🔐 Privacy Policy

How OBHost LLC collects, uses, stores and protects your personal data. Your privacy matters — this policy explains exactly what we do with your information and your rights under GDPR, CCPA and international privacy law.

Version 4.0
Effective: April 1, 2025
GDPR · CCPA · PECA Compliant
DPO: info@obhost.net



  • We Don't Sell Data: Never sold, rented or traded to advertisers
  • Encryption at Rest: AES-256 encryption for stored data
  • Regional Hosting: Data residency options in EU, US & APAC
  • Your Rights Respected: Access, delete, export your data anytime

In an effort to protect our clients' and site visitors' privacy and rights, OBHost LLC ("we", "us", "our", "OBHost") has established this Privacy Policy explaining what information we collect and what we do with it. This Privacy Policy is designed to comply with GDPR (EU), UK GDPR, CCPA/CPRA (California), PDPA (Singapore), PIPEDA (Canada) and the Prevention of Electronic Crimes Act (Pakistan). Last updated April 1, 2025.

1. Introduction & Scope

v4.0 · 04/2025
  • This Privacy Policy governs the manner in which OBHost LLC collects, uses, maintains, discloses and protects information collected from users ("User", "you", "your") of our website at https://obhost.net, our client area at https://my.obhost.net, and all related services.
  • OBHost LLC acts as a Data Controller for personal data collected during account registration, billing, support and service provision. When our customers host websites or applications that collect data from their own end-users, OBHost acts as a Data Processor under GDPR Article 28.
  • This policy applies to all services — including shared hosting, reseller hosting, VPS, dedicated servers, domain registration, SSL certificates, email hosting, AI/GPU servers and colocation.
  • By using any OBHost service or website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
  • This Privacy Policy should be read together with the Terms of Service, Acceptable Use Policy and Report Submission Policy.

2. Data We Collect

OBHost collects only the data needed to provide services, process payments, maintain security and communicate with customers. We follow the principle of data minimisation — we don't collect what we don't need.

Personal information you provide directly:

Account Details: Full name, email, phone number, company name, billing address
Payment Information: Processed via PCI-DSS compliant gateways — we don't store full card numbers
Support Communications: Ticket content, live chat messages, phone call recordings (with notice)
Domain Registrant Data: WHOIS information as required by ICANN and registry operators
KYC / Verification: Government ID, business registration (only when fraud prevention requires)
Tax Documentation: W-9, W-8BEN for affiliates (US tax compliance)

Information collected automatically:

IP Addresses: Recorded for security, fraud detection and abuse prevention
Device & Browser: Browser type, OS, device type, screen resolution, referrer URL
Usage Analytics: Pages visited, time on site, search queries, click patterns
Service Logs: Access logs, authentication events, error logs (security purpose)
Cookies & Tracking: Session cookies, preferences, analytics (see §6)
Approximate Location: Derived from IP — used for compliance and localisation

What we DON'T collect: We don't store full credit card numbers (handled by PCI-DSS compliant processors), we don't access your hosted websites' content for marketing, and we don't track you across third-party websites for advertising purposes.

3. How We Use Your Data

Your personal data is used only for the specific, legitimate purposes listed below. We do not repurpose data beyond these uses without your explicit consent.

  • Service Provision — Creating your account, provisioning services, managing your subscriptions, processing payments and renewals.
  • Customer Support — Responding to tickets, live chat messages, phone calls and providing technical assistance.
  • Billing & Invoicing — Generating invoices, processing payments, handling refunds and managing chargebacks.
  • Security & Fraud Prevention — Detecting unauthorised access, preventing account takeovers, identifying fraudulent signups and chargeback abuse.
  • Legal Compliance — Complying with ICANN policies, tax reporting requirements, law enforcement subpoenas, court orders and regulatory obligations.
  • Service Improvement — Analysing aggregated usage patterns to improve our website, services and infrastructure.
  • Service Communications — Sending transactional emails (invoices, service notifications, maintenance alerts, security warnings) — these cannot be opted out of while you have active services.
  • Marketing Communications (opt-in) — Newsletters, product updates, special offers — you can unsubscribe at any time.
  • Affiliate Program Administration — Tracking referrals, calculating commissions, processing affiliate payouts.

4. Legal Basis for Processing (GDPR) (New in v4.0)

Under GDPR Article 6, we must have a legal basis for processing your personal data. Our legal bases are:

Legal Basis | When We Rely On It
Contract (Art. 6(1)(b)) | Providing services, processing payments, support — required to fulfil our contract with you
Legitimate Interests (Art. 6(1)(f)) | Security, fraud prevention, abuse detection, service improvement — balanced against your rights
Legal Obligation (Art. 6(1)(c)) | Tax reporting, ICANN WHOIS, law enforcement cooperation, retaining billing records
Consent (Art. 6(1)(a)) | Marketing newsletters, non-essential cookies, optional analytics — you can withdraw consent anytime
Vital Interests (Art. 6(1)(d)) | Protecting life or preventing serious harm (rare — e.g., CSAM reporting)

5. Sharing Data & Third-Party Services

We never sell your data. Your personal information is never sold, rented, traded or disclosed to advertisers or data brokers. Full stop.

