Legal

Privacy Policy

Last updated: May 2026

1. Introduction

This Privacy Policy explains how RDPCORE DC LTD (“RDPCore”, “we”, “us”, “our”) collects, uses, stores, and protects your personal data when you visit our website, create an account, or use our services.

We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

This policy applies to all personal data we process as a Data Controller — that is, data we collect about you as our customer, website visitor, or prospective customer. For information about how we handle data you store on our infrastructure (where we act as a Data Processor), please refer to our Data Processing Agreement (DPA).

This Privacy Policy does not apply to Customer Content processed by us solely on your behalf as a Data Processor, except where such processing also involves our own account, billing, security, or compliance records.

2. Data Controller

The data controller responsible for your personal data is:

RDPCORE DC LTD
Company Number: 16328522
102 Rookery Court, 80 Ruckholt Road
Mainyard Studios, Office C05 G1095
London, E10 5FA
United Kingdom

ICO Registration Number: C1758006

For any privacy-related enquiries, you can contact us at: privacy@rdpcore.com

We aim to respond to all privacy enquiries within fifteen (15) business days.

3. Personal Data We Collect

We collect only the personal data necessary to provide, secure, and improve our services. We categorise the data we collect as follows:

3.1 Account and Identity Data

  • Full name
  • Email address
  • Phone number (if provided)
  • Billing address
  • Company name and VAT number (for business customers)
  • Account username and password (password stored in hashed form only)

3.2 Billing and Payment Data

  • Payment method type (card brand, last four digits)
  • Billing history and invoice records
  • Bank transfer reference details
  • Account credit balance

We do not store full credit or debit card numbers. Payment card processing is handled entirely by our payment processor, Stripe, Inc. We receive only a tokenised reference and the last four digits of your card for identification purposes.

3.3 Technical and Device Data

  • IP address
  • Browser type and version
  • Operating system
  • Device type
  • Referring URL
  • Pages visited and time spent on our website
  • Geolocation data (country and city level, derived from IP address)

3.4 Service Usage Data

  • Services ordered and their configuration
  • Resource usage (bandwidth, storage, CPU)
  • Server access logs and event logs
  • Domain registration details (registrant information as required by ICANN/registry policies)
  • IP address allocation records

3.5 Communication Data

  • Support ticket content and correspondence
  • Live chat transcripts
  • Email communications with our team
  • Feedback and survey responses (if provided)

3.6 Security Data

  • Login timestamps and session information
  • Failed login attempts
  • Two-factor authentication events
  • API key usage logs

4. How We Collect Your Data

We collect personal data through the following means:

  • Directly from you: When you create an account, place an order, submit a support ticket, contact us by email, or interact with our website.
  • Automatically: When you visit our website, your browser transmits technical data such as your IP address, browser type, and pages visited. We may also use cookies and similar technologies as described in our Cookie Policy.
  • From third parties: In limited circumstances, we may receive data from payment processors (transaction confirmations from Stripe), domain registries (WHOIS verification), or abuse reporting services (IP reputation data).

5. How We Use Your Data

We process your personal data for the following purposes:

5.1 Service Delivery

To provision, activate, manage, and support the services you purchase from us, including VPS hosting, web hosting, domain registration, colocation, and IP address allocation.

Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).

5.2 Billing and Payments

To process payments, generate invoices, manage account credit, handle refunds, and pursue overdue amounts.

Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).

5.3 Account Security

To authenticate your identity, detect and prevent fraud, monitor for unauthorised access, and protect the security of your account and our infrastructure.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — our legitimate interest in maintaining the security of our services and preventing abuse.

5.4 Communication

To respond to your support requests, send service notifications (maintenance windows, security alerts, billing reminders), and communicate important changes to our services or policies.

Legal basis: Performance of a contract (Article 6(1)(b)) for service-related communications; legitimate interests (Article 6(1)(f)) for operational notifications.

5.5 Legal and Regulatory Compliance

To comply with our legal obligations including tax reporting (UK VAT, EU VAT via ROS), responding to law enforcement requests, maintaining RIPE NCC database records, and fulfilling ICANN requirements for domain registration.

Legal basis: Legal obligation (Article 6(1)(c) UK GDPR).

5.6 Network and Abuse Management

To monitor network traffic for abuse, respond to abuse reports, manage IP reputation, and maintain the integrity of our infrastructure.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — our legitimate interest in maintaining a secure and reputable network for all customers.

5.7 Service Improvement

To analyse aggregate and anonymised usage patterns to improve our website, services, and customer experience. We do not conduct individual profiling or automated decision-making that produces legal effects concerning you.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR).

6. Who We Share Your Data With

We do not sell, rent, or trade your personal data to third parties. We share your data only in the following limited circumstances:

6.1 Payment Processors

Stripe, LLC and its affiliates (354 Oyster Point Blvd, South San Francisco, CA 94080, USA) process card payments on our behalf. Stripe acts as an independent data controller for payment data. Please refer to Stripe’s Privacy Policy for details on how they handle your payment information. Stripe is certified under the EU-US and UK Extension Data Privacy Framework.

6.2 Domain Registries

When you register a domain name, certain registrant information (name, email, address) is shared with the relevant domain registry and our upstream ICANN-accredited registrar partner as required by ICANN policies and applicable registry agreements. This information may be published in WHOIS databases subject to applicable privacy regulations (including GDPR-compliant redaction where applicable).

6.3 Data Centre Provider

Our infrastructure is hosted at a data centre facility in Prague, Czech Republic. The data centre operator may have limited access to facility-level systems but does not have access to customer data stored on our servers.

6.4 Law Enforcement and Legal Authorities

We may disclose your personal data to law enforcement agencies, regulatory authorities, or courts where we are legally compelled to do so, or where disclosure is necessary to protect our rights, your safety, or the safety of others. Please refer to our Law Enforcement Policy for details.

