Legal

Privacy Policy

Effective date: 20 April 2026

This Privacy Policy explains how CanarHost Cloud (“CanarHost”, “we”, “us”, “our”) processes personal data in connection with our website, pre-contract enquiries, customer communications, support, hosting operations, security, and compliance activities. It is intended to provide the information required by Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”), and related Spanish information society rules where applicable.

1. Data controller

For the processing covered by this Privacy Policy, the controller is:

CanarHost Cloud
Address: Calle Tomas Cruz 3 of 8, Las Chafiras 38639, Spain
Privacy contact: support@canarhost.com

If we appoint a data protection officer for the activities covered by this policy, we will update this notice accordingly.

2. When this policy applies

This policy applies to:

visitors to the CanarHost website;
people who contact us by form, email, or other direct communications;
prospective customers and customer representatives;
existing customers to the extent we process personal data for our own business purposes, such as account administration, support, security, billing coordination, fraud prevention, compliance, and legal recordkeeping.

This policy does not replace any separate customer contract, data processing addendum, service terms, or security documentation that may apply to a particular service relationship.

3. Roles: when we act as controller and when we may act on customer instructions

For website enquiries, commercial communications, support handling, billing coordination, fraud prevention, legal compliance, and security logs generated by our own systems, CanarHost acts as controller.

If a customer uses our hosting services to store, host, transmit, or otherwise process personal data belonging to that customer’s own users, visitors, employees, or end customers, the customer is generally responsible for determining the purposes and means of that processing. In those cases, CanarHost may act as a processor or infrastructure/service provider for the customer, except where we must process certain data for our own independent purposes, such as security, abuse prevention, invoicing, compliance, business continuity, and legal claims.

Customers remain responsible for ensuring that the content, applications, websites, databases, and communications they run through our services comply with applicable data protection law and include their own valid privacy notices and legal bases.

4. Categories of personal data we process

Depending on the relationship with you, we may process the following categories of personal data:

Data you provide directly

name;
email address;
company name;
the contents of your enquiry, request, or support message;
any additional information you choose to include in communications with us;
account, contract, billing, invoicing, and service administration data if you become a customer.

Data collected automatically when you use the website or services

IP address;
request and response metadata;
timestamps;
user-agent and technical device/browser information;
referrer or route information where available;
security, anti-abuse, and server logs;
service configuration and operational metadata necessary to provide, maintain, and secure hosting services.

Data we do not intend to collect

We do not request special categories of personal data (for example, health data, biometric data, religious beliefs, or political opinions) through the public website. Please do not send this type of information unless it is strictly necessary and legally justified. If you do so, you represent that you have a valid legal basis to disclose it.

5. Purposes of processing and legal bases

We process personal data only where we have a valid legal basis under Article 6 GDPR. The main purposes and legal bases are:

Purpose	Typical data involved	Legal basis
Responding to enquiries, quotations, migration requests, demos, and pre-contract steps	Name, email, company, message contents	Article 6(1)(b) GDPR: steps at your request before entering into a contract
Providing hosting and related services, customer support, and service communications	Account, contact, service, support, and operational data	Article 6(1)(b) GDPR: performance of a contract
Authenticating, securing, monitoring, troubleshooting, preventing abuse, spam, fraud, or unauthorized access, and maintaining backups and business continuity	Technical logs, IP addresses, operational metadata, support context	Article 6(1)(f) GDPR: legitimate interests
Complying with legal, tax, accounting, recordkeeping, law-enforcement, and regulatory obligations	Identity, billing, accounting, transaction, correspondence, and log data	Article 6(1)(c) GDPR: legal obligation
Establishing, exercising, or defending legal claims, audits, investigations, or incident handling	Relevant correspondence, logs, account, billing, and support records	Article 6(1)(f) GDPR: legitimate interests, and where applicable Article 6(1)(c) GDPR
Sending electronic marketing or similar communications where legally required on the basis of consent, or where otherwise lawfully permitted	Contact details and preference data	Article 6(1)(a) GDPR: consent, or another lawful basis where applicable under law

Where we rely on legitimate interests, these generally include operating a secure hosting business, protecting our systems and customers, preventing misuse, preserving evidence, organizing internal administration, and managing legal and commercial risk in a proportionate manner.

We do not use the public website to make decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals.

