PRIVATEBYTE
LegalHomeSign in

Privacy Policy

Last modified: 21 April 2026

This Privacy Policy explains how PRIVATEBYTE collects, uses, retains, and protects your personal data when you use our hosting, proxy, and AI-agent services. We are a UK company and this policy is written to comply with the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018.

We designed this policy to be shorter and clearer than most. If anything is unclear, email us at [email protected] and we'll explain in plain English.

1. Who we are

PRIVATEBYTE is the data controller for personal data processed under this policy.

  • Registered address: 128 City Road, London, EC1V 2NX, United Kingdom
  • Privacy contact: [email protected]
  • General support: [email protected]

2. What this policy covers

This policy covers personal data we collect when you:

  • Create an account on my.privatebyte.com
  • Purchase and use our hosting, proxy, or OpenClaw AI-agent services
  • Contact our support team
  • Link your Telegram account for notifications and server management
  • Make a payment, including in cryptocurrency
  • Visit our websites (privatebyte.com, my.privatebyte.com, pay.privatebyte.com)

It does not cover data you voluntarily store on your VMs, in your OpenClaw agents, or in your proxy traffic. That data is yours, stored on infrastructure you control, and we do not inspect or access it.

3. What we collect and why

We only collect the data we actually need to deliver and bill our services.

3.1 Account data

  • Name, email address, postal address, phone number
  • Purpose: creating your account, invoicing, and contacting you about your services
  • Lawful basis: contract (UK-GDPR Article 6(1)(b))

3.2 Payment data

  • Card details are never stored on our systems. Our payment processors tokenise your card and we only hold the token. Raw card data never touches our infrastructure.
  • Cryptocurrency transactions: wallet address, transaction hash, amount, timestamp
  • Purpose: processing payments and producing accounting records
  • Lawful basis: contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) for tax record-keeping

3.3 Service and usage data

  • Service metadata: VM names, IP addresses assigned to you, plan tier, location, OS, resource usage
  • Logs we keep:
    • Authentication events, admin API calls, VNC console access, firewall events. Retained 30–90 days depending on category.
    • Proxy audit log (proxy customers only): your connecting IP, the destination hostname, the HTTP method, the upstream status code, bytes transferred, timestamp. Retained 90 days. We use this to (a) respond to abuse complaints from destination networks, (b) respond to lawful demands from authorities, (c) protect the IP reputation of our shared proxy network, and (d) defend our own upstream provider relationships from abuse penalties.
  • What we do NOT log:
    • Contents of your VMs, files, or any data they store.
    • Network traffic passing through your VMs (we operate IaaS — your VM is a private box to us).
    • URL paths, query strings, request bodies, or response bodies of your proxy requests. We log destination hostname only. The path, parameters, and contents of what you send and receive are invisible to us.
    • Code running in your OpenClaw agents.
  • Lawful basis: legitimate interests (UK GDPR Article 6(1)(f)) — network security, abuse prevention, incident investigation, and protection of our supply-chain relationships with upstream proxy providers. The retention periods are the minimum we believe are necessary for these interests; you have the right to object (see Section 8).

3.4 Support communications

  • Content of tickets and emails you send to us, attachments, and our replies
  • Lawful basis: contract (Article 6(1)(b)) — you contacted us about our service

3.5 Telegram link

  • Telegram user ID, username, and a verification token, if you voluntarily link your Telegram account for notifications and server management
  • Lawful basis: consent (Article 6(1)(a)) — you opt in; you can unlink at any time from the portal

3.6 Marketing preferences

  • A flag indicating whether you have opted in to receiving marketing emails from us
  • Lawful basis: consent (Article 6(1)(a))

3.7 Website analytics

  • Approximate location derived from IP, browser type, pages viewed
  • We do not use third-party ad tracking, behavioural profiling, or fingerprinting

4. Where your data goes

We use third-party service providers to deliver our services. To protect our commercial supply chain, we disclose these providers by category in this public policy. On individual request, we will provide the specific sub-processor names and locations applicable to your data (see Section 8, your rights).

Categories of recipients

  • Cloud infrastructure and compute platforms — where our portal, billing system, and VM hypervisors run
  • Email delivery providers — to send transactional and support emails
  • Content delivery and DDoS protection providers — to protect our websites and your VMs
  • Payment processing gateways — to handle card payments
  • Cryptocurrency settlement networks — to accept and convert crypto payments
  • IP address and routing providers — to allocate and maintain IP ranges used by customer VMs
  • Customer messaging and bot platforms — for features like Telegram notifications, if you use them
  • Tax, accounting, and legal advisors — to meet our regulatory obligations
  • Court or regulatory authorities, and law enforcement agencies acting under valid legal process — if we are legally required to disclose data under UK law or under a recognised mutual legal assistance treaty. We log every such disclosure and, where lawful, notify the affected customer. See our Abuse and Legal Process page for the procedural details.

