Privacy Policy
Last updated: May 19, 2026
This Privacy Policy is provided in English only for legal clarity and consistency.
1. Who We Are
ServerPrism AB (“ServerPrism”, “we”, “us”) operates the ServerPrism game server hosting platform and is the data controller responsible for your personal data.
Our full company registration and postal address are on our About page.
For any privacy question or to exercise your rights, contact us at [email protected]. We do not have a statutory Data Protection Officer, but privacy requests are handled directly by our team at that address.
We are established in the European Union (Sweden). Our lead supervisory authority is the Swedish Authority for Privacy Protection (IMY).
2. Scope of This Policy
This policy explains how we handle personal data of visitors to our website and customers of our hosting services, wherever you are located — including the European Economic Area (EEA), the United Kingdom, and the United States.
Content you place inside the game servers you rent (world files, configurations, player data, plugins, and similar) is processed by us on your behalf as a processor. You are the controller of that content and responsible for any personal data within it; our handling of it is governed by your customer agreement, not this policy.
3. Personal Data We Collect
Account data: name, email address, password (stored only as a salted hash), and, if you sign in with Discord, your Discord account identifier and basic profile.
Billing data: billing name, billing address and country (required for VAT and invoicing), and company/VAT number where applicable. Card payments are processed by our payment provider — we never receive or store your full card number.
Service data: the servers, plans, and add-ons you order and metadata needed to provision and run them.
Support data: the content of support tickets and emails you send us.
Technical & usage data: IP address, browser/device information, and server access logs generated when you use the site or your servers. These are kept short-term for security, abuse prevention, and troubleshooting.
Cookies & similar technologies: see section 5.
4. How We Use Your Data & Legal Bases
To provide the service — creating your account, provisioning and running servers, processing payments and renewals, and providing support. (Legal basis: performance of a contract.)
Security & abuse prevention — detecting fraud, abuse, and attacks, and keeping the platform stable. (Legal basis: legitimate interests.)
Legal & accounting — keeping invoices and tax records as required by law. (Legal basis: legal obligation.)
Service improvement & limited analytics — understanding aggregate site usage to improve the product. (Legal basis: legitimate interests, and your consent where analytics cookies are used.)
Optional communications and non-essential cookies — only with your consent, which you can withdraw at any time.
Providing your account and billing data is necessary to create an account and provide the service — without it we cannot enter into or perform our contract with you. Certain billing, VAT, and invoice records are also required to be kept by law. Any other data (such as optional communications) is entirely voluntary.
5. Cookies & Tracking
We use a small number of cookies and similar technologies, grouped into four categories you can control from the “We value your privacy” banner (re-openable any time):
Strictly necessary — session, security, CSRF, login and cart. Always on; the site cannot function without them.
Functional — remembers preferences such as language and currency.
Analytics — privacy-friendly, aggregate usage statistics to help us improve the site. We do not use cross-site advertising trackers.
Marketing — off by default; only set if you explicitly opt in.
Your choices are stored in your browser and applied immediately. Non-essential categories are only activated with your consent, and you can change or reject them at any time without affecting access to the service. We honour the Global Privacy Control (GPC) signal where your browser sends one.
6. Sharing & Sub-Processors
We do not sell your personal data, and we do not share it for cross-context behavioural advertising.
We share data only with service providers who process it on our behalf, under contract and only as needed:
Payment processing — Stripe, Inc. (handles card data directly under PCI-DSS).
Infrastructure & data centres — the cloud/colocation providers that host the platform and your servers, in the region you select for each server.
Network, security & analytics — Cloudflare, Inc. (CDN, DDoS protection, and privacy-friendly web analytics).
Email delivery — the provider that delivers transactional and support email.
Authentication — Discord (only if you choose to sign in with Discord).
Reviews — Trustpilot (only if you choose to leave a review; collected by Trustpilot under its own policy).
A current list of sub-processors is available on request. We may also disclose data where required by law, to enforce our terms, or to protect the rights, safety, and security of our users and platform.
7. International Data Transfers
You can choose where each server is hosted, including locations inside the EEA. Some of our providers (such as Stripe, Cloudflare, and Discord) are based in the United States, so providing the service may involve transferring personal data outside the EEA/UK.
Where that happens, the transfer is protected by appropriate safeguards — Standard Contractual Clauses and/or the provider’s certification under the EU–US Data Privacy Framework (and UK extension) where applicable.
8. How Long We Keep Data
Account & billing data — kept while your account is active. Invoices and accounting records are retained afterwards for as long as required by applicable tax and accounting law.
Server content & backups — deleted after your services are cancelled, following a short grace period; you may request earlier deletion.
Server & access logs — rotated and deleted on a short cycle (around 14 days) unless retained longer for an active security investigation.
Support tickets — kept for a reasonable period to provide continuity of support and resolve disputes.
9. Your Rights (EEA / UK)
If you are in the EEA or UK, you have the following rights: to access your data; to correct inaccurate data; to erase your data; to restrict or object to processing; to data portability; and to withdraw consent at any time (without affecting prior lawful processing). You also have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects — we do not make such decisions.
To exercise any right, email [email protected]. We will respond within one month. There is no charge unless a request is manifestly unfounded or excessive.
You also have the right to lodge a complaint with your local data protection authority, or with our lead authority, the Swedish Authority for Privacy Protection (IMY) — www.imy.se.
10. US Privacy Rights (California & Other States)
This section applies to residents of US states with comprehensive privacy laws, including California (CCPA/CPRA), Virginia, Colorado, Connecticut, and Utah.
Categories of personal information we collect: identifiers (name, email, IP address), customer/commercial records (orders and billing), financial information (processed by our payment provider), and internet activity (site usage). We collect these for the business purposes described in section 4.
Sources: we collect this information directly from you (account, billing, support), automatically from your use of the site and your servers (technical/usage data), and from our service providers (for example, our payment processor confirms a successful charge).
We do not sell your personal information, and we do not “share” it for cross-context behavioural advertising — including for residents under 16. We do not collect or use sensitive personal information to infer characteristics about you; we use it only as strictly necessary to provide the service, so the right to limit its use is met by default.
Depending on your state, you may have the right to know/access, delete, and correct your personal information, to data portability, to opt out of sale/sharing or targeted advertising (not applicable, as we do not do this), to limit the use of sensitive personal information, and to not be discriminated against for exercising these rights. To exercise them, email [email protected]; you may use an authorised agent. We respond within 45 days (extendable as permitted by law) and honour browser opt-out preference signals such as Global Privacy Control.
11. Security
We protect data with encryption in transit (HTTPS/TLS with HSTS), hashed passwords, access controls, and optional two-factor authentication on your account. While we work hard to safeguard your data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If a personal data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected users as required by law.
12. Children
Our services are not directed to children, and we do not knowingly collect personal data from children under 16 (or the minimum age in your jurisdiction). If you believe a child has provided us personal data, contact us and we will delete it.
13. Third-Party Links
Our site may link to third-party websites and services. We are not responsible for their privacy practices; we encourage you to review their policies.
14. Changes to This Policy
We may update this policy from time to time. We will revise the “Last updated” date above and, for material changes, provide a more prominent notice. Continued use of the service after an update means you accept the revised policy.
15. Contact Us
Privacy questions and data-rights requests: [email protected]. For general contact and our full registered company details, see our About page.
Supervisory authority: Swedish Authority for Privacy Protection (IMY) — www.imy.se.