1. Data controller
HostLife Digital S.R.L. is the data controller for your personal data and for the services we provide to you. Full identification details: S.C. HostLife Digital S.R.L., CUI 52638053, J2025075925001, share capital 500 RON, registered office: 37 Vidin Street, Tecuci Municipality, Galați County, Romania. For any questions relating to privacy or the processing of your data, you can reach us at contact@hostlife.ro or by phone at 0774 244 912.
We are not required under Art. 37 GDPR to formally appoint a Data Protection Officer (DPO) — we are not a public authority, we do not systematically monitor data subjects at large scale, and processing special categories of data is not our core activity. Nevertheless, we take data protection very seriously and you can contact our team directly for any privacy request.
2. What data we collect
We only collect data necessary to provide services and to comply with legal obligations:
| Category | Specific data | Source | Mandatory? |
|---|---|---|---|
| Individual ID | First name, last name, CNP (optional, only for personal invoices) | Account | Yes |
| Company ID | Company name, VAT number, Trade Register number, legal representative, NACE code | Account | Yes for companies |
| Contact | Email, phone | Account | Yes |
| Address | Street, city, county, postal code, country | Account | Yes for billing |
| Access | Email + password (bcrypt/argon2 hash) | Account | Yes |
| Financial | IBAN, default payment method | Account | Optional |
| Card payment data | NOT stored — processed by Stripe | Stripe | N/A |
| Technical | IP, user-agent, server logs, activity_log | Automatic | Automatic |
| Communication | Emails, support tickets | Initiated by you | On request |
| Marketing | Email for newsletter | Opt-in | Optional |
3. Legal basis (GDPR)
For each processing purpose we use a specific legal basis from Art. 6(1) GDPR:
| Purpose | Data | GDPR basis | Retention |
|---|---|---|---|
| Contract performance | Account, orders, billing | Art. 6(1)(b) | Contract term + 3 years |
| Legal obligation | Invoices, payments | Art. 6(1)(c) + Romanian Law 227/2015 (Fiscal Code) | 10 years |
| Legitimate interest — security | IP, logs | Art. 6(1)(f) | 90 days |
| Customer support | Tickets, communication | Art. 6(1)(b) | Contract term + 1 year |
| Marketing | Art. 6(1)(a) — consent | Until withdrawn | |
| Analytics cookies | _ga, _gid, _gat | Art. 6(1)(a) + Art. 5(3) ePrivacy | 24h-2 years (cookies) |
4. Processing purposes
We process your data for the following purposes: (a) providing contracted services — account creation and management, service provisioning, technical support — legal basis: contract performance Art. 6(1)(b); (b) billing and accounting under Romanian law — issuing fiscal invoices, recording payments, reporting — legal basis: legal obligation Art. 6(1)(c) in conjunction with Romanian Law 227/2015 (Fiscal Code); (c) platform security — access logs, anomaly detection, fraud prevention, audit trail — legal basis: legitimate interest Art. 6(1)(f); (d) support communication — responding to tickets, service notifications (expiry, renewal, incidents) — legal basis: contract performance.
We process your data for marketing (newsletter, new product announcements, promotional offers) ONLY with your explicit consent, obtained by checking the opt-in option. Consent can be withdrawn at any time, with no impact on contracted services, via the unsubscribe link in any email or through your account settings.
5. Recipients / Sub-processors
To provide services we work with the following processors, each with a specific role:
| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Card payment processing | Ireland + USA | DPF + SCC |
| Intelligent IT SRL (SmartBill) | Romanian fiscal invoicing | Romania | GDPR direct |
| Supabase (self-hosted at HostLife) | DB, auth, storage | Romania (HostLife infra) | N/A (own infra) |
| Coolify (self-hosted) | Container provisioning | Romania (HostLife infra) | N/A (own infra) |
| server21.ro (cPanel partner) | DNS subdomain assignment | Romania | GDPR direct |
| Google Ireland Ltd. | Google Analytics + reCAPTCHA | EU + USA | DPF + SCC, anonymized IP |
| GitHub Inc. (Microsoft) | OAuth opt-in integrations | USA | DPF |
| SMTP provider | Transactional email | RO/EU | GDPR direct |
6. HostLife as processor for its customers
When you use HostLife services to host your own applications, websites, or your users' data (web hosting, VPS, VDS, n8n, Supabase hosting, etc.), HostLife acts as a processor, not a controller, for that data. You are the data controller in relation to your end users and are responsible for GDPR compliance in that relationship.
The processing relationship is governed by the DPA (Data Processing Agreement) clauses included in HostLife Terms and Conditions, §14 — Annex A. By accepting the Terms, you have also accepted these DPA clauses. If you need a separately signed DPA (e.g. for an internal audit or client requirement), contact us at contact@hostlife.ro.
