Effective Date: August 14, 2017
Last Updated: May 28, 2026

Overview

This Privacy Policy (the "Policy") describes how CCHosting, Inc., a Delaware corporation with registered office at 1111B S Governors Ave # 48212, Dover, DE 19904 ("ChemiCloud", "we", "us", "our") collects, uses, shares, and protects personal data of customers and users of our consulting services, online services, websites, and web services (the "Services").

This Policy applies to all visitors to chemicloud.com (and its subdomains), to all customers of our Services, and to anyone whose personal data we process in connection with operating our business. It is a single, unified policy: where particular legal regimes (such as the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act / CPRA, COPPA, and similar laws) grant you additional rights, those rights are described inline in the relevant section.

For Data Processing Addendum (DPA) purposes under GDPR Article 28, the current DPA is available at GDPR Addendum, or by request to [email protected].

1. Scope and Roles

1.1 Controller. For personal data we collect about you when you visit our websites, sign up for our Services, contact our support team, apply for a job, or participate in surveys or contests, ChemiCloud acts as a data controller under GDPR / UK GDPR / Swiss FADP / California law.

1.2 Processor. For personal data of your End Users that you host on our infrastructure as part of using the Services (your databases, your customers' contact lists, the contents of your email inboxes routed through us, etc.), ChemiCloud acts as a data processor on your behalf. The terms of that processing are set out in our Data Processing Addendum.

1.3 EU Representative. ChemiCloud has designated George Duduman as our EU Representative under GDPR Article 27. EU/EEA/UK residents may contact our EU Representative directly at [email protected] to exercise any of their rights under the GDPR.

1.4 Privacy Officer & Privacy Team. Our Privacy Officer, George Duduman, leads our Privacy Team. The team is reachable at [email protected]; this inbox is actively monitored and managed.

2. Information We Collect

We collect personal data only as it might be needed for us to deliver our Services. The categories of personal data we may collect include:

2.1 Information you give us directly.

• Account & billing data when you create an account or purchase a Service: name, postal address, telephone number, email address, payment details (handled by our payment processors, see §4.1), VAT/tax identifier where applicable;
• Support data when you contact our customer-support team: phone number, ticket and chat transcripts, case notes;
• Marketing data when you fill in contact forms, request newsletters, or sign up for content offers: email address, optional name and company;
• Application data when you apply for a job with us, or participate in a contest, survey, or community activity.

2.2 Information we collect automatically.

• Account-related information: account number, purchases, renewal and expiry dates, information requests, support requests, and notes or details explaining what you asked for and how we responded;
• Service-usage data: IP address, browser type and settings, the date and time the Services were used, browser configuration and plugins, language preferences, cookie data, device identifiers, operating system, and error data;
• Cookies and similar technologies: we use cookies and similar technologies (pixels, local storage, server-side identifiers) for the purposes described in §7 (Cookies);
• Location data (IP-based): we may approximate your location from your IP address for fraud prevention, compliance, and to personalize the Services. We do not collect precise device GPS coordinates.

2.3 Information from third parties. We may receive personal data about you from public sources, marketing partners, or other third parties (for example, fraud-prevention services or affiliate-tracking partners). We use such data only for the purpose for which it was provided to us, and combine it with information we already have about you only to keep our records accurate or to identify customers who may be interested in our Services.

3. Legal Bases for Processing (GDPR / UK GDPR)

If you are in the EU, EEA, UK, or Switzerland, the legal bases on which we rely to process your personal data (per GDPR Article 6) are:

• Performance of a contract (Art. 6(1)(b)): to provide you with the Services you have purchased, to bill you, to provide customer support, and to administer your account;
• Compliance with a legal obligation (Art. 6(1)(c)): to keep accounting and tax records, to respond to lawful requests from authorities, to comply with anti-money-laundering and sanctions law, and to handle DMCA and similar notices;
• Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve our network and Services, to detect and prevent fraud and abuse, to monitor for security threats, to enforce our agreements, and to conduct limited marketing of similar Services to existing customers, in all cases balanced against your interests and fundamental rights;
• Consent (Art. 6(1)(a)): for non-essential cookies, optional analytics, marketing emails where required by law, and any other processing for which we ask for your specific consent. You may withdraw consent at any time without affecting the lawfulness of processing already carried out.

