Sign inDeploy a VPS
NODED.CLOUD/Legal/Privacy

Privacy policy.

What personal information we collect when you use NODED.CLOUD, why we collect it, and the rights you have to access, correct, or delete it.

Last updated: May 9, 2026

Operator: X ZONE IT SRL · VAT RO48893724 · Reg. Com. J52/908/2023 · Giurgiu, Romania

Questions? Email [email protected] or visit our contact page.

Introduction

X ZONE IT SRL ("NODED.CLOUD", "we", "us") operates the NODED.CLOUD hosting platform and the websites NODED.CLOUD and noded.cloud. This policy explains what personal information we collect, why we collect it, and the rights you have over it.

In short: we collect what we need to run hosting services, and nothing more. We are GDPR, CCPA, and ISO 27001 aligned. If you have questions or want to exercise a right under any applicable privacy law, write to us at [email protected] and we’ll respond within 30 days.

Data controller

The data controller for personal information collected through this site and our services is:

  • X ZONE IT SRL
  • VAT / CUI: RO48893724
  • Reg. Com.: J52/908/2023 (EUID ROONRC.J52/908/2023)
  • Registered office: Bdul. 1 Mai 57, Sat Mihai Vodă, jud. Giurgiu, 087016, Romania
  • Contact: [email protected]

What we collect

Account and billing data

When you sign up we collect your name, email, billing address, VAT/tax ID where applicable, and the contents of any tickets or chats you send us. Payment card data is handled by our PCI-DSS compliant processor; we never store full card numbers.

Service operating data

To run the platform we collect server usage metadata (CPU, network, storage, uptime), API request logs, and abuse-report-relevant traffic flow records. We do not read the contents of your servers, your databases, or your customer-facing traffic.

Website telemetry

Our websites set first-party cookies and a small amount of session telemetry. See the Cookie Policy for the full list and how to opt out.

How we use it

We use personal data only for legitimate purposes:

  • Service delivery — provisioning, billing, account management, support tickets.
  • Security and abuse handling — DDoS mitigation, anti-fraud, complying with abuse reports.
  • Legal compliance — responding to lawful court orders, tax records, anti-money-laundering checks.
  • Service improvement — anonymous, aggregated usage statistics. Never sold, never shared.

What this means in practice: we do not sell personal data to third parties, run behavioral advertising on our site, or share your data with marketing networks.

Who we share with

We share personal data only with:

  • Subprocessors we use to run the business: payment processors, transactional email providers, our datacenter operators, and our identity provider. Each is bound by a written DPA.
  • Lawful authorities when compelled by valid court order. We publish a transparency report annually.

A current subprocessor list is available on request from [email protected].

International transfers

Our primary infrastructure runs in the European Union. Customer data is stored in the region you provision. For non-EU customers we may transfer some operational data (mostly billing) outside the EEA. Where we do, we rely on Standard Contractual Clauses approved by the European Commission.

Customers in regulated EU industries (healthcare, finance, public sector) can request EU-only processing as a contractual addendum.

How long we keep it

Account data is kept for the lifetime of your account plus 7 years to satisfy Romanian tax law on invoicing. Server operating data (logs, metrics) is retained for 90 days unless required longer for an active investigation. Marketing communications opt-ins are kept until you unsubscribe.

Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase data ("right to be forgotten"), subject to legal retention.
  • Restrict processing in certain circumstances.
  • Port your data to another provider in a structured, machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent for any processing based on consent.
  • Lodge a complaint with a supervisory authority — for EU residents, this is the Romanian ANSPDCP.

To exercise any of these, email [email protected]. We respond within 30 days, or sooner where required by law.

How we protect data

We hold ISO 27001 certification and align our practices with SOC 2 Type II controls. All customer data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to customer environments by our staff requires hardware-token MFA and is fully audit-logged.

Changes to this policy

We notify customers of material changes by email at least 30 days before they take effect. Non-material changes (typo fixes, clarifications) are published with an updated "Last updated" date.

Contact

Questions about this policy or our data practices: [email protected].

Data Protection Officer: [email protected] (PGP key on request).

Postal: X ZONE IT SRL · Bdul. 1 Mai 57, Sat Mihai Vodă, jud. Giurgiu, 087016, Romania. You can also use our contact page.

Need to talk to a person? Reach the team via the contact page or email [email protected].