Privacy Policy and Personal Data Processing

Introduction

Core Hosting OÜ ("Core Hosting", "we", "us", or "our") provides web hosting, VPS, dedicated servers, domain name registration, and related services (collectively, the "Services").

At Core Hosting, the privacy and security of our customers and website visitors ("Customers", "Visitors", "you", "your") is of paramount importance. We are committed to protecting the data you share with us.

This Privacy Policy ("Policy") explains how Core Hosting processes information that can be used to directly or indirectly identify an individual ("Personal Data") collected through our websites, services, customer portal, and mobile applications (collectively, the "Platform").

Core Hosting operates in accordance with the laws of the Republic of Estonia and European Union legislation, including Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and the Estonian Personal Data Protection Act.

For the purposes of this Policy, the terms "personal data", "controller", "processor", and "data subject" have the meanings defined in the GDPR.

By using the Services, you acknowledge having read and understood this Privacy Policy.

For any questions regarding this Policy or any requests regarding the processing of personal data, please contact us at dpo@core.hosting

General Principles and Confidentiality

Core Hosting processes all Personal Data adhering to the general data processing principles:

• Lawfulness, fairness, and transparency: processing lawfully, fairly and in a transparent manner;
• Purpose limitation: collecting and processing only for specified, explicit and legitimate purposes;
• Data minimization: ensuring that Personal Data is adequate, relevant and limited to what is necessary;
• Accuracy: ensuring that Personal Data is accurate and, where necessary, kept up to date;
• Storage limitation: keeping Personal Data in a form which permits identification for no longer than is necessary;
• Integrity and confidentiality: processing in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

All information stored on Core Hosting's Platform is treated as strictly confidential. All information is stored securely and is accessed by qualified and authorized personnel only.

Information We Collect

Information You Provide to Us

We ask for and collect the following personal information when you use the Core Hosting Platform. This information is necessary for the adequate performance of the contractual arrangement between you and us and to allow us to comply with our legal obligations. Failing to provide this data or decision to delete or object to the processing of such data may result in deactivation of your account.

Account signup information: When you sign up to Core Hosting, we require you to provide minimum information such as email address and password. Orders can only be made through a registered client account. When registering for a customer account, we store: account holder's name, business name (if a business account), postal address, postal code, telephone number and email address.

Identity verification: To comply with the rules set forth by the Internet Corporation for Assigned Names and Numbers ("ICANN") before the registration of new domain names, Core Hosting may collect identity verification information (such as images of your passport, national ID card, valid driving license or other documents as required or permitted by applicable laws).

Domain and SSL certificate information: For domain and SSL certificate orders, you may be asked to provide the following information: name, personal identification code, date of birth, postal address, postal code, telephone number and email address. This information is used to complete orders by automatically transferring them to registry or a Certification Center using secure communication channels.

Payment information: To order and use features of the Core Hosting Platform, we may require you to provide certain financial information to facilitate the processing of payments. We use third-party payment processor services, so we do not collect and store credit card information (we receive information about the payment status and store only last 4 credit card digits).

Communications and support: When you communicate with Core Hosting (including by using general inquiries windows, chat windows or chatbots), we collect information about your communication and any information you choose to provide or disclose. In order to respond to your request, we may also access information provided in your account and purchase history.

Job applicants: We collect information provided when applying to open positions via email or other methods.

Visitors and users of our customers' websites: We may also collect information pertaining to visitors and users of our customers' websites or services, solely for and on our customers' behalf.

You may also choose to provide us information when you fill in a form, conduct a search, update or add information to your account, respond to surveys, post to community forums, participate in promotions, or use other features of the Platform. We advise against posting any information you don't wish to make public. If you upload any content to your account or post it on your website, you do so at your own risk.

Automatically Collected Information

When you use the Services, we automatically collect certain information about your device and usage patterns:

• Device information: IP address, browser type, operating system, device identifiers;
• Usage data: pages visited, time spent, links clicked, referring URLs;
• Technical data: log files, error reports, performance metrics;
• Location data: approximate geographic location based on IP address.

Information Security Recommendations

Please always take care and observe at least the following minimum requirements for the protection of your personal information:

• Avoid using your name, address, telephone number, personal identification number, date of birth, bank account number, card number, or other sensitive data in the subject of requests or file names;
• Do not include your personal code, payment card number, financial information, health details, family member details, or other sensitive data in the texts of requests, emails or similar communications to us;
• Ensure that personal data is only indicated to the extent necessary for the purposes for which the communication is sent.

