Privacy Policy
MegaHostZone respects your privacy. This Policy explains the personal data we collect when you create a MegaHostZone account and use our products, why we process it, who we share it with, how long we keep it, and the choices and rights you have.
1. Who we are
MegaHostZone ("we", "us", "our") is the controller of the personal data described in this Policy and is responsible for it under applicable law, including India's Digital Personal Data Protection Act, 2023 ("DPDPA") and, where applicable, the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA/CPRA").
2. What we collect
2.1 Account data
- Name, email address, mobile number.
- An encrypted form of your password — we never see or store the password itself.
- Optional profile fields you choose to add (such as a short bio, date of birth, gender, pronouns, city, language, time zone, country, public username, and avatar).
- An optional recovery email and secondary phone number, used to help you regain access if you lose your primary contact.
2.2 Authentication and session data
- Sign-in times, the IP address you connected from, and information about your device and browser, used to recognise the device on future visits and alert you to sign-ins from new ones.
- Records relating to any passkey, two-factor, or backup-code methods you set up. Where these involve a private key, that key never leaves your device.
- An audit log of security-relevant events on your account, such as sign-in, password change, and changes to your authentication methods.
2.3 Communications
- One-time codes sent by email or SMS for verification and password reset.
- Correspondence with our support team when you contact us.
- Your notification preferences.
- Feedback or bug reports you choose to submit.
2.4 Billing data (paid plans only)
- Legal name, billing address, billing contact details, country, tax registration where required, and preferred currency.
- Invoices and receipts.
Payment-card details are never stored on our servers. They are collected and held by a payment partner that complies with relevant security standards. We receive only a token reference and the metadata needed to issue receipts.
2.5 Data inside individual products
Each MegaHostZone product you sign in to may collect data of its own, governed by that product's own privacy policy. We do not receive content you create inside a product unless that product shares specific data back with the identity service for the purpose of providing you the Service.
2.6 Automatically collected
- Standard server-access information, such as the request path and timestamp.
- A small amount of strictly necessary technical state needed to keep you signed in.
- Aggregated, non-identifying metrics used to monitor service health.
We do not use third-party analytics, advertising networks, behavioural-advertising trackers, or fingerprinting beyond the new-device detection described in 2.2.
3. How and why we use it
We use your personal data to:
- create your account, authenticate you, and keep your session secure;
- detect and prevent fraud, abuse, and unauthorised access;
- send transactional messages, including verification codes, password-reset codes, and security alerts;
- provide and improve the Services;
- comply with legal obligations such as tax, anti-money-laundering, and lawful court orders; and
- where you separately consent, send product announcements and marketing messages — you can opt out at any time from your account.
We do not use your data to build advertising profiles. We do not sell your personal data. We do not share your contact details with marketing partners.
4. Legal basis
Where the GDPR or DPDPA applies, we process your personal data on the following legal bases:
- Performance of a contract — most account, authentication, and product-sign-in processing is necessary to provide the Services you've requested.
- Legitimate interests — fraud prevention, abuse detection, network and information security, and routine service health monitoring. We balance these interests against your rights and offer you the right to object.
- Consent — for marketing communications and any optional features that need it. You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation — tax records, compliance with court orders, and regulatory reporting.
6. Sign-in across our products
Our identity service uses a standard authorisation flow to sign you in to MegaHostZone products. When you authorise a product, that product receives a short-lived access credential and a longer-lived refresh credential. You can review every product currently signed in to your account, and revoke access at any time, from your account settings.
7. International transfers
Our primary infrastructure is in India. Some service providers operate in other jurisdictions. Where personal data is transferred outside India, we put in place appropriate contractual safeguards equivalent to standard contractual clauses, or rely on your explicit consent where required. Where the GDPR applies, we use the European Commission's Standard Contractual Clauses or another transfer mechanism approved under Chapter V of the GDPR.
8. Retention
We keep personal data only for as long as we need it for the purposes set out in this Policy. The general principles are:
- Active account data is kept for the lifetime of your account.
- If you close your account, your data is retained for a short grace period during which you may restore it, after which it is permanently deleted, except for limited records we are required by law to retain.
- Short-lived items such as one-time codes and password-reset tokens are kept only for the brief window needed to use them.
- Security and audit information is retained for the period reasonably necessary to investigate incidents and comply with our security obligations.
- Billing and tax records are retained for the period required by applicable law.
- Backups are encrypted and rotated on a regular schedule.
Where the law requires longer retention — for example, to defend a legal claim or to satisfy a regulator — we keep data only for as long as that requirement applies and segregate it from ordinary processing.
9. Security
We use a combination of organisational and technical safeguards to protect your personal data, including encryption in transit, industry-standard hashing of passwords, optional multi-factor authentication and passkeys, rate limiting and abuse detection on authentication endpoints, encrypted backups, and strict access controls for our staff. The audit log of activity on your account is available for you to review from your account settings.
No system can be guaranteed perfectly secure. If we discover a personal-data breach affecting you, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (in particular, within 72 hours where required).
10. Your rights
You have the right to:
- Access the personal data we hold about you.
- Correct data that is inaccurate or incomplete.
- Delete your account and the personal data tied to it.
- Restrict or object to processing on grounds relating to your particular situation.
- Port your data to another service in a structured, commonly used, machine-readable format.
- Withdraw consent for marketing and other optional uses at any time.
- Lodge a complaint with a data-protection regulator.
- Designate a nominee (under DPDPA §14) to exercise your rights upon your death or incapacity.
You can exercise most of these rights directly from your account settings. For requests we can't action through the in-app controls, contact us using the details in §14. We will verify your identity before acting on a request, and respond within the timeframes required by applicable law.
11. Children
The Services are not directed at children under 13 years old, or under a higher age where local law requires parental consent. We do not knowingly collect personal data from children below that age. If you are a parent or guardian and believe a child has provided us with personal data, contact us and we will delete the account.
13. Changes to this Policy
We update this Policy when our practices change. The "Version" and "Effective" date at the top of this page indicate the current version. For material changes affecting your rights, we will notify you in advance and require you to re-accept the updated Policy before continuing to use the Services. Your acceptance record is available from your account settings.
14. Contact
For privacy questions, to exercise any of the rights in §10, or to raise a concern, please contact us at privacy@megahostzone.com.
For India residents: if you believe we have mishandled your personal data, you may also lodge a complaint with the Data Protection Board of India. For EU/EEA residents: you may lodge a complaint with the supervisory authority of the EU member state where you live or work.
