1. Introduction
Welcome to Hostinking. Hostinking FZ-LLC ("Hostinking", "we", "our", or "us") operates the website hostinking.com and all related subdomains, APIs, and services (collectively, the "Services"). We are registered in Dubai, United Arab Emirates and serve customers globally.
This Privacy Policy describes how we collect, use, store, share, and protect your personal information regardless of where you are located. We are committed to complying with applicable privacy and data protection laws in every country from which our Services are accessed.
By using our Services, you acknowledge that you have read and understood this policy. If you do not agree, please stop using our Services and contact us at privacy@hostinking.com to request deletion of your account.
2. Information We Collect
We collect information in the following ways:
2.1 Information You Provide Directly
- Account Registration: Name, email address, and password when you sign up.
- Billing Information: Payment method details, billing address, and invoice records. Payment card data is processed by our payment providers and is never stored on our servers.
- Support Communications: Messages, attachments, and details you submit via support tickets, live chat, or email.
- Service Configuration: Domain names, hostnames, server configurations, and other settings you configure through your dashboard.
- Identity Verification: In some cases, we may request government-issued identity documents to verify your identity or comply with local legal obligations.
2.2 Information Collected Automatically
- Log Data: IP address, browser type, operating system, referring URL, pages visited, and timestamps of each request.
- Usage Data: Features used, clicks, session duration, and navigation patterns within our dashboard.
- Device Information: Device type, screen resolution, language settings, and time zone.
- Cookies & Similar Technologies: Session cookies for authentication, preference cookies for theme/language, and analytics cookies. See Section 8 for details.
- Approximate Location: Country-level location inferred from your IP address for compliance, language, and fraud prevention purposes. We do not collect precise GPS location.
2.3 Information from Third Parties
- Domain Registrars: WHOIS data and registration status from our domain registration partners (Namecheap).
- Analytics Providers: Aggregated traffic and usage statistics.
- Payment Processors: Transaction status and payment confirmation from our payment partners.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provision, manage, and maintain the hosting accounts, VPS instances, domains, email accounts, and SSL certificates you purchase.
- Billing & Payments: To generate invoices, process payments, send payment reminders, and manage refunds.
- Account Management: To authenticate you, manage your profile, enforce account security, and process password resets.
- Customer Support: To respond to your inquiries, troubleshoot issues, and improve our support quality.
- Service Notifications: To send you critical transactional emails such as invoice receipts, account suspension notices, SSL expiry warnings, and domain renewal reminders.
- Platform Improvement: To analyze usage patterns, identify bugs, and improve our platform's performance and features.
- Security & Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, abuse of our infrastructure, and security incidents.
- Legal Compliance: To comply with applicable laws, regulations, and lawful requests from government authorities in any jurisdiction.
- Marketing Communications: With your explicit consent, to send you promotional offers, product announcements, and newsletters. You may opt out at any time via the unsubscribe link in any email or by contacting us.
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes – ever, regardless of your location.
4. Legal Basis for Processing
We process your personal data under recognized legal grounds. The specific law that applies depends on your country of residence. Across all jurisdictions, we rely on one or more of the following bases:
- Contractual Necessity: Processing required to deliver the Services you have purchased or requested (e.g., provisioning a hosting account).
- Legal Obligation: Processing required to comply with applicable laws, tax regulations, or court orders in your jurisdiction.
- Legitimate Interests: Processing for security, fraud prevention, service improvement, and account communications – where our interests do not override your fundamental rights.
- Consent: For marketing communications and optional cookies, where we ask for your explicit consent before processing. You may withdraw consent at any time.