Legal Basis for Processing

Core Hosting processes personal data on the following legal bases:

• Performance of contract: to provide the Services and fulfill contractual obligations;
• Legal obligation: to comply with applicable laws, including tax, accounting, anti-money laundering regulations, and ICANN rules;
• Legitimate interests: to operate and improve the Services, prevent fraud, ensure security, and enhance customer experience;
• Consent: where specifically obtained for optional processing activities, such as marketing communications or voluntary submission of information through forms or inquiries.

Use of Personal Data

Core Hosting uses the collected personal data for the following purposes:

Service provision: To communicate with customers (announcements about service changes, payment reminders, service status notifications). The address data stored by the customer is automatically used as an invoice address.

Order fulfillment: To complete domain and SSL certificate orders by transferring necessary information to registries or Certification Centers using secure communication channels. Domain owner information is generally public in different registries.

Marketing communications: Customers have the right to opt-out from newsletters sent by Core Hosting. Marketing communications are sent via email only. Service expiration notices and renewal reminders are sent as transactional messages necessary for service provision.

Service improvement: To analyze usage patterns, improve our Platform, develop new features, and enhance user experience.

Security and fraud prevention: To protect against unauthorized access, fraud, abuse, and other security risks.

Compliance: To comply with legal obligations, enforce our terms, and respond to legal requests.

New purposes: Where we intend to process your personal data for a purpose other than that for which it was originally collected, we will assess whether such new purpose is compatible with the original purpose. If the new purpose is not compatible and not based on a legal obligation, we will obtain your consent before commencing such processing.

Sharing of Personal Data

Core Hosting does not share or disclose personal information to third parties, unless it is necessary to complete a customer order or as required by law.

Core Hosting may share personal data with the following categories of recipients where necessary:

• Domain registries and registrars (for domain registration services);
• SSL certification authorities (for certificate issuance);
• Payment processors (for transaction processing);
• Infrastructure providers (for service delivery);
• Cloud storage and hosting providers (for data storage and processing);
• Analytics and monitoring services (for service improvement and performance);
• Customer support tools (for providing technical assistance);
• Email delivery services (for transactional and marketing communications).

All third-party processors are bound by data protection obligations equivalent to those in this Policy and are required to implement appropriate technical and organizational measures to ensure GDPR compliance.

Core Hosting uses customer contact information only to provide information about the Services. Contact details are not forwarded to third parties for marketing activities.

Core Hosting will not provide third parties with any personal data about customers, except in cases arising from law or where explicitly consented to by the customer.

We may share your personal data in manners other than as described above, pursuant to your explicit consent, or if we are legally obligated to do so.

Disclosure for law enforcement and security purposes: Under certain circumstances, we may be required to disclose personal data if required to do so by law or in response to valid requests by public authorities. We always assess the lawfulness of such requests before disclosing any personal data. We may also disclose personal data where necessary and proportionate for ensuring network and information security, including to Computer Emergency Response Teams (CERT), Computer Security Incident Response Teams (CSIRT), providers of electronic communications networks and services, and providers of security technologies and services.

Business transactions: If Core Hosting is involved in a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Platform before your personal data becomes subject to a different privacy policy.

Data Retention

Core Hosting retains personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

Customers may request account deletion after all active services expire. Personal data will be retained for the minimum period required by Estonian and EU law. This includes:

• Accounting and financial records: 7 years from the end of the fiscal year (Estonian Accounting Act);
• Tax records: 7 years from the end of the fiscal year (Estonian Taxation Act);
• Anti-money laundering records: 5 years after the end of the business relationship (Estonian Money Laundering and Terrorist Financing Prevention Act);
• Domain registration records: as required by ICANN and registry policies;
• Service logs and technical data: typically 90 days unless required longer for security or legal purposes.

Non-essential personal data may be deleted upon request if no legal retention obligation exists. Personal data that is no longer required will be deleted in accordance with Core Hosting's data retention schedules and applicable legal requirements.

Changing and Accessing Personal Data

Customers can access the stored information through the https://my.core.hosting/ client portal. Customers can independently modify all data through the portal settings.

