Privacy Policy

1. Who we are and what this document covers

This Privacy Policy applies to the website operated at anonymousserverhosting.com and to the hosting infrastructure we provide to paying customers. References to "we", "us", "our" mean the operating entity behind Anonymous Server Hosting; references to "you" mean a visitor to this website or a paying customer of our services.

For corporate identity, registered office and the operator's legal name, see our Terms of Service. We update this Privacy Policy when material changes occur and post the effective date at the top of the document. Substantial changes are announced via the customer Telegram channel at least 30 days before they take effect.

2. What we collect when you visit this website

This website does not run any third-party analytics. We do not load Google Analytics, Meta Pixel, Cloudflare Analytics, Plausible, Matomo, Mixpanel, Hotjar, or equivalent services. We do not place advertising pixels. We do not embed social-media tracking widgets. The footer of every page declares this commitment, and the Permissions-Policy response header on every page disables browser-level tracking APIs.

The web server that delivers this site keeps temporary access logs containing the request path, response status, response size, user agent and a truncated source IP address (last octet zeroed). These logs are rotated every 7 days and used only for debugging server errors and detecting abuse against our infrastructure. They are not joined to any customer record, not exported for marketing analysis, and not shared with third parties.

The price-conversion ticker shown on some pages fetches public exchange-rate data from CoinGecko. That request is initiated from your browser, not from our servers, and we have no visibility into it. CoinGecko's privacy policy applies to that single network call. The result is cached in your browser's localStorage for five minutes and never transmitted to us.

3. What we collect when you become a customer

To deliver hosting services we need a contact channel and a means of payment. We deliberately limit collection to the operational minimum:

• A contact handle. A Telegram username or an email address, your choice. We do not require a verified email and we do not require a phone number.
• Payment evidence. A cryptocurrency transaction identifier sufficient to confirm payment was received. We do not record on-chain analytics, do not perform chain-tracing on customer transactions, and do not associate wallet addresses with customer identity beyond what is needed to confirm a single invoice.
• Service configuration. Domain names, sender names, IP allocations, DKIM keys and any other technical data you provide to us so that we can configure the infrastructure you ordered.
• Operational logs from the hosted infrastructure. Standard server logs from your provisioned servers, retained for the periods described in section 5.

We do not require government-issued identification. We do not require proof of address. We do not perform credit checks. We do not enrich customer records with third-party data brokers.

4. What we never collect

We make a positive commitment about specific categories of data we will not collect from website visitors or customers under any circumstances:

• Government-issued identification documents (passport, driver's licence, national ID).
• Biometric data of any kind.
• Photographs of customers.
• Behavioural profiles built from cross-site browsing patterns.
• Inferred demographic data (estimated age, gender, household income, etc.).
• Cookies for advertising or cross-site tracking purposes.
• Audio recordings or transcripts of customer support conversations beyond what is necessary to follow up on a specific open ticket.

5. How long we keep data

Customer data is retained only for as long as is operationally necessary, with these retention periods:

• Active customer records: retained while the customer relationship is active and for 90 days after termination, to support reactivation requests, dispute resolution and accounting reconciliation.
• Server access logs on customer infrastructure: rotated every 7 days by default. Customers may request shorter or longer retention via configuration request.
• Payment confirmations: retained for the period required by the accounting laws of the operating jurisdiction (typically 5 to 7 years), but stripped of all personally-identifying contact metadata after 90 days.
• Support conversations on Telegram: we do not maintain a separate archive. Telegram's own retention applies to messages on the platform; we delete our own copies of ticket conversations 30 days after the ticket is closed.
• Website server logs: 7 days, with truncated source IPs as described in section 2.

6. Subprocessors and third parties

The infrastructure that runs your services is operated by us directly. We do not outsource hosting to a major cloud provider (AWS, Google Cloud, Azure, etc.) and your traffic does not transit those networks except as part of normal Tier 1 transit between autonomous systems on the public internet.

The narrow exceptions where third parties touch customer-relevant data are:

• Datacenter operators. Our hardware is colocated in Tier III+ facilities in the seven jurisdictions listed publicly. Datacenter operators have physical access to the racks but do not have logical access to data on the machines.
• Tier 1 transit providers. Your traffic transits networks operated by Cogent, NTT, Telia and GTT, in the standard manner of internet routing. These providers do not see the contents of TLS-encrypted connections.
• Cryptocurrency networks. Public blockchains record on-chain transactions permanently. We do not control this; the privacy properties of your chosen cryptocurrency determine what is observable about your payment.
• Tor network. If you reach us via our .onion mirror, the Tor network itself routes the connection. We do not operate Tor relays.

We do not engage marketing, advertising, analytics, customer-success, customer-data-platform, or AI-training subprocessors. We do not sell, rent or otherwise transfer customer data to any commercial third party.

7. Legal process and data requests

We comply with valid legal orders issued by courts of competent jurisdiction in the country where the relevant infrastructure is operated. We do not act on informal requests, voluntary intelligence-sharing arrangements, or letters of intent that lack judicial backing.