4. How We Use and Share Information

4.1 Sub-processors. We rely on a number of trusted third-party service providers (sub-processors under GDPR Article 28) to operate our Services. We share only the personal data that is necessary for each sub-processor to perform its role, and each is bound by data-processing terms equivalent to ours. Our current sub-processors:

• Stripe, Inc. — credit/debit card and ACH/SEPA payment processing (United States);
• PayPal, Inc. — PayPal payment processing (United States / Luxembourg);
• Cloudflare, Inc. — CDN, WAF, DNS, and DDoS mitigation in front of our infrastructure (United States, with global edge);
• ConvertKit / Kit — marketing emails and newsletters (United States);
• Tawk.to — live chat on chemicloud.com (United States);
• Google LLC — Google Analytics, Google Tag Manager, and YouTube embeds (United States);
• Upstream infrastructure providers — data-center and network providers that host our servers in the regions described in §1.2 of the Service Agreement.

The above list is current as of the Last Updated date. We may update it from time to time; you can request the current list at any time from [email protected].

4.2 International transfers of personal data. Because ChemiCloud operates globally, your personal data may be transferred to and processed in countries other than your country of residence, including the United States. When we transfer personal data from the EU, EEA, UK, or Switzerland to a country that has not been deemed by the European Commission (or the equivalent authority) to provide an adequate level of protection, we rely on appropriate safeguards under GDPR Chapter V, including:

• the Standard Contractual Clauses ("SCCs") approved by the European Commission (Decision 2021/914) for controller-to-processor and controller-to-controller transfers, where required;
• the UK International Data Transfer Addendum for transfers from the UK;
• where available, our sub-processors' certifications under recognized adequacy frameworks (for example, the EU–U.S. Data Privacy Framework).

Where personal data is transferred outside the EEA, we perform a Transfer Impact Assessment ("TIA") in line with European Data Protection Board Recommendations 01/2020, and apply supplementary safeguards (technical, contractual, or organisational) where the assessment identifies a need.

You may request a copy of the relevant transfer safeguards from [email protected].

4.3 Other sharing.

• Within ChemiCloud: with affiliated companies in our corporate family, where appropriate to operate the Services;
• Aggregate, anonymous data: we may share aggregate and de-identified statistics about how our Services are used with investors, potential partners, and the public. Such information cannot reasonably be linked back to an individual;
• Mergers, acquisitions, restructuring: if ChemiCloud is sold, merged, or restructured, personal data may be transferred to the new owners, subject to the same protections set out in this Policy;
• Legal, regulatory, and law-enforcement requests: we cooperate with government and law-enforcement officials and private parties to enforce and comply with the law. We may disclose information about you in our sole discretion if we believe it necessary to respond to claims and legal process (such as a subpoena), to protect our property and rights or the property and rights of a third party, to protect the safety of the public or any person, or to prevent or stop activity we consider to be illegal or unethical. Where legally permitted, we will take reasonable steps to notify you before we are required to provide your personal data to third parties as part of a legal process;
• ICANN / ccTLD: when you register a domain name with us, we will share your information to the extent necessary to comply with ICANN policies and the rules of the applicable Country-Code Top-Level Domain registry.

4.4 Marketing communications. We may contact you directly or through a service provider regarding products or services you have purchased from us, including transactional and service-related communications. We may also contact you with offers for additional services that we think you will find valuable, where you have given consent or where allowed under legitimate interests (in which case you may opt out at any time). Marketing communications may include email, text (SMS) messages, and telephone or automated calls where you have consented to them. You can update your subscription preferences in your Client Area, or by emailing [email protected].

4.5 Targeted advertising. We work with third-party advertising partners (such as Facebook/Meta, Google, Microsoft, and X/Twitter) to present interest-based offers to you on our websites and on third-party websites. These partners use cookies and similar technologies subject to your consent (see §7). If you wish to opt out of interest-based advertising in the EU, EEA, UK, or Switzerland, please contact [email protected]. Please note that opting out of interest-based ads does not stop generic, non-personalized ads.

4.6 We do not sell your personal data. ChemiCloud does not sell your personal data to third parties for money. The "sharing for cross-context behavioral advertising" described in §4.5 may, under California law, be considered "sharing" for which California residents have opt-out rights; see §6.

4.7 Third-party websites. Our websites and the Client Area may contain links to third-party websites and embeds (for example, KB articles, YouTube videos, social-media links, payment-processor checkout flows). We are not responsible for the privacy practices or the content of those third-party sites. Please read the privacy policy of any website you visit.