We share data only in these specific circumstances, with carefully selected partners under strict data-processing agreements:

  • Payment Processors — Stripe, PayPal, 2Checkout, local gateways — to process credit card and alternative payments. These processors are PCI-DSS certified and handle card data directly; we never store full card numbers.
  • Domain Registry Operators — ICANN-accredited registries (Verisign, Afilias, nominet, etc.) — to register and manage domain names. Required WHOIS data is shared per ICANN policy.
  • SSL Certificate Authorities — Sectigo, DigiCert, Let's Encrypt — to validate and issue SSL certificates on your behalf.
  • Microsoft — For SPLA and Indirect Partner licensing when you purchase Microsoft products (Windows Server, SQL Server, M365).
  • Cloud Infrastructure Partners — Enterprise datacenter operators hosting our infrastructure — limited to technical data needed for service delivery.
  • Email Delivery Services — For transactional email delivery — limited to sender/recipient addresses and message metadata.
  • Analytics Providers — Privacy-respecting analytics to understand website usage — data is pseudonymised.
  • Legal Authorities — When compelled by valid legal process (subpoena, court order, warrant) — see Report Submission Policy §10.
  • Successors in Business — In the event of merger, acquisition or asset sale, customer data may transfer to the successor — subject to the same privacy commitments.
All data processors sign Data Processing Agreements (DPAs) with OBHost containing GDPR Article 28 required clauses. DPA copies are available to EU/EEA customers on request.

6. Cookies & Tracking Technologies

We use cookies and similar tracking technologies (pixels, local storage, session storage) to make our website work, remember preferences and understand usage. You can control cookies through your browser settings and our cookie banner.

Category | Purpose | Opt-Out
Strictly Necessary | Login, shopping cart, security — the site cannot function without these | Not possible
Functional | Remembering preferences, language, currency, dark/light mode | Via cookie banner
Analytics | Understanding aggregate usage to improve the site (pseudonymised data) | Via cookie banner
Marketing | Personalising content on our site (never cross-site advertising) | Via cookie banner

  • Most cookies expire after 30 days. Session cookies are deleted when you close your browser. Persistent cookies (like "remember me") last up to 1 year.
  • We do not use third-party advertising cookies that track you across other websites for retargeting purposes.
  • You can delete existing cookies and block future cookies through your browser settings. Note that blocking essential cookies may break website functionality.
  • We respect the Global Privacy Control (GPC) signal and Do Not Track (DNT) headers where applicable.

7. Data Retention Periods (New in v4.0)

We retain personal data only as long as necessary for the purposes described in this policy — or as required by law.

Data Type | Retention Period | Reason
Active Account Data | Duration of active service | Required for service provision
Billing & Invoice Records | 7 years after closure | US tax law (IRS)
Support Tickets | 3 years | Service history & quality
Access / Security Logs | 12 months | Security investigations
Marketing Preferences | Until opt-out | Compliance with consent
Closed Account Data | 30 days after closure | Account restoration window
Backups (off-site) | 90 days | Disaster recovery
Abuse & Fraud Records | 5 years | Future abuse prevention
Domain WHOIS | Per ICANN requirements | ICANN compliance
Affiliate Tax Records | 7 years (US) | IRS reporting requirements

After the retention period expires, personal data is anonymised (made irreversibly non-identifiable) or permanently deleted from all active systems and backups.

8. Security Measures

OBHost implements industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure and destruction.

Encryption in Transit: TLS 1.2/1.3 for all connections. HSTS enforced on all user-facing endpoints.
Encryption at Rest: AES-256 encryption for stored data including backups.
Two-Factor Authentication: 2FA available for all client area accounts via TOTP apps.
Access Controls: Strict role-based access with audit logs for all staff access to customer data.
Regular Security Audits: Internal and external penetration testing, vulnerability scans.
PCI-DSS Compliance: Payment processing via PCI-DSS Level 1 certified processors.
Backup & DR: Encrypted off-site backups, disaster recovery testing.
Staff Training: Regular privacy and security training for all employees handling data.

While we implement strong security measures, no system is 100% secure. You play an important role too — use strong passwords, enable 2FA, and notify us immediately of any suspected unauthorised access to your account.

9. International Data Transfers (New in v4.0)

OBHost operates infrastructure in 11 datacenter locations across 9 countries. Your data may be transferred to and processed in countries other than your own — we use lawful transfer mechanisms to protect your rights.

