Skip to content

Privacy Policy

Last updated: May 2026

1. Data Controller

HostStack is operated by MICCI (CVR: 45587452, Fyrretoften 31, 7100 Vejle, Denmark). MICCI is the data controller for personal data processed through the HostStack website, dashboard, and account administration.

For any personal data you (as a customer) upload, store, or otherwise process using HostStack services (for example, end-user data in a database you provision), MICCI acts as a data processor on your behalf — see our Data Processing Agreement.

2. Information We Collect

We collect information you provide directly, including: name, email address, billing address, VAT ID (where applicable), payment information (handled by Stripe — we never see full card numbers), and any content you deploy to our platform. We also automatically collect usage data, IP addresses, and browser information for service operation, abuse prevention, and security audit logging.

If you sign in via a third-party provider (GitHub, GitLab, or Bitbucket), we receive your provider user ID, username, email address, avatar URL, and an OAuth access token scoped to the repositories you authorise. The token is encrypted at rest (AES-256-GCM) and used only to read commits and trigger builds for repositories you have explicitly connected. You can disconnect a provider at any time from your account settings.

3. How We Use Your Information and Legal Basis

We process personal data on the following GDPR Article 6 legal bases:

  • Contract (Art. 6(1)(b)): to provide and maintain the Service, process payments, and send service-related notifications.
  • Legal obligation (Art. 6(1)(c)): to keep invoices and accounting records for the statutory period under Danish law (5 years).
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, and improve the product. We balance these interests against your rights and privacy.
  • Consent (Art. 6(1)(a)): for any optional processing (for example, product announcement emails if you opt in).

We do not sell your personal information to third parties.

4. Data Storage and Security

All data is stored on dedicated European infrastructure in the European Union unless you explicitly select a non-EU region at project creation. We implement industry-standard security measures including encryption at rest and in transit, access controls, and regular security audits.

5. Data Sharing and Sub-Processors

We share your information with a limited set of sub-processors that are necessary to deliver the Service (infrastructure, payment processing, transactional email). The current list — including legal names, locations, and international-transfer safeguards — is published in our Data Processing Agreement. We may also disclose personal data where required by law.

6. International Transfers

Where personal data is transferred outside the EU/EEA (for example, to Stripe's US entity), we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism, and the sub-processor's own safeguards. Customer-uploaded data stays in the region you select when creating a project.

7. Your Rights

Under GDPR Articles 15–22 you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability in a machine-readable format (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Not be subject to automated decision-making with legal effect (Art. 22)

To exercise any of these rights, contact privacy@hoststack.dev.

You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.

8. Cookies

We use essential cookies for authentication and session management plus one cookie that remembers your dismissal of the cookie banner. We do not use third-party advertising or behavioural-tracking cookies on our own domains. See our Cookie Policy for the full list.

9. Data Retention

We retain your personal data for as long as your account is active. The following per-category retention windows apply automatically:

  • Account audit log (logins, permission changes, admin actions): 365 days, then automatically purged.
  • Deploy logs (build output, container start traces): 90 days, then automatically purged.
  • Runtime logs (your services' stdout/stderr): 30 days, then automatically purged. Increase by exporting to your own log drain.
  • Usage records (compute hours, bandwidth, etc.): 395 days — keeps the prior full billing year for invoice disputes.
  • Backup files (managed databases): 7 most recent per database locally; off-site lifecycle is provider-configurable.
  • Invoices and accounting records: 5 years, as required by Danish bookkeeping law (Bogføringsloven § 10).

When you delete your account, we permanently delete your user record, all owned teams, and all owned resources within 30 days. Activity log entries retain the action and context but the link to your user is removed (set to NULL), preserving audit trails without identifying you. Invoices and accounting records are retained separately for the statutory 5 years.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service. Continued use after changes constitutes acceptance.

11. Contact

For privacy-related questions or to exercise your data rights, contact us at privacy@hoststack.dev.

MICCI — CVR: 45587452Fyrretoften 31, 7100 Vejle, Denmark

Essential cookies only — for login sessions. No tracking. Details