Privacy Policy & GDPR

Version Date: 24/01/2023

9Flares Technology OÜ, trading as 9Flares through the website www.9flares.com, is a private company incorporated and registered in Estonia under No 16659646,  whose registered office is at Narva mnt 5, 10117 Tallinn.

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a European data protection regulation adopted by the EU Commission. It replaces the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR becomes effective on May 25, 2018 and will strengthen security of and regulate personal data in the broadest sense. The GDPR applies to both individuals and businesses and regulates the way in which personal data of citizens in the European Union should be handled.

Understanding GDPR terms:

• Personal Data: any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified.
• Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission and so on.
• Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

9Flares Technology OÜ collects and processes personal data as legislated in the General Data Protection Regulation (GDPR) (EU) 2016/679[a].

2. 9Flares Technology as a Data Processor

9Flares Technology is classed as a "Processor" when it processes personal data on behalf of a data controller.

By using our hosting services (Shared Hosting, Mail Hosting, VPS, dedicated servers) the Customer stores personal data on our hosting infrastructure. Therefore, 9Flares Technology is a Processor of the Customer Hosted Data.

Customer Hosted Data may include, but not limited to:

• web files;
• database files;
• content of Mailboxes;
• anything uploaded or stored on 9Flares Technology services.

Within the limit of its technical restrictions, 9Flares Technology may process any stored data solely in accordance with the Customer instructions, and on their behalf. 9Flares Technology will never process the Customer stored data for any other purposes (marketing, etc.).

9Flares Technology has limited knowledge of the data that each customer processes via the hosting infrastructure (Hosted Data). While 9Flares Technology takes every reasonable step to ensure security of Customer Hosted Data, it is the direct Customer’s responsibility to ensure such data is stored in a way which minimises the risk of compromise or disclosure.

The Customer is a Controller and ultimately is responsible for the Hosted Data to the Estonian Data Protection Inspectorate[b], according to the GDPR. Any content posted, uploaded, sent to or otherwise made available by the Customer or his own data subjects on his hosting account is not subject to our Privacy Policy as Data Controller, but is subject to our Terms and Conditions and our Privacy Policy as a Data Processor.

2.1 Hosted Data storing

The IT infrastructure is hosted in the different datacenters in European Union countries.

We operate exclusively with ISO27001 certified datacenters which guarantee the highest level of security and compliance with GDPR requirements.

2.2 Hosted Data protection

We have taken all reasonable steps (including appropriate technical and organisational measures) to protect “Customer Data“. This would include physical, host level and network security.

In the case of Virtual and Dedicated servers the host and application level security is the responsibility of the client.

In the case of Shared Web Hosting the web site/application security is the responsibility of the client.

2.3 Hosted Data access

Our technical support staff have limited knowledge of the Customer Hosted Data. We will access data only when strictly required to provide technical support, debugging, taking backups, malware scanning or other system administration tasks.

2.4 Hosted Data portability

Typically a Customer will be able to access and migrate their Hosted Data using secure file transfer protocols without assistance from us.

2.5 Hosted Data deletion policy

This is outlined in our General Terms and Conditions. In brief Customer Hosted Data will be removed 30 days after termination[c] of services depending on product or service.

2.6 Data breach policy

This is detailed in our internal IT & Security Policy. Depending on the product and access we have, we will:

• Notify the Controller (Customer) without undue delay
• Provide a description of the nature of the breach
• Provide details of measures taken to address the Data breach
• Provide any information relating to the data breach
• Preserve available digital evidence for forensic needs

2.7 Security Policy

We have an internal IT & Security Policy which oversees other policies including our IT Security Policy, Access Control Policy, Password Policy, Clear Desk/Screen Policy and Data Destruction Policy.

We implement appropriate technical and organizational measures to secure Hosted Data such as technologies including but not limited to Encryption, Network Monitoring, Malware Scanning, Vulnerability Scanning, Network Security, Firewalls, Intrusion Detection/Protection, Access Control and Dual Factor Authentication. The responsibilities and methods used will depend on the exact service provided.

