Privacy Policy
This Privacy Policy explains how S.C. CROCKY S.R.L. ("Crocky", "we", "us", or "our") collects, uses, stores, and shares personal data in connection with the https://crocky.host website and the hosting services we provide.
We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation or "GDPR"), Romanian Law no. 190/2018, Law no. 506/2004 on the processing of personal data in the electronic communications sector, and other applicable law.
1. Data Controller
The controller of your personal data is:
| Legal name | S.C. CROCKY S.R.L. |
| Registered office | Strada Drăgăica nr. 5, sat Balasan, mun. Băileşti, jud. Dolj, 205101, Romania |
| CUI / VAT | RO50515950 |
| Registration no. | J2024020698007 |
| E-mail | contact@crocky.host |
| Privacy contact | support@crocky.host |
| Phone | +40 750 265 179 |
We have not appointed a Data Protection Officer (DPO), as we are not required to do so under Article 37 GDPR. For any privacy-related question, you may contact us directly using the details above.
2. Scope
This Policy applies to:
- Visitors of https://crocky.host;
- Customers who purchase or use any Crocky service;
- Persons who contact us via e-mail, ticket, live chat, or WhatsApp;
- Recipients of our service-related e-mails.
Where we process personal data on behalf of a Customer (for example, personal data contained in databases, e-mail accounts, or files stored on the services we provide), the Customer is the controller and Crocky is the processor. Such processing is governed by a separate Data Processing Agreement, available on request.
3. Categories of Personal Data We Process
3.1 Account and billing data
When you register or place an Order, we collect:
- Full name or company name;
- Billing address;
- Country;
- E-mail address;
- Phone number;
- VAT number (for business customers);
- Payment-related data (the payment itself is processed by Stripe, PayPal, NETOPIA, or your bank; we receive only the transaction reference, amount, status, and last four digits of the card where applicable - we do not store full card numbers).
3.2 Service usage data
In the course of operating the services we collect:
- Server and application logs (IP address, timestamps, requested URLs, user-agent, HTTP status codes);
- Resource usage metrics (CPU, RAM, storage, bandwidth);
- Authentication logs (logins, failed login attempts, IP address);
- Abuse-related events and security logs.
3.3 Support data
When you contact support we process:
- The content of your tickets, e-mails, live chat, and WhatsApp messages;
- Attachments you choose to send;
- Metadata (date, time, channel, agent).
3.4 Website data
When you visit https://crocky.host we process, where applicable:
- IP address;
- Device, browser, and operating system information;
- Referrer URL and pages visited;
- Cookies and similar technologies (see Section 9).
3.5 Customer Content
Personal data contained in Customer Content (e.g. data in databases, e-mail mailboxes, files, backups) is processed by us as a processor, on your behalf and on your instructions. We do not access Customer Content except as strictly necessary to provide, secure, or support the service, or where required by law.
4. Purposes and Legal Bases
We process personal data for the following purposes and on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Provisioning, operating, and supporting the services | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and issuing invoices | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) - Romanian fiscal law |
| Keeping accounting and tax records | Legal obligation (Art. 6(1)(c)) |
| Security, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) in securing our systems and our customers |
| Handling abuse complaints and legal requests | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
| Service-related communications (maintenance, incidents, expiry reminders) | Performance of a contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) or legitimate interest for existing customers, within the limits of Law 506/2004 |
| Website analytics (Google Analytics) | Consent (Art. 6(1)(a)) via cookie banner |
| Establishing, exercising, or defending legal claims | Legitimate interests (Art. 6(1)(f)) |
5. Sources of Data
We mainly collect personal data directly from you (when you register, order, or contact us) and automatically through the use of the services and the website. In limited cases we may receive data from third parties, such as:
- Payment providers (payment status, fraud signals);
- Upstream providers (abuse reports, security incidents);
- Registries and registrars (for domain registrations);
- Public authorities (legal requests).
6. Recipients and Sub-processors
We share personal data only where necessary and only with parties bound by appropriate confidentiality and data protection obligations. The main categories of recipients are:
6.1 Infrastructure sub-processors (upstream hosting)
- OVH (OVH SAS / OVH Group) - dedicated server infrastructure, EU data centers;
- Contabo (Contabo GmbH) - dedicated server infrastructure, EU data centers.
6.2 Platform and management tools
- WHMCS - billing, invoicing, and client-area platform;
- cPanel / DirectAdmin / Plesk - hosting control panels;
- Pterodactyl, WISP, Multicraft - game server panels;
- WP Squared - managed WordPress platform.
6.3 Payment providers
- Stripe (Stripe Payments Europe, Ltd.);
- PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A.);
- NETOPIA Payments (NETOPIA FINANCIAL SERVICES S.A.);
- Libra Bank and Trezoreria Băileşti, for bank transfers.