Specifically:

• DMCA notices under United States law have no enforcement authority outside the United States. We forward DMCA notices to the affected customer as informational notifications and we do not act on them on our own initiative for non-US infrastructure.
• Foreign court orders require domestication in the jurisdiction where the affected infrastructure is operated. We respond to validly-domesticated orders; we do not respond to bare foreign judgements.
• Criminal investigations involving CSAM, malware command-and-control, ransomware infrastructure, or violent threats receive our immediate cooperation, regardless of the requesting jurisdiction. These categories are excluded from our acceptable use policy and customers operating them are not protected by this Privacy Policy.
• Civil discovery from private litigants is responded to via the courts of the relevant jurisdiction; we do not honour informal discovery requests.

Where legally permitted, we notify the affected customer of any process served against them before responding, so that the customer can take protective action of their own.

8. Your rights

Active customers can, at any time, request:

• A copy of all data we hold associated with their account.
• Correction of any inaccurate data we hold.
• Deletion of their account and all associated data, subject to retention obligations imposed by accounting law in the operating jurisdiction.
• Export of customer-controlled data (DKIM keys, configuration files, server snapshots) in standard portable formats.

Requests are submitted via Telegram or ticket and answered within 7 business days. Identity verification for these requests is performed against your existing payment history with us. We do not require additional documents to be provided.

9. Children

Our services are designed for and offered to professional infrastructure operators. We do not knowingly collect data from individuals under 18. If you believe a minor has somehow established an account, contact us and we will delete the account and any associated data immediately.

10. Cryptocurrency payment privacy

Payment data sits at the boundary of what we control and what is publicly observable on the underlying blockchain. We document both sides honestly here because customers commonly misunderstand the privacy implications of cryptocurrency payments specifically when used through a self-hosted BTCPay Server like ours.

What we retain: the invoice ID, the EUR amount, the cryptocurrency selected, the destination address we generated for the invoice, and the on-chain transaction hash that settled the payment. We retain this for accounting purposes as long as required by the operating jurisdiction (typically 5-7 years), encrypted at rest with AES-256. We do not retain the source address that paid the invoice; the BTCPay Server configuration discards source attribution after payment confirmation, and our database schema does not have a column for source addresses.

What is publicly observable: for on-chain Bitcoin, Ethereum, Litecoin, Bitcoin Cash, Dogecoin, Tron, and Solana, the transaction is permanently recorded on the public blockchain showing source address, destination address (which we generated), amount, and timestamp. Anyone with the destination address can correlate it with the payment to us. For Monero, on-chain analysis is not generally possible with current techniques; the chain reveals that transactions occurred but not amounts, source addresses, or destination addresses. For Lightning Network, payments route through multiple intermediate nodes and are not reconstructable from public chain data.

Customers concerned about chain-analysis correlation should prefer Monero, Lightning Network for smaller invoices, or funding their payment from an address with no other history linked to their identity. Customers using exchanges that applied KYC to their account should understand that their identity may be correlatable with the chain-visible payment through subpoena to the exchange; we have no control over and no visibility into that chain of correlation, but it affects what privacy the customer effectively has regardless of what we collect or retain.

11. Privacy under multi-jurisdictional operation

Our infrastructure operates across seven jurisdictions (Bulgaria, Romania, Moldova, Ukraine, Panama, Hong Kong, Singapore). The privacy posture varies by jurisdiction because the legal frameworks vary. We document the per-jurisdiction specifics in the relevant location pages, but the privacy-relevant summary is here.

For data subject to legal process: EU member states (Bulgaria, Romania) operate under EU procedural frameworks including GDPR and the MLAT system for cross-border process. Customer data in these jurisdictions is subject to legitimate EU-jurisdiction court orders and properly-routed MLAT requests. Moldova and Ukraine require local court orders and do not honour MLAT-style requests automatically; cross-border legal process must be re-issued through local courts. Panama, Hong Kong, and Singapore each require local court orders or appropriate mutual legal assistance treaties; the specific treaty network varies by jurisdiction and country of request.

For routine operational data: each jurisdiction follows the retention schedule documented in section 5 above. We do not replicate operational data across jurisdictions; customer infrastructure in Bulgaria stays in Bulgaria. The exception is the small set of administrative data needed for billing and account management, which is stored centrally encrypted at rest. Customers concerned about specific data residency requirements can structure their deployment to keep all their data within a single jurisdiction; this is the standard pattern for customers with GDPR or PDPA compliance requirements that mandate specific data residency.

12. Changes to this policy

We update this document when material changes occur. The effective date is shown at the top of the document. Substantial reductions to customer protection (for example, new categories of data collection, new subprocessors, changes to retention periods) are announced via the customer Telegram channel at least 30 days before they take effect, giving customers the opportunity to terminate before the change becomes effective.

13. Contact

Privacy questions, data requests and concerns are answered via:

• Telegram: anonymousserverhosting, fastest channel, median response 12 minutes.
• Ticket: open a ticket at /contact/, answered within 4 hours during operating hours.
• Tor mirror: our .onion address for visitors who prefer to reach us over the Tor network is shown in the footer.