z3box PRIVACY POLICY
Effective Date: April 27, 2026

This Privacy Policy describes how BSQL Networking ("BSQL Networking,"
"we," "us," "our") collects, uses, discloses, and safeguards information
when you visit our website, create an account, or use our Services
(offered under z3box hosting). It applies to information we
process as a controller about our customers and website visitors. It does
not apply to data you store on the Services as Customer Content, where we
act as a processor or service provider on your behalf.


1. INFORMATION WE COLLECT

1.1 Information You Provide
  - Account information: name, email address, billing address, and
    account credentials.
  - Communications: messages you send to support, abuse, or legal
    contacts.
  - Service configuration: hostnames, SSH keys, OS choices, and similar
    technical inputs.

1.2 Information Collected Automatically
  - Server and connection logs: IP address, user-agent, request
    timestamps, request paths, and bandwidth usage.
  - Security and abuse logs: authentication attempts, rate-limit events,
    and signals associated with abuse detection. IP addresses and similar
    identifiers may constitute personal data under applicable law.
  - Cookies: strictly necessary cookies for authentication and session
    integrity. We do not use tracking cookies, third-party analytics,
    advertising trackers, or behavioral profiling.

1.3 Information from Third Parties
  - Payment processor: payments are handled by Stripe under its own
    privacy policy at https://stripe.com/privacy. We receive only limited
    transaction metadata (such as confirmation, last four digits of the
    payment instrument, country of issuance, and a transaction
    identifier). We do not receive or store full payment card numbers.

1.4 Categories Collected (CCPA/CPRA)
For California residents, the categories of personal information we have
collected in the past 12 months are: identifiers (name, email, IP
address, account ID); customer records (billing address); commercial
information (transaction history); internet/network activity (server and
connection logs); approximate geolocation (IP-derived only); and
inferences drawn for fraud and abuse prevention. We disclose these same
categories to service providers (Stripe, infrastructure vendors) for the
business purposes described in Section 3. We do not collect sensitive
personal information beyond account credentials.


2. CONTROLLER AND PROCESSOR ROLES

For account, billing, and server-usage data we collect about you, we are
the data controller (or "business" under California law). For Customer
Content, you are the controller and we act only as a processor (or
"service provider") to the extent we incidentally handle such data in
operating the underlying infrastructure. We do not access, monitor,
analyze, or use Customer Content for our own purposes. No Data Processing
Agreement (DPA) is provided by default; if you require one, contact
hello@z3box.net. Provision is at our discretion and may be subject to
additional terms.


3. HOW WE USE INFORMATION

  - To provide, maintain, and support the Services, including
    provisioning servers and processing payments through Stripe.
  - To secure the Services, detect and prevent fraud and abuse, and
    enforce our Terms and AUP.
  - To communicate with you about your account, transactions, and
    service-impacting events.
  - To comply with legal obligations, respond to lawful requests, and
    protect rights, property, and safety.

We do not sell your personal information, and we do not "share" it for
cross-context behavioral advertising as those terms are defined under
California law.


4. LEGAL BASES (EEA / UK USERS)

If you are in the European Economic Area, the United Kingdom, or another
jurisdiction with similar laws, we process your personal data on the
following legal bases under the GDPR / UK GDPR:

  - Contract (Art. 6(1)(b)): to provide the Services you requested.
  - Legitimate interests (Art. 6(1)(f)): to secure our infrastructure,
    prevent abuse, and operate the business.
  - Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and
    law-enforcement requirements.
  - Consent (Art. 6(1)(a)): where required, for optional communications.


5. CUSTOMER CONTENT AND ACCESS

We respect the confidentiality of Customer Content. As a general practice,
we do not examine, access, or use Customer Content. We reserve the right
to access it where, in our reasonable judgment, doing so is necessary to:
comply with valid legal process or applicable law; investigate, prevent,
or respond to suspected fraud, abuse, security incidents, or violations
of our Terms; diagnose or remediate a specific technical issue you
reported, or address a clear and present threat to our infrastructure or
other customers; protect the rights, property, or safety of BSQL
Networking, our customers, or others; or act with your explicit consent.

The backup service requires client-side encryption and is delivered as a
VPS without a public IP, accessible only through a NAT-translated SSH
port. We generally do not have access to encrypted contents but retain
access to associated metadata (account identifiers, file sizes,
timestamps, access logs). We do not hold your encryption keys. If you
lose your keys, your data is unrecoverable.

Where we are legally compelled to disclose Customer Content, we will,
where permitted by law and reasonably practicable, give you notice so you
may seek to challenge the request. We are not obligated to challenge
legal process on your behalf and may be prohibited from notifying you in
cases involving non-disclosure or gag orders.


