Privacy Policy — CoinsHosting.com

Effective Date: [insert date]

Controller: Shopfiles Ltd, Bulgaria, VAT BG204350007

Registered Address: [insert address], Bulgaria

Contact (privacy): [email protected]

Supervisory authority: Commission for Personal Data Protection (CPDP), Bulgaria

1. Scope, Roles, and Interpretation

  1.1. This Policy explains how we process personal data in connection with our public website, client portal, billing, support, abuse handling, and service notifications (“Services”).
  1.2. Controller. For account, billing, security, and support data, Shopfiles Ltd acts as data controller.
  1.3. Customer as controller. Customers control all personal data they store or process on their own servers/instances. We do not monitor or moderate customer content.
  1.4. Processor (if applicable). Where we process customer personal data only on documented instructions (e.g., managed backup or support requiring limited access), we act as processor under a separate Data Processing Agreement (DPA) available on request.
  1.5. Capitalized terms have the meaning given by the GDPR.

2. Categories of Data We Process (Data Minimization)

Account & Contact: email, display name or alias, country (for VAT and legal compliance), support tickets, billing contact.

Billing & Payments: invoices, amounts, timestamps, identifiers; for crypto, on-chain data such as addresses and TXIDs.

Operational & Security: login IPs and timestamps, user-agent, server identifiers, authentication/abuse-prevention signals, and minimal service logs strictly necessary for integrity and diagnostics.

Verification (conditional): Know-Your-Customer/AML information only if required by law or where activity is high-risk/suspicious. Failure to complete may lead to suspension.

Cookies/Similar Tech: strictly necessary session cookies; optional analytics only with valid consent (if enabled).

We do not collect or scan the contents of customer servers in the ordinary course of business.

3. Purposes and Legal Bases (GDPR Art. 6)

  • Provide and administer the Services: provisioning, billing, support — Art. 6(1)(b) contract.
  • Security and abuse prevention: protect accounts, networks, and infrastructure — Art. 6(1)(f) legitimate interests.
  • Compliance: tax/VAT, accounting, lawful requests — Art. 6(1)(c) legal obligation.
  • KYC/AML (where applicable): Art. 6(1)(c) and/or Art. 6(1)(f).
  • Service notices and operational communications: Art. 6(1)(f).
  • Marketing (if used): only with Art. 6(1)(a) consent; you can withdraw at any time.

4. Special Categories & Automated Decisions

  4.1. We do not seek special categories of data (GDPR Art. 9). Do not submit them to us unless strictly necessary and lawful.
  4.2. We do not make decisions producing legal or similarly significant effects based solely on automated processing.

5. Crypto Payments

  5.1. Cryptocurrency transactions are pseudonymous and recorded on public blockchains; addresses and TXIDs may be visible to third parties.
  5.2. We may perform risk screening or request KYC if required by law or fraud/abuse signals.
  5.3. We make no promise to access, retrieve, decrypt, or produce data we do not hold or cannot access.

6. Law-Enforcement and Legal Requests

  6.1. We respond to valid and binding legal requests from competent authorities. Requests must identify the account or resource and cite a legal basis.
  6.2. If the requested data does not exist (e.g., we have no content logs or cannot decrypt data), we cannot provide it.
  6.3. Where permitted, we may notify the customer prior to disclosure; emergency or legally restricted cases may prevent notice.
  6.4. We provide assistance on a best-effort basis only and do not guarantee outcomes.

7. Retention

We retain data only as long as necessary for the purposes below or as required by law, then delete or irreversibly anonymize it.

| Data Category | Typical Retention |
| --- | --- |
| Account & contract records | For the account lifetime + statutory limitation period |
| Invoices & tax records | Minimum required by tax/accounting laws (usually 5–10 years) |
| Security/abuse logs | Short, necessity-based windows to ensure integrity and investigate abuse |
| KYC/AML (if collected) | For the legally required period, then deleted |
| Support tickets | Operational necessity; scrub PII where feasible after closure |

(Exact periods may vary by jurisdiction and legal hold obligations.)

8. International Transfers

  8.1. Processing is primarily within the EU/EEA.
  8.2. If support or providers involve transfers outside the EEA, we use GDPR transfer safeguards (e.g., Standard Contractual Clauses), apply minimization, and, where relevant, transfer-impact assessments.

9. Security

  9.1. We implement technical and organizational measures appropriate to risk, including encryption in transit, network isolation, access controls, and least-privilege.
  9.2. No security is perfect. If a breach risks individuals’ rights and freedoms, we will notify the CPDP and affected users per law.

10. Your Rights

  10.1. GDPR (EU/EEA): access, rectification, erasure, restriction, portability, and objection (Arts. 15–21).
  10.2. Certain US states: access/erase/opt-out where applicable by state law.
  10.3. End-users of our customers: if your data resides on a customer’s server, contact that customer (controller). We will support the customer, where feasible, in fulfilling your request.

11. How to Exercise Rights or Complain

  11.1. Contact us at [email protected]. We may request limited information to verify identity.
  11.2. You may lodge a complaint with the CPDP or your local supervisory authority.

12. Cookies & Analytics

  12.1. Essential cookies are required for session integrity and security; you cannot opt out of these without affecting functionality.
  12.2. Analytics (optional): used only with consent (if enabled) and configured for privacy. You can withdraw consent at any time in your cookie preferences.

13. Processors and Disclosures

  13.1. We may engage vetted processors (e.g., payment processors, data-center/colocation and connectivity providers, fraud-prevention tools, professional advisors).
  13.2. Where parties act as processors, they are bound by written terms meeting GDPR Art. 28 (confidentiality, security, breach notice, sub-processing controls).
  13.3. Where parties act as independent controllers (e.g., banks/payment networks), their privacy policies apply.
  13.4. We may disclose limited data to competent authorities where legally required.

14. Customer Responsibilities (Critical)

  14.1. Customers are solely responsible for the lawful processing of personal data they control on their instances, including providing their own privacy notices, obtaining valid consents, handling data-subject requests, and performing DPIAs where required.
  14.2. Customers must implement appropriate technical and organizational measures (patching, access controls, encryption, backups, logging) for systems they control.
  14.3. Use of our infrastructure must comply with all applicable laws and our Terms/AUP.

15. Liability & Disclaimers (Privacy Context)

  15.1. To the maximum extent permitted by law, we disclaim responsibility for: (a) customer-controlled processing; (b) data exposed via public blockchains; (c) failures caused by third-party networks, systems, or providers outside our reasonable control.
  15.2. We do not guarantee the ability to access, monitor, recover, or erase customer-hosted content.
  15.3. Nothing here limits non-waivable statutory rights or mandatory obligations; allocation of responsibilities follows applicable data-protection law.

16. Children

Our Services are intended for adults/business use and are not directed to children under 16.

17. Changes

We may update this Policy to reflect legal/technical changes. Material changes will be posted with a new Effective Date.

18. Language and Governing Law

  18.1. This Policy may be provided in multiple languages; for Bulgarian residents, a Bulgarian version may apply. In the event of conflict, the Bulgarian version may prevail for BG residents.
  18.2. This Policy is governed by Bulgarian law and applicable EU legislation.