Last Updated: April 1, 2026
Your Privacy Matters. This policy
explains clearly how we handle your personal data. We do not sell your personal information to
any third party. We collect only what is necessary to provide and improve our services.
At Hosting Captain (operating at hostingcaptain.in), we are
committed to protecting your privacy and handling your personal data responsibly. This Privacy
Policy describes in detail what information we collect, why we collect it, how we use and store
it, who we share it with, and what rights you have over your data. This policy applies to all
visitors, registered users, and customers of our web hosting, VPS, Dedicated Server, domain
registration, and related infrastructure services.
1. Data Controller Information
For the purposes of applicable data protection laws, the Data
Controller responsible for your personal information is:
As the Data Controller, we determine the purposes and means of processing your
personal data. Where we engage third-party processors (such as payment gateways or analytics
providers), we ensure appropriate data processing agreements and safeguards are in place.
2. Information We Collect
We collect the following categories of information:
A. Identity & Contact Information (Provided by You):
- Full legal name and any business or company name.
- Valid email address (used for account login and all communications).
- Phone number (for support verification and urgent service notifications).
- Billing address, including street, city, state, PIN code, and country.
- GSTIN (Goods and Services Tax Identification Number), where voluntarily provided for GST
invoice generation.
B. Account & Transaction Data:
- Account login credentials (password stored as a one-way bcrypt hash — we never store
plaintext passwords).
- Order history, invoice records, and payment receipts.
- Applied coupon codes and promotional discount records.
- Selected service plans, billing cycles, and configuration options.
- Server provisioning details such as assigned IP addresses, operating system, and
configuration parameters.
C. Technical & Usage Data (Automatically Collected):
- IP address and approximate geographic location at the time of login or transaction.
- Browser type, version, and operating system.
- Pages visited on our website, clickstream data, and session duration.
- Referral URLs and search engine queries that led you to our website.
- Device identifiers and screen resolution (collected via analytics tools).
D. Communication Data:
- Content of support emails, tickets, or messages you send to us.
- Records of notifications and transactional emails we have sent to you.
- Feedback, survey responses, or testimonials voluntarily submitted.
What We Do NOT Collect: We do not collect or store raw payment card
numbers, CVV codes, or bank account details. All payment processing is handled exclusively by
our PCI-DSS compliant payment gateway partner, Stripe. We also do not collect sensitive personal
data such as biometrics, health information, religious beliefs, or political opinions.
3. How We Collect Your Data
We collect data through the following mechanisms:
- Registration & Account Forms: When you create an account, place an
order, or update your profile on our customer portal.
- Checkout & Payment Forms: When you submit billing information and
complete a purchase. Payment card data is transmitted directly to Stripe's secure servers
and never passes through our own infrastructure.
- Contact & Support Forms: When you submit an inquiry via our contact
page or email our support team.
- Cookies & Browser Technologies: Automatically when you browse our
website (see Section 7 for full cookie details).
- Server Log Files: Our web servers automatically record access logs that
include IP addresses, request timestamps, and HTTP status codes for security monitoring and
debugging purposes.
- Analytics Tools: We use Google Analytics and Microsoft Clarity to collect
aggregated, anonymised usage data about how visitors interact with our website.
- Email Interactions: When you open, click, or reply to our transactional
emails, basic interaction metadata may be recorded by our email delivery provider.
We do not purchase data from, or engage in data sharing arrangements with,
third-party data brokers.
4. Legal Basis for Processing
We process your personal data only where we have a lawful basis to do so. Our legal
bases include:
- Contractual Necessity: Processing is necessary to fulfil the service
contract between you and Hosting Captain — for example, provisioning your server, generating
your invoices, and communicating service-related updates.
- Legal Obligation: Processing is required to comply with applicable laws —
for example, retaining invoices and tax records as required under Indian tax law (GST Act,
Income Tax Act).
- Legitimate Interests: Processing is carried out for our legitimate business
interests, such as preventing fraud, securing our network, improving our services, and
sending you relevant service communications — provided these interests are not overridden by
your data protection rights.
