Please read very carefully before ordering and/or using any of AltusHost's services.
Last updated: September 10, 2025 • Version 2.1
AltusHost B.V. (“AltusHost”, “we”, “us”, or “our”) is committed to protecting your privacy and the security of personal data processed through our services. This Privacy Policy explains what we collect, why we collect it, our legal bases, how long we keep data, how we share it, and the technical and organizational measures we maintain, including measures aligned with the EU NIS2 Directive.
If you have questions, contact our Privacy Team at privacy@altushost.com.
AltusHost B.V. is the controller for the processing described in this Policy.
Address: IJsbaanpad 2, 1076 CV Amsterdam, The Netherlands
Chamber of Commerce: 57600511 • EU VAT: NL852652896B01
Email: info@altushost.com • Privacy: privacy@altushost.com
This Policy applies when you visit our websites, contact us, or use our hosting, cloud, and related services (including Business Web Hosting, Reseller Hosting, Dedicated Servers, and Colocation). It does not apply to content and personal data that our customers process, store, or host using our services (for which customers act as the controller), nor to third-party products or websites that have their own privacy notices.
We collect customer name, company details, address, contact details, order history, and payment references to create and manage your account, deliver services, and provide support (GDPR Art. 6(1)(b) – contract). Certain billing and invoicing data are retained for up to 7 years to meet tax and accounting obligations (Art. 6(1)(c) – legal obligation).
Your chosen payment provider processes payments. We do not store full card numbers or CVV codes on our systems. For fraud prevention, we may, where strictly necessary, request limited verification (e.g., a partial card snapshot showing only the last four digits and expiry; redacted ID). For Colocation access control, we may request identification to issue a personal access card (Art. 6(1)(f) – legitimate interests; and, where applicable, Art. 6(1)(c)).
When you contact us (email, ticket, live chat, phone), we process your message content, contact details, IP address, and related technical logs to respond, investigate issues, and improve support (Art. 6(1)(f)).
We process system and access logs, usage metrics, and events for provisioning, troubleshooting, capacity planning, abuse handling, and security monitoring (Art. 6(1)(b) and 6(1)(f)).
With your consent or where permitted by law, we use your contact details to send newsletters and product updates. You can opt out at any time (Art. 6(1)(a) or 6(1)(f), as applicable).
For job applicants, we process contact details, CVs, and attachments to evaluate applications (Art. 6(1)(f)); we retain them for a limited period and extend only with your consent (Art. 6(1)(a)).
We may request identity verification to fully confirm orders flagged by our fraud prevention controls. For this purpose, we use a specialized identity verification provider, iDenfy. Depending on the check, this may involve collecting and verifying your identification document and a selfie (liveness/face match). Where required by law, we will obtain your explicit consent for biometric verification. For details on iDenfy’s data handling and coverage, see their Privacy Policy and Cyber Insurance pages.
We rely on: (i) contract necessity (Art. 6(1)(b)), (ii) legal obligations (Art. 6(1)(c)), (iii) legitimate interests (Art. 6(1)(f) — e.g., service security, fraud prevention, direct marketing), and (iv) consent where required (Art. 6(1)(a)). For identity verification of flagged orders, we rely on contract necessity and our legitimate interests in preventing fraud (Art. 6(1)(b) and 6(1)(f)); where biometric data are processed for unique identification, we will obtain your explicit consent where required (GDPR Art. 9(2)(a)).
We retain personal data only as long as necessary for the purposes described above. Billing/tax records may be retained for up to seven (7) years under applicable law. Support tickets and operational logs are retained for shorter periods consistent with security and operational needs. Identity verification records related to fraud-screened orders are kept for the shortest useful period needed to complete verification, maintain auditability of the transaction, and meet legal obligations, after which they are securely deleted or anonymized.
We may share personal data with:
• Payment processors to complete transactions you request.
• Registries/Registrars for the domain registrations you order.
• Infrastructure and support providers (e.g., data center, network, email, anti-abuse, and monitoring vendors) under data-processing agreements.
• Identity verification provider (iDenfy) to verify identity for fraud-flagged orders. iDenfy acts under a data-processing agreement and processes data in line with its publicly available policies.
• Professional advisors & authorities (legal/accounting) and competent authorities where required by law or to establish, exercise, or defend legal claims.
Where personal data are transferred outside the EEA, we use appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and mechanisms. Copies of relevant safeguards are available upon request.
We implement technical and organizational measures designed to protect personal data and our network and information systems, including:
• Risk management program covering asset inventory, threat modeling, vulnerability management, and secure configuration baselines.
• Strong encryption for data in transit (TLS) and at rest where supported; managed keys and separation of duties.
• Access controls with least privilege, role-based access, MFA for privileged accounts, and periodic access reviews.
• Network segmentation, firewalls/WAF, DDoS protection, secure remote access, and anti-abuse automation.
• Backup and disaster-recovery procedures with regular testing; time-bound restoration objectives.
• Secure development and change management, including code review and pre-deployment testing for managed platforms.
• Security logging, monitoring, and alerting; tamper-resistant logs and retention aligned to incident response needs.
• Supplier and sub-processor due diligence; contractual security and confidentiality obligations.
• Employee awareness and role-based security training, including phishing simulations for relevant staff.
• Documented incident-response playbooks integrating privacy and cybersecurity handling.
NIS2 incident reporting: For significant incidents affecting the availability, authenticity, integrity, or confidentiality of our network and information systems, we operate 24/7 monitoring and will follow NIS2 timelines with the competent CSIRT/authority (early warning within 24 hours of becoming aware; incident notification within 72 hours; final report within one month). Where a personal data breach occurs, we assess and notify the competent supervisory authority under the GDPR within 72 hours where required and, where there is a high risk to individuals, we will also inform affected data subjects without undue delay.
Security contact & Vulnerability Disclosure: Report suspected security issues to security@altushost.com. Please include sufficient details for reproduction. We may publish a coordinated vulnerability disclosure (CVD) page with our PGP key and disclosure timelines.
Vendor assurance: We perform supplier due diligence and maintain assurance records (e.g., security certifications, privacy policies, and cyber-insurance attestations where applicable).
You have the right to request: access, rectification, erasure, restriction, and data portability, and to object to processing based on our legitimate interests or for direct marketing. Where processing relies on consent, you may withdraw it at any time. We will respond without undue delay and within one month (extendable up to two months for complex requests). If we decline your request, we will inform you of the reasons and your options for complaint or judicial remedy.
Our websites use cookies and similar technologies for functionality, analytics, and security. For details and choices, please see our separate Cookie Policy.
Our services are intended for business use by adults. We do not knowingly collect personal data from children.
We may update this Policy from time to time. Material changes will be notified via our website and/or email. Continued use of our services after the effective date constitutes acceptance of the updated Policy.
If you believe your data-protection rights have been breached, don’t hesitate to contact us at privacy@altushost.com.
You also have the right to complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
General contact: info@altushost.com