Applicable Laws by Region
The following privacy laws govern how we handle your data based on your location:
| Region | Countries | Applicable Law |
|---|---|---|
| Middle East – UAE | United Arab Emirates | Federal Decree-Law No. 45 of 2021 on Personal Data Protection |
| Middle East – Egypt | Egypt | Law No. 151 of 2020 on Personal Data Protection & its Executive Regulations |
| Middle East – KSA | Saudi Arabia | Personal Data Protection Law (PDPL) – Royal Decree No. M/19 (2021) |
| Middle East – Other GCC | Bahrain, Qatar, Kuwait, Oman | Bahrain PDPL 2018; Qatar PDPA 2016; Kuwait & Oman data protection regulations |
| Europe | EU/EEA member states | General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 |
| Europe – UK | United Kingdom | UK GDPR & Data Protection Act 2018 |
| Americas – USA | United States | CCPA/CPRA (California); applicable US federal law (COPPA for minors) |
| Americas – Canada | Canada | PIPEDA; Quebec Law 25 (Law 25 on Modernization of Legislative Provisions) |
| Americas – Brazil | Brazil | Lei Geral de Proteção de Dados (LGPD) – Law No. 13,709/2018 |
| Africa – South Africa | South Africa | Protection of Personal Information Act (POPIA) – Act No. 4 of 2013 |
| Africa – Nigeria | Nigeria | Nigeria Data Protection Regulation (NDPR) 2019 & NDPA 2023 |
| Africa – Kenya | Kenya | Data Protection Act No. 24 of 2019 |
| Africa – Other | Ghana, Tunisia, Morocco, etc. | National data protection laws where enacted |
| Asia – India | India | Digital Personal Data Protection Act (DPDPA) 2023 |
| Asia – Singapore | Singapore | Personal Data Protection Act (PDPA) 2012 |
| Asia – Others | Japan, South Korea, Malaysia, etc. | APPI (Japan); PIPA (Korea); PDPA (Malaysia); applicable national laws |
| Asia-Pacific | Australia, New Zealand | Privacy Act 1988 (AU); Privacy Act 2020 (NZ) |
Where multiple laws apply, we follow the stricter requirement. If your country is not listed, we still apply our baseline privacy standards and honor your rights as described in Section 9.
5. How We Share Your Information
We share your personal information only in the following circumstances:
5.1 Service Providers
We engage trusted third-party companies to help us operate our Services. These providers are contractually obligated to protect your data and may only use it to perform services on our behalf:
- Infrastructure: Contabo GmbH – servers located in EU data centers (Germany)
- Domain Registration: Namecheap Inc. (USA)
- Email Delivery: SMTP providers such as Brevo (Sendinblue SAS, France)
- Payment Processing: Our payment gateway partners (subject to their own PCI-DSS compliance)
- AI Services: Groq Inc. (USA) – only anonymized query content is sent; no personal identifiers
- Live Chat: Live Helper Chat – self-hosted on our own servers, no third-party data transfer
5.2 Account Sharing
If you use our account sharing feature to grant access to a team member or sub-user, that person will have access to your account data as defined by the permissions you set. You are responsible for the actions of any person you invite.
5.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or to protect the rights, property, or safety of Hostinking, our users, or the public. We will only comply with requests from authorities in a manner consistent with applicable law, and will notify you where permitted.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website at least 30 days before your data becomes subject to a different privacy policy.
5.5 With Your Consent
We may share your information with third parties when you explicitly and freely consent to such sharing.
6. Data Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption at Rest: All sensitive data (API keys, credentials, payment tokens) stored in our database is encrypted using AES-256 encryption.
- Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.2 or higher (HTTPS). Plain HTTP is rejected.
- Password Security: Account passwords are hashed using bcrypt – we never store plaintext passwords.
- Access Controls: Access to production systems is restricted to authorized personnel only, using role-based access controls and the principle of least privilege.
- Rate Limiting: Our APIs implement sliding-window rate limiting to prevent brute-force attacks and abuse.
- Security Headers: We enforce Content Security Policy, X-Frame-Options, and Permissions-Policy headers on all responses.
- Session Management: Active sessions are tracked and can be reviewed and individually revoked from your account settings at any time.
- Admin IP Whitelisting: Administrative access to our platform is restricted by IP address.
Despite these measures, no system is 100% secure. In the event of a data breach that is likely to affect your rights or freedoms, we will notify you and the relevant supervisory authority within the timeframe required by your applicable law (e.g., 72 hours under GDPR, 30 days under Egypt Law 151/2020).
