PRIVACY POLICY
Company: Bastille Holding Limited (“Company”, “we”, “us”)
Jurisdiction: Hong Kong SAR
Website: https://cobaltstack.net
Privacy contact: privacy@cobaltstack.net
Last updated / Effective date: 5 Jan 2026
1. Scope
This Privacy Policy explains how we collect, use, disclose, and protect Personal Data when you use our Services (software licenses, API services, VPS/dedicated servers, SaaS, VPN) and when you interact with our website and support channels.
2. Legal Framework
2.1 Hong Kong SAR (PDPO). We process Personal Data in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) and relevant guidance.
2.2 GDPR (where applicable). If the GDPR applies to our processing (e.g., offering Services to individuals in the EEA/UK or monitoring their behavior), we comply with GDPR requirements to the extent applicable.
2.3 Controller. For purposes of this Policy, Bastille Holding Limited is the data controller for Account, billing, and website/support data, unless stated otherwise.
2.4 Processor scenarios. For certain VPS/SaaS use cases, we may process Personal Data on behalf of customers (e.g., when a customer uploads personal data into a SaaS workspace). In those cases, the customer may be the controller and we may be a processor.
3. Definitions
“Personal Data” means information relating to an identified or identifiable individual (GDPR) / personal data as defined under PDPO.
“Processing” means any operation performed on Personal Data (collection, storage, use, disclosure, etc.).
4. Personal Data We Collect
We collect data directly from you, automatically through your use of Services, and from third parties (e.g., payment providers).
4.1 Account and identity data
- Name, username, company name
- Email address, phone number
- Billing address, country/region
- Account preferences and settings
4.2 Billing and transactional data
- Invoices, order history, payment status
- Tax/VAT information (if applicable)
- Fraud/risk indicators (where applicable)
4.3 Technical and usage data
- IP address, timestamps, device/browser identifiers
- Authentication logs (login attempts, session info)
- Service usage telemetry and diagnostics (error logs, performance metrics)
- Security events, audit records where relevant
4.4 Service-specific data
(a) VPS / Dedicated Servers:
- System/network metadata needed to provision and secure infrastructure
- Abuse/security signals and incident records
(b) API Services:
- Request metadata (request IDs, timestamps, endpoints, response codes)
- Quota consumption, rate limit events
- Error logs and audit events
(c) SaaS:
- Workspace identifiers, user roles, audit logs
- Content you upload or generate within the SaaS (as applicable to the product)
(d) VPN:
- Technical connection data and abuse-prevention signals.
- We do not aim to collect more than necessary for security, service delivery, and abuse prevention.
4.5 Support communications
- Tickets, emails, chat messages
- Attachments and information you choose to provide
4.6 Cookies and similar technologies
- Cookies, local storage, pixels, or similar for functionality, security, and analytics as described in [COOKIE_POLICY_URL].
5. How We Use Personal Data (Purposes)
We use Personal Data for:
5.1 Providing Services: account creation, authentication, provisioning, service operation, updates, customer support.
5.2 Contract and billing: processing orders, invoices, payments, renewals, account management.
5.3 Security and abuse prevention: detecting fraud, preventing attacks/spam, enforcing our AUP, protecting customers and our infrastructure.
5.4 Compliance: meeting legal obligations (e.g., accounting records), responding to lawful requests by authorities.
5.5 Product improvement: troubleshooting, analytics, performance monitoring, service enhancement.
5.6 Marketing (where permitted): sending product/service updates and offers, subject to your choices and legal requirements.
6. Legal Bases (GDPR – where applicable)
Where GDPR applies, we rely on one or more of the following legal bases:
- Contract performance (Art. 6(1)(b))
- Legal obligation (Art. 6(1)(c))
- Legitimate interests (Art. 6(1)(f)) such as security, fraud prevention, and service improvement
- Consent (Art. 6(1)(a)) for certain marketing or non-essential cookies, where required
7. Disclosure of Personal Data
We may share Personal Data with:
7.1 Service providers (processors)
- Payment processors (e.g., Stripe)
- Hosting/data center and network providers
- Email delivery and communications providers
- Customer support and ticketing tools
- Security, fraud prevention, and monitoring providers
We share only what is reasonably necessary for the specified purposes and require appropriate confidentiality and security.
7.2 Third parties required for service delivery
- Software publishers/licensors for license fulfilment, validation, or compliance (where applicable)
- Upstream infrastructure partners needed to deliver the Services
7.3 Legal and safety disclosures
We may disclose Personal Data if required by law, regulation, court order, or lawful request, or to protect rights, safety, and security.
7.4 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, Personal Data may be transferred subject to confidentiality and applicable law.
8. Payments (Stripe and others)
Payments may be processed by third-party payment providers. Typically, payment card details are processed by the payment provider and not stored by us. We receive payment confirmation and limited payment metadata (e.g., transaction IDs, status, billing details).
9. International Data Transfers
Your data may be processed in Hong Kong SAR and in other jurisdictions where we or our providers operate.
9.1 GDPR transfers (where applicable)
Where required, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or other lawful transfer mechanisms.
9.2 PDPO considerations
We take reasonable steps to ensure any overseas recipient provides a comparable level of protection, using contractual and organizational measures where appropriate.
10. Data Retention
We retain Personal Data only as long as necessary for the purposes described above, including:
- duration of your account and service subscription,
- compliance with legal obligations (e.g., accounting),
- dispute resolution and enforcement.
Retention periods and deletion rules are described in 365 days. After that, we delete or anonymize data unless law requires longer retention.
11. Security
We implement reasonable technical and organizational measures to protect Personal Data (access controls, encryption where appropriate, logging, incident response, and infrastructure security practices). No system is 100% secure; you are responsible for using strong passwords and secure endpoints.
12. Your Rights
12.1 PDPO (Hong Kong SAR)
You may request access to and correction of your personal data (Data Access Request / Data Correction Request). Requests can be sent to privacy@cobaltstack.net. We may verify identity and may charge a reasonable fee where allowed.
12.2 GDPR (where applicable)
You may have the right to:
- Access, rectification, erasure
- Restrict or object to processing
- Data portability
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with a supervisory authority
You can exercise these rights by contacting privacy@cobaltstack.net. We may need to verify identity.
13. Cookies
We use necessary cookies for website functionality and security. We may also use analytics and marketing cookies where permitted. See [COOKIE_POLICY_URL] for details and controls.
14. Children
Our Services are not directed to children under 20. We do not knowingly collect Personal Data from children. If you believe a child has provided data, contact privacy@cobaltstack.net.
15. Third-Party Links
Our websites/services may contain links to third-party sites. We are not responsible for their privacy practices.
16. Changes to this Policy
We may update this Privacy Policy from time to time. The updated version becomes effective when posted with a new “Last updated” date. Material changes may be notified via email or the billing portal.
17. Contact
Privacy questions and requests: privacy@cobaltstack.net
Company address: company@cobaltstack.net