Legal

Your data.

What we collect, why, who we share it with, and how to get it deleted. In plain language, under the GDPR.

Data controller

We’re responsible for your data.

Per Art. 4 (7) GDPR, the data controller for personal data processed via HProxy is:

Controller
Obsidian UG (haftungsbeschränkt)
HRB 20982 · AG Bad Oeynhausen
Address
Leopoldstr. 2-8, 32051 Herford
Bundesrepublik Deutschland
Privacy contact
[email protected]
Direct line for data requests, deletion, portability
What we collect
Account data

When you sign up, we collect your email address and (if you choose Google sign-in) your Google profile basics. We do not require a name, phone number, or physical address to open an account.

Payment data

Card details are never stored on our servers. They flow directly to our PCI-DSS Level 1 payment processor. We retain only the transaction reference and the last 4 digits for invoicing and chargeback handling.

Usage logs

When you route through our proxy infrastructure we log: timestamp, target hostname, bytes transferred, and response code. We do NOT log request bodies, response bodies, or full URL paths. Logs are retained 30 days for billing reconciliation and abuse investigation.

Telecommunications metadata (Verkehrsdaten)

When you route traffic through our proxy infrastructure, we process Verkehrsdaten within the meaning of §9 (1) TKG (destination host, timestamp, bytes, status code). We retain this for 30 days strictly for: (a) billing reconciliation (§9 (3) TKG) and (b) detection of abuse, fraud, and system disruption (§10 (3) TKG). After 30 days we permanently delete or anonymise the data. We do not process traffic contents (request bodies, response bodies, full URL paths) and we do not retain them in any form.

Customer source IP

Your IP when connecting to our infrastructure is logged for authentication, abuse prevention, and fraud monitoring; legal basis Art. 6 (1) (f) GDPR legitimate interest. Retained 30 days, then deleted.

Support correspondence

Emails, chat messages, and ticket history sent to support@ or legal@. Retained 24 months for service quality and legal-hold purposes.

Legal basis & retention
Legal basis

We process personal data under the following legal bases per Art. 6 GDPR:

  • Art. 6 (1) (b). Performance of the contract you signed up for (account, billing, proxy service delivery)
  • Art. 6 (1) (c). Legal obligations (tax records, identity checks for crypto payments above €1,000)
  • Art. 6 (1) (f). Legitimate interest (fraud prevention, abuse investigation, infrastructure security)
Retention

Account data is retained for the lifetime of your account plus 6 months after deletion. Billing records are retained 10 years (HGB §257). Usage logs are retained 30 days. Support correspondence is retained 24 months. Beyond these windows, data is securely erased or anonymised for aggregate metrics.

Sub-processors
Who we share data with

We use a small number of sub-processors to run the service. Each is bound by a Data Processing Agreement (Art. 28 GDPR). We do NOT sell your data to third parties under any circumstance.

  • Cloudflare (USA / EU edge). DNS, DDoS protection, and CDN
  • EU-based server hosting (Germany). Our application and database run on our own servers; the database is not handed to a third party
  • Resend (USA). Transactional email (account and billing notifications)
  • Upstash (USA, EU region). Redis cache for session and rate-limit state
  • PostHog (EU Cloud, Frankfurt). Product analytics and session replay, only with your analytics-cookie consent; see PostHog’s DPA
  • PCI-DSS-compliant payment processors. Card and cryptocurrency transactions, handled through our payment infrastructure
Product analytics (PostHog)

We use PostHog for product analytics and session replay, hosted on PostHog’s EU Cloud (Frankfurt) so your data stays within the EU/EEA. PostHog runs only after you opt in via the analytics cookie category; with analytics consent off, it is not loaded and sets no cookies. PostHog acts as a sub-processor under a Data Processing Agreement (Art. 28 GDPR). See PostHog’s published DPA.

International transfers

Where a sub-processor is based outside the EU/EEA, transfers occur under Standard Contractual Clauses (SCC) per Art. 46 GDPR, with a transfer impact assessment where required. The full sub-processor list and DPAs are available from [email protected] on request.

Your rights
Rights under the GDPR

You have the following rights regarding personal data we hold about you:

  • Art. 15. Right of access (Auskunftsrecht): request a copy of all data we hold
  • Art. 16. Right to rectification (Berichtigung): correct inaccurate data
  • Art. 17. Right to erasure (Löschung): delete your data, subject to legal retention obligations
  • Art. 18. Right to restriction (Einschränkung): limit processing while a dispute is open
  • Art. 20. Right to portability (Datenübertragbarkeit): receive your data in a machine-readable format
  • Art. 21. Right to object (Widerspruch) to processing based on legitimate interests
How to exercise these rights

Email [email protected] from the address on your account. We respond within 30 days per Art. 12 (3) GDPR. No fee for routine requests.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For HProxy, the competent authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.

Automated decisions
Automated decisions (Art. 22 GDPR)

We use automated risk scoring to decide whether to auto-fulfill, hold for manual review, or decline an order. The scoring considers: order velocity, card-BIN diversity per user, IP velocity, payment-attempt patterns. If your order is held, a human reviews it before any final decision. You have the right under Art. 22 (3) GDPR to (a) obtain human intervention, (b) express your point of view, (c) contest the decision. Email [email protected] to invoke any of these.

Children
Children's data

HProxy is not directed to children. We do not knowingly collect personal data from children under 16 (Art. 8 GDPR). If you become aware that a child has provided us personal data, contact [email protected] and we will delete it.

Cookies

We use a small number of cookies for session authentication, fraud prevention, and (with your consent) anonymous analytics. The full breakdown of categories and durations is on our cookies page.

Read the cookie policy
Last updated 5 May 2026.
Privacy Policy | HProxy