7. Data Retention
We retain your personal information for as long as necessary to:
- Maintain your active account and deliver the Services.
- Comply with legal, tax, and accounting obligations. Financial records are kept for the period required by your local law – typically 5 years (Egypt, KSA), 7 years (UAE, EU), or as otherwise mandated.
- Resolve disputes, enforce agreements, and investigate abuse.
When you request account deletion, we will anonymize or delete your personal data within 30 days, except where retention is required by applicable law. Encrypted backup copies may persist for up to 90 days before being permanently purged from all backup systems.
Log data is retained for up to 12 months for security and debugging purposes, then automatically deleted. Marketing consent records are retained for the duration required to demonstrate lawful processing.
9. Your Privacy Rights
Regardless of where you live, you may exercise the following rights with respect to your personal data. We honor these universally – you do not need to be in the EU or any specific country to submit a request.
How to Submit a Request
Email privacy@hostinking.com with the subject line "Privacy Request" and describe what you are requesting. We will respond within 30 days (or sooner as required by your local law – e.g., 15 days under Egypt Law 151/2020, 30 days under GDPR, 45 days under CCPA). We may need to verify your identity before fulfilling the request.
Supervisory Authorities
If you are not satisfied with our response, you may contact your local authority:
- Egypt: Personal Data Protection Centre (PDPC) – pdpc.gov.eg
- Saudi Arabia: National Data Management Office (NDMO)
- UAE: UAE Data Office – uaedataoffice.ae
- EU/EEA: Your national Data Protection Authority (DPA) – edpb.europa.eu
- UK: Information Commissioner's Office (ICO) – ico.org.uk
- South Africa: Information Regulator – inforegulator.org.za
- Nigeria: Nigeria Data Protection Commission (NDPC)
- Kenya: Office of the Data Protection Commissioner (ODPC)
- India: Data Protection Board of India (DPBI)
- Australia: Office of the Australian Information Commissioner (OAIC)
- Canada: Office of the Privacy Commissioner of Canada (OPC)
10. Regional Compliance Notes
We serve customers globally and take specific steps to comply with regional requirements. Below are jurisdiction-specific commitments:
GCC Countries (Saudi Arabia, Bahrain, Qatar, Kuwait, Oman)
- We comply with Saudi Arabia's PDPL (Royal Decree M/19, 2021) including data minimization, purpose limitation, and transfer controls.
- We respect Bahrain's Personal Data Protection Law (2018) and Qatar's PDPA for residents of those countries.
- All processing of GCC resident data follows the principle of explicit consent for non-essential uses.
- We do not process sensitive categories of data (health, religion, political views) of GCC residents without explicit consent.
Egypt (Law No. 151 of 2020)
- We process personal data of Egyptian residents lawfully, fairly, and transparently.
- We respond to data subject requests within 15 days as required.
- We notify the Personal Data Protection Centre (PDPC) and affected individuals of breaches within 72 hours of discovery.
- We do not transfer Egyptian residents' data outside Egypt without adequate safeguards or explicit consent where required.
European Union & EEA (GDPR)
- Where GDPR applies, we act as the Data Controller for data you provide directly to us.
- International transfers of EU/EEA data to third countries (e.g., USA, UAE) are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
- EU/EEA residents have all rights listed in Articles 15–22 of the GDPR and may lodge a complaint with their national DPA.
- Our servers are located in EU data centers (Contabo, Germany), minimizing cross-border transfer exposure for EU data.
United Kingdom (UK GDPR)
- UK residents are protected under the UK GDPR and Data Protection Act 2018, which mirror EU GDPR standards post-Brexit.
- You may contact the ICO (ico.org.uk) if you have concerns about how we handle your data.
United States (CCPA / CPRA – California)
- California residents have the right to know, delete, correct, and opt out of the sale or sharing of their personal information. We do not sell personal information.
- We do not engage in cross-context behavioral advertising or share personal information with advertising networks.
- We will not discriminate against any California resident for exercising their CCPA rights.
- Residents of other US states with enacted privacy laws (Virginia, Colorado, Connecticut, Texas, etc.) may exercise equivalent rights under those laws.
