Bubbly Clouds Privacy Policy

By using our Services, you agree that Bubbly Clouds can use your personal data in accordance with our Privacy Policy.

You can contact our Data Protection Officer, James Acres, at any time about the details in this privacy policy.

Privacy Policy

Last Updated: 2018-05-20

'We' or 'Bubbly Clouds' refers to James Acres and the collection of services personally offered to you by James Acres from bubblyclouds.co.uk or bubblyclouds.com

'You' refers to any user(s) and customer(s) of our services

URLs in the privacy policy are correct at the time of writing.


Who does the Privacy Policy apply to?

This Privacy Policy is designed to help all Bubbly Clouds customers and visitors to our websites understand how we treat your personal data and protect your privacy when you use our Services.

It is also designed to help you understand your own role as a data controller when you decide to run your own services using our products.

If you are a visitor and not a customer of ours, providing your personal data to us is not a contractual requirement. You can choose not to provide this information; however, you might not be able to gain access to our information, services or products.


Roles and Responsibilities

Bubbly Clouds Responsibilities

When placing an order with us you enter a contract with us to become a customer of ours. In this scenario Bubbly Clouds has the legal basis to become a controller of the necessary personal data we are required to collect from you in order to provide you with the service you ordered, collect payment and keep you notified of renewals etc.

We are only data controllers of our own customers' data. Bubbly Clouds has the role of data processor when our customers use the products we provide to them to run their own services. Our customers are data controllers when using our products to provide their own services to their own users.

Bubbly Clouds will always provide info on, and enforce our Terms of Service and Privacy Policy so our own services process data securely.

All our systems collect data for robust breach detection, investigation and internal reporting procedures so we can prevent and detect breaches and keep a record of them if they were to occur.

Within 72 hours of becoming aware of a personal data breach we will notify the UK's ICO and if this is of high risk of adversely affecting individuals’ rights and freedoms we will notify those individuals.

If one of our sub-processors notify us about a breach that impacts our customer's data we will notify them.

Customer Responsibilities

When using our web hosting products. Bubbly Clouds customers are data controllers and Bubbly Clouds is a data processor in this scenario.

Our products can be used by our customers to store personal information about their own customers and users. As a customer of ours it is your responsibility to decide what data you expose to us. It is your responsibility to provide your users with the necessary means to retrieve, review, correct, or remove their personal data in a similar way to how we do this for you as a Bubbly Clouds customer.

Bubbly Clouds provides you with tools for you to monitor web server logs to detect suspicious activity, but as you are in control of your own application setup it is up to you to install your own monitoring to prevent and detect breaches. We can advise you how to do this, but we can't do this for you as the services we offer are unmanaged.

As a customer of Bubbly Clouds it is your responsibility to comply with all applicable laws and your internal policies relating to such personal data collection, and providing notices and obtaining any necessary consents from your users.

Bubbly Clouds does not control how our customers process data, configure their applications, and so on. It is up to the customer to maintain high security standards for the applications they configure and we require this in our Terms of Service.

You bear sole responsibility for maintaining the security of any environments maintained under your account(s). You are solely responsible for ensuring compliance with any and all applicable privacy guidelines and regulations for all jurisdictions in which you may operate with respect to appropriate practices for the collection, storage, and dissemination of personal information using your Bubbly Clouds service. In no event shall Bubbly Clouds be held liable for your failure to adopt and/or practice appropriate measures for safeguarding personal information stored within or transmitted through your Bubbly Clouds service.


What Type of Personal Data Do We Collect about You?

Type of Personal Data Purpose(s) for Processing Legal Basis for Processing

Identity Data includes first name, last name, company name, email and username, and passwords (hashed).

Contact Data - includes billing/delivery address, email address and telephone numbers.

Financial Data - Card details, bank account and other payment details are collected and used by our third party payment providers on their own servers only, our servers do not come into contact with these details.

Financial information provided by you to order our products will be collected, stored and processed by Stripe, PayPal, Barclays and any other third party payment service providers as designated by Bubbly Clouds. Each of these providers provides their own privacy policy to you and Bubbly Clouds has legal agreements with each sub-processor it uses.

