Privacy Policy

Learn how we collect, process, and secure your personal data.

Last Updated: April 1, 2026

Your Privacy Matters. This policy explains clearly how we handle your personal data. We do not sell your personal information to any third party. We collect only what is necessary to provide and improve our services.

At Hosting Captain (operating at hostingcaptain.in), we are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy describes in detail what information we collect, why we collect it, how we use and store it, who we share it with, and what rights you have over your data. This policy applies to all visitors, registered users, and customers of our web hosting, VPS, Dedicated Server, domain registration, and related infrastructure services.

1. Data Controller Information

For the purposes of applicable data protection laws, the Data Controller responsible for your personal information is:

As the Data Controller, we determine the purposes and means of processing your personal data. Where we engage third-party processors (such as payment gateways or analytics providers), we ensure appropriate data processing agreements and safeguards are in place.

2. Information We Collect

We collect the following categories of information:

A. Identity & Contact Information (Provided by You):

  • Full legal name and any business or company name.
  • Valid email address (used for account login and all communications).
  • Phone number (for support verification and urgent service notifications).
  • Billing address, including street, city, state, PIN code, and country.
  • GSTIN (Goods and Services Tax Identification Number), where voluntarily provided for GST invoice generation.

B. Account & Transaction Data:

  • Account login credentials (password stored as a one-way bcrypt hash — we never store plaintext passwords).
  • Order history, invoice records, and payment receipts.
  • Applied coupon codes and promotional discount records.
  • Selected service plans, billing cycles, and configuration options.
  • Server provisioning details such as assigned IP addresses, operating system, and configuration parameters.

C. Technical & Usage Data (Automatically Collected):

  • IP address and approximate geographic location at the time of login or transaction.
  • Browser type, version, and operating system.
  • Pages visited on our website, clickstream data, and session duration.
  • Referral URLs and search engine queries that led you to our website.
  • Device identifiers and screen resolution (collected via analytics tools).

D. Communication Data:

  • Content of support emails, tickets, or messages you send to us.
  • Records of notifications and transactional emails we have sent to you.
  • Feedback, survey responses, or testimonials voluntarily submitted.

What We Do NOT Collect: We do not collect or store raw payment card numbers, CVV codes, or bank account details. All payment processing is handled exclusively by our PCI-DSS compliant payment gateway partner, Stripe. We also do not collect sensitive personal data such as biometrics, health information, religious beliefs, or political opinions.

3. How We Collect Your Data

We collect data through the following mechanisms:

  • Registration & Account Forms: When you create an account, place an order, or update your profile on our customer portal.
  • Checkout & Payment Forms: When you submit billing information and complete a purchase. Payment card data is transmitted directly to Stripe's secure servers and never passes through our own infrastructure.
  • Contact & Support Forms: When you submit an inquiry via our contact page or email our support team.
  • Cookies & Browser Technologies: Automatically when you browse our website (see Section 7 for full cookie details).
  • Server Log Files: Our web servers automatically record access logs that include IP addresses, request timestamps, and HTTP status codes for security monitoring and debugging purposes.
  • Analytics Tools: We use Google Analytics and Microsoft Clarity to collect aggregated, anonymised usage data about how visitors interact with our website.
  • Email Interactions: When you open, click, or reply to our transactional emails, basic interaction metadata may be recorded by our email delivery provider.

We do not purchase data from, or engage in data sharing arrangements with, third-party data brokers.

We process your personal data only where we have a lawful basis to do so. Our legal bases include:

  • Contractual Necessity: Processing is necessary to fulfil the service contract between you and Hosting Captain — for example, provisioning your server, generating your invoices, and communicating service-related updates.
  • Legal Obligation: Processing is required to comply with applicable laws — for example, retaining invoices and tax records as required under Indian tax law (GST Act, Income Tax Act).
  • Legitimate Interests: Processing is carried out for our legitimate business interests, such as preventing fraud, securing our network, improving our services, and sending you relevant service communications — provided these interests are not overridden by your data protection rights.
  • Consent: Where required by law, we will seek your explicit consent before processing your data for specific purposes such as sending non-transactional marketing communications. You may withdraw consent at any time.

We do not use automated decision-making or profiling systems that produce legal or similarly significant effects on you.

5. How We Use Your Information

We use the information we collect for the following specific purposes:

Service Delivery:

  • To create, manage, and administer your hosting account and provisioned servers.
  • To process payments, generate GST-compliant invoices, and maintain billing records.
  • To provision, configure, and migrate your server resources as per your plan.
  • To send you server credentials, welcome emails, and service activation confirmations.

Customer Support:

  • To respond to your support queries, complaints, or billing disputes.
  • To verify your identity before making account changes or disclosing account-sensitive information.

Service Communications:

  • To send renewal reminders, maintenance notices, and service outage notifications.
  • To notify you of changes to our Terms of Service, Privacy Policy, or pricing.
  • To send you security alerts relevant to your account or server.

