1. Overview
StarterHost is committed to protecting the personal data of our customers, employees, and all individuals whose data we process. This Data Protection Policy outlines how we collect, process, store, and safeguard personal data in compliance with India's Information Technology Act, 2000, the IT (Amendment) Act, 2008, and the Digital Personal Data Protection Act, 2023 (DPDPA).
Our Commitment: We process personal data lawfully, fairly, and transparently. We collect only what is necessary, store it securely, and never use it beyond its intended purpose.
2. Scope
This policy applies to:
- All personal data collected from customers using StarterHost services
- Data processed through our website, control panel, and support channels
- Data shared with us by third-party partners in the course of service delivery
- All StarterHost employees and contractors who handle personal data
3. Data We Process
We process the following categories of personal data:
- Identity Data: Full name, username, account ID
- Contact Data: Email address, phone number, billing address
- Financial Data: Transaction records, payment status (card details are processed by PayU and never stored by us)
- Technical Data: IP addresses, server logs, browser type, device information
- Usage Data: Pages visited, features used, support tickets raised
- Configuration Data: Domain names, hosting usernames, server settings
4. Legal Basis for Processing
We process your personal data on the following legal grounds:
- Contractual Necessity: Processing required to deliver the hosting services you have purchased
- Legal Obligation: Processing required to comply with Indian tax, financial, and regulatory laws
- Legitimate Interests: Processing for fraud prevention, network security, and platform integrity
- Consent: Processing for optional marketing communications, which you may withdraw at any time
5. Data Minimisation
We adhere strictly to the principle of data minimisation. We only collect personal data that is directly necessary for the purpose it is being collected for. We regularly review what data we hold and delete anything that is no longer required.
6. Data Storage & Location
All personal data is stored on servers located within India, specifically in Mumbai. We do not transfer personal data outside of India except where strictly necessary for service delivery (for example, where a third-party software provider processes data). In such cases, we ensure adequate contractual protections are in place.
7. Data Security Measures
We implement robust technical and organisational measures to protect personal data including:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256.
- Access Controls: Personal data is accessible only to authorised personnel on a strict need-to-know basis. All internal access is logged and audited.
- Network Security: Our infrastructure is protected by firewalls, intrusion detection systems, and regular vulnerability scanning.
- Incident Response: We maintain a documented data breach response procedure. In the event of a breach affecting your data, we will notify you within 72 hours as required by law.
- Employee Training: All staff with access to personal data receive regular data protection training.
8. Data Retention
We retain personal data only for as long as necessary:
- Active accounts: Data retained for the duration of the account
- Cancelled accounts: Data retained for 90 days post-cancellation, then permanently deleted
- Billing records: Retained for 7 years as required by Indian tax law
- Support tickets: Retained for 2 years for quality and audit purposes
- Server logs: Retained for 90 days for security analysis
9. Third-Party Data Processors
We work with the following third-party processors who may handle your personal data on our behalf:
- PayU India: Payment processing. Governed by PayU's own privacy policy and PCI-DSS compliance.
- cPanel/WHM: Server management software. Processes domain and hosting configuration data.
All third-party processors are contractually bound to process data only on our instructions and to maintain appropriate security standards.
10. Your Data Rights
Under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Correction: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data, subject to legal retention requirements
- Right to Grievance Redressal: Raise a complaint with our Data Protection Officer
- Right to Nominate: Nominate another individual to exercise your rights in case of death or incapacity
To exercise any of these rights, submit a request to dpo@starterhost.in. We will respond within 30 days.
11. Data Protection Officer
We have appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and compliance. You may contact our DPO at:
- Email: dpo@starterhost.in
- Address: Data Protection Officer, StarterHost, Mumbai, Maharashtra, India
12. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with India's Data Protection Board, which will be established under the Digital Personal Data Protection Act, 2023. We encourage you to contact us first at dpo@starterhost.in so we can resolve the matter directly.
13. Policy Updates
We review and update this Data Protection Policy at least annually or whenever there are significant changes to our data processing activities or applicable law. Material changes will be communicated to you via email with at least 14 days notice.