This is for purposes of completing your purchase with us so we can provide you with the service you ordered from us.

As part of our Terms of Use we also agree to provide support, when contacting us you may also provide some of these details to us and we only use it for the purpose to fulfil the contract.

We will keep records of all our contact with you via email and via the support ticketing system. You can view our historical emails in your client area.

Processing is necessary for the performance of a contract or to enter into such a contract with you.

Marketing and Communications Data - includes your preferences in receiving marketing from us via email and your communication preferences.

Sending you news, information and special offers by email. We record a detailed log of all consent changes. You can opt in and out at any time via your client area.

Your consent – which you can withdraw at any time from your self-service client area.

Data you choose to host with us using our products

Usage Data includes information about how you use our website, products and services.

We do not use the data you host with us for any other purpose than to fulfil the contract you have with us and for us to meet our own legal requirements. The data is yours, you are responsible for it and you are the controller of all your own data.

For support purposes, when you request we support you give permission for us to view your data e.g. for diagnosing email delivery issues. We can impersonate your cPanel or portal login when you request us to support you. We automatically scan your data for security and legal issues.

As part of your contract with you we agree to provide support, security scanning and legal compliance to you in our Terms of Use.

Transaction Data - includes details about payments to and from you and other details of products and services you have purchased from us.

We require to collect payment from you in order to provide you with the product you ordered.

We require to store transaction logs for us to legally complete tax returns and financial record keeping.

Processing is necessary for the performance of a contract or to enter into such a contract with you.

The processing is necessary to comply with legal and regulatory obligations.

Technical Data - includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Website, Requested pages, Referring Page, and other information which identifies your machine.

Logging includes client area access, intrusion prevention and web application firewall, access logs, error logs.

We are legally obliged for all our systems collect logging and diagnostic data for robust breach detection, investigation and internal reporting procedures so we can prevent and detect breaches and keep a record of them if they were to occur.

When someone visits our websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. Our use of Google Analytics makes use of IP Anonymization and we do not transfer any personally identifiable information, we do not use advertising integration.

The processing is necessary to comply with legal and regulatory obligations.

The processing is necessary to support our legitimate business interests.


When will we contact you?

As part of your contract with us we will contact you regarding updates to the services you have with us. This includes renewal and billing reminders, notification of maintenance and security issues, updates about changes to your products.

If you open a support ticket or email us we will contact you regarding this and notify you when the ticket you opened is closed.

All our billing is paperless, so you will receive invoices and receipts via email.

You will not receive updates and marketing about products you have not purchased unless you have opted in to join our mailing list.


Data Retention Policy

Customer Data - on termination of contract, when you become an inactive customer with no active products or invoices, we retain customer data in our web based systems until the following tax year's tax return is completed by us unless it is requested for us to delete this sooner.

Backups of data - We keep backups over the past year to help us to restore any of your services in the event of a disaster caused by you or by us. We can erase individual accounts from our historical backups on request if they need to be erased sooner.

Analytics and logs of activity - We keep logs for at least the past year to help us comply with our legal obligations to prevent data breaches and to monitor usage. We cannot erase logs on request and by using our services you agree your usage will be logged.

Financial Records - We must legally keep financial records for 6 years from the end of the last company financial year they relate to. On termination of a contract we do not erase personal data from our financial records until after this time, but we do erase it from our web based systems.


Managing Your Data

Access and Rectify - You can access and rectify the majority of your personal information from our self-service client area. Anything you cannot see there you can contact us and we will be able to update records on your behalf and provide you with an export.

Export and Data Portability - We can generate a report to provide your account data in JSON format on request. Our Portal and cPanel also allow you to export most of your own data without needing to ask us. We can provide tools to help you export all data to switch providers on request.

Erasure - We will respond to all requests to erase data within one month, this will come with no fees unless it is unfounded or excessive. If you contact us and no longer want your details on record, we can erase these records on request. If you wish to terminate your contract with us we will erase data according to our data retention policy, but can do this quicker on request. Some data, such as financial records, we are legally obliged to keep for longer.