- Consent: Where required by law, we will seek your explicit consent before
processing your data for specific purposes such as sending non-transactional marketing
communications. You may withdraw consent at any time.
We do not use automated decision-making or profiling systems that produce legal or
similarly significant effects on you.
5. How We Use Your Information
We use the information we collect for the following specific purposes:
Service Delivery:
- To create, manage, and administer your hosting account and provisioned servers.
- To process payments, generate GST-compliant invoices, and maintain billing records.
- To provision, configure, and migrate your server resources as per your plan.
- To send you server credentials, welcome emails, and service activation confirmations.
Customer Support:
- To respond to your support queries, complaints, or billing disputes.
- To verify your identity before making account changes or disclosing account-sensitive
information.
Service Communications:
- To send renewal reminders, maintenance notices, and service outage notifications.
- To notify you of changes to our Terms of Service, Privacy Policy, or pricing.
- To send you security alerts relevant to your account or server.
Security & Fraud Prevention:
- To detect, investigate, and prevent fraudulent transactions, account takeovers, and network
abuse.
- To monitor server activity for signs of compromise, malware distribution, or policy
violations.
- To maintain audit logs of administrative access for security accountability.
Business Analytics & Improvement:
- To analyse aggregated, anonymised usage data to improve our website, product offerings, and
customer experience.
- To understand purchasing trends and plan capacity for our infrastructure.
- To measure the effectiveness of promotional campaigns (using aggregated, non-personal data
only).
We will never: sell your personal data to third parties, use your
data for unsolicited commercial marketing without consent, or share your personal data with
advertisers for targeting purposes.
6. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information. We share data with the
following carefully selected third parties only to the extent necessary to operate our Services:
| Third Party | Purpose | Data Shared | Their Privacy Policy |
| --- | --- | --- | --- |
| Stripe | Payment processing | Billing name, email, amount, card token | stripe.com/privacy |
| Google Analytics | Website usage analytics | Anonymised usage & session data | policies.google.com |
| Microsoft Clarity | UX heatmaps & session recording | Anonymised click/scroll/session data | privacy.microsoft.com |
| Data Centre Providers | Physical hardware & connectivity | Server IP, hostname, usage metrics | Subject to individual DC agreements |
| Email Delivery Service | Transactional email delivery | Recipient email, email content | Subject to provider's privacy policy |
Law Enforcement & Legal Obligations: We may disclose your
personal data to government authorities, law enforcement agencies, or courts where we are
legally required to do so by a valid court order, subpoena, or other lawful legal process. Where
permitted by law, we will attempt to notify you before disclosing your data in response to such
requests.
Business Transfers: In the event of a merger, acquisition, asset
sale, or restructuring of our business, your personal data may be transferred to the acquiring
entity. We will notify you via email or a prominent notice on our website prior to any such
transfer and advise you of any choices you may have regarding your data.
7. Cookies & Tracking Technologies
We use cookies and similar browser technologies to enhance your experience on our
website. A cookie is a small text file placed on your device by your browser when you visit a
website.
We use the following types of cookies:
- Strictly Necessary Cookies (Cannot be disabled): These are essential for
core website functionality. They manage your login session, remember your active shopping
cart contents, protect against CSRF (cross-site request forgery) attacks, and preserve
checkout state. Without these cookies, our website cannot function correctly.
- Analytics Cookies (Google Analytics): These collect anonymised data about
how visitors interact with our website — which pages are most visited, how long sessions
last, and where traffic originates. This data is aggregated and does not identify you
personally. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
- Behavioural Analytics Cookies (Microsoft Clarity): Microsoft Clarity
records anonymised heatmaps and session replays to help us understand user experience and
identify usability issues. Clarity does not capture sensitive form fields (such as passwords
or payment details). You may opt out via Microsoft's privacy dashboard.
- Preference Cookies: These remember your preferences such as selected
currency or notification settings to personalise your experience on subsequent visits.