6.5 Professional Advisors

We may share data with our legal advisors, accountants, or auditors where necessary for the provision of professional services to us, subject to appropriate confidentiality obligations.

6.6 Debt Recovery

In cases of persistent non-payment, we may share limited account and billing information with third-party debt collection agencies for the purpose of recovering outstanding amounts.

7. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA) and the United Kingdom. However, some transfers outside these regions may occur in the following circumstances:

  • Stripe (USA): Payment processing. Stripe participates in the EU-US and UK Extension Data Privacy Framework and maintains appropriate safeguards for international transfers.
  • Domain registrar partner (USA): Domain registration data shared with registries in accordance with ICANN rules. Transfers are necessary for the performance of your domain registration contract.

Where personal data is transferred outside the UK or EEA, we ensure that appropriate safeguards are in place, including:

  • EU-US / UK-US Data Privacy Framework certification;
  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO’s International Data Transfer Agreement (IDTA);
  • Transfers necessary for the performance of a contract between you and us (Article 49(1)(b) UK GDPR).

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

8.1 Active Accounts

We retain your account data for the duration of your relationship with us. As long as you have an active account or active services, your data will be maintained.

8.2 After Account Closure

  • Account and identity data: Retained for six (6) years after account closure to comply with UK tax and accounting obligations (Companies Act 2006, VAT regulations).
  • Billing and invoice records: Retained for six (6) years as required by HMRC for VAT and corporation tax purposes.
  • Support ticket content: Retained for two (2) years after account closure, then permanently deleted.
  • Server access logs: Retained for a maximum of ninety (90) days for security and abuse investigation purposes, then automatically purged.
  • Security, abuse, and fraud-related logs: May be retained for longer than ninety (90) days where necessary to investigate ongoing abuse, enforce our Terms, or comply with legal obligations.
  • Website analytics data: Retained for the period stated in our Cookie Policy and, where possible, stored in aggregated or anonymised form.

8.3 Specific Scenarios

  • Abuse investigations: Data relevant to an ongoing or potential legal dispute may be retained until the matter is resolved, regardless of the standard retention period.
  • Law enforcement preservation: Where we receive a valid preservation request, data will be retained for the period specified in the request.
  • Domain registration: WHOIS data is retained in accordance with ICANN and registry policies, which may extend beyond our standard retention periods.

8.4 Deletion

When retention periods expire, personal data is securely deleted or irreversibly anonymised. We use industry-standard methods for data destruction appropriate to the storage medium.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of sensitive data at rest where technically appropriate;
  • Access controls limiting data access to authorised personnel on a need-to-know basis;
  • Regular security assessments and vulnerability monitoring;
  • Secure password hashing (bcrypt or equivalent);
  • Two-factor authentication available for customer accounts;
  • Physical security at our data centre facility (access controls, CCTV, 24/7 monitoring);
  • Staff training on data protection and information security.

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents in accordance with our obligations under UK GDPR.

10. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

10.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one (1) month of receiving your request. In complex cases, we may extend this period by a further two (2) months, and will inform you of any extension within the initial one-month period.

10.2 Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update most account information directly through your client portal.

10.3 Right to Erasure

You have the right to request deletion of your personal data where: (a) it is no longer necessary for the purpose it was collected; (b) you withdraw consent (where consent was the legal basis); (c) you object to processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed.

Please note that we may be unable to comply with erasure requests where retention is required by law (e.g., tax records) or where the data is necessary for the establishment, exercise, or defence of legal claims.

10.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.

10.5 Right to Data Portability

Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transmit it directly to another controller where technically feasible.

10.6 Right to Object

You have the right to object to processing based on legitimate interests. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for legal claims.

10.7 Rights Related to Automated Decision-Making

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. If this changes in the future, we will update this policy and provide appropriate safeguards including the right to obtain human intervention.

10.8 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@rdpcore.com. We may need to verify your identity before processing your request. We will respond within one (1) month, or inform you if an extension is required.

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to provide functionality, analyse usage, and improve your experience. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our dedicated Cookie Policy.

12. Children’s Privacy

Our services are not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 18, we will take steps to delete that data as soon as reasonably practicable. If you believe we may have collected data from a minor, please contact us at privacy@rdpcore.com.

Our website may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policy of every site you visit.

14. Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach;
  • Notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms;
  • Document the breach, its effects, and the remedial actions taken in our internal breach register.

Notification to you is not required where: (a) we have implemented appropriate technical protection measures (such as encryption) that render the data unintelligible; (b) we have taken subsequent measures that ensure the high risk is no longer likely to materialise; or (c) individual notification would involve disproportionate effort, in which case a public communication will be made instead.

15. Complaints

If you are unhappy with how we have handled your personal data, we encourage you to contact us first at privacy@rdpcore.com so that we can try to resolve your concern.

You also have the right to lodge a complaint with the relevant supervisory authority:

  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk/make-a-complaint — Telephone: 0303 123 1113
  • European Union: You may contact the data protection authority in your country of residence. A list of EU data protection authorities is available at edpb.europa.eu.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Where changes are material, we will notify you by email or through a prominent notice on our website at least thirty (30) days before the changes take effect.

We encourage you to review this policy periodically. The “Last updated” date at the top of this page indicates when the policy was most recently revised.

17. Contact Us

If you have any questions about this Privacy Policy or our data protection practices, please contact us:

  • Privacy Enquiries: privacy@rdpcore.com
  • General Support: support@rdpcore.com
  • Postal Address: RDPCORE DC LTD, 102 Rookery Court, 80 Ruckholt Road, Mainyard Studios, Office C05 G1095, London, E10 5FA, United Kingdom
  • ICO Registration: C1758006