We scrub IP / user-agent / actor and subject links from every historical audit-log row that referenced your account, leaving only action, timestamp, entityType, and a retention class — enough to preserve accountability (Art. 17(3)(e) GDPR), nothing that identifies you. We retain only what we are legally required to keep: invoices, the buyer name + address frozen onto each invoice (§ 14 Abs. 4 UStG), the orders / payments / balance ledger that backs them, the email envelopes that prove dispatch of those invoices, and the consent-log row that proves consent was obtained (Art. 7(1) accountability). All retained records are placed under restricted processing pursuant to Art. 18 GDPR and are accessed only where legally required.
Pre-erasure dossier archive: Immediately before your account is anonymised we produce a sealed ZIP archive of everything we held about you at that moment, together with a SHA-256 hash manifest. The archive is kept for 30 days under Art. 17(3)(e) GDPR (defence of legal claims) so that, if you later dispute what was deleted, we can show exactly what existed at the moment of erasure. After 30 days the archive is deleted automatically.
Data is deleted or anonymised once the retention purpose expires and no statutory retention obligation prevents deletion. All retention windows are enforced by an automated daily job — they are not maintained by hand.
Your rights
Under GDPR (Articles 15–22) and other privacy laws, you have the following rights:
Access (Art. 15): Request a copy of your personal data
Rectification (Art. 16): Correct inaccurate or incomplete data
Erasure (Art. 17): Request deletion when legally possible
Restriction (Art. 18): Limit how we process your data
Portability (Art. 20): Receive your data in machine-readable format
Objection (Art. 21): Object to processing based on legitimate interest
Withdrawal of consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing
Self-service data export (Art. 15 + Art. 20): Logged-in customers can download a full machine-readable copy of their data at any time from Account → Data export in the portal. The download is a ZIP archive containing your profile, orders, invoices, payments, services, support tickets and attachments, the outbound email log, your sessions, every audit-log entry that references your account, and a cover sheet with SHA-256 hashes of every file for integrity verification. We do not retain a copy of the archive; we log only the fact that you requested it.
How to exercise other rights: Email us at privacy@aluy.net with your request. We’ll respond within 30 days as required by Art. 12(3) GDPR.
Law-enforcement and supervisory-authority disclosure: We only disclose personal data to authorities where we are legally compelled to (e.g. a request under § 100j TKG, §§ 161, 163 StPO, § 14 Abs. 2 TMG, court order, or an equivalent instrument in the jurisdiction of one of our servers). Every disclosure is produced as a sealed ZIP dossier with a cover sheet that records the requesting authority, the reference / Aktenzeichen, the legal basis cited, and the SHA-256 hash of every file in the archive. The act of producing the dossier is itself written to our audit log so we have an internal record of every disclosure for the duration of the audit retention window. Where the law allows, we will inform you of a disclosure that concerned your data.
Right to lodge a complaint: You may lodge a complaint with a supervisory authority in the EU/EEA — in Germany, e.g. the Federal Commissioner for Data Protection and Freedom of Information (BfDI) or your state data protection authority (Länderbehörden).
Data processors & third parties
We use the following processors to provide our services. All processors are bound by data processing agreements (DPAs) under Art. 28 GDPR:
Our infrastructure (BYOIP / BYOASN on rented dedicated servers): Our VPS and our own dedicated-server products run on dedicated servers we rent from third-party server providers in the Netherlands, Bulgaria, Switzerland, and Finland. On those rented machines we announce our own ASN and IP space (bring-your-own-IP / bring-your-own-ASN); our systems and customer data sit on our software stack. The underlying hardware owner / data-centre operator has physical-layer access to the server but no logical access to customer data on our systems beyond what is required to deliver the rented hardware (e.g. remote-hands, IPMI / KVM when explicitly requested). We may change the underlying hardware provider for a location without notice; the IPs, ASN, and service identity remain ours.
Resold Hetzner server auction: If you purchase a "Hetzner Server Auction" dedicated server, that hardware is owned and operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) on Hetzner’s own network, ASN, and IP space, in one of Hetzner’s own data centres in Germany (Falkenstein, Nuremberg) or Finland (Helsinki) depending on which auction unit you select. Hetzner is the sub-processor and primary data-centre operator for those services and Hetzner’s terms and privacy policy also apply in addition to ours.
Number resources & LIR services: IP, ASN, and LIR services are issued and operated under the policies and agreements of the RIPE NCC (Stationsplein 11, 1117 KX Schiphol, NL). RIPE NCC is a registry, not a processor of customer content; registration and routing data submitted under those services is published in the RIPE Database in accordance with RIPE policy.
Payment processors: PayPal, Payrexx (Visa, Mastercard, Amex, Klarna, Apple Pay, Google Pay, iDEAL, Bancontact, EPS, Alipay, Przelewy24, and others), and Heleket (crypto).
Email service: Transactional emails (invoices, support) are sent via our own mail servers or third-party email service providers as necessary for service delivery.
All processors are located within the EU/EEA, in a country covered by a European Commission adequacy decision under Art. 45 GDPR (Switzerland: Commission Implementing Decision (EU) 2024/2391 of 21 August 2024), or operate under appropriate data transfer mechanisms (Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR where applicable). We may change sub-processors as operationally necessary; material changes will be communicated to you through our privacy policy updates.
International data transfers
Where personal data is transferred to a country outside the EU/EEA that does not benefit from an adequacy decision under Art. 45 GDPR, we rely on Standard Contractual Clauses (Art. 46(2)(c) GDPR) or other appropriate safeguards. You may request a copy of the applicable safeguards by contacting privacy@aluy.net.
Security & encryption
We implement industry-standard security measures to protect your data. We do not guarantee absolute security — no system connected to the internet can — but we take reasonable technical and organisational measures (Art. 32 GDPR):
- HTTPS/TLS Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Password protection: Customer passwords are hashed using industry-standard algorithms (bcrypt/Argon2)
- Access controls: Strict access controls limit who can access customer data internally
- Security monitoring: We maintain security logs and monitor for unauthorized access attempts
- Regular updates: Systems are kept updated with security patches
Note: Admin panel access attempts are logged for security purposes (with consent). These logs include IP addresses and timestamps and are retained for 30 days.
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Art. 34 GDPR).
Cookies
We use essential cookies for service functionality and non-essential cookies with your consent:
- Login session (essential) — Keeps you logged in
- CSRF protection (essential) — Prevents cross-site request forgery attacks
- Payment verification (essential) — Confirms payment status
- Preference storage (non-essential) — Remembers banner dismissals (requires consent)
A cookie consent banner appears on your first visit. You can accept all cookies or choose essential-only.
No tracking cookies, no advertising cookies, no third-party analytics.
For full details see our Cookie Policy.
Changes to this policy
We may update this policy as needed. Material changes will be notified by email. Continued use of the services after notification constitutes acceptance of the updated policy, except where separate consent is required by law.
Updated April 2026