1. Who we are
Maxa Cloud Ltd, trading as HostMaxa, is the Data Controller responsible for your personal data.
| Registered name | Maxa Cloud Ltd t/a HostMaxa |
| Address | Unit 2, 2 Bridge Street, Athlone, Co. Westmeath, Ireland N37 F1W4 |
| Phone | +353 1699 4375 |
| General inqueries | [email protected] |
| Privacy inqueries | [email protected] |
| Supervisory authority | Data Protection Commission (DPC), Ireland – www.dataprotection.ie |
2. Data we collect
We collect personal data in three categories:
Account and billing data
When you register or purchase a service through our client area, we collect your name, company name, email address, postal address, phone number, VAT number (if applicable), and account credentials. For billing we record invoice history, payment method type, and transaction references. We do not store full card numbers – these are tokenized by our payment processor.
Service and support data
To deliver and support your hosting, domain, email, AI tools, and SSL services, we process domain names, DNS configurations, hosting resource usage, control panel credentials (encrypted), and the content of support tickets and correspondence. If calls are recorded for quality purposes, you will be informed at the start of the call.
Technical and usage data
Our systems automatically collect IP addresses, browser type, pages visited, login timestamps, and error logs when you use our website or services. We also use cookies – see Section 9 for details. If you provide data about a third party (e.g. a billing contact), you confirm you have their authority to do so.
3. Why we process your data (lawful basis)
Under GDPR Article 6, we process your personal data on the following bases:
| Lawful Basis | Examples |
|---|---|
| Contract (Art. 6(1)(b)) | Provisioning and managing hosting, domains, email, and other services; processing payments; invoicing; handling upgrades, downgrades, and cancellations |
| Legal Obligation (Art. 6(1)(c)) | Retaining financial records for 7 years under Irish tax law; responding to lawful authority requests; fulfilling GDPR data subject rights obligations |
| Legitimate Interests (Art. 6(1)(f)) | Security monitoring; fraud and abuse prevention; service improvement analytics; sending service-related announcements to existing customers |
| Consent (Art. 6(1)(a)) | Marketing emails and newsletters (opt-in only); non-essential cookies. You may withdraw consent at any time without affecting prior processing. |
We will never sell your personal data to third parties for their own marketing purposes. You may unsubscribe from any marketing email using the link in that email, or by contacting [email protected].
4. Who we share your data with
We do not sell or rent your personal data. We share it only where necessary:
- Billing system: Our client area and invoicing run on a self-hosted billing platform deployed on our own EU-based infrastructure. We are the data controller for all data within this system.
- Payment processors: Payments are handled by third-party gateways (including Stripe Payments Europe and PayPal Europe) under their own PCI DSS compliance programs. Full card numbers are never stored by us.
- Domain registries: When you register a domain, registrant data is passed to the relevant registry as required (e.g. IEDR for .ie domains). For .ie, IEDR’s own privacy policy applies to data held by them.
- Infrastructure providers: We use EU-based data centers and network providers who act as processors under our instruction, with Data Processing Agreements in place.
- Legal authorities: We may disclose data to law enforcement or courts where required by law.
- Business transfer: In the event of a sale or merger, personal data may transfer to the acquirer. We will notify you before that happens.
We do not share your data with advertisers or ad networks. HostMaxa is ad-free.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and identity data (active customer) | Duration of account + 12 months after closure |
| Billing records and invoices | 7 years (Irish tax law) |
| Support tickets and correspondence | 3 years from last communication |
| Server and access logs | 90 days (rolling) |
| Marketing consent records | Until withdrawn + 3 years for audit |
| Inactive accounts (no paid invoice, no active service) | Archived after 12 months; deleted after a further 6 months |
| Incomplete registrations (no paid invoice) | Deleted after 30 days |
| Accounts pending deletion request | Deleted within 30 days (subject to any legal hold) |
Data subject to a legal hold (e.g. an active dispute) is retained until the matter is resolved.
6. International data transfers
Your data is primarily stored within the EU on our EU-based infrastructure. In limited cases, for example where a payment processor or domain registry operates outside the EU/EEA, data may be transferred internationally. In all such cases we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or transfers to countries with an EU adequacy decision.
Contact [email protected] if you want details of safeguards for any specific transfer.
7. Your Rights Under GDPR
You have the following rights under GDPR. We will respond to verified requests within one calendar month.
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data where there is no compelling reason to keep it. Self-service account deletion is available in your client area. |
| Restriction (Art. 18) | Request that we limit processing of your data (e.g. while accuracy is contested) |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing |
| Withdraw Consent (Art. 7(3)) | Withdraw consent at any time without affecting prior lawful processing |
To exercise any right, use the self-service options in your client area, or email [email protected]. Where we have reasonable doubt about the identity of a person making a request, we may ask for information sufficient to confirm their identity.
Right to complain
If you are unhappy with how we have handled your data, you may lodge a complaint with the Data Protection Commission:
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Phone: +353 57 868 4800 | Email: [email protected]
www.dataprotection.ie
We would appreciate the opportunity to resolve your concern directly first.
8. Security
We implement appropriate technical and organizational measures to protect your personal data, including AES-256 password encryption, TLS for data in transit, multi-factor authentication (MFA/U2F) for all client area accounts, daily encrypted offsite backups, and role-based access controls. In the event of a personal data breach likely to affect your rights, we will notify the DPC within 72 hours (GDPR Article 33) and, where the risk is high, notify you directly without undue delay (Article 34).
9. Cookies
We use cookies on our website and client area. Strictly necessary cookies (session authentication, security tokens) are always active. Functional and analytics cookies are only placed with your consent, which you can manage via the cookie notice on our website or your browser settings. We do not use advertising or third-party marketing cookies, HostMaxa is ad-free.
A full Cookie Policy is available at Cookie Policy.
10. Children
Our services are not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we hold data about a child, please contact [email protected] and we will investigate it promptly.
11. NIS2 and cybersecurity compliance
As a web hosting and digital infrastructure provider, HostMaxa operates within the scope of the EU NIS2 Directive (Directive 2022/2555), as transposed into Irish law. We maintain an ongoing cybersecurity risk management program that includes:
- Regular risk assessments of our infrastructure and supply chain
- Business continuity and disaster recovery planning
- Incident detection, response, and reporting procedures aligned with NIS2 requirements
- Staff cybersecurity training and awareness programs
- Technical hardening of server infrastructure and control panel environments
Significant cybersecurity incidents are reported to the relevant national CSIRT (Computer Security Incident Response Team) and, where applicable, to affected customers, in accordance with our NIS2 obligations.
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the effective date above, publish the revised policy, and notify registered customers by email at least 14 days before changes take effect.
13. Contact us
Privacy queries
Maxa Cloud Ltd t/a HostMaxa.ie
Unit 2, 2 Bridge Street, Athlone, Co. Westmeath, Ireland N37 F1W4
Email: [email protected]
We aim to acknowledge all privacy queries within 5 business days.