Privacy Policy

The data controller responsible for your personal data is:

For all data protection enquiries, including requests to exercise your rights, please contact us at legal@corecld.com with the subject line "Data Protection Request". We aim to respond within 30 days.

As a US-based company that processes the personal data of individuals in the European Economic Area, we may be required under Article 27 of the EU GDPR to designate a representative within the EU. Details of our EU representative, where applicable, will be published at corecld.com/legal/impressum. For all data protection enquiries, including those from EEA residents, please contact legal@corecld.com.

We collect personal data only where it is necessary for the purposes described in this Policy. We do not collect more data than we need.

We do not process special category data (as defined in Article 9 GDPR), such as health, biometric, or racial or ethnic origin data.

Every processing activity we perform has a lawful basis under Article 6 of the EU GDPR:

4.1Performance of a contract (Article 6(1)(b)): We process account data, service data, and payment records to perform our contractual obligations — including provisioning and operating the VPS service and issuing invoices.

4.2Legal obligation (Article 6(1)(c)): We retain billing and invoice records for a minimum of 7 years in accordance with applicable tax and financial record-keeping obligations, including EU VAT requirements where applicable.

4.3Legitimate interests (Article 6(1)(f)): We retain network and system logs for security monitoring, abuse investigation, and fraud prevention. We maintain records of AUP violations to protect our infrastructure and other customers. Our legitimate interests in operating a secure, reliable service outweigh the limited privacy impact of retaining technical log and security data.

We do not use consent as a legal basis for any processing activity described in this Policy. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

We use your personal data strictly for the following purposes:

• To provision, operate, and maintain your VPS services
• To issue invoices, process payments, and manage your billing account
• To send transactional communications: order confirmations, invoices, payment reminders, service alerts, and planned maintenance notifications
• To respond to support requests and investigate reported issues
• To detect, investigate, and respond to fraud, abuse, security incidents, and violations of our Acceptable Use Policy
• To comply with legal and regulatory obligations, including responding to lawful requests from competent authorities

We do not use your personal data for marketing or advertising purposes. We do not sell, rent, or trade personal data. We do not share your data with any third party for their marketing purposes.

We retain personal data only for as long as is necessary for the purpose it was collected, or as required by law:

7.1We do not sell, rent, or share personal data with third parties for commercial purposes. We share data only with the following third-party processors, strictly for service delivery:

7.2WHMCS: Our billing and account management platform. Account data, invoices, and order records are processed through WHMCS to manage your subscription and issue invoices.

7.3VirtFusion: Our server provisioning and control panel platform. Service data including assigned IP addresses and VPS configuration is processed through VirtFusion to provision and manage your server.

7.4Equinix (colocation facility): Our servers are colocated at Equinix FR5, Frankfurt am Main, Germany. Equinix has physical access to the facility for operational purposes only — no personal data is shared with Equinix.

7.5Payment processors: When you make a payment, your payment details are submitted directly to our payment service provider. We receive only a transaction confirmation and masked reference. Our payment processor acts as an independent data controller subject to their own privacy policy and PCI DSS obligations.

7.6Legal disclosure: We may disclose personal data to law enforcement, regulatory authorities, or competent courts where required by applicable law, a valid court order, or other legal compulsion. Where legally permitted, we will notify the affected Customer before making such a disclosure.

7.7We do not sell, rent, or trade your personal data to any third party under any circumstances. Any third party who processes personal data on our behalf is required to enter into a Data Processing Agreement (DPA) under Article 28 of the EU GDPR.

7.8International transfers: Our infrastructure is located within the European Economic Area (Equinix FR5, Frankfurt, Germany). Our company is incorporated in the United States. Transfers of personal data from the EEA to the United States are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of protection for your personal data.

8.1We use only strictly necessary session cookies on our billing portal (billing.corecld.com) to maintain your logged-in session. This cookie is required for the portal to function and expires when you log out or close your browser. No persistent tracking identifiers are set.

8.2We do not use tracking, advertising, or analytics cookies. No third-party marketing scripts are loaded on corecld.com.

8.3Your chosen display theme preference (light/dark mode) is stored in your browser's local storage. This data does not leave your device and is not accessible to us.

8.4We do not use Google Analytics, Google Tag Manager, Meta Pixel, or any other third-party analytics, advertising, or tracking technology.

If you are located in the EEA, you have the following rights under the EU GDPR in relation to your personal data:

• Right of access (Article 15): You have the right to request confirmation of whether we hold personal data about you and, if so, to receive a copy of that data and information about how it is processed.
• Right to rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay.
• Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where there is no overriding legal basis for continued processing. This right does not apply to data we are legally required to retain (e.g. billing records).
• Right to restriction (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as while you contest the accuracy of data.
• Right to data portability (Article 20): Where processing is based on contract performance, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Article 21): You have the right to object to processing of your personal data where we rely on legitimate interests (Article 6(1)(f)) as the legal basis. We will cease processing unless we have compelling legitimate grounds that override your interests.
• Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at legal@corecld.com. We will respond within 30 days. There are no fees for exercising your rights, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act.

10.1If you believe our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority. We encourage you to contact us first so we can attempt to resolve your concern.

10.2If you are located in the EEA, you may lodge a complaint with the supervisory authority in your country of habitual residence or place of work. As our servers are located in Germany, you may also contact the German federal data protection authority:

10.3You may also contact the supervisory authority of your country of habitual residence. A full list of EU data protection authorities is available at edpb.europa.eu.

10.4If you believe we have not handled your data correctly, we encourage you to contact us first at legal@corecld.com so we can attempt to resolve your concern before escalating to a supervisory authority.

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered Customers by email and post a notice in the billing portal at least 14 days before the changes take effect. The current version is always available at corecld.com/legal/privacy.