Security & Fraud Prevention:

  • To detect, investigate, and prevent fraudulent transactions, account takeovers, and network abuse.
  • To monitor server activity for signs of compromise, malware distribution, or policy violations.
  • To maintain audit logs of administrative access for security accountability.

Business Analytics & Improvement:

  • To analyse aggregated, anonymised usage data to improve our website, product offerings, and customer experience.
  • To understand purchasing trends and plan capacity for our infrastructure.
  • To measure the effectiveness of promotional campaigns (using aggregated, non-personal data only).

We will never: sell your personal data to third parties, use your data for unsolicited commercial marketing without consent, or share your personal data with advertisers for targeting purposes.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share data with the following carefully selected third parties only to the extent necessary to operate our Services:

| Third Party | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing | Billing name, email, amount, card token | stripe.com/privacy |
| Google Analytics | Website usage analytics | Anonymised usage & session data | policies.google.com |
| Microsoft Clarity | UX heatmaps & session recording | Anonymised click/scroll/session data | privacy.microsoft.com |
| Data Centre Providers | Physical hardware & connectivity | Server IP, hostname, usage metrics | Subject to individual DC agreements |
| Email Delivery Service | Transactional email delivery | Recipient email, email content | Subject to provider's privacy policy |

Law Enforcement & Legal Obligations: We may disclose your personal data to government authorities, law enforcement agencies, or courts where we are legally required to do so by a valid court order, subpoena, or other lawful legal process. Where permitted by law, we will attempt to notify you before disclosing your data in response to such requests.

Business Transfers: In the event of a merger, acquisition, asset sale, or restructuring of our business, your personal data may be transferred to the acquiring entity. We will notify you via email or a prominent notice on our website prior to any such transfer and advise you of any choices you may have regarding your data.

7. Cookies & Tracking Technologies

We use cookies and similar browser technologies to enhance your experience on our website. A cookie is a small text file placed on your device by your browser when you visit a website.

We use the following types of cookies:

  • Strictly Necessary Cookies (Cannot be disabled): These are essential for core website functionality. They manage your login session, remember your active shopping cart contents, protect against CSRF (cross-site request forgery) attacks, and preserve checkout state. Without these cookies, our website cannot function correctly.
  • Analytics Cookies (Google Analytics): These collect anonymised data about how visitors interact with our website — which pages are most visited, how long sessions last, and where traffic originates. This data is aggregated and does not identify you personally. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
  • Behavioural Analytics Cookies (Microsoft Clarity): Microsoft Clarity records anonymised heatmaps and session replays to help us understand user experience and identify usability issues. Clarity does not capture sensitive form fields (such as passwords or payment details). You may opt out via Microsoft's privacy dashboard.
  • Preference Cookies: These remember your preferences such as selected currency or notification settings to personalise your experience on subsequent visits.

Cookie Lifespan: Session cookies expire when you close your browser. Persistent analytics cookies may be retained for up to 24 months depending on the specific analytics platform's configuration.

Managing Cookies: You can control and delete cookies at any time through your browser settings. Note that disabling strictly necessary cookies may impair critical website functionality including account login and checkout. Instructions for managing cookies in major browsers: Chrome, Firefox, Safari.

8. Data Security & Encryption

We implement a multi-layered security architecture to protect your personal data against unauthorised access, disclosure, alteration, or destruction:

  • Database-Level Encryption: All customer personally identifiable information (PII) — including name, email, phone number, and billing address — is stored in our MySQL database encrypted using AES-256 encryption with rotating encryption keys. Even in the event of a database leak, raw personal data cannot be read without the encryption key.
  • Password Hashing: Account passwords are hashed using bcrypt with an appropriate cost factor. We never store plaintext passwords and cannot retrieve your original password — only reset it.
  • Transport Encryption (HTTPS/TLS): All data transmitted between your browser and our servers is encrypted using TLS 1.2 or TLS 1.3 (HTTPS). We enforce HTTPS-only access with HTTP Strict Transport Security (HSTS) headers.
  • CSRF Protection: All state-changing HTTP requests (form submissions, cart updates, checkout) are protected with cryptographic CSRF tokens to prevent cross-site request forgery attacks.
  • Access Controls: Access to the production database and customer records is strictly limited to authenticated administrators via secure, key-authenticated connections. No public-facing application has direct database write access beyond its specific scoped queries.
  • Payment Security: We are not in scope for PCI-DSS certification because all card data is handled exclusively by Stripe, which holds PCI-DSS Level 1 certification — the highest level of payment security certification available.
  • Audit Logging: Administrative access to customer records is logged with timestamps, IP addresses, and action types for security accountability and forensic investigation purposes.

While we take every reasonable precaution to protect your data, no security system is impenetrable. We encourage you to use a strong, unique password for your Hosting Captain account and to enable any available two-factor authentication options.

