Reference: This is an English translation. In case of discrepancies, the German version takes precedence. You can find the German version here.

Effective Date: December 2025

Privacy Policy

1. Controller

ServerAtelier UG (haftungsbeschränkt)

Malvenstr. 4, 75433 Maulbronn, Germany

Email: support@serveratelier.com

Represented by the Managing Directors: Paul Sengl, Micha Damaschke

If you have any questions, you can contact our customer service by email at any time.


2. General Information on Data Processing

We only process personal data of our users insofar as this is necessary to provide a functional website and our content and services. Processing generally only takes place with consent or if legal provisions permit it.

Personal data is any information relating to an identified or identifiable natural person, e.g., name, email address, or IP address.

IP addresses are stored for as long as a customer account exists and are deleted as soon as the account is deleted, provided no statutory retention obligations exist. Storage is solely for the purpose of ensuring technical operation, security, fraud detection, and managing the customer account.

Further personal data is only processed to a limited extent on our website. Web server logs are maintained to ensure technical operation. No further analysis or disclosure to third parties takes place.

If you consent to the use of functional cookies, anonymized technical data (e.g., country, referrer, date) is collected to statistically evaluate website usage. This data does not allow identification of you as a person.

Legal basis for processing:

  • Art. 6 (1) (a) GDPR – Consent
  • Art. 6 (1) (b) GDPR – Contract Performance
  • Art. 6 (1) (f) GDPR – Legitimate Interest

Personal data is deleted as soon as the purpose for its processing ceases to apply or statutory retention periods have expired.


3. Registration and Customer Account

Users can register via OAuth (Google, GitHub, Discord, Modrinth) or traditionally with a username, email, and password. Additionally, a country is initially assigned to your account based on the IP address. With OAuth, only the data necessary for registration (e.g., unique user ID, username, email address) is transmitted to us by the respective provider. A password is automatically generated and sent to the user by email with a request to change it.

During registration, we collect the following data:

  • Username (self-chosen or automatically generated by the OAuth system)
  • Password or OAuth identifiers (provided by the user or generated during OAuth registration)
  • Email address (entered or transmitted by the OAuth provider)
  • First and Last Name (required, at the latest before server rental)
  • Address (Street, House Number) (required before server rental)
  • City, Postal Code, Country, if applicable State/Region/Province (required before server rental)
  • Preferred Language (optional)
  • Preferred Currency (required before server rental)
  • Company Name (optional)
  • "Organization" option (checkbox)
  • VAT Identification Number (only if "Organization" is enabled)

If a company name is provided without activating the "Organization" checkbox, processing continues as a private customer (B2C). Only if the checkbox is activated is the VAT ID requested, and the company name and VAT ID become mandatory fields.

The purpose of processing is to provide a customer account, manage orders and servers, and handle contracts.
Legal Basis: Art. 6 (1) (b) GDPR; for OAuth, possibly additionally Art. 6 (1) (a) GDPR (Consent).

If you log in via an OAuth provider, the respective provider's privacy policy also applies:

If you register via one of these providers, authentication takes place solely with that provider. We only receive the basic data necessary for identification and account registration from the respective service. No independent transmission or storage of your external password takes place with us.


4. Contract Conclusion / Server Rental

Before renting a server, the following mandatory fields in the customer account must be completed:

  • First and Last Name
  • Address (Street, House Number)
  • City, Postal Code, State/Region/Province, Country
  • Email Address
  • Username

Additionally, as part of the server rental process, we collect:

  • Rental Period (monthly, 3, 6, or 12 months)
  • Contract Type (one-time or recurring, default: recurring)
  • Payment Method (PayPal or Stripe)

For business customers who have activated the "Organization" option in their customer account, the company name and VAT identification number are also recorded. If the option is not activated, processing occurs as a private customer (B2C), even if a company name is stored.

The purpose of processing is contract execution, billing, and compliance with legal obligations.
Legal Basis: Art. 6 (1) (b) GDPR.

Sensitive payment data (e.g., credit card information) is transmitted exclusively to the respective provider (PayPal or Stripe) and is not stored on our servers.

Users may revoke their contracts in accordance with legal provisions. The exact details can be found in our Terms and Conditions.

