ScaleHost
Privacy Policy
What we collect, why we collect it, who we share it with, and how to get it back or have it deleted.
LAST UPDATED: 2026-05-15
1.Who's responsible
ScaleHost is operated from Ontario, Canada. For the purposes of Canadian PIPEDA, the EU/UK GDPR, the California CCPA/CPRA, and similar laws, ScaleHost is the controller of personal information we collect about you. Contact us at privacy@scalehost.gg for any privacy-related request.
2.What we collect
Only what we need to operate the service. Broadly:
- Account info: email address, account display name, hashed password. Optionally a Discord handle if you connect one.
- Billing info: we do not store your card number, CVC, or bank details. Those go directly to Stripe (see section 5). We store the Stripe customer ID, your plan, your add-ons, subscription state, and historical invoice IDs.
- Server data: server name, region, plan, settings you configure (wipe schedule, gameplay preset, plugin list, optimization toggles, etc.), and the world saves / plugin configs / log files you generate by running the server.
- Usage and technical data: IP address you connect from, browser and OS user-agent, the times you signed in, what panel pages you loaded, API calls you made, errors your session triggered.
- Support communication: emails or chats you send us, plus our replies.
We don't run third-party advertising tracking, fingerprinting scripts, social-network pixels, or behavioural ad networks on the site or in the panel.
3.Why we collect it
- To run the service. Boot your server, apply your settings, route packets, take backups, render the panel. Without this, no service.
- To bill you. Create subscriptions in Stripe, prorate plan changes, send receipts.
- To keep the service safe and abuse-free. Detect brute-force login attempts, rate-limit abuse, investigate suspected breach of the Terms, comply with law enforcement requests where legally required.
- To improve the service. Aggregated usage stats help us know which features matter. We try not to look at any single account's data except when troubleshooting a specific issue.
- To communicate with you. Transactional emails (signup confirm, password reset, invoices, billing notices, service incidents) and occasional product updates. You can opt out of non-transactional emails.
Under GDPR terms, our legal bases are: contract (running the service you signed up for), legitimate interest (security, abuse prevention, product improvement), legal obligation (tax records, law enforcement), and consent (marketing emails, where required).
4.Who we share it with
We don't sell your data. We don't rent it. We don't share it with advertisers. We share it with the third-party providers we need to run the service, and only what each one needs:
| Provider | What they get | Why |
|---|---|---|
| Stripe | Email, name, card details (entered directly into Stripe), billing address, country, IP | Payment processing, subscription management, fraud prevention |
| Hetzner Online | The bytes of your running Rust server (world save, plugins, log files) and our agent traffic | Bare-metal hardware hosting in Ashburn, Virginia |
| Fly.io | Panel and API runtime, your account database | Hosts the web panel, API, and Postgres database |
| Resend | Email address and the contents of transactional emails | Sending signup confirms, password resets, receipts, service notices |
| Sentry | Stack traces, request paths, user agent, internal user ID, error context | Error tracking and crash reporting |
| Cloudflare Turnstile | IP, browser fingerprint at signup | Bot prevention on signup and login |
Each of these providers has their own privacy policy. We pick providers that take security seriously and that allow data deletion on request. We may add or change providers as our infrastructure evolves. Material changes to this list will be reflected in updates to this page.
We may also disclose information when required by law (subpoena, court order, lawful government request), or to protect the rights, safety, or property of ScaleHost, our users, or the public.
5.Stripe and payment data
Payments go through Stripe. When you enter a card, you're typing it into Stripe's hosted form, not ours. We never receive your full card number. What we do receive from Stripe is: the customer ID, the last 4 digits and card brand for display purposes, your subscription status, and invoice / charge records.
Stripe is responsible for the security of payment card data they hold. They're PCI-DSS Level 1 certified. Their own privacy policy governs the data they collect.
6.Where your data is stored
The web panel, API, and account database run on Fly.io infrastructure. Your game server's running state and saved files live on dedicated hardware we operate in Ashburn, Virginia (USA). Backups may be stored at Hetzner-operated locations (US and EU). Stripe processes payment data on its own infrastructure (primarily US and EU).
If you're outside Canada, your data is processed in countries that may have different privacy laws than your own, including the United States. By using the service, you consent to this transfer. We rely on standard contractual clauses and equivalent safeguards where applicable.
7.How long we keep it
- Account info: for the life of the account, plus up to 12 months after cancellation in case you reactivate.
- World saves and plugin configs: for the life of the server, plus 1 year after cancellation (resume-friendly), unless you delete the server explicitly (which is immediate and irreversible).
- Billing records: 7 years, as required for Canadian tax records.
- Login and IP logs: 90 days rolling.
- Error logs (Sentry): 90 days rolling.
- Support emails: 2 years.
- Aggregated, non-identifiable analytics: indefinitely.
8.Your rights
Wherever you live, you can email privacy@scalehost.gg to:
- Access the personal information we have about you.
- Correct anything wrong or outdated.
- Delete your account and associated data (subject to billing record retention required by law).
- Export your account data and your servers' world saves in a portable format.
- Restrict or object to certain processing.
- Withdraw consent for marketing emails (one-click unsubscribe in any marketing email).
- File a complaint with your local data protection authority. In Canada, that's the Office of the Privacy Commissioner of Canada (priv.gc.ca). EU residents can lodge a complaint with their national supervisory authority. UK residents can lodge a complaint with the ICO.
We respond to verified requests within 30 days. We may ask you to verify your identity (typically by replying from the email address on file) before disclosing data or processing a deletion.
9.Cookies
We use a small number of strictly necessary cookies to operate the service:
- A session cookie that keeps you logged in.
- A CSRF token to protect form submissions.
- A cookie set by Cloudflare Turnstile to prevent automated signups and logins.
We don't use cookies for tracking, ads, or analytics. No third-party cookies are set by the marketing site or the panel beyond the strictly-necessary ones noted above.
10.Children
The service is not directed at children under 13 (or under 16 in the EEA / UK). We don't knowingly collect personal information from anyone in those age groups. If we discover we have, we delete it. If you believe a child has signed up without authorization, email privacy@scalehost.gg and we'll investigate.
11.Security
Passwords are hashed with a modern password-hashing algorithm. Account sessions use signed, HTTP-only cookies. The panel and API run over TLS. Postgres is private to our VPC. Game servers run on isolated Linux cgroups so one customer's server can't see another's data. Backups are encrypted at rest where the provider supports it.
No system is perfectly secure. If you believe you've found a vulnerability, please email security@scalehost.gg with details. We commit to responding within 5 business days and not pursuing legal action against good-faith security researchers.
12.Changes to this policy
If we make material changes to this policy, we'll email account holders and post a notice in the panel at least 14 days before the changes take effect. Non-material changes (typos, clarifications, sub-processor name changes that don't change what data is shared) may be made without notice.
13.Contact
Privacy questions, access requests, deletion requests, anything else: privacy@scalehost.gg.