Server Host Inc (“Company,” “we,” “us,” or “our”), a Wyoming corporation, operates the ServerPlane platform (the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our Service.
By creating an account or using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
1. Information We Collect
We collect information in the following categories:
1.1 Account Information (Provided by You)
When you create an account, we collect:
- Name and email address
- Password (stored only as a bcrypt hash — we never store or have access to your plaintext password)
- Avatar URL (if provided)
- Two-factor authentication secrets (encrypted at rest, used solely for TOTP verification)
- Recovery codes (encrypted at rest)
1.2 OAuth Information (Received from Third Parties)
If you authenticate via GitHub or Google, we receive:
- GitHub: Your GitHub user ID and an access token (encrypted at rest). If you connect repositories for deployment, we receive a separate repository access token (encrypted at rest) scoped to the permissions you authorize.
- Google: Your Google user ID.
We receive only the information within the scopes you explicitly authorize. We do not request or receive your passwords from these providers.
1.3 Server Information (Provided by You and Collected by Our Agent)
When you connect a server to the Service, we collect:
- Server connection details: IP address, SSH port, SSH username
- SSH keys: Generated by the Service and stored with AES-256-GCM encryption at rest
- Agent authentication tokens: Encrypted at rest
- System information (reported by the Agent): operating system name and version, hostname, timezone, CPU core count, total RAM, total disk space
1.4 Server Monitoring Data (Collected Automatically)
Our Agent software collects performance metrics from your servers at regular intervals:
- CPU utilization percentage
- RAM usage (used and total)
- Disk usage (used and total)
- Network traffic (bytes received and transmitted)
- System load averages (1-minute, 5-minute, 15-minute)
- Running process count
- Server uptime
Retention: Server monitoring data is retained for 30 days and then automatically purged.
1.5 Application Data
When you deploy or manage applications through the Service, we collect:
- Application names, types, and configuration settings
- Git repository URLs and branch names
- Deploy keys (encrypted at rest) and webhook secrets (encrypted at rest)
- Environment variables (encrypted at rest — decrypted only on your server at runtime)
- Build commands and deployment commands
- Deployment logs and history (including commit SHAs and messages)
- Domain names associated with your applications
1.6 Database Information
When you create or manage databases through the Service, we collect:
- Database names, types (MariaDB, PostgreSQL, MongoDB), and sizes
- Database user credentials (encrypted at rest)
1.7 Backup Configuration
When you configure backups, we collect:
- Backup schedules and retention settings
- Restic repository encryption passwords (encrypted at rest)
- Backup destination information (S3 bucket details, SFTP host information)
- Backup execution history and status
1.8 SSL Certificate Data
When you provision or manage SSL certificates, we collect:
- Certificate type (Let’s Encrypt or custom)
- Certificate issuer and expiration date
- File paths to certificates on your server
We do not store your SSL private keys in our database. Private keys reside solely on your servers.
1.9 SFTP Account Data
When you create SFTP accounts, we collect:
- SFTP usernames and passwords (encrypted at rest)
- Home directory paths
1.10 Billing Information
When you subscribe to the Service:
- Processed by Stripe: Full credit card numbers, CVVs, and complete payment card details are handled entirely by Stripe, Inc. We never store, process, or have access to your full payment card information.
- Stored by us: Stripe customer ID, Stripe subscription ID, subscription status, plan selection, and billing interval. We may also store the last four digits and brand of your payment method for display purposes.
1.11 Usage and Log Data (Collected Automatically)
We automatically collect:
- Audit logs: Records of actions you perform within the Service (e.g., creating a server, deploying an app), including the action type, resource affected, description, and metadata
- IP addresses and user agent strings associated with your sessions and actions
- Session data: Login timestamps, session duration, and last activity time
- Terminal session metadata: Session tokens, connected server, start and end times, and last activity (we do not log terminal command input or output)
- Feature request submissions and votes
- Support ticket content and attachments you submit
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Provision servers, deploy applications, manage databases, configure backups, issue SSL certificates, and perform all other functions of the Service
- Authenticate and secure your account: Verify your identity, enforce access controls, and protect against unauthorized access
- Process payments: Manage your subscription and process billing through Stripe
- Communicate with you: Send transactional emails (deployment notifications, monitoring alerts, billing receipts, security notices) and respond to support requests
- Maintain audit trails: Record actions for your security review and our operational integrity
- Improve the Service: Analyze usage patterns to identify bugs, improve performance, and develop new features
- Detect and prevent abuse: Identify violations of our Terms of Service and protect the integrity of the Service
- Comply with legal obligations: Respond to legal process, enforce our Terms, and protect our rights
We do not use your information for:
- Targeted advertising or ad profiling
- Selling to third parties
- Training machine learning models on your Content
3. Data Storage and Security
We implement the following security measures to protect your information:
3.1 Encryption at Rest
Sensitive data is encrypted using AES-256-GCM before storage, including:
- SSH private keys
- Agent authentication tokens
- GitHub and Google OAuth tokens
- Environment variables
- Database credentials
- SFTP passwords
- Restic backup passwords
- Webhook secrets
- Two-factor authentication secrets and recovery codes
3.2 Password Security
User passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
3.3 Infrastructure Security
- Database: PostgreSQL with encrypted connections
- Transport: All connections to the Service are encrypted via HTTPS/TLS
- Agent communication: Authenticated via bearer tokens and agent ID verification
- WebSocket connections: Secured via WSS (WebSocket Secure) through our self-hosted Laravel Reverb server
- Caching and queuing: Redis, self-hosted (not shared with third parties)
- CSRF protection: All state-changing requests are protected by CSRF tokens
3.4 Access Controls
- Role-based access control within Teams
- Row-level data isolation between Teams (enforced at the database level)
- API authentication via Sanctum personal access tokens
4. Data Sharing and Third Parties
4.1 Service Providers
We share information with the following third-party service providers solely to operate the Service:
| Provider | Data Shared | Purpose |
| --- | --- | --- |
| Stripe | Name, email, billing details | Payment processing |
| GitHub | OAuth profile, repository access (as authorized) | Authentication and CI/CD deployment |
| Google | OAuth profile | Authentication |
| Let’s Encrypt | Domain names | SSL/TLS certificate issuance |
| Email provider (configurable: AWS SES, Postmark, Resend, or SMTP) | Email addresses, notification content | Transactional email delivery |
4.2 What We Do Not Do
- We do not sell, rent, or trade your personal information to any third party.
