1. Introduction
At NugetHosting, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. This policy applies to all users of NugetHosting, including our website, APIs, and related services.
2. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Contract performance: Processing necessary to provide you the service you signed up for (account creation, package hosting, billing)
- Legitimate interest: Processing for service improvement, security monitoring, fraud prevention, and analytics
- Consent: Processing based on your explicit consent (marketing emails, optional analytics)
- Legal obligation: Processing required to comply with applicable laws (tax reporting, law enforcement requests)
3. Information We Collect
We collect information you provide directly to us, including:
- Account information (full name, email address, company name, industry)
- Payment information (processed securely via Stripe — we never store your full card number)
- Package and container image data you upload
- API tokens you create and their usage metadata
- Communication preferences and support tickets
Automatically Collected Information
When you use our service, we automatically collect:
- IP address and approximate geolocation
- Browser type, operating system, and device information
- Access logs (pages visited, timestamps, API requests made)
- Download and usage metrics for your packages
- Performance data and error reports
4. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process transactions and send billing-related communications
- Send technical notices, security alerts, updates, and support messages
- Respond to your comments, questions, and support tickets
- Protect against fraudulent, unauthorized, or illegal activity
- Generate aggregated, anonymized analytics about service usage
- Enforce our Terms of Service and Fair Use Policy
5. Email Communications
We send the following types of emails:
- Transactional emails: Account verification, password resets, payment receipts, security alerts (cannot be opted out)
- Service emails: Package published/deleted notifications, token expiration warnings, quota alerts (can be configured in your notification settings)
- Product emails: Feature announcements, tips, and best practices (can be unsubscribed from via the link in each email)
We use SendGrid as our email delivery provider. Your email address is shared with SendGrid solely for the purpose of delivering emails. You can manage your email preferences in your account settings.
6. Data Security
We implement industry-standard security measures to protect your data, including:
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption at rest for uploaded artifacts (packages and container images)
- Row Level Security (RLS) ensuring strict data isolation between tenants
- TOTP-based two-factor authentication (2FA) available for all accounts
- Regular security audits and vulnerability assessments
While we use commercially reasonable efforts to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Information Sharing & Sub-Processors
We do not sell your personal information. We share data with the following categories of service providers (sub-processors):
- Stripe (United States) — Payment processing and billing management
- SendGrid / Twilio (United States) — Transactional and service email delivery
- Cloud infrastructure providers (United States) — Database, authentication, and file storage
- Law enforcement authorities — Only when required by a valid legal process
- Other parties — Only with your explicit consent
All sub-processors are contractually bound to process your data only for the purposes we specify and to maintain appropriate security measures. An up-to-date list of sub-processors is available upon request.
8. International Data Transfers
Your data may be processed and stored in the United States, where our infrastructure providers operate. For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Cookies and Tracking
We use the following types of cookies:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Preference cookies: Store your language preference and UI settings. Duration: 1 year.
- Analytics cookies: Help us understand how the service is used. These are anonymized and do not track you across other websites.
We do not use third-party advertising cookies or share cookie data with advertisers. You can manage cookie preferences in your browser settings, though disabling essential cookies will prevent you from using the service.
10. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete personal information
- Right to erasure: Request deletion of your personal data ('right to be forgotten')
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Withdraw previously given consent at any time
To exercise any of these rights, contact us at privacy@nugethosting.com. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection supervisory authority.
11. Account Deletion
You can request account deletion at any time by contacting us at privacy@nugethosting.com or through your account settings. Upon deletion request:
- Your account will be deactivated immediately
- You will have 30 days to download your packages and data
- After 30 days, all personal data, packages, and container images will be permanently deleted
- Billing records may be retained for up to 7 years as required by tax laws
- Anonymized, aggregated analytics data may be retained indefinitely
12. Data Retention
We retain different types of data for different periods:
- Account data: For the duration of your account plus 30 days after deletion
- Billing and transaction records: Up to 7 years (legal requirement)
- Access logs and security data: 90 days
- Support tickets: 2 years after resolution
- Anonymized analytics: Indefinitely
13. Children's Privacy
NugetHosting is not intended for use by children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@nugethosting.com.
14. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR. Notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommendations for protecting yourself.
15. Automated Decision-Making
We use automated systems for fair use monitoring, rate limiting, and fraud detection. These systems may automatically throttle or temporarily suspend accounts that exhibit abusive patterns. No automated decisions are made that have significant legal effects on you. You can contact us to request human review of any automated decision.
16. Changes to This Policy
We may update this privacy policy from time to time. For material changes, we will provide at least 30 days' advance notice via email and a prominent notice on our website. We will notify you of any changes by posting the new policy on this page and updating the 'Last updated' date. Continued use of the service after changes constitutes acceptance.
17. Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or have a data protection concern, please contact us.
Data Protection Inquiries: privacy@nugethosting.com
General Inquiries: support@nugethosting.com