International transfers

Some of these providers are based outside the UK, including in the United States and the European Union. Where data is transferred outside the UK, we rely on one of:

  • the UK Adequacy Regulations (for EU transfers)
  • the UK extension to the EU–US Data Privacy Framework
  • Standard Contractual Clauses approved by the UK Information Commissioner

We do not sell your personal data to anyone, and we do not share it with third parties for their own marketing.

5. Cookies

We use the minimum set of cookies required to operate the service.

  • Strictly necessary cookies: session ID, CSRF token, login state. Cannot be disabled — the site does not work without them.
  • Functional cookies: UI preferences like dark mode, selected currency
  • We do not use: third-party advertising cookies, behavioural tracking, fingerprinting, or social media pixels

You can disable all cookies in your browser, but necessary cookies mean you would not be able to log in or make purchases.

6. How long we keep your data

Our default is to keep data only as long as we need it.

Data Retention
Active account details For the life of your account
Authentication and session logs 30 days
Proxy audit log (proxy customers only) 90 days
Admin and audit logs 90 days
Support tickets For the life of your account
Backups of your VMs 7 days rolling
Invoices and transaction records 6 years (HMRC tax requirement)

What happens when you close your account

Our commitment is simple: we do not retain data on former customers beyond what the law requires of us.

When you close your account:

  • Your name, email address, postal address, phone number, payment methods, Telegram link, session logs, and support history are permanently deleted.
  • Your account email is replaced with an opaque placeholder (for example, [email protected]) so your identity can no longer be derived from our systems.
  • Your transaction records (invoice numbers, dates, amounts, service types, VAT treatment) are retained for 6 years because UK tax law (HMRC record-keeping rules) requires it. These records contain no personal identifiers after closure.
  • After 6 years, the transaction records are deleted in full.

This approach is known as pseudonymisation under UK-GDPR Article 4(5) and is explicitly supported by the Information Commissioner's Office as a way to reconcile the right to erasure with overriding legal retention requirements.

If you believe a specific record contains personal data that should not be retained, contact us at [email protected] and we will review it.

7. Security

We protect your personal data using industry-standard security controls, including:

  • Encryption in transit for all portal and service traffic
  • Tokenisation and segregation of payment data
  • Strict access controls for administrative functions, with multi-factor authentication
  • Physical and network security at our hosting facilities
  • Ongoing monitoring, patching, and independent security reviews

No system is perfectly secure. If we suffer a data breach that is likely to affect you, we will notify you and the Information Commissioner's Office within 72 hours as required by Article 33 of UK-GDPR.

8. Your rights

Under UK-GDPR you have the following rights over your personal data:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — ask us to delete your data (subject to the HMRC retention exception above)
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, for any processing based on consent (for example, Telegram link, marketing)

How to exercise your rights

Email [email protected] with your request from the email address associated with your PRIVATEBYTE account. We will respond within 30 days. We will not charge a fee except where requests are manifestly unfounded or excessive.

Identity verification

For requests that involve disclosing information to you — such as a copy of your personal data (access request) or our subprocessor list — we verify your identity before responding. This is both an UK-GDPR Article 12(6) safeguard and a practical protection: without verification, an attacker could use disclosure requests to harvest information about you or enumerate our supply chain.

Verification typically means either:

  • replying from your registered account email and confirming a recent invoice number or service identifier, or
  • providing a copy of government-issued photographic ID if you can no longer access the registered email.

For requests that involve reducing or removing data (erasure, restriction, withdrawal of consent), we do not require additional ID verification — asking for less data about yourself is not something we need to protect against.

Subprocessor disclosure on request

The specific names and locations of our subprocessors are commercially sensitive, and we do not publish them to protect our supply chain from targeted attack. You have the right to request them, and we will provide the full list applicable to your account once your identity has been verified as described above.

Right to complain

If you are not satisfied with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office: ico.org.uk or 0303 123 1113. We would prefer you raise concerns with us first so we can put things right.

9. Children

Our services are not directed to people under 18 and we do not knowingly collect data about children. If you believe we have, email [email protected] and we will delete the data.

10. Changes to this policy

If we make material changes, we will notify active customers by email at least 14 days before the change takes effect. Non-material changes (typos, clarifications, re-ordering) may be made without notice. The "last modified" date at the top of this page always reflects the most recent version.

Previous versions of this policy are available on request.

11. Contact

  • Privacy questions: [email protected]
  • General support: [email protected]
  • Post: PRIVATEBYTE, 128 City Road, London, EC1V 2NX, United Kingdom

Related documents

Terms of ServiceAcceptable Use PolicyRefund PolicyService Level AgreementAbuse & Legal Process
PRIVATEBYTE

High-performance VPS hosting with unmetered bandwidth, free DDoS protection, and no hidden fees.

TelegramExcellent on Trustpilot
Product
FeaturesPricingProxiesStatus
Company
AboutContactTerms of ServicePrivacy PolicyAcceptable UseRefund PolicySLA
Resources
Client PortalSupport
© 2026 PRIVATEBYTE LTD · 128 City Road, London, EC1V 2NX, United KingdomAll prices in USD. All plans include IPv4, DDoS protection, backups & snapshots.