Security and Integrity of your Personal Data

You will keep your data up to date via your self-service portal. If we learn of any changes we will update your account accordingly to keep your details up to date.

We will never request your password, you should never pass on your password to anybody, only you are permitted to sign into your Bubbly Clouds services with your password.

When signing up you will be assigned a password for setup purposes. Bubbly Clouds will need to email your initial setup password in plain text, for this reason once your account is setup we strongly recommend you login and immediately change your passwords which will be hashed and unreadable by us or anyone else. We never share setup passwords and you should never tell us or anybody else your password after setup, we will never ask you for this.

We provide Single Sign On so you can sign into your client area with a single email+password and use the portal to sign into any of your product cPanels without entering another password. This allows you to maintain one single set of secure credentials to access all your services with us.

Your personal information will be transmitted over an secure encrypted connection when you use our billing systems, portal, cPanel and other service from us.

Our system administrator's initial login has limited permissions which requires escalation to become root. Administration is only done on our servers from devices with hard drive encryption which are connected to secure private networks.

We have a strong understanding of Information Security. We use web application firewalls to block known attack request signatures, we use spam blacklists and virus checking to try to fight spammers delivering malicious material, we use 2 factor on all services which support it and rely on cryptographic keys instead of passwords where possible.

We have procedures to respond to security incidents caused by somebody either internal or external breaching a security invariant or negatively affecting system performance and integrity.

We take daily backups and regularly restore past backups to test our disaster recovery process.

All our own servers and backups are located in the UK.


Third Parties

We only partner with third parties to reliably deliver the services you purchased, we do not use third parties if it is not necessary for the product you have purchased.

We only use third parties who sub-process personal data who meet our data protection and compliance requirements for us to be compliant ourselves.

Some third parties help us to take payments and provide you with domains and SSL, in many cases you will provide your data directly to their servers instead of to us, in these cases they will be the controller of your data for that purpose instead of Bubbly Clouds and you will need to read their own privacy policy to decide if it adequately protects your data.

Domains use a WHOIS system, if you provide your data for that purpose you should ensure you only provide information you wish to be displayed publicly. SSL Certificates also have a subject portion which can publicly list your company details.

If you breach our terms of use, or if Bubbly Clouds is under a duty to disclose or share your personal data in order to comply with any legal obligation, we may disclose your information to a relevant authority. Disclosure may include, but is not limited to, exchanging information with other companies and organizations for the purposes of fraud protection. In particular, Bubbly Clouds may release the information it collects to third parties when we believe that it is appropriate to comply with the law, to enforce its' legal rights, to protect the rights and safety of others, or to assist with industry efforts to control fraud, spam or other undesirable conduct.


Cookies

Our web applications may use cookies, this is to track your login sessions and to help with analytics.

Essential; i.e. required to make the website work

Login session cookies for our client area, cPanel and WHM. These cookies identify you as being logged in to the secure parts of our website for the duration of your visit. Our secure areas will not work unless cookies are enabled.

Non-essential; i.e. that aren’t needed to make the website work

Google Analytics uses cookies to help us analyse how our visitors use the site. Find out more about how these cookies are used on the Google privacy site.


Sensitive Information

Bubbly Clouds will not intentionally collect or maintain, and requests that you do not provide, any information regarding your medical or health condition, sexual orientation, race or ethnic origin, political opinions, religious or philosophical beliefs or other sensitive information.

If you host any material or information that is sensitive, such information and compliance with applicable privacy laws remains solely your responsibility.

Bubbly Clouds is not responsible for any sensitive information stored by you on its systems.


Children's Online Privacy Protection

If you are under thirteen (13) years of age you must not sign up for any Bubbly Clouds products.

If you are a customer of Bubbly Clouds, you must not intentionally collect or maintain the data of anyone under thirteen (13) years of age.

Bubbly Clouds services are not designed for or directed to children under thirteen (13) years of age and Bubbly Clouds will not intentionally collect or maintain information about anyone under thirteen (13) years of age.


Amendments to this document

We aim to notify you via email of amendments made to this document, if you disagree with any changes made you will be permitted to request a termination of your account.