9. Data Retention Policy

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations:

  • Active Account Data: Retained for the duration of your active account. Personal data associated with your active services (name, email, billing address, order history) is kept while your account remains open.
  • Post-Termination: Following account closure or service termination, your personal account data (excluding invoice records) is retained for a period of 90 days to allow for reactivation requests, dispute resolution, and chargeback investigations. After this period, personal identifiers are anonymised or deleted.
  • Invoice & Tax Records: Order and invoice records are retained for a minimum of 8 years from the date of transaction as required under the Indian Goods and Services Tax (GST) Act and Income Tax Act for tax compliance and audit purposes. These records may be anonymised where personal identifiers are not required for tax reporting.
  • Server Access Logs: Web server access logs (IP addresses, request timestamps) are retained for up to 90 days for security monitoring and then automatically purged.
  • Support Communications: Email and support records are retained for up to 3 years from the date of last interaction for quality assurance and dispute resolution purposes.
  • Analytics Data: Anonymised analytics data collected via Google Analytics and Microsoft Clarity is retained per those platforms' own data retention configurations (typically 14–26 months).

Upon the expiry of the applicable retention period, personal data is either securely deleted, anonymised (so it can no longer be associated with you), or archived in an encrypted form where longer retention is required by law.

10. Your Data Protection Rights

Subject to applicable law, you have the following rights with respect to your personal data held by Hosting Captain. To exercise any of these rights, contact us at [email protected]. We will respond to all verified requests within 30 calendar days.

  • Right of Access: You have the right to request a copy of the personal data we hold about you and information about how we process it.
  • Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update most information directly through your account portal.
  • Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal data where we no longer have a legitimate purpose or legal obligation to retain it. Note that certain data (such as invoice records) must be retained for legal compliance even after a deletion request.
  • Right to Restrict Processing: You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data or object to its processing.
  • Right to Data Portability: Where processing is based on your consent or a contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit it to another controller.
  • Right to Object: You have the right to object to processing based on legitimate interests. Where your objection is to direct marketing, we will cease processing for that purpose without requiring justification.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant supervisory authority if you believe your data protection rights have been violated. In India, this may be the Data Protection Board of India (under the DPDPA, 2023).

We will not discriminate against you for exercising any of your data protection rights. We may need to verify your identity before processing your request to ensure your data is not disclosed to unauthorised parties.

11. Children's Privacy

Our Services are intended solely for individuals who are 18 years of age or older. We do not knowingly collect, solicit, or process personal data from persons under the age of 18.

If we become aware that we have inadvertently collected personal data from a minor under the age of 18, we will take immediate steps to delete that data from our systems. If you believe that a minor's data may have been submitted through our platform, please contact us immediately at [email protected].

12. International Data Transfers

Hosting Captain is based in India, and our primary data storage and processing occurs within India. However, some of our third-party service providers — including Stripe (payment processing), Google Analytics, and Microsoft Clarity — may process data in data centres located outside of India, including in the United States and European Union.

Where your personal data is transferred to and processed in countries outside India, we ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws. These safeguards include:

  • Transferring data only to countries deemed to provide an adequate level of data protection by the relevant regulatory authority.
  • Engaging only with third-party processors that maintain their own robust privacy programmes and certifications (such as Stripe's PCI-DSS Level 1 and SOC 2 Type II certifications).
  • Implementing Standard Contractual Clauses (SCCs) or equivalent contractual mechanisms where required.

By using our Services, you acknowledge and consent to the processing of your data as described in this section.

13. Data Breach Response

Despite our extensive security measures, no system is entirely immune to data breaches. In the event that we discover or are notified of a data security incident that may compromise the personal data of our customers, we are committed to the following response process:

  • Containment: We will immediately activate our incident response procedures to contain the breach, isolate affected systems, and prevent further unauthorised access.
  • Assessment: We will assess the scope and nature of the breach, identify what data was affected, and determine the risk level to affected individuals.
  • Notification: Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected customers without undue delay, and in any case within 72 hours of becoming aware of the breach, to the extent feasible. This notification will include the nature of the breach, categories of data affected, and steps we recommend you take to protect yourself.
  • Regulatory Reporting: We will report qualifying breaches to the relevant data protection authority as required by applicable law.
  • Remediation: We will implement appropriate remediation measures and conduct a post-incident review to strengthen our defences.

To help us reach you promptly in an emergency, please ensure your registered email address is always current and that you monitor it regularly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or our Services. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Send an email notification to your registered account email address for significant changes.
  • Where required by law, seek your renewed consent before processing your data under the new policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Services after any changes to this policy constitutes your acceptance of those changes.

15. Contact & Grievance Officer

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your data protection rights, please contact us using the details below. We are committed to working with you to resolve any privacy concerns promptly and fairly.

All privacy-related requests must be submitted in writing (via email or contact form) and must include sufficient information for us to verify your identity and understand the nature of your request. We will acknowledge receipt of your request within 5 business days.