Brazil (LGPD)
- Brazilian residents have all rights provided under the LGPD including confirmation of processing, access, correction, deletion, portability, and information about sharing.
- We rely on legitimate interest and contractual necessity as the primary legal bases; consent is obtained for marketing.
Africa (South Africa POPIA, Nigeria NDPR/NDPA, Kenya DPA)
- South African residents are protected under POPIA; we process data only for a lawful purpose and with accountability.
- Nigerian residents are protected under the NDPR (2019) and NDPA (2023); we appoint a Data Protection Officer upon request.
- Kenyan residents have rights under the Data Protection Act (2019) including the right to data portability and objection.
Asia-Pacific (India, Singapore, Australia)
- Indian residents are protected under the Digital Personal Data Protection Act (DPDPA) 2023; we obtain consent before processing and honor all data principal rights.
- Singapore residents are covered under PDPA 2012; we notify you of data purposes before or at the time of collection.
- Australian residents are protected under the Privacy Act 1988 (Australian Privacy Principles); we provide access and correction rights.
If your country is not specifically listed, we still apply our global baseline standards – the highest level of protection described in this policy – and honor all rights in Section 9 universally.
11. International Data Transfers
Hostinking is incorporated in Dubai, UAE, and our primary servers are located in EU data centers (Contabo GmbH, Germany). As a global service, your data may be accessed by our team or processed by our sub-processors in other countries. When such transfers occur, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): For transfers out of the EU/EEA and UK, we use SCCs approved by the European Commission and, where applicable, the UK ICO.
- Adequacy Decisions: Where the destination country has been deemed adequate by the relevant authority, we rely on that adequacy decision.
- Contractual Safeguards: All sub-processors are bound by data processing agreements requiring GDPR-equivalent protections.
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256), regardless of where it flows.
- Data Minimization: Only the minimum necessary data is transferred to each sub-processor for their specific purpose.
For users in countries with data localization requirements (e.g., certain categories under Saudi PDPL or sector-specific rules in other jurisdictions), we will inform you if your data must be handled differently and obtain any required consents before any cross-border transfer.
You may request a copy of the safeguards we have in place for international transfers by emailing privacy@hostinking.com.
12. Children's Privacy
Our Services are not directed at individuals under the age of 18 (or the minimum legal age in your jurisdiction where higher, such as 16 in some EU member states). We do not knowingly collect personal information from children.
If you are a parent or guardian and believe we have inadvertently collected data from a minor, please contact us immediately at privacy@hostinking.com and we will promptly delete such data. For US residents, this policy is consistent with the Children's Online Privacy Protection Act (COPPA).
13. Third-Party Links
Our website may contain links to third-party websites, knowledge base articles referencing external resources, or integrations with third-party tools. This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party services you access through our platform. We are not responsible for the privacy practices of external sites.
14. Governing Law & Dispute Resolution
This Privacy Policy is governed by the laws of the United Arab Emirates. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Dubai, UAE, unless overridden by mandatory consumer protection laws in your country of residence.
Nothing in this section limits your rights to bring a complaint before your local data protection supervisory authority (as listed in Section 9), which is a right that exists independently and cannot be waived by any contractual provision.
We are committed to resolving privacy disputes amicably. Before initiating formal proceedings, we encourage you to contact our Privacy Team at privacy@hostinking.com to allow us the opportunity to address your concern directly.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable laws in any of the regions we serve. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Send an email notification to all registered account holders at least 14 days before the change takes effect (30 days for material changes affecting GDPR or CCPA rights).
- Display a prominent notice in your dashboard for 30 days after the change takes effect.
For non-material changes (e.g., fixing typos or adding clarifications), we will update this page without prior notice. Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data – regardless of your location – please contact our Privacy Team:
For general support inquiries, please use our contact form or open a support ticket from your dashboard. We support inquiries in English and Arabic.
Your privacy matters – wherever you are
Whether you're in Cairo, Riyadh, London, New York, Lagos, or Singapore – your rights are the same and our commitment to protecting your data is equal.