7. International transfers
Some of our processors operate partly outside the EU (Stripe, Google, GitHub — USA). These transfers are protected by the Data Privacy Framework (DPF) — a mechanism approved by the European Commission via Adequacy Decision (2023/1795) — and by Standard Contractual Clauses (SCC) where applicable. The full list of DPF-certified providers is publicly available at dataprivacyframework.gov. Our remaining processors operate exclusively in the EU/Romania.
We do not transfer your data to countries without an adequate level of protection without appropriate safeguards. If you would like details about the specific safeguards for a particular processor, contact us at contact@hostlife.ro.
8. Automatically collected data (server logs)
Our servers automatically collect technical data with each HTTP request: IP address, user-agent (browser and operating system), timestamp, accessed URL, HTTP status code, and referrer. This data is generated automatically and requires no action on your part.
The purpose of collection is platform security: detecting unauthorized access attempts, preventing abuse, diagnosing technical errors, and security auditing. The legal basis is our legitimate interest under Art. 6(1)(f) GDPR. Log data is retained for 90 days, after which it is automatically deleted. We do not use this data for profiling or marketing.
9. Retention period
Data is retained for periods specific to each processing purpose: active account data for the contract term plus 3 years (civil limitation period); invoices and fiscal documents for 10 years under Romanian Law 227/2015 (Fiscal Code); technical logs for 90 days for security purposes; rolling backups for 30 days; marketing preferences until consent is withdrawn. On contract termination we irreversibly delete data not required by law (within 30 days at most). See the detailed table in section 3.
10. Your GDPR rights
You have all rights provided by the GDPR:
10.1 Access (Art. 15)
You can request a copy of the data we hold about you.
10.2 Rectification (Art. 16)
You can request correction of inaccurate data.
10.3 Erasure (Art. 17)
You can request deletion of your data — with exceptions (invoices remain under Romanian Law 227/2015 — 10 years).
10.4 Restriction (Art. 18)
You can request that processing be limited for a certain period.
10.5 Portability (Art. 20)
You can receive your data in a structured format (JSON or CSV).
10.6 Objection (Art. 21)
You can object to processing based on legitimate interest (e.g. technical logs).
10.7 Withdrawal of consent (Art. 7)
You can withdraw consent at any time (for marketing, analytics cookies).
10.8 Complaint to ANSPDCP
You can file a complaint with the supervisory authority — see section 17.
11. How to exercise your rights
To exercise any of the GDPR rights listed in section 10, send an email to contact@hostlife.ro from the email address associated with your account (required to identify you). We respond within a maximum of 30 calendar days as per Art. 12 GDPR. For complex requests we may extend this deadline by a further 60 days, but we will notify you within the first 30 days with the reason for the extension.
Your request is free of charge. We only charge for requests that are manifestly unfounded or excessive (for example, identical requests repeated at short intervals), under Art. 12(5) GDPR, in which case we will inform you in advance.
12. Automated decisions / profiling
We do NOT use automated decisions with legal effect or significant impact on customers, within the meaning of Art. 22 GDPR. We do not profile you for behavioural marketing without explicit consent.
13. Incident notification
In the event of a security incident affecting your personal data, we will notify you and notify ANSPDCP (Romanian National Data Protection Authority) within a maximum of 72 hours of becoming aware of the incident, in accordance with Art. 33-34 GDPR. Your notification will include the nature of the incident, the categories of data affected, the measures taken, and our team's contact details.
14. Security — concrete measures
We apply the following technical and organisational measures:
14.1 TLS 1.3
All connections are encrypted (HSTS, valid certificate).
14.2 Password hashing
Passwords are hashed with industry-standard algorithms (bcrypt or argon2).
14.3 Opt-in MFA
Two-factor authentication available in account settings.
14.4 Restricted admin access
Administrative access to infrastructure is restricted by IP allowlist.
14.5 Audit log
All sensitive actions (login, password change, data modification) are recorded in activity_log.
14.6 Encrypted backups
Daily encrypted backups, rolling 30 days.
14.7 Security updates
We apply OS and application security patches in line with vendor schedules.
15. Children's data
HostLife services are intended for adults (18+) or legal entities. We do not knowingly collect data about minors. If you find that a minor has provided us with data, contact us at contact@hostlife.ro and we will delete that data as soon as possible.
17. Complaints & ANSPDCP
If you believe that the processing of your data violates the GDPR, you can file a complaint with the ANSPDCP (Romanian National Data Protection Authority): B-dul G-ral Gheorghe Magheru 28-30, sector 1, Bucharest — anspdcp.ro.
18. Policy changes
We may update this privacy policy periodically to reflect legislative changes (e.g. new ANSPDCP decisions, GDPR amendments) or operational changes (new processors, new purposes). Major changes will be communicated by email with a minimum of 30 days' notice. Minor changes (clarifications, corrections) take effect upon publication. The current version and date of last update are displayed in the header of this page.
19. Contact details
For privacy questions: contact@hostlife.ro or 0774 244 912.
Privacy contact
Questions about your data: contact@hostlife.ro