Privacy Policy
Effective: January 1, 2026 · v4.1
This Privacy Policy explains how Nexia Digital Solutions Limited ("Nexia", "we", "us", "our") collects, uses, discloses, transfers, retains and otherwise processes personal data in connection with our website at nexia.host, our client area, and the hosting and related services we provide (collectively, the "Services"). Where the Services are used by a customer to host content of its own end-users, Nexia acts as a "data processor" with respect to that customer content; for all other purposes (including billing, account administration, marketing and service operation), Nexia acts as a "data controller". This Policy is published in compliance with the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable privacy laws.
1. Controller of your personal data
The controller responsible for your personal data is Nexia Digital Solutions Limited, Unit 1507A, 15/F., Eastcore, 398 Kwun Tong Road, Kwun Tong, Kowloon 999077, Hong Kong. Our Data Protection Officer can be reached at dpo@nexia.host. For EU/UK matters, our designated representative pursuant to GDPR Art. 27 / UK GDPR Art. 27 can be contacted at the same address.
2. Categories of personal data we collect
- Identity & contact data — full name, business name, postal address, country, email address, contact telephone where you provide one.
- Account credentials — username, securely hashed password, multi-factor authentication secrets, API token metadata.
- Billing data — invoice history, billing address, tax identification numbers (VAT/GST), card brand, last four digits, expiry month/year and PCI-tokenised card reference. Full primary account numbers are processed exclusively by our PCI-DSS Level 1 payment processor and never stored on our systems.
- Transactional data — orders, plan changes, renewal events, refunds, invoices and receipts.
- Service usage data — server resource metrics (CPU, memory, disk, bandwidth), aggregate request counts, error rates, login timestamps and IP address. Used for capacity planning, billing reconciliation, fraud and abuse detection. Pseudonymised after 90 days.
- Communications data — support tickets, live chat transcripts, abuse correspondence and (with notice and consent where required) recordings of customer success calls.
- Device & log data — IP address, user-agent, referrer, requested URLs, response codes and timestamps for the client area and our public website. Retained for security audit purposes for up to 12 months.
- Marketing preferences — newsletter subscription status and topic interests.
- Customer Content — files, databases, emails and other materials you upload to the Services. We process Customer Content solely on your documented instructions; see Section 8 below.
3. Purposes & lawful bases of processing
- Performance of a contract (GDPR Art. 6(1)(b)). To create and administer your Account, deliver and bill the Services, process renewals, provide support and respond to your enquiries.
- Compliance with legal obligation (Art. 6(1)(c)). To meet tax, accounting, anti-money-laundering, sanctions screening, lawful intercept and abuse-reporting obligations and to respond to valid orders from courts or competent authorities.
- Legitimate interests (Art. 6(1)(f)). To secure our network and customer infrastructure, prevent and investigate fraud and abuse, improve the Services and our website, perform internal analytics on aggregated usage, and pursue legal claims. We have balanced these interests against your fundamental rights and freedoms; you have the right to object (see Section 10).
- Consent (Art. 6(1)(a)). Solely for optional marketing communications and any non-essential cookies. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
4. Cookies & similar technologies
Our public website uses only strictly necessary first-party cookies for session management and security. We use Plausible Analytics (EU-hosted, cookieless, no personal identifiers) for aggregated traffic measurement. The client area uses session cookies essential to authentication and CSRF protection. We do not use third-party advertising cookies, behavioural retargeting, or social-media trackers. See our Cookies Notice for a full inventory.
5. Recipients & sub-processors
We share personal data only with the following categories of recipients, each bound by written contracts containing GDPR Art. 28-compliant data-protection terms:
- Payment processing — Stripe, Inc. (USA / EU) for card and SEPA processing.
- Transactional email — Postmark / ActiveCampaign (USA, EU regions) for system notifications.
- Edge & DDoS mitigation — Cloudflare, Inc. (global anycast network) for the public website and selected customer endpoints.
- Datacenter operators — Hetzner Online GmbH (DE/FI), Equinix (NL/UK/US), Digital Realty (DE/IE) for physical hosting space, power and connectivity.
- Identity verification — Veriff or Stripe Identity, only where high-risk fraud signals require it.
- Professional advisers — auditors, lawyers, accountants and insurers, under duties of confidentiality.
- Authorities — courts, regulators and law-enforcement agencies, only in response to valid legal process and after reviewing each request for scope and proportionality.
