Legal

Your data.

What we collect, why, who we share it with, and how to get it deleted — in plain language, under the GDPR.

Data controller

We’re responsible for your data.

Per Art. 4 (7) GDPR, the data controller for personal data processed via HProxy is:

Controller
Obsidian UG (haftungsbeschränkt)
HRB 20982 · AG Bad Oeynhausen
Address
Leopoldstr. 2-8, 32051 Herford
Bundesrepublik Deutschland
Privacy contact
[email protected]
Direct line for data requests, deletion, portability
What we collect
Account data

When you sign up, we collect your email address and (if you choose Google sign-in) your Google profile basics. We do not require a name, phone number, or physical address to open an account.

Payment data

Card details are never stored on our servers. They flow directly to our PCI-DSS Level 1 payment processor. We retain only the transaction reference and the last 4 digits for invoicing and chargeback handling.

Usage logs

When you route through our proxy infrastructure we log: timestamp, target hostname, bytes transferred, and response code. We do NOT log request bodies, response bodies, or full URL paths. Logs are retained 30 days for billing reconciliation and abuse investigation.

Support correspondence

Emails, chat messages, and ticket history sent to support@ or legal@. Retained 24 months for service quality and legal-hold purposes.

Legal basis & retention
Legal basis

We process personal data under the following legal bases per Art. 6 GDPR:

  • Art. 6 (1) (b) — performance of the contract you signed up for (account, billing, proxy service delivery)
  • Art. 6 (1) (c) — legal obligations (tax records, identity checks for crypto payments above €1,000)
  • Art. 6 (1) (f) — legitimate interest (fraud prevention, abuse investigation, infrastructure security)
Retention

Account data is retained for the lifetime of your account plus 6 months after deletion. Billing records are retained 10 years (HGB §257). Usage logs are retained 30 days. Support correspondence is retained 24 months. Beyond these windows, data is securely erased or anonymised for aggregate metrics.

Sub-processors
Who we share data with

We use a small number of sub-processors to run the service. Each is bound by a Data Processing Agreement (Art. 28 GDPR). We do NOT sell your data to third parties under any circumstance.

  • Cloudflare (USA / EU edge) — DNS, DDoS protection, and CDN
  • EU-based server hosting (Germany) — our application and database run on our own servers; the database is not handed to a third party
  • Resend (USA) — transactional email (account and billing notifications)
  • Upstash (USA, EU region) — Redis cache for session and rate-limit state
  • PCI-DSS-compliant payment processors — card and cryptocurrency transactions, handled through our payment infrastructure
International transfers

Where a sub-processor is based outside the EU/EEA, transfers occur under Standard Contractual Clauses (SCC) per Art. 46 GDPR, with a transfer impact assessment where required. The full sub-processor list and DPAs are available from [email protected] on request.

Your rights
Rights under the GDPR

You have the following rights regarding personal data we hold about you:

  • Art. 15 — Right of access (Auskunftsrecht): request a copy of all data we hold
  • Art. 16 — Right to rectification (Berichtigung): correct inaccurate data
  • Art. 17 — Right to erasure (Löschung): delete your data, subject to legal retention obligations
  • Art. 18 — Right to restriction (Einschränkung): limit processing while a dispute is open
  • Art. 20 — Right to portability (Datenübertragbarkeit): receive your data in a machine-readable format
  • Art. 21 — Right to object (Widerspruch) to processing based on legitimate interests
How to exercise these rights

Email [email protected] from the address on your account. We respond within 30 days per Art. 12 (3) GDPR. No fee for routine requests.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For HProxy, the competent authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.

Cookies

We use a small number of cookies for session authentication, fraud prevention, and (with your consent) anonymous analytics. The full breakdown of categories and durations is on our cookies page.

Read the cookie policy
Last updated 5 May 2026.