Privacy Policy.

1. Who we are

This Privacy Policy is issued by Fatality Servers ("Fatality Servers", "we", "us", "our"), the operator of the website fatalityservers.com and the managed game server hosting, VPS, and dedicated server products offered through it.

For the purposes of EU / UK data protection law, Fatality Servers is the data controller for personal data collected through the website and for account data tied to our hosting services.

If you need to exercise a data right, or have a privacy question that isn't answered below, email [email protected] and a human will answer — usually the same business day.

2. What data we collect

We collect only what we need to sell you hosting, invoice you for it, keep your servers online, and support you when things go wrong. In practice that's five categories:

2.1 Account data

• Your email address
• Your chosen account username / display name
• A password hash (we never store the plaintext password)
• Optionally: your display avatar, timezone, preferred language
• Optionally: a Discord ID or Steam ID you link for support

2.2 Billing data

• Your full name and billing address
• The country/region and tax jurisdiction we owe VAT / GST in
• The last four digits and expiry of a payment card, OR a PayPal / crypto / bank reference — we do not ever see or store full card numbers; those are collected directly by our payment processors
• Invoices, payment status, and transaction history

2.3 Service-operations data

• IP addresses used to sign in and to connect to the control panel
• Server usage metrics (CPU, RAM, disk, bandwidth, player count, uptime)
• Action logs in the panel (plan changes, deploys, password resets, login attempts)
• Server console log excerpts you share with us in tickets

2.4 Support data

• Tickets, live-chat transcripts, and emails you send to support
• Any screenshots, config files, or logs you attach
• Satisfaction ratings you give after a ticket closes

2.5 Website data

• Standard web-server logs (IP, user agent, requested URL, timestamp) for security and abuse investigations
• Strictly-necessary cookies for the site and panel (see Cookies)
• Aggregated, anonymised analytics on page views and conversion events — we do not build cross-site behavioural profiles

3. Why we collect it

Each category above maps to a specific, limited purpose:

• Account data — to let you log in, own your servers, and authenticate to the panel.
• Billing data — to charge you, send invoices, comply with tax law, and remit VAT / GST to the correct revenue authority.
• Service-operations data — to operate your server, detect abuse (ours and others'), size hardware, investigate incidents, and meet our uptime commitments.
• Support data — to reproduce problems, fix them, and learn from them.
• Website data — to keep the site and panel online, block attackers, and measure whether changes to the site actually help customers.

4. Legal basis for processing (GDPR / UK-DPA)

If you are in the UK, EU, or EEA, our legal basis under Article 6 of the UK-GDPR / EU-GDPR is:

• Contract (Art. 6(1)(b)) — for account, billing, and service-operations data. We cannot perform the hosting contract without processing these.
• Legal obligation (Art. 6(1)(c)) — for invoices, VAT records, and anti-abuse records we are required to keep under tax and telecoms law.
• Legitimate interests (Art. 6(1)(f)) — for security logging, fraud prevention, product improvement, and direct customer communications about service changes. You have a right to object (see Your rights).
• Consent (Art. 6(1)(a)) — for optional marketing emails and non-essential analytics. You can withdraw consent at any time from your account settings or by emailing us.

5. Who we share data with

We share personal data with three narrow categories of third parties, only as needed to run the service:

5.1 Payment processors

Card payments are processed by Stripe, Inc. and PayPal-branded entities depending on your region. They receive your name, email, billing address, and card/account details — we do not. Their handling of that data is governed by their respective privacy policies.

5.2 Infrastructure providers

We co-locate or rent capacity in tier-3 / tier-4 datacenters across 10 global locations. These providers see IP addresses and bandwidth associated with your server but do not access your account or billing data. All providers we use are contractually bound to GDPR-grade data processing terms.

5.3 Operational vendors

A short, curated list of vendors helps us run the business — transactional email delivery, customer support ticketing, status-page notifications, DDoS mitigation, and fraud screening. We share only the specific data each vendor needs to perform its function. A current list is available from [email protected] on request.

5.4 Law enforcement & legal process

We disclose personal data in response to valid legal process (subpoena, court order, or equivalent formal law-enforcement request) only to the extent required. We push back on overbroad or extraterritorial requests and notify affected customers unless legally prohibited from doing so.

