Our Commitment
HOSXI Ltd is a UK-registered company fully committed to protecting your personal data. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and align with EU GDPR principles for international customers. We follow guidance issued by the Information Commissioner's Office (ICO).
UK GDPR Compliant
Full compliance with UK GDPR and the Data Protection Act 2018.
ICO Registered
Registered with the UK Information Commissioner's Office.
Privacy by Design
Data protection built into our platform architecture from the ground up.
EU GDPR Alignment
Our practices align with EU GDPR for international customers.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a data protection law that governs how personal data is collected, stored, processed, and shared. The UK version (UK GDPR) applies in Great Britain following the departure from the EU.
Lawful Processing
Data must be processed on a clear, lawful basis — such as contract, consent, or legitimate interest.
Transparency
Individuals must be clearly informed about how their data is used, and by whom.
Purpose Limitation
Data may only be used for the specific, stated purposes for which it was collected.
Accountability
Organisations must demonstrate their compliance through policies, training, and records.
Data Minimisation
Only the minimum necessary data should be collected and retained.
Individual Rights
People have strong rights to access, correct, delete, and port their personal data.
Data We Collect
We collect only the personal data necessary to deliver our services. The table below summarises the categories, examples, and processing purposes:
| Category | Examples | Purpose | Lawful Basis |
|---|---|---|---|
| Identity Data | Full name, company name | Account creation & service delivery | Contract |
| Contact Data | Email address, phone number | Service communication & support | Contract |
| Billing Data | Address, payment method (tokenised) | Invoice processing & fraud prevention | Contract / Legal |
| Technical Data | IP address, browser, device type | Security monitoring & performance | Legitimate Interest |
| Account Activity | Login history, service usage logs | Platform security & abuse prevention | Legitimate Interest |
| Support Communications | Ticket content, chat transcripts | Customer support & quality assurance | Contract |
| Marketing Data | Email preferences, campaign interactions | Promotional communications (where consented) | Consent |
We never collect sensitive personal data (special category data) unless explicitly required and with your clear, explicit consent.
How We Process Data
Personal data flows through our systems in a structured, controlled manner. The diagram below illustrates our data processing pipeline:
You
Visit hosxi.com or use client portal
Website
Secure HTTPS connection, cookie consent
Secure Servers
UK/EU data centres, ISO 27001 certified
Billing (WHMCS)
PCI-DSS compliant payment processing
Hosting Infra
Service provisioning & management
Encrypted Backups
Retained per data retention policy
Processing Purposes
- Account creation, management, and authentication
- Provisioning and managing hosting, domain, and SSL services
- Payment processing and invoice management
- Fraud detection, abuse prevention, and platform security
- Customer support and helpdesk responses
- Service-critical communications (renewal reminders, outage alerts)
- Regulatory and legal compliance obligations
Lawful Basis
Under UK GDPR, every act of processing must have a defined lawful basis. HOSXI relies on the following four grounds, depending on the processing activity:
Contractual Necessity
The primary basis for most processing. When you purchase a hosting plan or register a domain, we must process your data to fulfil that contract — provision services, process payments, and manage renewals.
Legal Obligation
Certain data must be retained to comply with UK law — for example, financial records for HMRC tax purposes (7 years) or responding to lawful law enforcement requests.
Legitimate Interests
We may process data where we have a genuine business interest that does not override your rights — such as platform security monitoring, fraud prevention, and improving service quality.
Consent
Where none of the above grounds apply — for instance, marketing emails or optional analytics — we will ask for your explicit consent. You may withdraw it at any time without affecting prior lawful processing.
Security Measures
HOSXI implements layered technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:
SSL/TLS Encryption
All data in transit is encrypted via industry-standard SSL/TLS. All HOSXI-managed services include free SSL.
Secure Data Centres
Infrastructure hosted in ISO 27001-certified UK/EU facilities with 24/7 physical security and redundant power.
Firewall & DDoS
Enterprise-grade firewalls and always-on DDoS mitigation protect our network layer and application stack.
Access Controls
Strict role-based access ensures only authorised staff can access customer data on a documented need-to-know basis.
24/7 Monitoring
Continuous security monitoring, log analysis, and anomaly detection operate across our entire infrastructure.
Encrypted Backups
All backups are encrypted at rest and stored in geographically separate locations with restricted access.
Confidentiality Agreements
All HOSXI employees and contractors handling personal data are bound by formal confidentiality agreements.
Vulnerability Management
Regular penetration testing, security patching, and vulnerability scanning are conducted across our platform.