- We do not share data with advertising networks.
- We do not use third-party analytics or tracking services.
- We do not profile you for marketing purposes.
- We do not access your server data beyond what is strictly necessary to provide the Service.
4.3 Legal Disclosure
We may disclose your information if required to do so by law, regulation, subpoena, court order, or other governmental request. We may also disclose information when we believe in good faith that disclosure is necessary to:
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or the public
- Detect, prevent, or address fraud, security, or technical issues
- Enforce our Terms of Service
5. Cookies and Tracking Technologies
We use only the following cookies, all of which are essential to the operation of the Service:
| Cookie | Purpose | Duration |
| --- | --- | --- |
| Session cookie | Authenticates your session | Expires on browser close or after inactivity |
| CSRF token | Protects against cross-site request forgery | Per session |
| Remember-me token | Maintains persistent login (optional, only if you choose “Remember Me”) | Up to 30 days |
We do not use:
- Third-party analytics cookies (e.g., Google Analytics)
- Advertising or retargeting cookies
- Tracking pixels or web beacons
- Any third-party tracking technologies
6. Data Retention
We retain your information for the following periods:
| Data Category | Retention Period |
| --- | --- |
| Account information | While your account is active, plus 30 days after deletion |
| Server monitoring stats | 30 days (automatically purged) |
| Audit logs | 90 days |
| Terminal session metadata | 30 days |
| Deployment logs | While the associated application exists |
| Backup history | While the backup configuration exists |
| Support tickets | While your account is active, plus 30 days after deletion |
| Billing records | 7 years (as required by tax and accounting law) |
| SSL certificate metadata | While the associated application exists |
After the applicable retention period, data is permanently deleted from our systems if explicitly requested, or at our discretion.
7. Your Rights
7.1 Rights Available to All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal information.
- Deletion: Request that we delete your account and associated personal information, subject to our retention obligations.
- Export: Request your data in a portable, machine-readable format.
- Objection: Object to specific uses of your personal information.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7.2 Additional Rights for EEA and UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the General Data Protection Regulation:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal
- Right to lodge a complaint with your local supervisory authority
Legal Bases for Processing:
| Legal Basis | Applies To |
| --- | --- |
| Performance of contract | Providing the Service, processing payments, account management |
| Legitimate interests | Security, fraud prevention, service improvement, audit logging |
| Consent | OAuth authentication, optional communications |
| Legal obligation | Tax record retention, responding to legal process |
7.3 Additional Rights for California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know what personal information we collect, use, and disclose
- Right to delete your personal information
- Right to opt out of the sale of personal information — we do not sell personal information
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
8. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your jurisdiction.
For users in the European Economic Area: where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers to the United States.
9. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age.
If we discover that we have inadvertently collected personal information from a child under 18, we will promptly delete that information from our systems. If you believe that a child under 18 has provided us with personal information, please contact us immediately at [email protected].
10. Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected users within 72 hours of becoming aware of the breach, consistent with GDPR requirements
- Provide notification via email or, in some cases, in-app notification
- Describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address and mitigate the breach
- Provide contact information for follow-up inquiries
Where required by law, we will also notify the relevant supervisory authorities.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at the address associated with your account at least 30 days before the changes take effect.
The “Last Updated” date at the top of this Privacy Policy indicates when the most recent revisions were made. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Server Host Inc
1309 Coffeen Ave STE 1200, Sheridan
WY - 82801, United States of America
Email: [email protected]
For GDPR-specific inquiries, please contact us at the same address. As our user base grows, we may appoint a dedicated Data Protection Officer and/or an EU representative, and will update this section accordingly.