Privacy Policy

Effective date: 10 May 2026

At ParadoxNetworks Limited (“we”, “us”, “our”), we are committed to protecting the privacy and security of our customers’ and website visitors’ (“you”, “your”) information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our hosting and related services.

1. Data Controller

ParadoxNetworks Limited is the data controller responsible for personal data processed under this Privacy Policy.

  • Company: ParadoxNetworks Limited
  • Company number: 14831279 (registered in England and Wales)
  • Registered office: 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom
  • Data protection contact: legal@pdxnet.co.uk

We are not currently required to appoint a Data Protection Officer under UK GDPR Article 37, but the contact above is the named point of contact for all data protection matters.

2. UK Data Protection Compliance

2.1 Data Protection Act 2018 and UK GDPR

ParadoxNetworks Limited processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2.2 PECR

Use of cookies, similar technologies, and any electronic marketing communications is governed by the Privacy and Electronic Communications Regulations 2003 (PECR). See Section 12 (Cookies and Tracking) and Section 13 (Marketing Communications) for details.

3. Lawful Basis for Processing

We process personal data only where we have a lawful basis under Article 6 of the UK GDPR. The basis varies by activity:

  • Contract (Art 6(1)(b)): Providing, operating, and billing for services.
  • Legal Obligation (Art 6(1)(c)): Tax records, HMRC reporting, fraud prevention, KYC/AML.
  • Legitimate Interests (Art 6(1)(f)): Network security monitoring, abuse handling, IP reputation protection, sub-processor management, service improvement, and analytics where not relying on consent.
  • Consent (Art 6(1)(a) / PECR): Optional analytics or marketing cookies, electronic marketing.

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 10).

4. Information We Collect

We collect personal data in the following categories:

  • Contact Information: Name, email address, phone number, billing address, and other contact details.
  • Account Credentials: Account usernames and salted/hashed passwords, API keys, multi-factor authentication tokens.
  • Payment Information: Tokenised payment references provided by our card payment processor. We do not store full card numbers; PCI-DSS compliance is the responsibility of the processor. Where you pay by bank transfer or Direct Debit, we hold the relevant transaction reference and (for Direct Debit) account details required to take payment.
  • KYC / AML Data: Identity, business, and address verification information collected as required for fraud prevention, sanctions screening and anti-money-laundering compliance per our Terms of Service.
  • Service Usage Data: Server, network, and access logs (BGP session metadata, traffic flow records, API requests, portal logins) generated by your use of our services.
  • Communications: Support tickets, emails, abuse reports, and other communications you send us, plus our responses.
  • Technical Information: IP addresses, browser type, operating system, device identifiers, and basic visit metadata for our website.
  • Cookie / Analytics Identifiers: See Section 12.
  • Cloudflare Turnstile metadata: When you submit our contact form, Cloudflare receives signals to determine whether the request is human (no personal data is shared beyond what is technically necessary).

Special category data: We do not knowingly collect or process special category personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health, sex life, or sexual orientation). Please do not submit such data to us.

5. How We Use Your Information

We use personal data for the following purposes:

  • To provide, operate, and maintain our services (network, hosting, broadband, colocation).
  • To process transactions and send transactional communications (confirmations, invoices, service notices).
  • To communicate with you, respond to inquiries and provide customer support.
  • To prevent and investigate fraud, abuse, and security incidents (including network monitoring per our Acceptable Use Policy Section 3.2).
  • To comply with legal, tax, accounting, regulatory, and law enforcement obligations.
  • To improve our website and services by analysing aggregated usage.

We do not use your personal data to make automated decisions producing legal or similarly significant effects (UK GDPR Article 22).

6. Sharing Your Information

We do not sell your personal data. We share data only with:

  • Sub-processors acting on our behalf (see Section 7).
  • Group companies, professional advisors, and auditors where necessary for business operations and compliance.
  • Law enforcement, courts, and competent authorities where required by law or a valid legal order. Where legally permitted, we will notify the affected customer before disclosure. We aim to challenge requests that appear unlawful or overbroad.
  • Acquirers in the event of a merger, acquisition, or sale of substantially all of our assets, subject to equivalent privacy commitments.

7. Sub-processors

We rely on the following third-party sub-processors. Each is contractually required to handle personal data under appropriate data protection terms.