You may at any time access and edit, update or delete your contact details by logging into your Core Hosting account. The Customer may also update personal data at any time by contacting Core Hosting support at dpo@core.hosting. Core Hosting will make reasonable efforts to update such data promptly.

Please note that you will only be able to delete your email during deactivation of your Core Hosting account. To deactivate your account, please send your request to info@core.hosting, and you will be provided with further guidance.

Data Security

Core Hosting has implemented security measures designed to protect the personal information you share with us. Personal data is secured through technical and organizational measures, including:

• Encryption: HTTPS secure access to most areas on our Services;
• Access controls: limiting access to authorized personnel only;
• Physical security: secure data centers with restricted access;
• Network security: firewalls, intrusion detection, and monitoring systems;
• Regular audits: monitoring systems for possible vulnerabilities and attacks;
• Data backups: regular backups stored securely with encryption;
• Employee training: security awareness training for all staff handling personal data.

We regularly seek new ways and third-party services for further enhancing the security of our Services and protection of our customers' privacy.

Regardless of the measures and efforts taken by Core Hosting, we cannot and do not guarantee the absolute protection and security of your personal information or any other content you upload, publish or otherwise share with Core Hosting or anyone else.

We therefore encourage you to set strong passwords for your account and avoid providing us or anyone with any sensitive information of which you believe its disclosure could cause you substantial or irreparable harm.

Please note that certain security-related events such as port scans, failed login attempts, ping floods, denial of service attempts, and similar probes that result in no unauthorized access to personal data do not constitute a personal data breach and are not subject to breach notification requirements.

If you have any questions regarding the security of our Services, you are welcome to contact us at dpo@core.hosting

Data Controller and Data Processor Roles

Core Hosting acts in different roles depending on the nature of the data:

• Core Hosting acts as a data controller with respect to customer account information (contact information, billing information, etc.);
• Core Hosting acts as a data processor with respect to personal data contained in customer data that the customer uploads or processes through the Services;
• The customer acts as a data controller with respect to personal data in customer data.

Core Hosting, as a controller, processes the personal data of the customer (if the customer is a natural person), the customer's representatives and other individuals whose personal data becomes available to Core Hosting due to activities of the customer or who are interacting with Core Hosting on behalf of the customer, according to this Privacy Policy.

Core Hosting will be entitled to engage processors in the processing of personal data if they provide sufficient security that they shall implement appropriate technical and organizational measures in such manner that the processing of customer data shall be in conformity with the requirements set out in the respective laws.

Core Hosting has no basis for knowing whether the customer data contain any personal data, and therefore Core Hosting shall treat all customer data as potentially containing personal data and the customer agreement as a written contract between the customer as the controller and Core Hosting as the processor.

Data Transfers

Core Hosting's primary data processing infrastructure is located in the European Economic Area. Where services require use of third-party processors outside the EEA, appropriate safeguards are implemented.

Core Hosting will only transfer personal data to a country outside the European Economic Area if such country guarantees an adequate level of protection and complies with the data protection obligations under the applicable laws. Personal data may be transferred to and processed in countries outside the European Economic Area where Core Hosting's service providers, data centers, or partners are located. Such transfers are conducted in accordance with applicable data protection laws and appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission;
• Adequacy decisions by the European Commission;
• Other legally valid transfer mechanisms.

Domain Services Data Transfer

Upon the use of domain services, the transfer of the data of the registrant and/or contact persons to a register or registrar, and in case of a top-level domain, also disclosure of the personal data shall form an inevitable part of the provision of services, deriving from the rules of the respective top-level domain and ICANN requirements.

Data Subject Rights

Every data subject is entitled to the following rights under GDPR:

• Right to access: The right to access and request copies of personal data and obtain confirmation of whether personal data is being processed;
• Right to rectification: The right to rectification of inaccurate information and correct inaccurate personal data;
• Right to erasure: The right to erasure of personal data under certain conditions and request deletion of personal data in certain circumstances;
• Right to restriction of processing: The right to restrict processing under certain conditions;
• Right to data portability: The right to data portability under certain conditions and receive personal data in a structured, commonly used format;
• Right to object: The right to object to processing under certain conditions and object to processing based on legitimate interests;
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent;
• Right to lodge a complaint: The right to file a complaint with supervisory authority.

