Legal · Privacy

Privacy Policy.

Last updated: 20 June 2026 Effective: 20 May 2026 Version: 1.0
The short version: We only collect what we need to run your servers and your account. We don't sell your data, ever. You can request a copy of your data or delete your account at any time. UK-based, UK GDPR compliant, hosted entirely in London.

01Who we are

LowLight Hosting ("we", "us") is a UK-based Minecraft server hosting service, operated as a sole trader by [YOUR FULL LEGAL NAME].

Data controller: LowLight Hosting
Address: [YOUR REGISTERED ADDRESS]
ICO registration: [ICO NUMBER]
Contact: privacy@lowlight.host

For UK GDPR and the Data Protection Act 2018, we are the data controller for personal data collected through lowlight.host.

02What we collect

We collect only what we need. The categories below:

Account information From you

Email and password (password stored as a salted hash — we never see the plaintext). Optionally a display name or username.

Server data You create it

For each server: name, subdomain, type, version, RAM, plan tier, configuration. Plus world files, plugins, and anything you upload.

Technical & usage data Auto-collected

IP address (security, rate limiting, abuse prevention), browser type and version, pages visited, server resource usage (CPU, RAM, network).

Product analytics With your consent

If you choose “Accept all” on the cookie notice, PostHog (EU) records anonymised usage — pages visited, feature interactions, sign-up funnel steps and front-end errors — to help us improve the site. It assigns a random visitor ID and may infer your approximate region from your IP. It respects Do Not Track / Global Privacy Control, you can decline it at any time, and we never sell this data. See our Cookie Policy for the cookies involved.

Payment information Future · via Stripe

Payments will be processed by Stripe. We never see or store card details — only payment confirmation, last 4 digits, and card brand. No payments currently processed (pre-launch).

Connected accounts If you link them

If you verify a Minecraft account, we store your Minecraft username and UUID to link it to your LowLight account, for in-game verification and server access. If you connect Discord, we store your Discord user ID and username. You can unlink either at any time in Settings.

Referral programme If you take part

If you use the referral programme, we record your referral link clicks, sign-ups and conversions, and your commission balance and history. We don't reveal to you the identity of the people you refer. If you qualify as a Creator and request a cash payout, we collect the bank or payment details you provide solely to pay you, and we keep the transaction record as long as required for accounting and UK tax purposes.

03How we use it

We use your data to:

  • Provide the service — run your servers, manage your account, let you sign in
  • Communicate with you — service updates, security alerts, billing (marketing only if you opt in)
  • Prevent abuse — detect unauthorised access, rate limit, block malicious traffic
  • Meet legal obligations — respond to lawful requests, keep tax records
  • Improve the service — analyse aggregate usage to plan capacity
We do not sell your data. We do not use it for advertising or profiling. We do not share it with data brokers.

04Lawful basis

Each thing we do has a legal basis under UK GDPR:

What we doLawful basis
Provide the serviceContract (our Terms)
Billing & paymentsContract
Security & abuse preventionLegitimate interests
Service updates & security alertsLegitimate interests
Marketing emailsConsent (opt-in only)
Legal & tax recordsLegal obligation

05Who we share with

Only the providers we need to run the service. Each acts as our data processor under contract.

ProviderWhat they handleWhere
SupabaseAccount data, authenticationEU / UK
CloudflareWebsite traffic, DDoS, DNSGlobal (UK-routed)
ResendAccount & transactional emailsEU / US
TCPShieldMinecraft DDoS protectionUK / EU
Stripe (future)Card paymentsUK / EU
PostHog (analytics, with consent)Product analytics & error tracking — only if you accept analytics cookiesEU

We may also disclose data if required by law (court order, UK government request).

Content you choose to make public. Some features publish information by your choice. If you list a server on Discovery, publish a Bundle, leave a review, or have a public creator profile, then the associated details — for example your username, server name and description, Bundle configuration and description, review text and rating, and aggregate stats like deploy counts — become visible to anyone, including people without an account, and may be indexed by search engines. This is not "sharing with a processor" — it is publication you control. You can unlist a server, delete a Bundle, or remove a review at any time, though cached or copied copies may persist outside our control.

06How long we keep it

Only as long as we need it:

Data typeRetention period
Account dataActive + 30 days after deletion
Server world files7 days after server deletion
Backups1 day (free) → 30 days (paid)
Server logs14 days
IP addresses (security)90 days
Billing & tax records6 years (UK tax law)

07International transfers

Primary infrastructure is in London, UK. Some processors (Cloudflare, Supabase) may process data in other countries — mostly EEA or countries with UK adequacy decisions.

Where data leaves the UK and EEA, we use appropriate safeguards: UK International Data Transfer Agreements or EU Standard Contractual Clauses with UK addendums.

08Security

What we do to protect your data:

  • TLS 1.3 on all web traffic
  • Salted, hashed passwords — we never store or see plaintext
  • Least-privilege database access with row-level security enforced at the DB layer
  • Multi-factor authentication on all infrastructure access
  • Encrypted, off-site backups of all account data
  • TCPShield DDoS protection on every server

If a breach occurs that risks your rights, we'll notify the ICO within 72 hours and tell you directly where required.

09Your rights

Under UK GDPR, you have these rights over your data. To exercise any of them, email privacy@lowlight.host.

Right of access

Get a copy of the data we hold about you.

Right to rectification

Correct anything inaccurate or incomplete.

Right to erasure

Delete your data (subject to legal retention requirements).

Right to restriction

Pause processing while a dispute is resolved.

Data portability

Get your data in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interests.

Withdraw consent

Where we rely on your consent (e.g. marketing emails), you can withdraw it at any time.

We respond within 30 days. Free of charge unless the request is manifestly unfounded or excessive.

Not happy with how we handled your data? You can complain to the UK Information Commissioner's Office or call 0303 123 1113.

10Cookies

We use a small number of cookies — mostly to keep you signed in. No advertising, no tracking. See our Cookie Policy Accessibility for full details.

11Children's data

Our service is for users aged 13 and over. We don't knowingly collect data from anyone under 13. If you're between 13 and 16, you need a parent or guardian's permission to sign up.

If you believe we have a child's data without proper consent, contact us and we'll delete it.

12Changes

If we update this policy:

  • The "Last updated" date at the top changes
  • For material changes, we email you
  • You get 30 days' notice before significant changes take effect, where possible

Continued use after changes take effect means you accept them. Don't agree? Delete your account any time.

13Contact us

For privacy questions, data requests, or complaints:

Data Protection Contact

Email: privacy@lowlight.host

Security issues: security@lowlight.host

Postal: [YOUR REGISTERED ADDRESS]

We respond to data protection requests within 30 days.