6.4 Analytics
- Google Analytics (Google Ireland Ltd.), only if you consent via the cookie banner.
6.5 Domain registries and registrars
Where you register a domain, the relevant registry and registrar receive the WHOIS data required by the registration rules of the respective TLD.
6.6 Public authorities
We may disclose personal data to public authorities (courts, prosecutors, police, ANAF, ANSPDCP, ANPC, and similar) where required by a valid legal request.
6.7 Professional advisors
Lawyers, auditors, and accountants engaged by Crocky, bound by confidentiality.
We do not sell your personal data to anyone.
7. International Data Transfers
Our primary infrastructure is located within the European Union. Some sub-processors listed above may transfer data to third countries (e.g. Google Analytics servers). Where such transfers occur, they rely on appropriate safeguards under Chapter V GDPR, primarily:
- Adequacy decisions of the European Commission, where applicable;
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Additional technical and organizational measures where required.
You can obtain a copy of the safeguards in place by contacting us at support@crocky.host.
8. Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, and then in accordance with the retention periods below:
| Data | Retention period |
|---|---|
| Account and billing data | Duration of the contract and 10 years thereafter (Romanian fiscal / accounting obligation) |
| Invoices and fiscal documents | 10 years from issuance (Law 82/1991) |
| Service logs (access, security) | Up to 12 months, then aggregated or deleted |
| Backups | Daily backups retained up to 7 days on a rolling basis |
| Customer Content after voluntary cancellation | Deleted immediately |
| Customer Content after suspension for non-payment | 14 days after suspension, then permanently deleted |
| Support tickets | 3 years after closure |
| Abuse / security incident records | Up to 3 years |
| Marketing consents and their withdrawal | Until withdrawn plus 3 years for evidence |
| Website analytics (where consent is given) | Up to 14 months |
| Cookie consents | Up to 12 months |
Where longer retention is required by law, or necessary for the defence of legal claims, data may be retained for the legally required period.
9. Cookies and Similar Technologies
9.1 Cookies we use
- Strictly necessary cookies - required for the website, Client Area, and authentication to function (e.g. session, CSRF, cart). These do not require consent.
- Analytics cookies - Google Analytics, set only with your consent via the cookie banner.
9.2 Managing cookies
You can accept or reject non-essential cookies at any time via the cookie banner. You can also delete or block cookies via your browser settings. Blocking strictly necessary cookies may prevent parts of the website from working.
More detailed information on specific cookies, their names, providers, and durations is set out in our dedicated Cookie Policy (or within the cookie banner).
10. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Access - to obtain confirmation of whether we process your data and a copy of it (Art. 15);
- Rectification - to have inaccurate data corrected (Art. 16);
- Erasure - "right to be forgotten", in the circumstances set out in Art. 17;
- Restriction of processing (Art. 18);
- Data portability - to receive your data in a structured, commonly used, machine-readable format (Art. 20);
- Objection - to object to processing based on legitimate interests or for direct marketing (Art. 21);
- Withdrawal of consent - at any time, without affecting the lawfulness of processing before withdrawal;
- Not to be subject to automated decisions with legal or similarly significant effects (Art. 22). We do not carry out such automated decision-making.
To exercise any of these rights, contact us at support@crocky.host. We will respond within one month, extendable by a further two months where necessary, in accordance with Art. 12 GDPR.
Complaints
You also have the right to lodge a complaint with the Romanian supervisory authority:
- ANSPDCP - Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
- B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
- Website: https://www.dataprotection.ro
- E-mail: anspdcp@dataprotection.ro
11. Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encrypted connections (TLS) for the website, Client Area, and control panels;
- Access controls and strong authentication for staff;
- Network and host-based security measures on the upstream infrastructure;
- Regular updates and patching of server software;
- Internal access limited to what is necessary for each role;
- Documented procedures for personal data breach notification (Art. 33-34 GDPR).
No system can be guaranteed 100% secure. In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the ANSPDCP and affected individuals as required by GDPR.
12. Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe that a child has provided us with personal data, contact us at support@crocky.host so we can delete it.
13. Automated Decision-Making and Profiling
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects concerning you. Where we use automated fraud checks at Order stage, they assist human review but do not result in automated decisions within the meaning of Art. 22 GDPR.
14. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by e-mail and/or by a notice on the website at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent version.
15. Contact
For any question about this Privacy Policy or the processing of your personal data:
- E-mail: support@crocky.host
- Postal address: S.C. CROCKY S.R.L., Strada Drăgăica nr. 5, sat Balasan, mun. Băileşti, jud. Dolj, 205101, Romania