6. Whether data is mandatory

Some data is necessary so that we can respond to a request or provide a service. For example, if you do not provide the information marked or treated as required in a contact or support process, we may be unable to answer your enquiry, validate your request, or deliver the relevant service safely.

7. Recipients and categories of recipients

We do not sell personal data. We may disclose or make personal data available, on a need-to-know basis, to:

hosting, infrastructure, and systems providers;
email, communications, support, monitoring, security, or backup providers;
payment, invoicing, accounting, tax, banking, or fraud-prevention providers, where relevant;
professional advisers, auditors, insurers, and legal counsel;
competent authorities, regulators, courts, law enforcement bodies, or public administrations where required by law or necessary to protect legal rights;
prospective purchasers, investors, or transaction counterparties and their advisers where disclosure is reasonably necessary in connection with a corporate transaction, subject to appropriate confidentiality controls.

Where third parties process personal data on our behalf, we require them to act under appropriate contractual and security obligations.

8. International transfers

As a rule, we seek to use providers and infrastructure that allow us to operate within the European Economic Area (“EEA”) or under an adequate level of protection. However, some providers or support operations may involve access from, storage in, or transfer to countries outside the EEA.

Where an international transfer is made, we will rely on a lawful transfer mechanism under Chapter V GDPR, such as:

an adequacy decision adopted by the European Commission; or
appropriate safeguards, including the European Commission’s standard contractual clauses, supplemented where necessary by additional technical, organizational, or contractual measures.

You may request general information about the transfer mechanism relevant to your situation by contacting us.

9. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, and thereafter for as long as necessary to comply with legal obligations, preserve evidence, resolve disputes, and defend legal claims.

Our retention approach typically includes the following:

Pre-contract and contact enquiries: normally kept for the time necessary to manage the request and for a limited follow-up period, unless a contract is concluded or longer retention is justified by legal risk, repeated follow-up, or compliance needs.
Customer account, service, and support data: retained for the duration of the customer relationship and afterwards for the periods reasonably necessary for service continuity, incident handling, audits, abuse prevention, and legal limitation periods.
Accounting, invoicing, commercial correspondence, and supporting records: retained for at least the period required by applicable commercial, accounting, and tax rules. Under Article 30 of the Spanish Commercial Code, business books, correspondence, documentation, and supporting records must in general be retained for six years, without prejudice to longer periods required by specific law or necessary for claims.
Technical and security logs: retained for the period reasonably necessary to maintain security, prevent abuse, investigate incidents, and ensure service integrity, after which they may be deleted, overwritten, or reduced.

Backup copies may persist until overwritten in the normal backup cycle, provided they remain subject to appropriate security controls.

10. Your rights

Subject to the conditions and limits established by applicable law, you may exercise the following rights:

access;
rectification;
erasure;
objection;
restriction of processing;
portability;
withdrawal of consent at any time, where processing is based on consent;
not to be subject to decisions based solely on automated processing where the GDPR grants that right.

To exercise your rights, contact us at support@canarhost.com and clearly identify your request. We may ask for reasonable information to verify identity and prevent unauthorized disclosures.

If your request is valid, we will normally respond within one month, although the period may be extended where legally permitted due to complexity or number of requests. If you believe that our processing infringes data protection law, you also have the right to lodge a complaint with the Agencia Espanola de Proteccion de Datos (AEPD).

11. Security and incident management

We apply technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, or misuse. These measures may include access controls, least-privilege practices, monitoring, logging, patching, backup controls, and incident response procedures appropriate to the nature of the processing.

No system can be guaranteed to be completely secure. If a personal data breach occurs, we will assess it and act in accordance with applicable law, including notification to the competent supervisory authority and, where required, affected individuals.

12. Children and minors

Our services are generally intended for businesses and adult users. We do not knowingly seek to collect personal data from children in circumstances where consent from a minor alone would not be legally valid.

Under Spanish law, where processing is based on consent, a minor must generally be over 14 years of age to consent on their own behalf, unless another rule requires assistance from a parent or guardian. If you believe a child or minor has provided us with personal data unlawfully, contact us and we will review the situation.

13. Third-party websites and external services

Our website may contain links to third-party websites, tools, documentation, status pages, control panels, or external services. We are not responsible for the privacy practices of third parties outside our control. You should review the privacy notices of those third parties before submitting personal data to them.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The version published on this website will indicate its effective date. Where legally required, we will provide additional notice or obtain consent before changes take effect.