Cookie Lifespan: Session cookies expire when you close your
browser. Persistent analytics cookies may be retained for up to 24 months depending on the
specific analytics platform's configuration.
Managing Cookies: You can control and delete cookies at any time
through your browser settings. Note that disabling strictly necessary cookies may impair
critical website functionality including account login and checkout. Instructions for managing
cookies in major browsers: Chrome, Firefox, Safari.
8. Data Security & Encryption
We implement a multi-layered security architecture to protect your personal data
against unauthorised access, disclosure, alteration, or destruction:
- Database-Level Encryption: All customer personally identifiable information
(PII) — including name, email, phone number, and billing address — is stored in our MySQL
database encrypted using AES-256 encryption with rotating encryption
keys. Even in the event of a database leak, raw personal data cannot be read without the
encryption key.
- Password Hashing: Account passwords are hashed using
bcrypt with an appropriate cost factor. We never store plaintext passwords
and cannot retrieve your original password — only reset it.
- Transport Encryption (HTTPS/TLS): All data transmitted between your browser
and our servers is encrypted using TLS 1.2 or TLS 1.3 (HTTPS). We enforce
HTTPS-only access with HTTP Strict Transport Security (HSTS) headers.
- CSRF Protection: All state-changing HTTP requests (form submissions, cart
updates, checkout) are protected with cryptographic CSRF tokens to prevent cross-site
request forgery attacks.
- Access Controls: Access to the production database and customer records is
strictly limited to authenticated administrators via secure, key-authenticated connections.
No public-facing application has direct database write access beyond its specific scoped
queries.
- Payment Security: We are not in scope for PCI-DSS certification because all
card data is handled exclusively by Stripe, which holds PCI-DSS Level 1
certification — the highest level of payment security certification available.
- Audit Logging: Administrative access to customer records is logged with
timestamps, IP addresses, and action types for security accountability and forensic
investigation purposes.
While we take every reasonable precaution to protect your data, no security system
is impenetrable. We encourage you to use a strong, unique password for your Hosting Captain
account and to enable any available two-factor authentication options.
9. Data Retention Policy
We retain your personal data only for as long as necessary to fulfil the purposes
for which it was collected and to comply with our legal obligations:
- Active Account Data: Retained for the duration of your active account.
Personal data associated with your active services (name, email, billing address, order
history) is kept while your account remains open.
- Post-Termination: Following account closure or service termination, your
personal account data (excluding invoice records) is retained for a period of 90
days to allow for reactivation requests, dispute resolution, and chargeback
investigations. After this period, personal identifiers are anonymised or deleted.
- Invoice & Tax Records: Order and invoice records are retained for a
minimum of 8 years from the date of transaction as required under the
Indian Goods and Services Tax (GST) Act and Income Tax Act for tax compliance and audit
purposes. These records may be anonymised where personal identifiers are not required for
tax reporting.
- Server Access Logs: Web server access logs (IP addresses, request
timestamps) are retained for up to 90 days for security monitoring and then
automatically purged.
- Support Communications: Email and support records are retained for up to
3 years from the date of last interaction for quality assurance and dispute
resolution purposes.
- Analytics Data: Anonymised analytics data collected via Google Analytics
and Microsoft Clarity is retained per those platforms' own data retention configurations
(typically 14–26 months).
Upon the expiry of the applicable retention period, personal data is either securely
deleted, anonymised (so it can no longer be associated with you), or archived in an encrypted
form where longer retention is required by law.
10. Your Data Protection Rights
Subject to applicable law, you have the following rights with respect to your
personal data held by Hosting Captain. To exercise any of these rights, contact us at [email protected]. We will respond to all
verified requests within 30 calendar days.
- Right of Access: You have the right to request a copy of the personal data
we hold about you and information about how we process it.
- Right to Rectification: You have the right to request correction of any
inaccurate or incomplete personal data we hold about you. You can update most information
directly through your account portal.
- Right to Erasure ("Right to be Forgotten"): You have the right to request
deletion of your personal data where we no longer have a legitimate purpose or legal
obligation to retain it. Note that certain data (such as invoice records) must be retained
for legal compliance even after a deletion request.
