Before you begin
Last updated: February 25, 2026 · Applies site-wide
VpsGona ("we") treats privacy as part of the product. This policy explains the boundaries, purposes, and retention of personal information processing.
By continuing to use the website, console, or API, you acknowledge that you have read and agree to this policy. If you do not agree, please stop using the service. This policy and the User Service Agreement are complementary.
What data we handle
Two categories: information you actively provide, and data automatically recorded by the system.
Provided by you
- Account details: email address, optional name, and hashed password
- Payment traces: card data processed by licensed payment providers; we only store transaction results, amounts, dates, and de-identified billing fields
- Support materials: descriptions, attachments, and correspondence in tickets and emails
- Order parameters: machine spec, data center region, billing plan
Generated automatically
- Access logs: IP, HTTP metadata, timestamps, referrer, browser and OS information
- Device fingerprint: device type and a client identifier (SSAID) we issue, used for risk control and anomaly detection
- Usage telemetry: login timestamps, feature clicks, console actions, bandwidth and compute consumption statistics
- Cookies / local storage: maintaining sessions, remembering language preferences, etc. (see Section 6 for details)
Purposes & legal basis
Data is used only where necessary for performance of the contract or our legitimate interests.
Data will be used for:
- Delivery & operations: account creation, instance provisioning, payment processing, and renewal management
- Identity & risk control: verifying sign-ins, detecting abuse, blocking unauthorized access
- Customer success: responding to tickets, diagnosing issues
- Experience improvement: analyzing usage paths in aggregated or anonymized form to improve performance and new features
- Transactional notifications: billing, expiry, maintenance, and security emails
- Product updates: we may send product-related updates or offers until you opt out
- Compliance obligations: cooperating with law enforcement, meeting regulatory requirements, protecting our legitimate interests
- Infrastructure research: anonymized technical logs used for stability tuning
Who we share with and when
Minimal disclosure; we never sell personal information.
We do not sell your personal information. We only disclose it to third parties in the following scenarios:
Processors & infrastructure partners
To complete payments, email delivery, network connectivity, and similar functions, we share necessary fields with providers such as:
- Payment gateway (subject to its own privacy policy)
- Email delivery service (verification codes and notifications)
- Self-hosted Matomo analytics (data resides on our own servers)
- Data center and bandwidth providers
We sign data processing agreements with these parties, restrict their permitted uses, and require them to implement comparable security measures.
Legal compulsion
We may disclose necessary information when required by law, regulation, judicial order, or administrative authority, or to protect our legitimate interests and those of our users.
Merger or restructuring
In the event of a merger, acquisition, asset sale, or insolvency proceedings, user information may be transferred as an asset. We will give advance notice and require the successor to uphold equivalent protections.
With your consent
We will not share your information beyond the scope described in this policy without first obtaining your separate, explicit consent.
How long we keep it
Retention periods are set based on compliance requirements and business necessity.
- Account fields: retained throughout the account's lifetime and for a reasonable period after deletion — up to approximately 12 months to satisfy audit requirements
- Financial records: invoices and payment receipts retained for at least 7 years as required by law
- Access logs: typically retained for approximately 90 days for security auditing and troubleshooting
- Tickets: retained during the account's active lifetime and for 12 months after deletion
- Instance disk: permanently deleted within 72 hours after service stops
Where law requires a longer retention period, we follow that requirement.
How we protect it
Technical controls and access governance work in tandem.
We apply industry-standard practices, including but not limited to:
- Transport layer: TLS 1.2 or higher encrypted channels
- Password storage: bcrypt and equivalent strong hashing — original passwords cannot be recovered
- Internal access: staff operate on a least-privilege basis; sensitive actions are logged
- Physical environment: data centers with 24/7 access control and monitoring
- Security operations: regular self-assessments and vulnerability scanning
Cookies & local identifiers
Managed by category; essential cookies cannot be disabled.
We currently use the following types of technologies:
You can disable cookies at the browser level. Disabling essential cookies may break the console and checkout flow.
Your controls
Depending on applicable law, you may have the following rights.
Submit a request via ticket and we will respond within approximately 30 days:
- Access: obtain a copy of the data we hold about you
- Correction: request corrections to inaccurate data (basic fields can also be updated directly in the console)
- Deletion: request erasure after account closure, subject to transaction records we are legally required to retain
- Marketing opt-out: use the unsubscribe link at the bottom of any promotional email; you cannot opt out of billing and security notifications
- Withdraw consent: where processing is based on consent, you may withdraw at any time without affecting the lawfulness of activities prior to withdrawal
Some deletion requests may be deferred while an account is still active and contractual obligations are ongoing, to balance service delivery and legal requirements.
Children's privacy
The service is designed for adults.
This service is not directed at persons under 18. We do not knowingly collect children's data. If you are a guardian and believe a minor has submitted information without authorization, please contact us via ticket and we will delete it promptly.
Cross-border & multi-region deployment
Data centers are distributed across multiple jurisdictions.
We operate data centers in Hong Kong, Japan, Korea, the United States, and other locations. Data may be stored or processed outside your country of residence. Privacy laws differ across jurisdictions.
To mitigate risk, we sign data processing agreements with recipients, apply standard encryption and access controls, and comply with applicable cross-border transfer rules.
Third-party sites
External links are for convenience only — please review their policies.
Our site may contain links to external websites. We have no control over their content, privacy practices, or security measures and accept no responsibility for them. Please review the relevant privacy statement before visiting.
How this policy evolves
The online text governs; significant changes receive additional notice.
We may update this policy periodically. The revised version is published on this page with an updated date at the top.
If a change would materially affect the purposes or sharing scope, we will notify you via your registered email or an in-product message. Continued use after the update is posted constitutes acceptance. If you do not agree, please stop using the service and close your account.
Privacy contact
For questions, complaints, or rights requests, reach us by email or ticket.
For human assistance, choose any of the following:
Email: [email protected]
Ticket: Sign in to the console → submit a ticket (recommended, trackable)
Response time: General inquiries within approximately 2 business days; rights requests within 30 days