Privacy Policy
Last updated: April 2025
Version 2.0
1. Data Controller and Processor Roles
ServerMind as Data Controller: ServerMind (ExelionTech EOOD) acts as a data controller for account data, billing records, and licensing information collected through our cloud services. We determine the purposes and means of processing this data.
On-Premise Data: ServerMind does not act as a data processor for customer data stored within on-premise installations. All data on customer infrastructure (server logs, configurations, user data, application data) remains under the sole control of the customer. ServerMind agents operate locally and do not transmit customer operational data to our cloud services.
Telemetry Data: For the limited technical telemetry transmitted from on-premise installations (instance IDs, hardware fingerprints, agent count), ServerMind acts as a data controller, processing this data for license validation and service reliability purposes.
2. Information We Collect
2.1 Information You Provide Directly
We collect information you provide directly to us when creating an account or using the Services, including:
- email address
- company name
- account-related information
Payment information is not stored or processed by ServerMind and is handled exclusively by Paddle as Merchant of Record.
2.2 On-Premise Installation Data
ServerMind follows strict data minimization principles.
From on-premise installations, we collect only technical and non-personal data, including:
- Instance ID (random, non-identifying identifier)
- Hardware fingerprint (hashed, non-reversible)
- Active agent count (licensing and usage metrics)
- Software version number
We do not collect directly identifiable personal data from on-premise installations. Instance identifiers and hardware fingerprints are pseudonymous technical identifiers that cannot be used to identify individuals without additional information held by the customer.
3. How We Use Information
We use the collected information to:
- provide, operate, and maintain the Services
- manage subscriptions and licensing
- process transactions via Paddle
- communicate service-related notices and support messages
- monitor usage for reliability, security, and abuse prevention
- comply with legal and regulatory obligations
4. Legal Basis for Processing (GDPR)
We process personal data based on one or more of the following legal grounds:
- performance of a contract
- compliance with legal obligations
- legitimate interests related to service security and operation
- consent, where applicable
5. Data Storage and Security
Account and licensing data are stored on Amazon Web Services (AWS) infrastructure in the United States. We use appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) as approved by the European Commission.
We apply industry-standard security measures, including:
- encryption in transit (TLS 1.3)
- encryption at rest (AES-256)
- access controls and audit logging
6. Data Sharing and Third Parties
We do not sell personal data.
We may share data with:
- Paddle – payment processing, invoicing, VAT handling
- Amazon Web Services (AWS) – cloud infrastructure hosting in the United States
- authorities or regulators when required by law
- successors in the event of a merger, acquisition, or restructuring
All third parties process data under appropriate contractual safeguards.
7. International Data Transfers
Where data is transferred outside the European Economic Area, appropriate safeguards are applied, including Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914), supplemented by additional technical measures where required by the CJEU Schrems II ruling.
8. Your Rights (GDPR)
If you are located in the European Economic Area, you have the right to:
- access your personal data
- correct inaccurate or incomplete data
- request deletion of your data
- restrict or object to processing
- request data portability
- withdraw consent where processing is based on consent
Requests can be submitted to [email protected].
9. Specific Legitimate Interests
Where we rely on legitimate interests as a legal basis, our specific interests include:
- License enforcement: verifying compliance with the Licensed Agent Tier to protect commercial interests
- Service security: detecting and preventing abuse, unauthorized access, and fraud
- Service improvement: analyzing aggregated, non-personal usage patterns to improve reliability and performance
- Infrastructure integrity: monitoring system health and diagnosing errors to maintain service availability
We balance these interests against the rights and freedoms of data subjects. Telemetry data collected from on-premise installations is limited to non-personal, technical identifiers and cannot be used to identify individuals.
10. Automated Decision-Making
ServerMind may apply automated processes in the following cases:
- License suspension: if the active agent count exceeds the Licensed Agent Tier, functionality may be automatically limited until compliance is restored
- Abuse detection: automated systems may temporarily restrict access in response to patterns indicating security threats or Terms of Service violations
- Payment-related suspension: non-payment or unresolved payment disputes may trigger automatic service restriction
These automated decisions are based on objective technical and billing data, not personal profiling. You have the right to request human review of any automated decision by contacting [email protected].
11. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
- We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34
- Notifications will include: the nature of the breach, categories of data affected, approximate number of individuals concerned, likely consequences, and measures taken to address the breach
To report a suspected data breach, contact: [email protected]
12. Right to Erasure — On-Premise Clarification
ServerMind operates a self-hosted, on-premise model. We can erase personal data held in our cloud services (account data, licensing records) upon valid request.
However, telemetry data transmitted from on-premise installations to our cloud services is limited to non-personal technical identifiers (instance IDs, hardware fingerprints). These identifiers cannot be linked to individuals and therefore do not constitute personal data under GDPR.
Data stored locally on Customer infrastructure (logs, configurations, user data) is under Customer control. ServerMind does not have access to Customer systems and cannot erase data from on-premise installations.
13. Subprocessors
We use the following subprocessors to deliver the Services:
| Subprocessor | Purpose | Location |
|---|---|---|
| Paddle | Payment processing, invoicing, VAT handling (Merchant of Record) | United Kingdom |
| Amazon Web Services (AWS) | Hosting of licensing, authentication, and management services | United States |
| Google LLC | Website analytics (Google Analytics) and advertising measurement (Google Ads), with user consent | United States |
We will notify Customers of any changes to subprocessors with reasonable advance notice. Customers may object to new subprocessors by contacting [email protected].
A Data Processing Agreement (DPA) is available at servermind.io/dpa. To request a signed copy, contact [email protected].
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to delete: you may request deletion of your personal information, subject to certain exceptions
- Right to opt-out of sale: we do not sell personal information. We do not share personal information for cross-context behavioral advertising
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights
- Right to correct: you may request correction of inaccurate personal information
- Right to limit use of sensitive personal information: we do not collect sensitive personal information as defined by CPRA
To exercise these rights, contact [email protected]. We will respond within 45 days as required by CCPA.
In the preceding 12 months, we have collected the following categories of personal information: identifiers (email address), commercial information (subscription details), and internet activity (IP addresses, browsing behavior via Google Analytics with consent). We have not sold any personal information. Google Analytics data is used for website improvement only and is not linked to your ServerMind account.
15. Cookies and Tracking
We use essential cookies for authentication and security, and with your consent, analytics cookies (Google Analytics) and advertising cookies (Google Ads conversion tracking). Non-essential cookies are only set after consent. See our Cookie Policy for details.
16. Data Retention
We retain data according to the following schedule:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data (email, company) | Duration of account + 30 days | Contract performance |
| Billing and transaction records | 7 years | Bulgarian Accounting Act, EU VAT Directive |
| Audit logs | 1 year | Security, compliance best practice |
| Licensing and telemetry logs | 90 days | Legitimate interest (service reliability) |
| Backups | 90 days | Operational continuity |
| Analytics data (Google Analytics) | 14 months (Google default) | Consent |
After the retention period, data is deleted or anonymized. Where deletion is not technically feasible (e.g., backup archives), data is isolated and protected until deletion is possible.
17. Lawful Access Requests
ServerMind may be required to disclose personal data in response to lawful requests from public authorities, including law enforcement or national security agencies.
Our policy on government and legal requests:
- We will comply only with legally valid requests (court orders, warrants, or requests meeting the legal requirements of the applicable jurisdiction)
- We will narrow the scope of any disclosure to the minimum data required
- We will notify the affected customer before disclosure, unless legally prohibited from doing so
- We will challenge requests that we believe are overly broad, vague, or otherwise inappropriate
- We do not provide law enforcement with direct access to our systems or infrastructure
As our cloud infrastructure is hosted on AWS in the United States, data may be subject to US legal process (including under the CLOUD Act). Standard Contractual Clauses and supplementary measures are in place to protect EU data subjects.
18. Children's Privacy
The Services are not intended for children under the age of 16. We do not knowingly collect personal data from children.
19. Changes to This Policy
We may update this Privacy Policy from time to time. Changes become effective upon publication on this page.
20. Contact Information
For privacy-related inquiries, contact:
- Email: [email protected]
- Data Protection Officer: [email protected]