EstFlux is committed to protecting the privacy of everyone who uses our services or visits our website. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it. We operate entirely within the European Union and comply fully with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
1. Who We Are
EstFlux is a VPS hosting service operating from Tallinn, Estonia, where our infrastructure is also hosted. For all data protection matters, you can reach us at:
- Email: privacy@estflux.com
- Website: estflux.com / estflux.ee
- Address: Tallinn, Estonia, EU
2. Data We Collect
2.1 Account and Billing Data
When you register for an EstFlux account or purchase a service, we collect:
- Full name and email address
- Billing address and VAT number (if applicable)
- Payment method details — processed and stored by our payment processor; we do not store full card numbers
- Company name (optional)
2.2 Service Usage Data
To provide and improve our infrastructure services, we collect:
- IP addresses assigned to your VPS instances
- Aggregate network traffic volume (bytes in/out) — not the content of traffic
- Server resource utilization metrics (CPU, RAM, disk I/O) for billing and capacity planning
- Support ticket content and correspondence
2.3 Website Analytics
When you visit estflux.com or estflux.ee, we may collect:
- Browser type and version, operating system
- Pages visited, referral source, time on site
- IP address (anonymized where possible)
3. How We Use Your Data
We use the data described above for the following purposes:
- Service delivery: provisioning, managing, and supporting your VPS instances
- Billing: generating invoices, processing payments, handling refunds and disputes
- Communication: sending service notifications, maintenance announcements, and support responses
- Security: detecting and preventing abuse, unauthorized access, and network attacks
- Legal compliance: meeting obligations under EU law, responding to lawful requests from authorities
- Service improvement: analyzing usage patterns to improve infrastructure performance and reliability
We do not sell personal data to third parties. We do not use your data for advertising profiling.
4. Legal Basis for Processing
We rely on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): processing necessary to provide the VPS services you've subscribed to
- Legal obligation (Art. 6(1)(c)): compliance with Estonian and EU law, including tax and anti-abuse requirements
- Legitimate interests (Art. 6(1)(f)): fraud prevention, network security, service improvement
- Consent (Art. 6(1)(a)): marketing emails, where we explicitly request and record your consent
5. Data Sharing and Third Parties
We work with a limited number of trusted third-party processors who assist us in delivering our services:
- Payment processors: handle billing and card data under their own PCI-DSS and GDPR compliance frameworks
- Infrastructure providers: our Tallinn data center provides the physical facilities
- Support and communication tools: used solely for handling customer support tickets
All processors are bound by data processing agreements (DPAs) and may not use your data for their own purposes. We do not transfer personal data to recipients outside the European Economic Area without appropriate safeguards in place.
6. Retention Periods
- Active account data: retained for the duration of the service relationship
- Billing records: retained for 7 years to comply with Estonian accounting law
- Support correspondence: retained for 2 years after ticket closure
- Server logs (connection, access): retained for up to 90 days for security purposes
- Anonymized analytics: retained indefinitely in aggregated form
7. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of all personal data we hold about you
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data where there is no lawful reason to retain it
- Right to restrict processing (Art. 18): request that we limit how we use your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, email us at privacy@estflux.com. We will respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee).
8. Cookies
Our website uses a minimal set of cookies:
- Strictly necessary: session cookies required for the control panel and account authentication — these cannot be disabled
- Analytics: anonymized usage statistics to understand how visitors interact with our site — you can opt out via your browser settings or a cookie consent banner
We do not use advertising or tracking cookies. We do not embed third-party tracking pixels.
9. Security Measures
We take data security seriously. Our measures include:
- TLS 1.2+ encryption for all data in transit
- Encrypted storage for sensitive credentials and payment tokens
- Access controls — personal data is accessible only to staff who require it
- Regular security reviews of our systems and vendor integrations
- Our data center's ISO-certified physical security for infrastructure
In the event of a data breach that poses a risk to your rights, we will notify the Estonian Data Protection Inspectorate within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.
10. International Transfers
Our primary infrastructure and data processing operations are located within the European Union (Estonia). Should we use any sub-processors located outside the EEA, we ensure appropriate safeguards are in place — adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we'll revise the "Last updated" date at the top of this page and, for material changes, notify active customers by email. Continued use of our services after a policy update constitutes acceptance of the revised terms.
For any privacy-related questions, data subject requests, or concerns, contact us at: