cdn.apexnodes.xyz

Privacy Policy

1. General information and legal basis

This Privacy Policy sets out the rules for the processing and protection of personal data of users of the apexnodes.xyz service and related services (hereinafter: the “Service”).

We process personal data in accordance with:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);
• Applicable national laws on data protection and electronic services.

Contact details:

• E-mail: admin@apexnodes.xyz

---

2. Definitions

For the purposes of this Privacy Policy, the following definitions apply:

• GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
• Personal data — any information relating to an identified or identifiable natural person;
• Processing — any operation or set of operations performed on personal data;
• User — a natural person using the Service to whom the data relates;
• Processor — an entity processing personal data on our behalf;
• Personal data breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data;
• Consent — a freely given, specific, informed, and unambiguous indication of wishes;
• Profiling — any form of automated processing of personal data;
• Cookie — a text file saved by the browser on the User’s device.

---

3. Scope and sources of collected personal data

3.1. Data voluntarily provided by the User

During account registration and placing orders in the Service, the User provides the following personal data:

Data category	Description	Required
Identification data	First name, last name	First name — yes, last name — no
Contact data	E-mail address, phone number	Yes
Address data	Main address (street, number), city, state/region, postal code, country	Yes
Company data	Company name, tax ID/VAT number	No (required for business orders)
Payment data	Information about completed payments (processed exclusively by payment operators)	Yes (for payment)

3.2. Data collected automatically

When using the Service, data is also collected automatically:

Data category	Description	Purpose
IP address	User’s public IP address	Security, logs, fraud prevention
Technical data	Browser type, operating system, screen resolution	Improving Service functionality
Activity data	Access logs, order history, API requests	Technical support, billing, security
Location data	Approximate location based on IP address	Account security, detecting unauthorized access

3.3. Data from third parties

We may receive User data from third parties, in particular:

• Payment operators — transaction status, payment confirmation;
• External service providers (e.g., hCaptcha) — anti-bot verification;
• Domain registrars (eNom) — data necessary for domain registration.

3.4. Special categories of data

We do not process special categories of personal data within the meaning of Article 9 GDPR (data on racial or ethnic origin, religious beliefs, sex life, health, trade union membership, etc.).

---

4. Purposes and legal basis for processing

Users’ personal data is processed for the following purposes and on the following legal bases:

Purpose of processing	Legal basis (GDPR)	Detailed description
Provision of hosting services	Art. 6(1)(b) — performance of a contract	Account registration, service activation, server management, technical support
Payment processing	Art. 6(1)(b) — performance of a contract	Order processing, invoicing, payment handling by external operators
Domain registration	Art. 6(1)(b) — performance of a contract	Transferring data to the eNom registrar for domain registration
Security and fraud prevention	Art. 6(1)(f) — legitimate interest	Identity verification, abuse detection, protection against unauthorized access, log analysis
Own marketing	Art. 6(1)(f) — legitimate interest	Sending information about services, promotions, and news (possibility to opt out)
Analysis and statistics	Art. 6(1)(a) — consent	Analysis of traffic and User behavior using Google Analytics
Legal requirements	Art. 6(1)(c) — legal obligation	Issuing VAT invoices, keeping accounting records, responding to authority requests
Contact and support	Art. 6(1)(b) — performance of a contract / (f) — legitimate interest	Responding to inquiries, handling technical tickets
Automated decision-making and profiling	Art. 6(1)(f) — legitimate interest	See section 9

---

5. Recipients of data and processors

Users’ personal data may be disclosed to the following categories of recipients:

5.1. Processors

Entities acting on our behalf with whom data processing agreements have been concluded:

Entity	Location	Service
Cloudflare, Inc.	USA	DDoS protection, performance optimization, DNS
StormWall LLC	—	Network traffic filtering, DDoS protection
GitHub, Inc.	USA	Hosting of Service static resources
OVHcloud	France, Germany, Poland	Servers and hosting infrastructure
Hetzner Online GmbH	Germany	Dedicated servers
LIM DC	Poland	Data center in Poland
msk.sh	—	Server provider in CIS countries
Intuition Machines, Inc. (hCaptcha)	USA	Anti-bot verification
Google LLC	USA	Statistics analysis (Google Analytics) — only after consent

5.2. Payment operators

Payments are processed by external operators. Payment data (card numbers, bank account details) are not stored by us — they are processed exclusively by payment operators:

Operator	Location	Payment methods
LAVA	—	Online payments
Monobank	Ukraine	Bank payments
Stripe, Inc.	USA	Card payments
2328.io	—	Cryptocurrency payments
Heleket	—	Online payments
CryptoBot	—	Payments via Telegram
LZT Market (Lolzteam)	—	Alternative payments

5.3. Domain registrars

Entity	Purpose
eNom (Tucows Inc.)	Domain registration and management — necessary transfer of User WHOIS data

5.4. Other recipients

• Public authorities — based on applicable laws (courts, law enforcement agencies, data protection authorities);
• Legal and accounting service providers — lawyers, accountants, auditors;
• Debt collection companies — in the event of payment arrears;
• Insurers — to the extent necessary for the conclusion and performance of insurance contracts.

---

6. Transfer of data outside the European Economic Area (EEA)

Some personal data may be transferred to third countries (outside the EEA), in particular to the United States (Google LLC, Cloudflare, Inc., GitHub, Inc., Stripe, Inc.) and to the territory of CIS countries in connection with the provision of server services by msk.sh.

We ensure that any transfer of data outside the EEA takes place with appropriate safeguards:

• Standard Contractual Clauses (SCC) approved by the European Commission;
• Certifications and mechanisms in line with European Commission implementing decisions;
• In the case of transfers to US entities — appropriate supplementary measures are applied in accordance with EDPB guidelines.

Detailed information on safeguards for cross-border data transfers can be obtained by contacting us at: admin@apexnodes.xyz.

---

7. Data retention periods

Personal data is stored for the period necessary to achieve the purposes for which it was collected, and thereafter — for the period required by law or until claims become time-barred.

Data category	Retention period	Justification
Account and order data	6 years from the end of the calendar year in which the payment deadline expired	VAT law, limitation of claims
System logs (IP, activity)	12 months	Security, fraud prevention, abuse detection
E-mail correspondence	3 years	Legitimate interest (ability to prove facts)
Domain registration data	For the validity period of the domain + 1 year	Obligations to the domain registrar
Inactive account data	30 days from account deletion	Possibility of service restoration
Archival data (backup)	Up to 30 days from deletion of data from the production system	Protection against accidental loss

After the retention periods expire, data is irreversibly deleted or anonymized.

---

8. Users’ rights

Under the GDPR, each User has the following rights:

8.1. Right of access (Art. 15 GDPR)

The User has the right to obtain from us information on whether his or her personal data is being processed, and if so, the right to access that data and the following information: purposes of processing, categories of data, recipients, retention period, source of data, automated decision-making.

8.2. Right to rectification (Art. 16 GDPR)

The User has the right to request the immediate rectification of personal data concerning him or her that is inaccurate. The User may also supplement his or her data via the WHMCS client panel or by contacting us.

8.3. Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

The User has the right to request deletion of data in the following cases:

• the data is no longer necessary for the purposes for which it was collected;
• the User has withdrawn consent;
• the User has objected;
• the data was processed unlawfully;
• the data must be deleted to comply with a legal obligation.

The right to erasure does not apply to the extent that processing is necessary to comply with a legal obligation or to establish, exercise, or defend claims.

8.4. Right to restriction of processing (Art. 18 GDPR)

The User has the right to request restriction of processing in the cases specified in Art. 18 GDPR, in particular when contesting the accuracy of data or having objected.

8.5. Right to data portability (Art. 20 GDPR)

The User has the right to receive his or her data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

8.6. Right to object (Art. 21 GDPR)

The User has the right to object at any time to the processing of personal data based on our legitimate interest (Art. 6(1)(f) GDPR), including profiling. We will cease processing for this purpose unless we demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the User, or grounds for establishing, exercising, or defending claims.

If data is processed for direct marketing purposes, the User has the right to object at any time, and after objection is raised, we will immediately cease processing for this purpose.