6. DISCLOSURES OF INFORMATION

We disclose information only as described below:

  - Service providers (processors): Stripe for payment processing, and
    infrastructure and colocation vendors that process data on our behalf
    under appropriate confidentiality obligations.
  - Legal and safety: to comply with subpoenas, court orders, search
    warrants, or other legal process; to respond to lawful emergency
    requests under 18 U.S.C. § 2702(b)(8)/(c)(4); to NCMEC and law
    enforcement where required by law; and to protect the rights,
    property, or safety of BSQL Networking, our users, or the public.
  - Successors: in connection with a merger, acquisition, financing,
    reorganization, or sale of assets, subject to confidentiality.
  - With your direction or consent: for any other disclosure you
    authorize.


7. INTERNATIONAL DATA TRANSFERS

We are based in California, USA, and process data in the United States. If
you access the Services from outside the U.S., your information will be
transferred to and processed in the U.S., which may not provide the same
level of data protection as your home jurisdiction. Where required, we
rely on appropriate safeguards such as the EU Standard Contractual Clauses
and the UK International Data Transfer Addendum.


8. DATA RETENTION

  - Account email and profile information: while your account is active
    and up to 12 months after closure for record-keeping and fraud
    prevention.
  - Server and connection logs and performance metrics: up to 90 days,
    except where a longer period is necessary to investigate a specific
    incident or comply with legal obligations.
  - Billing and transaction records: as required by tax and accounting
    laws (typically 7 years).
  - Support communications: up to 24 months after the matter is
    resolved.
  - Backup ciphertext: retained according to your subscription; deleted
    immediately and permanently on cancellation, suspension, non-payment,
    or termination.


9. SECURITY AND BREACH NOTIFICATION

We use administrative, technical, and physical safeguards designed to
protect personal information, including TLS in transit, restricted
administrative access, access logging, and host hardening. The backup
service additionally requires client-side encryption and is not exposed
to the public internet (no public IP; access only via a NAT-translated
SSH port). No method of transmission or storage is completely secure, and
we cannot guarantee absolute security. You are responsible for the
security of your own credentials, encryption keys, and the data you
process on the Services. In the event of a personal data breach affecting
your information, we will notify affected users and applicable regulators
in accordance with applicable law and without undue delay.


10. YOUR CHOICES AND RIGHTS

10.1 California Residents (CCPA / CPRA)
California residents have the following rights, subject to verification
and statutory exceptions:

  - Right to know what personal information we collect, use, and
    disclose.
  - Right to access and obtain a copy of your personal information.
  - Right to correct inaccurate personal information.
  - Right to request deletion of personal information.
  - Right to limit the use and disclosure of sensitive personal
    information.
  - Right to opt out of sale or sharing for cross-context behavioral
    advertising. We do not sell or share personal information as those
    terms are defined by California law.
  - Right to non-discrimination for exercising any of these rights.

To exercise these rights, contact hello@z3box.net. We will verify your
request by confirming control of the account email or by other reasonable
means. You may use an authorized agent; we will verify the agent's
authority and your identity.

10.2 EEA / UK Residents (GDPR / UK GDPR)
You have the rights of access, rectification, erasure, restriction,
portability, and objection, and the right not to be subject to a decision
based solely on automated processing producing legal effects. Where
processing is based on consent, you may withdraw consent at any time. You
have the right to lodge a complaint with your supervisory authority (e.g.,
the UK ICO or your local EEA Data Protection Authority). We would
appreciate the opportunity to address your concerns first.

10.3 Other U.S. State Privacy Laws
Residents of states with comprehensive privacy laws (including Virginia,
Colorado, Connecticut, Utah, Texas, Oregon, and others as enacted) may
have similar rights of access, deletion, correction, and opt-out of
certain processing. Contact hello@z3box.net to exercise these rights.

10.4 Global Privacy Control
Our website honors the Global Privacy Control (GPC) signal as an opt-out
of "sale" and "sharing" where applicable. Because we do not engage in
such activities, the practical effect is informational.


11. CHILDREN'S PRIVACY

The Services are not directed to children under 13 (or under 16 in the
EEA / UK). We do not knowingly collect personal information from children.
If you believe a child has provided personal information to us, contact
hello@z3box.net so we can delete it.


12. THIRD-PARTY SERVICES

The Services may interact with third-party services (e.g., Stripe,
upstream networks). Their use of information is governed by their own
privacy policies, which we encourage you to review.


13. CHANGES TO THIS POLICY

We may update this Policy from time to time. We will post the updated
version with a new effective date and, for material changes, provide
additional notice by email to your account address or by prominent notice
on our website. Continued use after the effective date constitutes
acknowledgment.


14. CONTACT US

BSQL Networking
z3box hosting

General:  hello@z3box.net
Abuse:    abuse@bsql.net