Some of these rights are easy to exercise: you may at any time access and edit, update or amend your details, opt out of receiving communications from us by visiting and adjusting your account settings, or by contacting dpo@core.hosting

When you object to processing of personal data when processing is carried out on the basis of legitimate interest, we will carefully consider such a request, which may result in your account closure or deactivation.

To exercise these rights, please contact dpo@core.hosting. We will respond to your request within one month of receipt. In cases of complexity or high volume of requests, this period may be extended by a further two months, in which case we will notify you within the first month. Before acting on a request, we may need to verify your identity to ensure personal data is not disclosed to an unauthorized person.

Automated Decision Making and Profiling

In certain cases we make automated decisions related to you. We may use technology to assess your personal situation and other factors to predict potential risks or outcomes (this practice is known as profiling). We implement this to make decisions that are fair, consistent, and informed by accurate data.

In cases where a decision based solely on automated processing produces legal effects concerning you or similarly significantly affects you, you have the right to contest the decision, express your point of view and request human intervention. You can do this by contacting our support team or by using the email indicated in this Policy. We will review your request and provide a human review of the decision, ensuring that your rights are fully respected.

For example, we make automated decisions and profiling in the following cases:

• Fraud prevention: We perform fraud prevention checks before a purchase is accepted. This helps to protect our customers and services from potential risk of fraud, scams or abuse. The processing is necessary to fulfill our contract with you. If based on data and behavior patterns it is determined that a purchase poses a risk, we may not be able to complete the purchase;
• Pricing and discounts: We may evaluate whether to apply a discount to the price of products or services you purchase. This will not be used to increase the price of products or services you want to purchase. The processing is based on our legitimate interest to enhance customer experience and encourage long-term commitment;
• Abuse prevention: We assess risk of abuse or other use of our services inconsistent with our Terms of Service and apply appropriate measures. We use an automated system that helps to identify users that are likely to be involved in abusive activities, based on behavior patterns, account and other data. Based on the identified risk level, proportional automated measures may be applied, including suspension of services or account. The legal basis for this processing is our legitimate interest in preventing abuse and performance of our contract with you.

Cookies and Tracking

Core Hosting uses cookies and similar technologies as described in the Cookie Policy. Cookies are small text files stored on your device that help us improve your experience, analyze usage, and provide personalized content.

You can manage cookie preferences through your browser settings or our cookie consent management platform. Please note that disabling certain cookies may affect the functionality of our Services.

Supervisory Authority

The data protection supervisory authority for Estonia is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): https://www.aki.ee/en/contacts

You have the right to lodge a complaint with the national Data Protection Agency in your country of residence in the event where your rights may have been infringed. However, we recommend attempting to reach a peaceful resolution of any possible dispute by contacting us first at dpo@core.hosting

Children's Information

Core Hosting does not knowingly collect any personal data from children under the age of 18. If we find out that we have obtained data of children or if Core Hosting discovers that personal data of a child has been collected, we will delete such data immediately or seek approval from legal guardian or parent.

Data Processing Agreement

If Core Hosting, as a processor, and the customer, as a controller, enter into a separate Data Processing Agreement and any terms thereof conflict with these Terms, then the provisions of such DPA shall prevail.

Acceptance of This Policy

We assume that all users of Core Hosting Platform have carefully read this document and agree to its contents. If someone does not agree with this Policy, they should refrain from using our Platform. We reserve the right to change our Policy at any time and inform users as indicated in the Amendments section. Continued use of Core Hosting's Platform implies acceptance of the revised Policy.

This Policy is an integral part of Core Hosting's Terms of Service.

We will ask for your consent before using information for a purpose other than those set out in this Policy.

Amendments

Our Policy may change from time to time. Material changes will be communicated via email or Portal notification at least 30 days before taking effect. We will also post the updated version on our website. Continued use of the Services after changes take effect indicates your acceptance of the updated Policy.

Contact Information

For questions regarding this Privacy Policy or to exercise your data rights, contact our Data Protection Officer at dpo@core.hosting. For full company contact details, see Section 22 of the Core Hosting Terms of Service.

Further Information

If you have any further questions regarding the data Core Hosting collects, or how we use it, then please feel free to contact the Data Protection Officer at the details indicated above.