An up-to-date list of sub-processors and notice of any additions or replacements is published at nexia.host/sub-processors. We never sell, rent or trade personal data, and we do not share it with advertisers.
6. International transfers
Customer Content is stored in the region you select at order time (EU, UK, US or APAC). Where personal data leaves the European Economic Area or the United Kingdom, we rely on appropriate safeguards under GDPR Art. 46 and UK GDPR, including the European Commission's Standard Contractual Clauses 2021/914 and the UK International Data Transfer Addendum, supplemented by transfer-impact assessments and, where appropriate, technical measures such as encryption in transit and at rest. A copy of the relevant transfer safeguards is available on request from dpo@nexia.host.
7. Retention
- Account data: for the life of the Account plus seven (7) years for tax, accounting and audit purposes (or longer where required by law).
- Customer Content: for the duration of the Service; deleted within 30 days of termination from production systems and purged from backups within 90 days.
- Server and access logs: 30 days in raw form, then anonymised aggregates indefinitely.
- Support tickets: three (3) years from closure.
- Marketing data: until you unsubscribe or 24 months of inactivity, whichever is earlier.
- Legal hold: we may retain data longer where reasonably necessary to establish, exercise or defend legal claims.
8. Customer Content & processor obligations
Where we process Customer Content on your behalf, we do so solely on your documented instructions, applying technical and organisational measures appropriate to the risk under GDPR Art. 32. We assist you, taking into account the nature of processing and information available to us, in fulfilling your obligations to respond to data-subject requests and to notify personal-data breaches. We will not engage any new sub-processor without giving you prior notice and an opportunity to object. On termination of the Services we will, at your choice, return or delete Customer Content within the windows set out in Section 7.
9. Security
We maintain a written information-security programme aligned with ISO/IEC 27001 and SOC 2 Type II controls and audited annually by an independent third party. Measures include: TLS 1.3 in transit, AES-256 at rest, encrypted off-site backups, segregated production and corporate networks, single sign-on with mandatory hardware-based MFA for all staff, least-privilege access with quarterly recertification, immutable audit logging, vulnerability scanning, quarterly third-party penetration testing, and a public bug-bounty programme paying up to USD 25,000 per report.
10. Your rights
Depending on the law that applies to you, you have the following rights in respect of your personal data:
- Access — confirmation of whether we process your data and a copy of it.
- Rectification — correction of inaccurate or incomplete data.
- Erasure — deletion where one of the legal grounds applies (e.g. data no longer necessary, withdrawal of consent).
- Restriction — temporary suspension of processing while a dispute is resolved.
- Portability — to receive certain data in a structured, commonly used, machine-readable format.
- Objection — including to processing based on legitimate interests and to direct-marketing communications.
- Withdraw consent at any time where processing is based on consent.
- Not be subject to automated decision-making producing legal or similarly significant effects (we do not currently engage in such decision-making).
- California residents additionally have the right to know, delete, correct, limit use of sensitive personal information and opt out of "sharing" for cross-context behavioural advertising. We do not "sell" or "share" personal information as defined under the CCPA.
- Lodge a complaint with your local supervisory authority — for EU residents, the data-protection authority of your habitual residence; for UK residents, the Information Commissioner's Office (ICO); for Hong Kong residents, the Office of the Privacy Commissioner for Personal Data (PCPD).
To exercise any right, email dpo@nexia.host from the address on file. We will verify your identity and respond within 30 calendar days (typically 48 hours), extendable by a further 60 days for complex requests. Exercising your rights is free of charge except where requests are manifestly unfounded or excessive.
11. Personal-data breaches
We maintain an incident-response plan tested at least annually. Where a personal-data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority within 72 hours of becoming aware, in accordance with GDPR Art. 33, and notify affected individuals without undue delay where the breach is likely to result in a high risk.
12. Children
The Services are not directed to children under 16. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data, please contact dpo@nexia.host and we will take steps to delete it.
13. Third-party links
Our website may contain links to third-party sites. We are not responsible for their privacy practices and encourage you to review their notices.
14. Changes to this Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email at least 30 days before they take effect. The "Effective" date at the top of this page indicates when the latest version was published.
15. Contact
Data Protection Officer: dpo@nexia.host. Postal: Nexia Digital Solutions Limited, Unit 1507A, 15/F., Eastcore, 398 Kwun Tong Road, Kwun Tong, Kowloon 999077, Hong Kong.
