This Privacy Policy explains what personal data PastePanel collects, why we collect it, how we process and protect it, how long we keep it, who we share it with, and the rights you have over it. It covers pastepanel.com, every domain connected through our service, and all associated applications, APIs, dashboards, emails, support channels, and ancillary services (together, the “Service”). This Privacy Policy forms part of, and should be read alongside, the Terms of Service.
1. Summary at a glance
- We collect the minimum data we need to operate your account, protect it, deliver the Service, and comply with the law — nothing more.
- We do not sell, rent, or trade personal data — not now, not ever. No data broker, no advertising network, no unnamed “partner” will receive your data from us.
- Your customers' data belongs to you. You are the data controller; we act strictly as your data processor. We never mine, profile, or cross-market end-customer data.
- You can delete everything at any time from the dashboard. Deletion is permanent and irreversible — we cannot recover it afterwards.
- We do not track you across the web. No third-party tracking cookies, no fingerprinting scripts, no analytics that profile individuals.
- We encrypt everything in transit and at rest, hash passwords with bcrypt, and operate multi-layered security defences.
- Contact: the in-app Support channel or, without an account, the contact page.
2. Definitions
For clarity throughout this document:
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined by the GDPR, UK GDPR, CCPA, LGPD, PDPA, or equivalent applicable law.
- “Account Holder” (or “you”) means the operator who signs up at pastepanel.com and manages one or more panels.
- “End-Customer” means a visitor or registered user of the panel you operate.
- “Controller” means the entity that determines the purposes and means of processing personal data.
- “Processor” means the entity that processes personal data on behalf of the controller.
- “Sub-processor” means a third party engaged by us to assist in processing personal data.
3. Who is responsible
PastePanel (“we”, “us”, “our”) is the data controller for information about Account Holders — the operators who sign up at pastepanel.com and manage panels through our Service.
For information about your End-Customers — the people who visit, register on, and purchase from panels you operate — you are the controller and we act exclusively as your processor. We process that data only in accordance with your instructions, this Privacy Policy, and the Data Processing Agreement described in Section 16.
If you are both an Account Holder and an End-Customer of another operator's panel, we may hold data about you in both capacities — your Account Holder data under our controllership and your End-Customer data under the other operator's controllership.
4. What we collect & why
4.1 Account registration data
When you create an account we collect your username, email address, and a hashed password. If you sign up using Google OAuth or Telegram Login we receive only the basic profile identifier those services return (typically a unique ID and email). We never receive or store passwords from third-party authentication providers.
You can later add optional profile information — a display name, avatar, short bio, country, timezone, and contact handles. All of these are voluntary and can be removed at any time.
4.2 Panel operational data
To operate your panel we store:
- The custom domains you connect and their DNS/SSL status.
- The services, categories, and pricing you configure.
- Orders placed on your panel by your End-Customers.
- Payment transactions settled through payment providers you configure.
- Support tickets you open or receive, including messages and attachments.
- Theme configuration, branding assets, notification preferences, and other settings you choose.
- API keys you generate and their usage metadata (not the key values themselves after initial display).
4.3 Security and audit telemetry
To protect accounts and the platform infrastructure, we automatically collect:
- Authentication events: successful and failed sign-in attempts, including source IP address, user-agent string, approximate geolocation (country/city level from IP), timestamp, and authentication method used.
- Administrative actions: timestamped logs of significant account operations (domain additions, settings changes, user management, payment configuration) for audit trail purposes.
- API request metadata: endpoint, HTTP method, response status code, request timestamp, source IP, and rate-limit counters — but not request or response bodies.
- Abuse-detection signals: behavioural anomalies, rate-limit triggers, brute-force attempt patterns, bot-detection signals, and DDoS traffic signatures.
- Server-side error logs: application error traces (with personal data scrubbed) used solely for debugging and maintaining Service reliability.
Security telemetry is retained for the shortest period compatible with investigating incidents — typically 90 days — and is used solely to protect accounts, detect abuse, maintain system integrity, and comply with legal obligations.
4.4 Communications data
We store the support tickets you open, our replies, and any file attachments you include. This data is retained for as long as your account exists plus a short post-closure retention window (see Section 7). We may also retain records of communications required for legal compliance.
