Legal

Privacy Policy

Effective February 18, 2026

This policy explains what data we collect, why we collect it, and how we handle it. We keep it minimal — we only collect what's needed to run the service.
01

What We Collect

Account information

Your email address, used for authentication (magic links) and billing-related communications.

SSH public keys

Public keys you provide for VPS access. We never ask for or store private keys.

Payment information

Processed and stored by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. We retain only a Stripe customer ID and subscription reference.

Server metadata

VPS instance IDs, IP addresses, provisioning status, power state, and configuration choices (plan, setup config). This is required to operate the service.

Access logs

IP addresses, request paths, and timestamps for requests to our web application. Used for security monitoring and debugging. Retained for 30 days.

02

What We Don't Collect

  • We do not monitor, inspect, or log the contents of your VPS instances
  • We do not track your activity across other websites
  • We do not use third-party analytics or advertising trackers
  • We do not sell, rent, or share your data with third parties for marketing
03

How We Use Your Data

We use collected data exclusively to:

  • Authenticate you and maintain your session
  • Provision, operate, and manage your VPS instances
  • Process payments and manage subscriptions via Stripe
  • Send transactional emails (login links, billing receipts, service alerts)
  • Monitor and protect the security of our infrastructure
  • Comply with legal obligations
04

Third-Party Services

We use a small number of third-party services to operate BotVPS:

Stripe

Payment processing. Subject to Stripe's privacy policy.

DigitalOcean

Infrastructure hosting. VPS instances run on their platform.

Resend

Transactional email delivery for login links and alerts.

05

Cookies & Sessions

We use a single session cookie to keep you logged in. It is:

  • HttpOnly (not accessible to JavaScript)
  • Secure (transmitted over HTTPS only in production)
  • SameSite=Lax (CSRF protection)
  • Expires after 30 days

We do not use advertising cookies, tracking pixels, or fingerprinting techniques.

06

Data Retention

Account data is retained while your account is active. When you delete your account:

  • All VPS instances are destroyed immediately
  • Account information is deleted within 30 days
  • Billing records may be retained as required by tax and accounting law

Access logs are automatically purged after 30 days.

07

Security

We implement reasonable security measures including encrypted connections (TLS), SSH key-only authentication, session-based access controls, and infrastructure-level firewalls. However, no system is perfectly secure, and we cannot guarantee absolute security.

08

Your Rights

You may at any time:

  • Request a copy of the data we hold about you
  • Request correction of inaccurate data
  • Delete your account and all associated data from the dashboard
  • Withdraw consent for non-essential data processing

For data requests, email [email protected]. We will respond within 30 days.

09

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email. The effective date at the top of this page indicates when the policy was last revised.