4.8 Co-branded offers. If we collect information from you in connection with a co-branded offer, it will be clear at the point of collection who is collecting the information and whose privacy policy applies. The relevant collection notice will describe any choices you have regarding the use or sharing of your personal data with the co-branded partner, and how to exercise those choices.

5. Data Retention

We retain personal data only for as long as necessary to provide the Services you have requested and thereafter for legitimate legal, accounting, fraud-prevention, and business-records purposes. Our default retention schedule:

• Active-account data — for the duration of your account, plus up to 30 days after termination to allow for reactivation or final data export, except where a longer retention is required by law or our other policies;
• Backups — per the JetBackup retention policy described in §9 of the Terms of Service. Suspended accounts are not retained; cPanel backups stored on the server are deleted after 14 days;
• Billing, tax, and financial records — up to 7 years, as required by U.S. tax law and analogous laws in other jurisdictions;
• Support tickets and chat transcripts — up to 3 years from the last activity on the ticket;
• Marketing-suppression records — indefinitely, to honor your opt-out;
• Affiliate-tracking data — 90 days from the last click (per the Affiliate cookie window described in Affiliates Terms of Service §2.3);
• Cookies — per the lifetimes set out in our Cookie disclosures and your consent choices (see §7);
• Server access and security logs — up to 13 months, for security investigation and audit purposes;
• Legal-hold records — for as long as required by an active legal proceeding, regulatory investigation, or our legal obligations.

When the retention period for a category of data ends, we either delete it or de-identify it so that it can no longer be linked back to you.

6. Your Rights

6.1 United States — California (CCPA / CPRA), Virginia, Colorado, and similar laws. If you are a California resident, you have the following rights under the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"):

• Right to know — what personal data we collect about you, the categories of sources, the business or commercial purpose, the categories of recipients, and the specific pieces of personal data we hold;
• Right to delete — we will delete the personal data we hold about you, subject to legal-retention exceptions;
• Right to correct — we will correct inaccurate personal data;
• Right to opt out of sale or sharing — we do not sell personal data; if you wish to opt out of cross-context behavioral-advertising sharing (see §4.5), email [email protected];
• Right to limit the use of sensitive personal information — we do not use sensitive personal information for purposes that would require this opt-out;
• Right to non-discrimination — we will not deny you Services, charge you different prices, or provide a lower quality of Services because you exercised any of these rights.

To exercise any of these rights, email [email protected]. We will respond within 45 days, extendable by another 45 days when necessary (we will notify you of the extension). Residents of other U.S. states with comparable consumer-privacy laws (Virginia, Colorado, Connecticut, Utah, etc.) have substantially similar rights and may use the same channel.

6.2 European Union, EEA, United Kingdom, Switzerland (GDPR / UK GDPR / Swiss FADP). If you are in the EU, EEA, UK, or Switzerland, you have the following rights regarding your personal data:

• Right of access (GDPR Art. 15) — to obtain confirmation of whether we process your personal data and a copy of the data;
• Right to rectification (Art. 16) — to have inaccurate personal data corrected and incomplete data completed;
• Right to erasure / right to be forgotten (Art. 17) — to have your personal data deleted, subject to the exceptions in Art. 17(3);
• Right to restriction of processing (Art. 18) — to have processing of your personal data restricted in certain circumstances;
• Right to data portability (Art. 20) — to receive a copy of your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller;
• Right to object (Art. 21) — to object at any time to processing of your personal data based on legitimate interests (including direct marketing);
• Rights related to automated decision-making (Art. 22) — we use automated fraud-screening on orders, which is necessary for entering into or performing the contract with you (Art. 22(2)(a)). If your order is declined by this automated check, you may request human review by emailing [email protected]. Aside from this, we do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you;
• Right to withdraw consent at any time, where we rely on your consent (Art. 7(3)), without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email [email protected]. We respond within one (1) month, extendable by two further months for complex requests (we will notify you of any extension). We do not charge a fee for handling these requests, except in the case of manifestly unfounded or excessive requests.

6.3 Right to lodge a complaint. If you are in the EU, EEA, UK, or Switzerland and you believe our processing of your personal data infringes the law, you have the right to lodge a complaint with your national data-protection supervisory authority. A list of EU/EEA supervisory authorities is available at edpb.europa.eu; the UK authority is the Information Commissioner's Office (ico.org.uk); the Swiss authority is the Federal Data Protection and Information Commissioner (edoeb.admin.ch). We invite you to contact us first at [email protected] so we can try to resolve any concern directly.