4.5 Device and browser data
We collect limited technical data automatically transmitted by your browser: IP address, browser type and version, operating system, device type, screen resolution, language preference, and referring URL. This data is used for security (fraud detection, session validation), compatibility (rendering correctly on your device), and aggregate analytics (understanding which browsers and devices our users use, without identifying individuals).
4.6 End-Customer data (you are the controller)
If your panel collects End-Customer accounts, orders, payments, or personal information, that data resides inside your isolated tenant and is strictly separated from all other tenants on the platform at every layer — database, application, and cache. We implement this through:
- Row-level tenant isolation enforced at the ORM and raw SQL layers.
- Automatic tenant-scoping on every database query.
- Separate cache namespaces per tenant.
- Access controls that prevent any Account Holder from accessing another Account Holder's tenant data.
We never mine, profile, aggregate across tenants, or use End-Customer data for any purpose other than hosting, processing, securing, and backing it up on your behalf as processor.
4.7 Data we do NOT collect
For the avoidance of doubt, we do not collect:
- Biometric data (fingerprints, facial recognition, voiceprints).
- Precise GPS geolocation.
- Financial account numbers (bank accounts, credit card numbers) — payment processing is handled entirely by third-party payment providers you configure; card details never touch our servers.
- Health, genetic, or medical data.
- Political opinions, religious beliefs, trade-union membership, or sexual orientation.
- Data from children under 16 (see Section 14).
- Cross-site browsing history or activity on other websites.
5. Legal bases for processing (EEA / UK / equivalent frameworks)
Where the GDPR, UK GDPR, or equivalent data-protection law applies, we rely on the following bases:
| Purpose | Legal basis |
|---|---|
| Creating and operating your account; connecting domains; serving panels | Performance of a contract (Art. 6(1)(b) GDPR) |
| Two-step authentication, anti-abuse telemetry, security logging, fraud prevention | Legitimate interest in protecting accounts and infrastructure (Art. 6(1)(f)) |
| Transactional email (sign-in codes, deletion confirmations, ticket replies, security alerts) | Performance of a contract |
| Responding to legal requests, enforcing Terms, preventing fraud and abuse | Legal obligation (Art. 6(1)(c)) / legitimate interest |
| Processing personal data about your End-Customers on your behalf | Processor under your controller instructions (Art. 28) |
| Maintaining backups and disaster-recovery copies | Legitimate interest in Service continuity and data integrity |
| Aggregate analytics (non-identifying) to improve the Service | Legitimate interest in improving the Service |
| Communicating material Service changes, security advisories | Legitimate interest / performance of a contract |
Where we rely on legitimate interest, we have conducted a balancing test and determined that the processing does not override your rights and freedoms. You may request a copy of this assessment.
6. How we use your data
We process personal data for the following specific purposes:
- Account operation: authenticating you, maintaining your session, displaying your dashboard, and processing your instructions.
- Panel delivery: serving your panel to your End-Customers at your connected domains, including DNS verification, SSL issuance and renewal, and content delivery.
- Security: detecting and preventing unauthorised access, abuse, fraud, DDoS attacks, brute-force attempts, and other threats to the platform.
- Support: responding to your tickets, troubleshooting issues, and providing technical assistance.
- Transactional communications: sending you sign-in codes, two-factor authentication tokens, password reset links, security alerts, deletion confirmations, and ticket reply notifications.
- System maintenance: performing backups, applying security patches, monitoring system health, and recovering from incidents.
- Legal compliance: responding to lawful requests from authorities, enforcing our Terms, and fulfilling record-keeping obligations.
- Service improvement: using anonymised, aggregated data to understand usage patterns, identify bugs, and improve features — never using individually identifiable data for this purpose.
We do not use your data for: automated decision-making that produces legal effects; profiling for marketing purposes; selling to third parties; or training machine-learning models on your personal or End-Customer data.
7. Data retention
7.1 Active account
Account data, panel data, and End-Customer data are retained for as long as your account exists and is active.
7.2 Account deletion
When you delete your account or a panel from the dashboard:
- All panel content — admin users, End-Customer accounts, orders, payments, tickets, services, categories, branding assets, API keys, and configuration — is permanently and irreversibly erased from primary storage immediately.