  • For customers in the EU/EEA/UK, we offer the option to host services in EU-based datacenters (Germany, France, Poland) to keep your data within the EU.
  • Where EU personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
  • For UK transfers outside the UK, we rely on the UK International Data Transfer Addendum.
  • We perform Transfer Impact Assessments (TIAs) for data transfers to third countries where appropriate, considering local surveillance laws and legal remedies.
  • For Pakistani customer data, we comply with the Prevention of Electronic Crimes Act (PECA) 2016 and any subsequent data protection legislation.
  • OBHost infrastructure partners maintain ISO 27001, SOC 2 Type II or equivalent certifications where applicable.

10. Your Rights Under GDPR (EU/EEA/UK)

If you are located in the EU, EEA, UK or similar jurisdiction, you have the following rights regarding your personal data. To exercise any right, contact info@obhost.net.

  • Right of Access: Request a copy of all personal data we hold about you (Article 15).
  • Right to Rectification: Correct inaccurate or incomplete personal data (Article 16).
  • Right to Erasure: "Right to be forgotten" — subject to legal retention requirements (Article 17).
  • Right to Restrict Processing: Limit how your data is processed in specific circumstances (Article 18).
  • Right to Data Portability: Receive your data in a structured, machine-readable format (Article 20).
  • Right to Object: Object to processing based on legitimate interests or for marketing (Article 21).
  • Rights re: Automated Decisions: Not be subject to decisions based solely on automated processing (Article 22).
  • Right to Lodge Complaint: Complain to your national supervisory authority if unsatisfied.

OBHost responds to data subject requests within 30 days as required by GDPR Article 12(3). Complex requests may be extended by 60 days with notice. We may need to verify your identity before processing a request.

11. Your Rights Under CCPA/CPRA (California) (New in v4.0)

California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

  • Right to Know — Request disclosure of personal information collected, sources, purposes and categories shared with third parties.
  • Right to Delete — Request deletion of personal information, subject to legal and operational retention requirements.
  • Right to Correct — Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing — We do not sell or share personal information for cross-context behavioural advertising, so there's nothing to opt out of.
  • Right to Limit Use of Sensitive PI — Request limitation on the use of sensitive personal information.
  • Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.

To exercise CCPA rights, email privacy@obhost.net with subject "CCPA Request". You may designate an authorised agent to act on your behalf with written permission. We respond within 45 days as required by CCPA.

12. Children's Privacy

OBHost services are not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16 without verifiable parental consent.
  • Account registration requires users to be at least 18 years of age or the age of majority in their jurisdiction, whichever is greater.
  • If we discover that a person under 16 has registered an account or provided personal information without parental consent, we will delete the account and associated data promptly.
  • Parents or guardians who believe their child has provided personal information to OBHost should contact privacy@obhost.net for assistance with account deletion.
  • We comply with COPPA (Children's Online Privacy Protection Act) for US-based children's data.

13. Data Breach Notification (New in v4.0)

In the unlikely event of a personal data breach affecting your rights and freedoms, OBHost commits to the following:

  • We will notify affected users without undue delay — typically within 72 hours of becoming aware of the breach — as required by GDPR Article 34.
  • We will notify relevant supervisory authorities (e.g., Irish DPC for EU, ICO for UK) within 72 hours of awareness, per GDPR Article 33.
  • Notifications will include: the nature of the breach, categories and approximate number of affected individuals, likely consequences, measures taken to mitigate, and contact information for the DPO.
  • We maintain an incident response plan with designated teams for detection, containment, investigation and communication.
  • All security incidents are documented internally for 5 years for audit purposes.
If you suspect your OBHost account has been compromised, notify us immediately at support@obhost.org or open an urgent ticket marked [SECURITY-URGENT].

14. Policy Updates

  • OBHost may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or service offerings.
  • Material changes (significant changes to how we use data or to your rights) will be communicated by email to active customers at least 30 days before taking effect.
  • Minor changes (clarifications, typo fixes, formatting) will be reflected on this page with an updated "Effective" date.
  • The "Effective" date at the top of this page always reflects the most recent version. Historical versions are available on request via privacy@obhost.net.
  • Continued use of OBHost services after a Privacy Policy change constitutes acceptance of the updated policy.

15. Contact & Data Protection Officer

For any privacy-related questions, data subject requests, or to contact our Data Protection Officer:

Privacy & Data Protection Contacts
Data Protection Officer: info@obhost.net
General Support: support@obhost.org
Support Ticket: Open a Ticket
Postal Address for Privacy Matters:
OBHost LLC — Data Protection Officer
16192 Coastal Highway, Lewes, Delaware 19958, United States
DUNS: 00-373-8107
EU/EEA customers: You have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.