
Privacy policy

What we collect, why we collect it, and what we do with it.

Last updated: May 3, 2026 · Effective: May 3, 2026

Plain English summary. We collect what we need to give you the service and bill you for it. We don't sell your data. We don't read what you store on your virtual machines. We use a small number of well-known sub-processors (Stripe, Cloudflare, Plausible) and we list them all below. You can ask us to delete your data at any time.

1. Who we are

ServersCamp is operated by ServersCamp S.R.L., a company registered in Romania. When this policy says "we", "us", or "ServersCamp", it means that company. When it says "you", it means the person or organisation using our services or visiting this website.

Contact for any privacy question: [email protected].

2. What we collect

Account information

  • Email address (required to sign in and receive service notifications)
  • Display name and any avatar image you upload
  • Authentication identifiers from OAuth providers if you sign in with Google, GitHub, etc.

Billing information

  • Company name, billing address, VAT/tax ID - needed to issue compliant invoices
  • Card details are entered directly with our payment processor (Stripe). We never see or store full card numbers; we only store the last 4 digits and the card brand for display.
  • Wire transfer details - when you pay by SEPA bank transfer, we see the standard bank reference fields visible on the transaction.

Service usage

  • Resource usage metrics (CPU, RAM, disk, network bandwidth) - needed to bill correctly and to enforce quotas
  • Audit record of important account actions (creating, modifying, or destroying resources; changing security settings) - kept while your account is active so you have a history of what happened, and so we can investigate abuse complaints

We do not currently run a centralised log collector. Application processes write to standard output inside their containers, but those streams are not aggregated, archived, or queryable. Once a container restarts, those lines are gone.

HTTP request metadata (your IP, the URL, response code, bytes) is observed by our reverse proxy provider, Cloudflare. Cloudflare keeps these edge logs on its own systems for roughly 30 days under its own policy; we do not import or store them ourselves.

What we do NOT look at

We do not inspect the contents of your virtual machines, databases, or object storage. Block storage volumes are encrypted at rest. Object storage data is private by default. The only time we would access workload contents is if compelled by valid legal order, or if we have an active abuse complaint and need to verify it (e.g., to confirm reported phishing content). Even then, access is limited to authorised staff and is audit-logged.

Support communications

When you contact us by email or chat, we keep the messages and any attachments you send. We use them to help you and to improve our docs.

Website

We use Plausible Analytics on this marketing site. Plausible is GDPR-friendly: no cookies, no cross-site tracking, no personal identifiers. They give us aggregate stats like "X people visited /pricing today". Plausible's approach.

3. Cookies

This site uses a small number of cookies. None of them are used for advertising or cross-site tracking.

  • Session cookie - keeps you signed in to the dashboard. Deleted when you log out or after 1 hour of inactivity.
  • CSRF token - prevents cross-site request forgery. Required for form submissions.
  • Referral cookie - if you arrived via a partner referral link, we remember that for attribution. Lasts 30 days.

4. Sub-processors

To run the service we share specific data with the following companies. We've picked them because they are widely used, EU-friendly, and have their own published privacy commitments.

| Company | What it's used for | What it sees | Location |
|---|---|---|---|
| Stripe | Payment processing for cards | Card details, billing address, transaction amount | Ireland (EU) |
| Oblio | Romanian-compliant invoice generation | Billing name, address, VAT ID, line items | Romania (EU) |
| BCR (Banca Comercială Română) | Bank account for SEPA transfers | Standard bank-transfer metadata | Romania (EU) |
| Cloudflare | CDN, DDoS protection, reverse proxy | Public IP, request URL, headers, bytes transferred (kept on their systems for ~30 days) | Global edge network |
| Plausible | Aggregate website analytics (no cookies) | Anonymised page views and referrers | Germany (EU) |

We also run our own internal tooling (Grafana for metrics, OpenSearch for logs) on infrastructure we control. These are not third parties - your data does not leave our systems for those.

If we add or replace a sub-processor we'll update this list. For material changes we will notify you by email at least 14 days in advance so you can object.

5. How we use your data

  • Operate the service - provision your VMs, store your files, route your traffic
  • Bill you - calculate usage, generate invoices, charge cards, reconcile transfers
  • Send transactional email - incident notifications, billing receipts, security alerts. You cannot opt out of these - they are required for the service.
  • Send product updates - occasional emails about new features. You can opt out at any time from your account settings or via the unsubscribe link.
  • Prevent abuse - detect and stop fraud, spam, malware, network abuse
  • Comply with the law - respond to valid legal requests, fulfil tax and accounting obligations

6. Legal basis (GDPR)

If GDPR applies to you, we process your data on the following legal bases:

  • Contract - most processing is necessary to provide the service you signed up for
  • Legal obligation - accounting, tax, fraud prevention
  • Legitimate interest - security, abuse prevention, basic product analytics, transactional communications
  • Consent - optional marketing emails. You can withdraw at any time.

7. How long we keep data

  • Account data - kept while your account is active. When you close your account, it is deleted immediately and irreversibly along with all your resources.
  • Workload data (the contents of your VMs, databases, object storage buckets) - destroyed immediately and irreversibly when you delete the resource. We do not keep a backup or recovery copy. If you need point-in-time recovery, use our snapshots or PITR features while the resource is still alive.
  • Billing and invoice records - we do not store these on our own systems. They are held by our payment processor (Stripe) and our invoicing partner (Oblio) under their own retention policies, driven by Romanian tax law (10 years for fiscal documents) and PCI compliance for card data. Deletion of those records is outside our control.
  • Audit and usage records - kept while your account is active; deleted together with your account on closure
  • Application logs - we do not collect them centrally; container stdout is ephemeral
  • Cloudflare edge logs - retained by Cloudflare on their systems for roughly 30 days; we do not store them

8. Your rights

Under GDPR (and similar laws in many other countries) you have the right to:

  • Get a copy of your personal data we hold
  • Correct inaccurate data
  • Delete your data ("right to be forgotten") - subject to our legal obligations to keep certain records
  • Export your data in a portable format
  • Object to processing based on legitimate interest
  • Withdraw consent for marketing emails
  • Lodge a complaint with your local data protection authority. In Romania this is ANSPDCP.

Email [email protected] with any of these requests. We'll respond within 30 days.

9. International transfers

Your data is hosted in EU datacenters by default. Some of our sub-processors (notably Cloudflare) operate global edge networks, which means request metadata (your IP, the URL you visited) may pass through servers outside the EU. Where data leaves the EU, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Security

We take security seriously. Some of what we do:

  • All website and API traffic is HTTPS-only with modern TLS
  • Workload data on block storage is encrypted at rest
  • Internal admin access requires SSO and is audit-logged
  • Hardware lives in physically secure datacenters with controlled access

If you discover a security issue, please email [email protected] with the subject line "SECURITY". We will respond promptly.

11. Children

ServersCamp is not directed at children. We don't knowingly collect data from anyone under 16. If you believe a child has signed up, contact us and we'll delete the account.

12. Changes to this policy

If we make material changes we will notify you by email and post a banner on the site at least 14 days before the change takes effect. Minor edits (typos, clarifications, new sub-processors that don't change how we use your data) we'll update silently with a new "Last updated" date at the top of this page.

13. Contact

ServersCamp S.R.L.
Șos. Colentina 16, Bl. A5, Ap. B44
Sector 2, Bucharest 021177, Romania
CUI: 50730737
Nr. Reg. Com.: J2024032843002
EUID: ROONRC.J2024032843002
Email: [email protected]

© 2024-2026 ServersCamp. All rights reserved.