6.4 Verifying your identity. Before responding to any data-subject request, we may need to take reasonable steps to verify your identity, for example by asking you to confirm details that match those on your account.

7. Cookies and Similar Technologies

We use cookies and similar technologies on chemicloud.com and the Client Area for several purposes:

• Strictly necessary cookies — required for the website and Lab to function (session, security, load-balancing, fraud-prevention). These cannot be turned off;
• Preference cookies — remember your language, currency, and accessibility choices;
• Analytics cookies — help us understand how our Services are used (Google Analytics, Google Tag Manager). Used only after you consent through the cookie banner;
• Marketing cookies — used by our advertising partners (Facebook/Meta, Google, X/Twitter, Microsoft) to present relevant ads. Used only after you consent;
• Affiliate-tracking cookies — set when you arrive through an affiliate link, to credit the referring affiliate (see §4.1).

You can manage your cookie consent at any time through the cookie banner on our website, through your browser settings, or through third-party tools (such as the EFF's Privacy Badger, or browser extensions like Disconnect or Ghostery). Withdrawing consent will not affect processing that took place before withdrawal.

8. Security

We follow generally accepted standards to store and protect the personal data we collect, both in transit and at rest. ChemiCloud operates global infrastructure designed to provide security through the entire information-processing lifecycle — secure deployment of services, secure storage of data, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators.

The security of our infrastructure is built in layers that build upon one another, from the physical security of our upstream providers, to the security protections of our hardware and software, to the operational-security processes we use to support them. This layered approach creates a strong security foundation for everything we do.

We use encryption to protect data in transit and at rest. Data in transit is protected using HTTPS, which is enabled by default for the Client Area and for our public websites. Sensitive data such as credit-card numbers is encrypted before transmission to our payment processors; we do not store full payment-card numbers on our own infrastructure.

For ChemiCloud employees, access rights and levels are based on job function and role, using the principles of least privilege and need to know. Requests for additional access follow a formal process that involves a request and approval from a data or system owner, manager, or other executives, as required by our security policies.

We scan for vulnerabilities using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality-assurance processes, software-security reviews, and external audits. We also rely on the broader security-research community and greatly value their help in identifying vulnerabilities in our products; please report design and implementation issues to [email protected].

Each customer can enable two-factor authentication ("2FA"). 2FA greatly reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. This can be enabled for the Client Area and for cPanel/WHM as well; please contact [email protected] if you need assistance.

We also use an in-house-developed firewall that monitors suspicious login attempts and helps detect anomalies using machine-learning techniques. The infrastructure is monitored in real time, 24/7/365, by our team.

8.1 Breach notification. In the unlikely event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify our lead supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, in accordance with Article 34.

8.2 Your responsibility. You are responsible for the security of the login credentials — usernames, passwords, API tokens — that give you access to your account and Services. Keep them in a safe place and do not share them. Be aware that keyloggers, malware, and other surveillance devices can intercept credentials on devices from which you access our Services, especially public computers. Always log out from any Services when you are not actively using them. Notify us promptly at [email protected] if you suspect unauthorized access to your account.

9. Children

Our Services are not directed at children. We do not knowingly collect personal data from:

• children under 13 years of age in the United States (per the Children's Online Privacy Protection Act, COPPA);
• children under 16 years of age in the EU, EEA, UK, and Switzerland (the default age of digital consent under GDPR Article 8, except where a Member State has set a lower minimum, which is permitted down to age 13).

If we learn that we have inadvertently collected personal data from a child below the applicable age without verifiable parental consent, we will delete it as soon as practicable. If you believe a child has provided us with personal data, please contact [email protected].

10. Changes to This Privacy Policy

We may modify this Privacy Policy from time to time. If we make material changes, we will notify you here, by email, or by a notice on chemicloud.com at least thirty (30) days before they take effect, except where a shorter notice is required by law. The Last Updated date at the top of this page indicates when the most recent version took effect. A dated history of changes is published at terms revisions.

11. Contact

If you have any questions, concerns, or complaints about this Privacy Policy, our practices, or our Services, you may contact us at:

• Privacy and GDPR / CCPA matters: [email protected]
• Security incidents and abuse: [email protected]
• General support and billing: [email protected]
• Formal legal notices: [email protected]

Mailing address:
CCHosting, Inc.
Attn: Privacy Team
1111B S Governors Ave # 48212
Dover, DE 19904
United States

Revisions

A dated history of changes to this Privacy Policy and our other legal documents is published at terms revisions.