Servers whose contract term has expired or for which payment has not been made are first deactivated and then automatically and completely deleted after a period of 3 days. Deletion includes all data stored on the server, including configurations, files, and associated backups. Data recovery is no longer possible after this process. Processing and deletion are carried out in accordance with Art. 6 (1) (b) GDPR (Contract Performance) as well as in line with the storage limitation principle under Art. 5 (1) (e) GDPR.


5. Cookies

5.1 Use of Cookies

Our website uses cookies to ensure technical functionality and to analyze usage anonymously.

We do not use third-party tracking services.

Storage of and access to information on your end device take place in accordance with the German Telecommunications Digital Services Data Protection Act (TDDDG) as well as the General Data Protection Regulation (GDPR).

  • Essential Cookies are technically necessary for the operation of our website (e.g., for session management, login authentication, or security).

    These are set based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR in conjunction with § 25 (2) No. 2 TDDDG and cannot be deactivated.

  • Functional Cookies serve for anonymous analysis or improvement of the user experience.

    These are set exclusively with your explicit consent pursuant to Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG.

You can adjust your cookie settings at any time via the link provided in the footer.

Please note that essential cookies cannot be disabled.

Note on Browser Storage:
Despite our server-side deletion and expiration mechanisms, it may happen that browsers or operating systems locally store cookies, cache data, or session information longer than intended by us. This local storage is outside our area of responsibility according to Art. 4 No. 7 GDPR. We recommend regularly clearing cookies and browser cache or adjusting the corresponding settings.

Note on Web Server Logs:
Additionally, our web servers automatically store IP addresses as part of technical logs.
These IP addresses are stored solely for security, fraud detection, and management of customer accounts and are likewise deleted once the account is deleted, provided no statutory retention obligations exist.

5.2 Essential Cookies

These cookies enable basic functions such as navigation, login, and access to secure areas. Without these cookies, the website cannot function properly.

| Name | Provider | Expiration | Purpose |
| --- | --- | --- | --- |
| serveratelier_session | ServerAtelier | Session | Identifies a session instance for a user |
| pterodactyl_session | ServerAtelier | Session | Identifies a session instance for a user |
| cookie_consent | ServerAtelier | 1 Year | Stores cookie selection |
| XSRF-TOKEN | ServerAtelier | Session | Prevents cross-site request forgery attacks |
| cf_clearance | Cloudflare | Session | This service is used by Cloudflare to detect bots and protect the register page from automated attacks. |
| __stripe_mid | Stripe | 1 Year | Used by Stripe for fraud detection and security purposes. |
| __stripe_sid | Stripe | Session | Used by Stripe for security checks and helps Stripe evaluate transaction risk related to the immediate payment attempt. |

5.3 Functional Cookies

Functional cookies improve your user experience through anonymous statistical evaluations. No disclosure to third parties takes place. These cookies are only set with your explicit consent.

| Name | Provider | Expiration | Purpose |
| --- | --- | --- | --- |
| locale | ServerAtelier | 1 Year | Stores selected language |
| currency | ServerAtelier | 1 Year | Stores selected currency |
| remember_web_* | ServerAtelier | 1 Year | After login, keeps the user logged in across multiple sessions |
| visitor_id | ServerAtelier | 1 Year | Collects anonymous data about how visitors use our site |

6. Contact

If you contact us by email, we process your data (name, email, message) to answer your inquiry.

Legal Basis: Art. 6 (1) (b) or (f) GDPR.

Data is deleted as soon as the inquiry is completed and no statutory retention periods exist.


7. Data Processing on Behalf (Server Operation)

Within the scope of our server and backup services, we process personal data on behalf of our customers in accordance with Art. 28 GDPR.

A separate Data Processing Agreement (DPA) is concluded for this purpose.

Sub-processors:

  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany

    Provision of server infrastructure (hosting, DDoS protection, backup)

  • Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA

    Security and performance services (CDN, DDoS protection, HTTPS)

    Transfers to Cloudflare are based on the EU Commission's Standard Contractual Clauses pursuant to Art. 46 GDPR.

Legal Basis: Art. 6 (1) (f) GDPR.


8. Analysis Tools

We do not use external tracking or analytics services such as Google Analytics.

