Privacy Policy
How we handle your personal data under UK GDPR and the Data Protection Act 2018. Short version: we collect what we need to deliver your service and we don't sell it.
1. Who is the data controller
For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is {{TRADER_NAME}}, an individual trading as SurgeNode, with a service address at {{SERVICE_ADDRESS}} and an ICO data-protection-fee registration number {{ICO_REGISTRATION_NUMBER}}.
From June 2026 the controller will become a UK limited company. We will update this policy at that point with the company name, Companies House number, and registered office.
For privacy enquiries, email {{PRIVACY_EMAIL}}.
2. What personal data we collect
We collect the minimum we need to provide the service. In practice that is:
- Account data - your name, email address, billing address, contact phone (optional), and account password (stored as a salted hash). Held in our WHMCS billing system.
- Billing data - invoice history, currency, VAT status. Card numbers are never stored by us; payments go directly to our payment processor.
- Service data - the configuration of the services you have ordered (plan, location, hostname, OS choice), and credentials we issue you for those services.
- Network and access logs - IP addresses connecting to the site, the billing panel, and customer support; timestamps and user-agent. Used for security and abuse response.
- Support data - anything you send us in a support ticket, a Discord message, or an email.
We do not knowingly collect special-category data (health, religion, biometrics, etc.) and we ask that you do not send any to us unless strictly necessary for support.
3. Why we process it (legal basis)
Under UK GDPR Article 6, the legal bases we rely on are:
- Performance of a contract - to register your account, deliver the service you ordered, take payment, and provide support.
- Legitimate interests - fraud prevention, abuse response, network security, defending legal claims, and limited internal record-keeping. We have balanced these interests against your rights and consider them proportionate; you can object at any time (see “Your rights” below).
- Legal obligation - keeping VAT and accounting records (HMRC requires six years), responding to lawful requests from authorities, and complying with court orders.
- Consent - only where we explicitly ask for it. We rely on consent for analytics cookies (Google Analytics). You can accept or reject these via the cookie banner shown on your first visit, and change your preference at any time.
4. How we use your data
- To create and operate your account.
- To provision, run, and (when you ask) tear down your services.
- To bill you and to keep records of those transactions.
- To respond to your support requests.
- To investigate and respond to abuse complaints, security incidents, and unlawful activity.
- To comply with legal obligations.
We do not use your data for marketing to third parties, for behavioural advertising, or to train AI models.
5. What we don't do
- No advertising cookies. We do not run display ads, retargeting, or affiliate-attribution cookies.
- No selling of personal data. Ever.
- No automated decision-making with legal effect.
6. Third-party sub-processors
We use a small number of third parties to deliver the service. Each acts as a data processor under Article 28. The list below is current as of the effective date of this policy and may change with notice:
- WHMCS - our billing platform, self-hosted at billing.surgenode.net. Holds your account, billing history and support tickets. Hosted in the UK.
- Stripe and/or PayPal (via WHMCS) - payment processing. Card numbers are sent directly to the processor and never stored on our systems. Processors operate internationally; transfers are covered by their UK IDTA / EU SCC mechanisms and/or UK adequacy.
- VirtFusion - VPS control plane. Stores VPS configuration, hypervisor credentials, and server access logs.
- Cloudflare - DDoS mitigation via Magic Transit. Sees packet metadata (source IP, ports, traffic patterns) for traffic destined for our network. Does not see TLS-encrypted payloads. Used on Ashburn VPS and dedicated servers.
- Path.net - DDoS provider for New York VPS while we migrate to Cloudflare. Same scope of data as above.
- Google Analytics (Google LLC) - website analytics, loaded only if you consent via the cookie banner. Collects anonymised usage data (pages visited, session duration, approximate location derived from IP). IP anonymisation is enabled. Google operates under EU/UK Standard Contractual Clauses. You can opt out at any time via the cookie banner or by using the Google Analytics Opt-out Browser Add-on.
- Tawk.to - live chat widget. Stores chat transcripts and may set a session cookie to maintain your chat. Only active when the chat widget loads.
7. Cookies and similar technologies
Under the Privacy and Electronic Communications Regulations 2003 (PECR), we must obtain your consent before setting any cookies that are not strictly necessary.
Strictly necessary cookies (no consent required):
- surgenode_consent - stores your cookie preference (accepted / rejected). Set by this site. Expires after 365 days.
- The customer billing panel at billing.surgenode.net sets a session cookie to keep you logged in.
Analytics cookies (consent required):
- _ga, _ga_DSN541XQ66 - Google Analytics. Used to distinguish users and sessions. Set only if you accept analytics cookies via the consent banner. Expire after 2 years / 24 hours respectively.
You can change your cookie preference at any time by clicking the cookie settings link in the site footer, or by clearing your browser cookies.
8. How long we keep data
- Account data - for as long as you have an active service with us, plus a short period (typically 30 days) afterwards in case you reactivate.
- Billing and accounting records - six years from the end of the financial year, as required by HMRC.
- Support tickets - typically two years, unless legitimate interests (e.g. ongoing dispute) justify longer.
- Server access and security logs - typically 30 to 90 days, longer where required to investigate an incident.
- Abuse evidence - for as long as needed to defend ourselves and to cooperate with authorities.
9. Your rights under UK GDPR
You have the following rights, free of charge in most cases:
- Access (Article 15) - a copy of the personal data we hold about you.
- Rectification (Article 16) - correction of inaccurate data.
- Erasure (Article 17) - the “right to be forgotten,” subject to our need to keep certain records for legal reasons.
- Restriction (Article 18) - limit how we use your data.
- Portability (Article 20) - receive your data in a structured, machine-readable format where the processing is automated and based on consent or contract.
- Objection (Article 21) - object to processing based on legitimate interests.
- Withdraw consent - where we rely on consent.
To exercise any of these, email {{PRIVACY_EMAIL}}. We will normally respond within one calendar month, with extensions for complex requests.
10. Complaining to the ICO
We always prefer that you talk to us first. But you have the right to complain to the UK supervisory authority, the Information Commissioner's Office:
- Website: ico.org.uk
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Helpline: 0303 123 1113
11. International transfers
Where personal data is transferred outside the UK to one of our sub-processors, the transfer is covered by an appropriate safeguard: a UK adequacy regulation (the EEA, for example), the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum. We will only use sub-processors that can offer an equivalent level of protection.
12. Security
We use TLS for traffic in transit, hashed credentials, role-based access controls, principle-of-least-privilege for staff access, and prompt patching for the systems we operate. No system is perfectly secure; if a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and notify affected individuals where required by Article 34.
13. Children's privacy
The service is not directed at people under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to this policy
We will revise this policy from time to time. The “effective” date at the top reflects the latest version. If a change materially affects how we use your data, we will tell you in advance by email or a prominent notice on the site.
15. Contact
Privacy: {{PRIVACY_EMAIL}}
Service address: {{SERVICE_ADDRESS}}
ICO registration: {{ICO_REGISTRATION_NUMBER}}