  • Cloudflare, Inc. (US, UK GDPR safeguards via UK IDTA / SCCs): Bot detection (Turnstile) on contact forms.
  • Postal (self-hosted mail server, Toronto, Canada): Transactional email delivery (contact form, service notifications). Postal is the open-source MTA software we operate on our own infrastructure in Toronto, Canada; no third-party processing of email content occurs in transit. Canada has a UK adequacy decision for commercial organisations subject to PIPEDA, so no additional transfer safeguards are required for this transfer.
  • Amazon Web Services EMEA SARL (Amazon SES) (Luxembourg, with infrastructure in EU/UK regions and possible onward transfers to Amazon Web Services, Inc. in the US under UK IDTA / SCCs): Outbound transactional email delivery for selected message flows. Amazon SES processes email envelope and content data solely to deliver messages on our behalf.
  • Google LLC (Google Analytics) (US, UK GDPR safeguards via UK IDTA / SCCs): Website usage analytics, loaded only after cookie consent where required.
  • Google LLC (Sign in with Google) (US, UK GDPR safeguards via UK IDTA / SCCs): Single sign-on (SSO) for customer portal authentication, where the customer chooses to sign in using their Google account. Google receives only the authentication assertion required to identify the user and the basic profile fields they choose to share; we do not transmit additional customer personal data to Google for this purpose.
  • PeeringDB Inc. (US, UK GDPR safeguards via UK IDTA / SCCs): Single sign-on (SSO) for customer portal authentication, where the customer chooses to sign in using their PeeringDB account. PeeringDB receives only the authentication assertion required to identify the user and the basic profile fields they choose to share; we do not transmit additional customer personal data to PeeringDB.
  • Stripe Payments UK, Ltd. (UK, with onward transfers to Stripe, Inc. in the US under UK IDTA / SCCs): Card payment processing (PCI-DSS Level 1 compliant). Full card numbers are tokenised by Stripe and never stored on our systems.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg, with onward transfers to PayPal, Inc. in the US under UK IDTA / SCCs): Payment processing for customers paying via PayPal. PayPal acts as an independent controller for its own anti-fraud, regulatory, and account-relationship purposes.
  • GoCardless Ltd (UK): Direct Debit collection under the Bacs scheme, including Direct Debit mandate setup and payment instruction handling. GoCardless is FCA-authorised as an Authorised Payment Institution.

This list may change as we add or remove providers. Material changes are reflected here. For an up-to-date list please contact legal@pdxnet.co.uk.

7.1 Network Carriers and Internet Exchanges

To deliver IP transit and connectivity services, customer traffic transits a blend of:

  • Upstream IP transit providers (a mix of Tier 1 and Tier 2 networks), and
  • Internet Exchange Points (IXPs) such as LINX, AMS-IX, and similar UK and European exchanges.

These carriers and exchanges are independent network operators, not our sub-processors. They carry traffic in transit under standard interconnection arrangements.

Traffic telemetry: Some upstream carriers and IXPs collect aggregated traffic telemetry (sFlow, NetFlow, or IPFIX samples) for capacity planning, peering analysis, and abuse handling. We do not control how each carrier or IXP handles this telemetry.

What may be sampled: Packet headers, including source and destination IP addresses, ports, and protocol, may be sampled and processed by these third parties as a normal part of internet routing.

What is not exposed: Application-layer content carried over TLS or other encrypted protocols is not exposed by this telemetry.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit: TLS 1.2+ for all web traffic, customer portal sessions, and API access.
  • Encryption at rest where supported by the underlying platform.
  • Access controls: Role-based access, principle of least privilege, multi-factor authentication for staff access to production systems.
  • Audit logging of access to systems containing personal data.
  • Regular reviews of access rights, vulnerability patching, and security configuration.
  • Sub-processor due diligence before onboarding and on an ongoing basis.

No transmission or storage system is 100% secure. While we apply current industry standards, we cannot guarantee absolute security.

9. Data Retention

Retention periods vary by data category:

  • Billing and account records: Retained for at least 6 years after the end of the customer relationship to comply with HMRC record-keeping requirements and other legal, tax and regulatory obligations.
  • Service-related data (virtual machines, virtual disks, bare metal server drives, configurations, stored files, BGP configurations): Securely wiped immediately on service termination by zeroing out the underlying media or equivalent secure-erase methods, unless retention is required by law enforcement or a valid legal order. ParadoxNetworks Limited does not offer managed backups for VPS or other compute services; customers are responsible for taking and storing their own backups (see Terms of Service Section 15.3).
  • Server, network and access logs: Retained for the period required for security, abuse investigation, and operational diagnostics, typically up to 12 months unless required to be held longer for an active investigation.
  • Communications (support tickets, emails): Retained for the duration of the customer relationship plus a reasonable period thereafter for dispute and complaint handling.