- Right to Restrict Processing: You have the right to request that we
restrict processing of your personal data in certain circumstances — for example, while you
contest the accuracy of the data or object to its processing.
- Right to Data Portability: Where processing is based on your consent or a
contract, you have the right to receive your personal data in a structured, commonly used,
machine-readable format (such as CSV or JSON) and to transmit it to another controller.
- Right to Object: You have the right to object to processing based on
legitimate interests. Where your objection is to direct marketing, we will cease processing
for that purpose without requiring justification.
- Right to Withdraw Consent: Where processing is based on your consent, you
may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried
out before withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with
the relevant supervisory authority if you believe your data protection rights have been
violated. In India, this may be the Data Protection Board of India (under the DPDPA, 2023).
We will not discriminate against you for exercising any of your data protection
rights. We may need to verify your identity before processing your request to ensure your data
is not disclosed to unauthorised parties.
11. Children's Privacy
Our Services are intended solely for individuals who are 18 years of age or
older. We do not knowingly collect, solicit, or process personal data from persons
under the age of 18.
If we become aware that we have inadvertently collected personal data from a minor
under the age of 18, we will take immediate steps to delete that data from our systems. If you
believe that a minor's data may have been submitted through our platform, please contact us
immediately at [email protected].
12. International Data Transfers
Hosting Captain is based in India, and our primary data storage and processing
occurs within India. However, some of our third-party service providers — including Stripe
(payment processing), Google Analytics, and Microsoft Clarity — may process data in data centres
located outside of India, including in the United States and European Union.
Where your personal data is transferred to and processed in countries outside India,
we ensure that appropriate safeguards are in place to protect your data in accordance with this
Privacy Policy and applicable data protection laws. These safeguards include:
- Transferring data only to countries deemed to provide an adequate level of data protection
by the relevant regulatory authority.
- Engaging only with third-party processors that maintain their own robust privacy programmes
and certifications (such as Stripe's PCI-DSS Level 1 and SOC 2 Type II certifications).
- Implementing Standard Contractual Clauses (SCCs) or equivalent contractual mechanisms where
required.
By using our Services, you acknowledge and consent to the processing of your data as
described in this section.
13. Data Breach Response
Despite our extensive security measures, no system is entirely immune to data
breaches. In the event that we discover or are notified of a data security incident that may
compromise the personal data of our customers, we are committed to the following response
process:
- Containment: We will immediately activate our incident response procedures
to contain the breach, isolate affected systems, and prevent further unauthorised access.
- Assessment: We will assess the scope and nature of the breach, identify
what data was affected, and determine the risk level to affected individuals.
- Notification: Where a breach is likely to result in a high risk to your
rights and freedoms, we will notify affected customers without undue delay, and in any case
within 72 hours of becoming aware of the breach, to the extent feasible.
This notification will include the nature of the breach, categories of data affected, and
steps we recommend you take to protect yourself.
- Regulatory Reporting: We will report qualifying breaches to the relevant
data protection authority as required by applicable law.
- Remediation: We will implement appropriate remediation measures and conduct
a post-incident review to strengthen our defences.
To help us reach you promptly in an emergency, please ensure your registered email
address is always current and that you monitor it regularly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data
practices, applicable law, or our Services. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Send an email notification to your registered account email address for significant changes.
- Where required by law, seek your renewed consent before processing your data under the new
policy.
We encourage you to review this Privacy Policy periodically to stay informed about
how we protect your information. Your continued use of our Services after any changes to this
policy constitutes your acceptance of those changes.
15. Contact & Grievance Officer
If you have any questions, concerns, or complaints about this Privacy Policy or our
data practices, or if you wish to exercise any of your data protection rights, please contact us
using the details below. We are committed to working with you to resolve any privacy concerns
promptly and fairly.
All privacy-related requests must be submitted in writing (via email or contact
form) and must include sufficient information for us to verify your identity and understand the
nature of your request. We will acknowledge receipt of your request within 5 business days.