Privacy Policy

We collect only the information needed to run your account and deliver the services you have paid for:

• Account information: name, email, country, password (hashed), billing address.
• Payment information: we never see your full card number — Stripe processes payments and returns us a token + the last four digits + brand for display.
• Domain registration details: contact information required by ICANN or the relevant TLD registry. WHOIS privacy hides these from public lookup, free, by default.
• Service-usage logs: IP addresses, request times, response codes, error traces. Retained for 30 days for debugging and abuse investigation.
• Support tickets: the text and attachments you send when contacting support. Retained for the life of your account.

We do not sell your data, ever. We do not use customer content to train AI models. We do not share account information with marketers.

We do not log the content of your hosted sites, the bodies of your emails, the queries you run against your databases, or files you upload to your account.

We do not run third-party analytics or advertising trackers on the marketing site or in the panel.

The information we collect is used for:

• provisioning and operating the services you have ordered;
• billing and invoice management;
• fraud detection and abuse investigation;
• responding to your support tickets;
• complying with legal obligations (tax, court orders).

We use a small number of trusted third parties to deliver core services. Each handles a specific job and is bound by data-processing terms:

• Stripe — payment processing (no card numbers ever touch our servers).
• Cloudflare — DNS, DDoS protection, CDN, domain registration (Cloudflare Registrar).
• Let's Encrypt — SSL certificate issuance.
• Anthropic and OpenAI — AI model providers, only if you opt into OpenClaw AI features (currently in development). Customer prompts pass through to these providers under their respective terms.
• Postmark / Resend — outbound transactional email (account activation, password resets, billing notices).

The marketing site uses a single first-party cookie called sx-region to remember your preferred currency / region (NAD vs USD). It lasts 24 hours and contains no personal data.

The hosting panel sets an hh_token session cookie when you sign in, so you stay logged in across page navigations. This cookie is HTTP-only, secure, and cleared when you log out.

We do not use third-party tracking cookies.

Wherever you are based, you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information directly from the panel, or by emailing support.
• Delete your account and all associated data. After cancellation, account data is retained for 30 days, then permanently erased.
• Export your data — files, databases, email, domain DNS — at any time. We do not lock data in.
• Object to specific processing activities (for example, abuse investigation) on legitimate grounds.

To exercise any of these rights, email info@sitesox.com. We respond within one business day.

Customer data is hosted on infrastructure located primarily in Frankfurt (Germany) with edge caching globally via Cloudflare. Some sub-processors (Stripe, Anthropic, OpenAI) operate in the United States; we transfer the minimum data required for those specific functions under their respective compliance frameworks.

We harden every layer of our stack — per-site PHP-FPM isolation, fail2ban, ModSecurity WAF, encrypted backups, hashed passwords (bcrypt), TLS 1.2+ on all endpoints. Security incidents that affect customer data are reported to affected customers within 72 hours, in line with GDPR breach-notification standards.

Our services are not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us and we will delete it.

If we change this policy in a way that materially affects your rights, we will email you at the address on your account before the change takes effect. The effective date at the top of this page is always current.