Statistical evaluations are carried out exclusively in anonymized form on our own servers.


9. Rights of Data Subjects

Under the GDPR, you have the following rights:

  • Right of Access (Art. 15 GDPR)
  • Right to Rectification (Art. 16 GDPR)
  • Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
  • Right to Restriction of Processing (Art. 18 GDPR)
  • Right to Data Portability (Art. 20 GDPR)
  • Right to Object (Art. 21 GDPR)

Note on Right of Withdrawal:

If a statutory right of withdrawal exists for you, please note that this may be limited according to our Terms and Conditions. Details can be found under § 6 Right of Withdrawal / Exclusion of Withdrawal.

To exercise these rights, you can contact us at any time:
Email: support@serveratelier.com


10. Online Presence on Discord

We maintain an online presence on the Discord platform to communicate with our customers, prospects, and the community, offer support, and provide information about our services and products.

Within the scope of this use, personal data of Discord users may be processed, especially if you interact with us via our Discord server (e.g., by joining, sending messages, reactions, or voice communication).

This data is processed by Discord Inc., 444 De Haro St Suite 200, San Francisco, CA 94107, USA, as well as by its European branch VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.

Data Processing by Discord

The information you provide on Discord (e.g., username, profile picture, message content) is processed on Discord's servers.

Discord may also collect usage data for its own purposes, in particular for analysis, market research, and advertising, and store cookies or similar technologies on users' devices.

We have no influence over the nature and extent of data processing carried out by Discord.

Insofar as you contact us via our Discord server (e.g., for support requests or feedback), we process personal data on the basis of Art. 6 (1) (b) GDPR (Contract Performance or Pre-contractual Measures).

Furthermore, our presence on Discord is based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR to provide a modern, efficient communication and information platform for our users.

Joint Responsibility

To the extent that Discord provides aggregated or statistical data about the use of our server (e.g., number of members, activity, regions, or interactions), we may have access to this information.

This data is usually anonymized. A joint responsibility within the meaning of Art. 26 GDPR may exist insofar as Discord provides these statistics for server operators.

Exercise of Data Subject Rights

Requests for access, erasure, or rectification of personal data collected or processed directly via Discord should preferably be directed to Discord Inc., as only Discord itself has access to the complete user data.

Of course, you can also contact us directly. In this case, we will examine your request and, if necessary, forward it to Discord.

Further information on Discord's privacy practices can be found at:
Discord Privacy Policy


11. Security

We implement extensive technical and organizational measures (TOMs) in accordance with Art. 32 GDPR to protect your personal data against loss, misuse, manipulation, unauthorized access, or unauthorized disclosure.

Our security measures are continuously improved in line with technological developments.

Measures employed include in particular:

  • Encrypted Data Transmission:
    All communication between your browser and our servers takes place exclusively via an encrypted connection (SSL/TLS).
  • Access Protection and Authentication:
    Access to customer accounts is password-protected. Users can also voluntarily activate Two-Factor Authentication (2FA) to further secure access.
    With 2FA enabled, a one-time authentication code is requested in addition to username and password.
  • Password Security:
    Passwords are stored exclusively in hashed form (no plain text).
    We use recognized cryptographic methods for secure storage and validation of passwords.
  • Data Minimization and Access Restriction:
    Access to personal data is restricted to those employees and service providers who need it to fulfill their tasks.
  • System and Network Security:
    Our servers are operated in ISO 27001-certified data centers in Europe.
    Protection mechanisms such as firewalls, DDoS mitigation, and regular security updates serve to maintain technical operation and data security.
  • Backup and Recovery:
    To ensure data security and system stability, regular encrypted backups of our own systems (including website, central server, and internal customer data management) are created. These backups serve exclusively for recovery in case of technical disruptions or data loss and are stored protected in accordance with applicable data protection regulations.
    Backups of customer systems or servers are not automatically created by us.
    However, customers can use optional backup services for their own servers for a monthly fee. In this case, data backup takes place solely based on the corresponding contractual agreement.
  • Review and Awareness:
    Our security measures are regularly reviewed internally.

12. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy in case of changes to our services or due to legal adjustments.

The current version published on our website always applies.