2.8 Investment in data protection security

We promote a continuous improvement methodology by regularly testing the integrity and resilience of our systems and processes, making appropriate improvements where necessary.

3. 9Flares Technology as a Data Controller

3.1 What we need

9Flares Technology is a Controller of the personal data the Customer (data subject) provides us. We collect the following types of personal and non-personal data:

• Personal Data: Name, Address, Telephone Number, Email, Payment information and IP address. We may also retain records of your queries and correspondence in the event you contact us e.g. by email or support ticket.
• Non-Personal Data: Browser types and cookies

Providing us with personal data about a third-party (e.g. when registering a domain on their behalf), the Customer warrants that he has obtained the express consent from the third-party for the disclosure and use of their personal data.

3.2 Why do we need it?

We need Customer’s personal data in order to provide the following services:

• to provide services and fulfil our obligations to our Customers;
• to provide technical support and Customer care;
• to process payments;
• to detect incorrect order details;
• to communicate with our Customers and consenting subjects regarding our services;
• to facilitate access for users on our website(s);
• to provide Customers with information about products or services we have been requested.

3.3 What we do with it

Customer data is processed in our management and monitoring platform. The Security of your data is important to us and we take appropriate technical and organisational measures to protect it.

Customer data will not be transferred to any third-party unless this is required for one of the following reasons:

• In order to fulfil the service ordered and meet our obligations (for example to a fulfil a domain registration with a particular registry)
• Estonian law enforcement request, Court order or statutory requirement
• Merger, acquisition of company or sale of company assets.

Any such third-party will have similar appropriate data protection policies.

We do not and never shall sell your personal data to third parties for marketing or advertising purposes.

3.4 How long do we keep it?

We will keep Customer personal data as long as is required to fulfil our obligations. After we have fulfilled our obligations, under Estonian law, we are required to keep Customer documents for a further 6 years[d]. After this period, Customer personal data will be irreversibly destroyed. Any personal data held by us for marketing and service update notifications will be kept by us until such time that you notify us that you no longer wish to receive this information.

3.5 What about security?

In line with our IT & Security Policy, we take all reasonable steps including appropriate technical and organisational measures to protect Customer Personal Data.

3.6 What are Customer’s rights?

Under GDPR regulations if the Customer should believe that any of his personal data we hold is incorrect or incomplete, he has the ability to make reasonable requests to see this information, rectify it or have it deleted. Please contact us at [email protected][e] and request a Data Subject Access Request Form.

In the event a Customer wishes to complain about how we have handled his personal data, please contact us at [email protected][f]. We will then look into the complaint and work to resolve the matter.

If a Customer still feels that his personal data has not been handled appropriately according to the law, he can contact the Data Protection Inspectorate www.aki.ee and file a complaint with them.

3.7 What about Cookies?

We may store some information on the Customer and Visitors computers in the form of a "cookie". A Cookie will permit us to maintain our service to match Customers and Visitors needs, interests and preferences. You have a right to refuse to accept cookies.

A cookie is a small text file that is saved on your computer. Most web sites deliver cookies to provide visitors access to various functions on the website. Cookies can be long-lived or short lived. The long-lived cookie holds information and compares it with information you display when you return. Websites that recognise you when you return and provide access codes automatically are examples of this. The short-term cookies are known as session cookies. These are stored temporarily during your visit and are not stored in your computer for long and are regularly deleted when you close your computer. Long lasting cookies can be deleted from "documents and settings" on your computer.

You can set your computer to block cookies by setting your browser to reject them. However, you may lose many functions that you at present take for granted. Cookies have become like unseen automatic servants - doing things repeatedly that would otherwise require our deliberate intervention.

3.8 What about domain name registration?

Currently some personal data is made available on the public WHOIS database as this is a contractual requirement of the governing body ICANN. This requirement is being reviewed by the EU Commission. Most European country code registries have phased out the publishing of personal WHOIS data. Certain country code domain registries outside of the EU will still publish WHOIS data as this is often mandatory if Customer requires the domain name. Each domain registry has its own Domain Registration and Privacy Policies which we advise the Customer to read.