6. How long we keep it

We keep the minimum data necessary for the minimum time reasonable:

• Account data — for the lifetime of your account, and 30 days after closure for dispute-handling.
• Billing & invoice records — 7 years, because most tax authorities in our jurisdictions require it.
• Service logs & usage metrics — 90 days rolling, then aggregated/anonymised.
• Support tickets — 3 years, then permanently deleted.
• Web-server logs — 30 days rolling.
• Marketing consent records — for as long as consent is active, plus 2 years after withdrawal as proof that consent existed when required.

7. International data transfers

Our primary operations are in the European Economic Area (EEA). Some vendors (notably payment processors and DDoS mitigation) are headquartered in the United States and may process data outside the EEA.

Where that happens, transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where relevant, by adequacy decisions (e.g. the UK Data Bridge). A copy of the SCCs used is available on request.

8. Your rights over your data

If you are in the UK, EU, EEA, California, or any jurisdiction with equivalent protections (Switzerland, Brazil, Canada, etc.), you have the following rights:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate data
• Erasure ("right to be forgotten") — request deletion where we have no overriding legal need
• Restriction — ask us to stop processing while a dispute is resolved
• Portability — receive your data in a machine-readable format, or have it transferred to another provider where technically feasible
• Objection — object to processing based on legitimate interests
• Withdraw consent — for anything we process based on consent
• No automated decision-making — we do not make legally significant decisions about you via fully automated profiling
• Complain to a supervisory authority — most notably the UK's ICO (ico.org.uk) or your national DPA in the EU. We'd appreciate the chance to resolve it with you first, but you are never required to contact us before complaining to a regulator.

To exercise any of these, email [email protected]. We respond within 30 days (often within 72 hours) and ask for proof of identity only where reasonably necessary to protect your account.

9. Cookies & tracking

We use a minimal set of cookies and similar technologies:

• Strictly necessary — session cookies for login, CSRF protection, and shopping-cart state. These are required for the site to function; we do not ask for consent to set them.
• Functional — preferences like theme choice, selected currency. Set on first interaction, persist 12 months, never shared.
• Analytics — aggregated page-view counts via a privacy-respecting analytics provider that does not use third-party cookies or cross-site fingerprinting. You can opt out via the cookie banner or a browser Do-Not-Track signal, which we honour.

We do not use advertising pixels, remarketing tags, or social-media trackers on the core site or panel. Blog posts or documentation pages that embed third-party video may temporarily load cookies from those providers when you interact with the embed.

10. Data security

We take the security of your personal data seriously and apply measures appropriate to its sensitivity:

• TLS 1.2+ on every public endpoint; HSTS enforced on the primary domain
• At-rest encryption on databases and backup storage
• Scrypt-based password hashing with per-user salts
• Optional two-factor authentication on the panel (TOTP / WebAuthn)
• Least-privilege access controls with audit logging on every administrative action
• Quarterly third-party penetration testing and continuous dependency scanning
• A documented incident-response plan — affected customers are notified within 72 hours of a confirmed personal-data breach

No system is perfectly secure, and we do not pretend otherwise. If you believe your account has been compromised, email [email protected] immediately and we will take action.

11. Children

Our services are not directed at children under 16, and we do not knowingly collect personal data from anyone under that age. If we learn that we have collected personal data from a child without appropriate parental consent, we will delete it promptly. If you believe we may hold data about a child, email [email protected].

12. Changes to this policy

We update this policy when our data handling genuinely changes — new vendor, new legal basis, new region. Minor clarifications (wording, examples) may also be made without ceremony. In both cases:

• The Last updated date at the top of this page changes
• Material changes are communicated to active customers via email at least 14 days before they take effect
• A revision history is maintained at [email protected] on request

13. How to contact us

For any privacy-related question, right request, or concern:

• Email: [email protected]
• Security incidents: [email protected]
• General support: [email protected] or via the support portal
• Registered address: available on request to any of the above

If you prefer to raise a concern publicly, the relevant supervisory authority in your jurisdiction can receive complaints directly — in the UK, the Information Commissioner's Office (ICO) at ico.org.uk; in the EU, your national data-protection authority.