This Section is consistent with Section 15.3 of our Terms of Service.

10. Your Rights

Under UK GDPR you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure: Ask us to delete your personal data, subject to legal retention obligations and active service requirements.
  • Restriction of processing: Ask us to restrict processing in certain circumstances.
  • Object: Object to processing based on legitimate interests, including profiling.
  • Data portability: Ask us to transfer data you provided to another organisation or to you, in a commonly used machine-readable format.
  • Withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

10.1 How to exercise your rights

You may exercise these rights by emailing legal@pdxnet.co.uk or by writing to ParadoxNetworks Limited, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom.

We aim to respond within one calendar month of receiving your request, in line with UK GDPR Article 12(3). This period may be extended by up to two further months for complex or numerous requests, in which case we will notify you within the first month.

We may need to verify your identity before responding. We may also need to retain certain information as required by law or for legitimate purposes permitted under UK GDPR.

10.2 Right to lodge a complaint

If you believe we have not handled your personal data in accordance with UK data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/ or 0303 123 1113. We would appreciate the opportunity to address your concern first; please contact us at legal@pdxnet.co.uk.

11. Data Breach Notification

Where a personal data breach is likely to result in a risk to your rights and freedoms, ParadoxNetworks Limited will report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, in accordance with UK GDPR Article 33.

Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay (Article 34). Notifications will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take.

If you suspect a personal data breach affecting our services, please report it to legal@pdxnet.co.uk and noc@pdxnet.co.uk immediately.

12. Cookies and Tracking

Our website uses cookies and similar technologies. Under PECR, non-essential cookies require your consent before being set.

  • Strictly necessary cookies: Set automatically because they are required for the website to function (e.g., theme preference, session state). No consent required.
  • Analytics cookies (Google Analytics): Help us understand how visitors use the site. Loaded only where consent has been provided, where required by law.
  • Cloudflare Turnstile: Loaded on the contact form to verify the request is from a human. Operates without setting tracking cookies but exchanges signals with Cloudflare.

You can manage or withdraw cookie consent at any time using your browser settings. Blocking strictly necessary cookies may affect site functionality.

13. Marketing Communications

We send transactional and service-related communications (invoices, service notices, security alerts) on the basis of contract, regardless of marketing preferences.

We do not currently send unsolicited electronic marketing communications. If we begin to do so, it will only be on the basis of explicit consent or, where lawful under PECR's "soft opt-in" rules for existing customers of similar services, with a clear opt-out in every message. You may opt out of marketing at any time by emailing legal@pdxnet.co.uk.

14. Children's Data

Our services are intended for businesses and adult individuals. We do not knowingly collect personal data from children. Where we rely on consent for processing (such as analytics or marketing cookies), we apply the UK GDPR Article 8 age of digital consent of 13 for information society services. If you believe a child has provided us with personal data, please contact legal@pdxnet.co.uk and we will take steps to delete such data.

15. International Transfers

Some of our sub-processors are located outside the United Kingdom. Where personal data is transferred to a country that has not received an "adequacy decision" from the UK Government, we rely on appropriate safeguards under UK GDPR, including:

  • UK International Data Transfer Agreement (IDTA), or
  • EU Standard Contractual Clauses with the UK International Data Transfer Addendum.

For US-based sub-processors (such as Cloudflare and Google), transfers are made under the UK IDTA / SCCs and the UK Extension to the EU-US Data Privacy Framework where the recipient is certified.

You may request a copy of the safeguards in place by contacting legal@pdxnet.co.uk.

16. Automated Decision-Making

We do not use personal data to make automated decisions producing legal or similarly significant effects on you (UK GDPR Article 22). Automated systems (such as fraud screening or rate limiting) may flag activity for human review, but the decision to suspend, terminate, or otherwise act is taken by a person.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The current version is published on this page with the Effective Date shown at the top. Where changes materially affect your rights, we will provide reasonable advance notice (for example, by email or service notice).

18. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or your personal data:

  • Email: legal@pdxnet.co.uk
  • Postal: ParadoxNetworks Limited, 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom
  • Suspected data breach affecting our services: legal@pdxnet.co.uk and noc@pdxnet.co.uk

To complain to the supervisory authority, contact the Information Commissioner's Office at ico.org.uk.

© 2023-25 ParadoxNetworks Limited, a company registered in England and Wales. All rights reserved.