8.7. Right to withdraw consent

If processing is based on consent, the User has the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

8.8. Right to lodge a complaint

The User has the right to lodge a complaint with the relevant data protection authority if he or she considers that the processing of personal data violates GDPR provisions.

8.9. How to exercise rights?

All requests regarding the exercise of rights should be sent to the e-mail address: admin@apexnodes.xyz.

We will respond to the request within 30 days of receiving it. In the case of complex requests or a large number of requests, this period may be extended by a further 60 days, of which the User will be informed.

---

9. Automated decision-making and profiling

We use automated decision-making and profiling of personal data for the following purposes:

Purpose	Mechanism description	Consequences
Fraud and abuse protection	Algorithms analyze login patterns, IP addresses, request frequency, and payment history to detect suspicious activity	Possible temporary account blocking or requirement for additional verification
Anti-bot verification	The hCaptcha system assesses the risk of automated access based on user behavior	Access denial or requirement to solve a CAPTCHA challenge
Automatic notifications	The system generates automatic notifications about service expiration, resource limit exceedances, payment arrears	E-mail sending, automatic suspension or deletion of service in case of non-payment
Risk classification	Algorithms assess payment risk based on transaction history, geolocation, and payment method	Possibility of requiring prepayment or rejecting the transaction

The User has the right to:

• express an opinion on the processing described above;
• object to processing based on automated decision-making;
• obtain human intervention on our side;
• learn about the basis of the decision applied.

To exercise the above rights, please contact us at: admin@apexnodes.xyz.

---

10. Security of personal data

We have implemented appropriate technical and organizational measures to ensure the protection of personal data:

10.1. Technical measures

• SSL/TLS encryption — all connections to the Service and client panels (WHMCS, Pterodactyl, SolusVM, ISPmanager, phpMyAdmin) take place via encrypted protocols (HTTPS, TLS 1.2+);
• Database encryption — sensitive data is stored in encrypted form;
• Cryptographically secure tokens — session identifiers are generated using secure cryptographic algorithms;
• Infrastructure security — servers located in certified data centers (LIM DC, OVH);
• Backups — regular data backups with the possibility of restoration;
• Network segmentation — isolation of systems from the public network;
• Monitoring and logging — continuous monitoring of access to systems and infrastructure.

10.2. Organizational measures

• Access restriction — only authorized persons have access to personal data;
• Password policy — requirement to use strong passwords and multi-factor authentication (MFA) in administrative panels;
• Training — persons with access to data have undergone appropriate data protection training;
• Incident procedures — implemented procedures for responding to personal data breaches;
• Regular audits — periodic reviews of security and access policies.

---

11. Personal data breaches

In the event of a personal data breach likely to result in a high risk to the rights and freedoms of natural persons, we will:

• notify the relevant data protection authority without undue delay, and where feasible, not later than 72 hours after becoming aware of the breach;
• document all personal data breaches;
• inform Users of the breach if it may result in a high risk to their rights and freedoms.

---

12. Cookies and tracking technologies

Detailed information about cookies used on the Service — their types, purposes, retention periods, and the entities using them — is contained in a separate document: the Cookie Policy, available at: https://cdn.apexnodes.xyz/documents/cookie-policy.

---

13. Changes to the Privacy Policy

We reserve the right to make changes to this Privacy Policy. Users will be informed of any significant changes by:

• publishing the updated Policy on the Service;
• sending an e-mail notification to the contact address assigned to the account (in the case of significant changes to the scope or purposes of processing);
• a message in the WHMCS client panel upon next login.

Last updated: June 4, 2026

---

14. Final provisions

14.1. In matters not regulated by this Policy, the provisions of applicable law, including the GDPR, shall apply.

14.2. We have made every effort to ensure that this Policy is understandable and transparent for Users. If you have any questions or doubts, please contact us at: admin@apexnodes.xyz.

14.3. Using the Service after changes to the Policy are published constitutes acceptance of those changes. If you do not accept the changes, you should stop using the Service and delete your account.

14.4. This Privacy Policy is effective from June 4, 2026 and applies to all Users of the Service.

---

E-mail: admin@apexnodes.xyz