Data Retention
We retain personal data only as long as necessary for the purposes it was collected, or as required by applicable law:
Active Account Data
All personal and account data retained for the duration of your active subscription with HOSXI.
Financial & Billing
Required by HMRC regulations and UK financial legislation. Includes invoices, payment records, and VAT data.
Server & Access Logs
Security monitoring, incident investigation, and infrastructure performance analysis.
Support Records
Helpdesk tickets and communications retained for quality assurance and legal protection.
Marketing Consent
Consent records maintained until you unsubscribe or explicitly withdraw.
Post-Cancellation Data
Following account cancellation, personal data is queued for deletion within 30 days unless legally required to retain.
You may request deletion of your personal data at any time by contacting privacy@hosxi.com. We will process your request within 30 days, subject to legal retention obligations.
International Transfers
HOSXI is a UK-based company and stores your data primarily within the United Kingdom and European Economic Area. In some cases, third-party service providers may process data in countries outside the UK/EEA.
Where international transfers occur, HOSXI ensures appropriate safeguards are in place:
- Transfers to countries with UK adequacy decisions (e.g. EU/EEA, Canada, New Zealand).
- UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) where required.
- Binding Corporate Rules (BCRs) where applicable within multinational group entities.
- Supplementary technical measures where additional data protection is warranted.
To obtain details of the specific safeguards applied to your data transfers, contact our privacy team at privacy@hosxi.com.
Your Rights
Under UK GDPR, you have the following enforceable rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you (Subject Access Request). We will respond within 30 days.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your data where there is no compelling reason to continue processing.
Right to Restrict Processing
Request that we limit processing in certain circumstances, for example while a dispute is resolved.
Right to Object
Object to processing based on legitimate interests or direct marketing.
Right to Data Portability
Receive data processed with your consent or for a contract in a structured, machine-readable format.
Right to Withdraw Consent
Withdraw consent at any time without affecting the lawfulness of prior processing.
We will acknowledge your request within 5 business days and respond in full within 30 days. We may need to verify your identity before processing.
DPA
Depending on how you use HOSXI services, we act in different legal capacities under UK GDPR:
Data Controller
When processing your billing information, account data, and marketing communications, HOSXI acts as the Data Controller — we determine the purposes and means of processing.
- Billing & invoicing
- Account management
- Marketing communications
Data Processor
When hosting your website or application files, databases, and emails, HOSXI acts as a Data Processor — processing data on your behalf as the Data Controller.
- Website files & databases
- Hosted applications
- Email hosting
Data Processing Agreement (DPA)
Enterprise and reseller customers who require a signed DPA can request one from our legal team.
Third-Party Processors
To deliver our services, HOSXI shares limited personal data with carefully vetted third-party processors. All processors are contractually bound to handle data in compliance with UK GDPR:
Payment Gateways
Stripe, PayPal — PCI-DSS compliant. We do not store full card numbers.
Domain Registries
ICANN-accredited registries require registrant data for WHOIS compliance.
Cloud Infrastructure
UK/EU-based data centre operators hosting our server infrastructure.
Analytics Services
Anonymised analytics providers (e.g. Google Analytics with IP masking).
Email Services
Transactional email providers for billing notifications and support replies.
Security Services
DDoS mitigation and threat intelligence providers protecting our network.
HOSXI does not sell, rent, or trade your personal data to any third party for commercial purposes. Ever.
Breach Policy
In the unlikely event of a personal data breach, HOSXI has a structured incident response procedure in place:
Detection & Containment
Our security team immediately investigates any suspected breach, contains the incident, and assesses its scope and severity.
ICO Notification
If the breach is likely to result in a risk to individuals' rights and freedoms, we notify the Information Commissioner's Office within 72 hours of becoming aware.
Individual Notification
If the breach is likely to result in a high risk to you, we will contact you directly without undue delay, with clear information about what happened and what we are doing.
Remediation & Review
We document the breach, implement remediation measures, and conduct a post-incident review to prevent recurrence.
Contact DPO
For data protection enquiries, Subject Access Requests, or to raise a concern, contact our privacy team:
Privacy / DPO Team
privacy@hosxi.com
Registered Address
HOSXI Ltd, 71–75 Shelton Street,
London WC2H 9JQ, UK
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
Frequently Asked GDPR Questions
Is HOSXI GDPR compliant?
Where is my data stored?
Can I request deletion of my data?
Does HOSXI sell my data?
Who is HOSXI's Data Protection Officer?