- Encrypted backup copies cycle out automatically within the backup retention window (currently 30 days). During this window, the deleted data exists only in encrypted backup archives and is not accessible to any person or system for operational purposes.
- Security and audit logs referencing the account are anonymised or deleted within 90 days of account deletion.
- Anonymised or aggregated statistical data (for example, total order counts) that cannot be used to identify any individual may be retained indefinitely.
7.3 Security and audit logs
Retained for 90 days from the date of the event, unless an active security investigation or legal obligation requires a longer period. Logs are automatically purged after the retention period expires.
7.4 Support tickets
Retained for as long as the account exists. After account deletion, ticket content is erased along with other account data.
7.5 Backups
Rolling encrypted daily backups are stored on separate infrastructure with automatic expiry within 30 days. Backups are encrypted at rest with AES-256 and are used solely for disaster recovery — not for analytical, commercial, or other secondary purposes.
7.6 Legal holds
Where applicable law requires longer retention (for example, tax regulations, anti-fraud requirements, or court orders), we retain only the specific data the law requires, for only as long as it requires, and isolate it from general access.
8. Who we share data with
We share personal data only with the sub-processors strictly necessary to operate the Service, each bound by confidentiality and data-protection commitments at least as protective as this Policy:
8.1 Infrastructure providers
Hosting, compute, and network infrastructure providers that run our servers. These providers process data on our instructions and do not have independent access to your data for their own purposes.
8.2 Transactional email
A reputable third-party transactional email provider, used exclusively for delivering sign-in codes, two-factor tokens, deletion confirmations, security alerts, and ticket reply notifications. The provider processes only the email address and message content needed for delivery.
8.3 Certificate authorities
Publicly trusted certificate authorities issue and renew SSL/TLS certificates for the domains you connect. Only the domain name is shared; no personal data is transmitted.
8.4 Push-notification provider
A third-party push service is used only where your panel explicitly opts in to browser push notifications. Only a device token and notification payload are transmitted.
8.5 Payment providers
The payment providers you enable for your panel process payment data directly with your End-Customers. Card numbers, bank account details, and other financial credentials never touch or pass through PastePanel's servers. Each payment provider operates under its own privacy policy and terms.
8.6 DNS providers
Domain verification may involve querying public DNS infrastructure. Only domain names (not personal data) are transmitted.
8.7 Situations where we may disclose data
Beyond the sub-processors listed above, we may disclose personal data only in the following narrow circumstances:
- Law enforcement and legal process: where required by a valid court order, subpoena, warrant, or binding legal obligation in the applicable jurisdiction. We will notify you before disclosure unless prohibited by the legal process itself (e.g., a gag order).
- Imminent safety threat: where we reasonably believe disclosure is necessary to prevent death, serious physical injury, or a serious threat to the security of the Service or its users.
- Corporate transactions: in connection with a merger, acquisition, bankruptcy, or sale of substantially all assets, provided the successor entity is bound by privacy protections at least as strong as this Policy. We will notify you in advance of such a transfer.
- With your explicit consent: for any purpose you expressly authorise.
We never sell personal data. We do not run advertising on the platform. We do not share data with advertising networks, data brokers, or marketing companies.
9. Cookies and similar technologies
9.1 Cookies we use
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Authenticates your session and maintains login state | Session / configurable expiry | Strictly necessary |
| CSRF token | Prevents cross-site request forgery attacks | Session | Strictly necessary |
| Trusted-device cookie | Remembers a device after successful 2FA so you are not challenged every visit | 30 days | Strictly necessary |
| Theme/preference cookie | Remembers your display preferences (theme, language) | 1 year | Functional |
9.2 What we do NOT use
- No third-party tracking cookies.
- No advertising cookies or pixels.
- No analytics cookies that profile individuals across websites.
- No browser fingerprinting scripts.
- No invisible tracking pixels in emails (beyond basic delivery confirmation by the email provider).
Because we use only strictly necessary and functional cookies, no cookie consent banner is required under most frameworks. We include this section for full transparency.
9.3 Local storage
We may use browser local storage to remember non-sensitive UI preferences (such as a selected tab or collapsed sidebar state). This data never leaves your browser and is not transmitted to our servers.
10. International data transfers
Data may be processed in countries other than the one you reside in. Where we transfer personal data out of the European Economic Area (EEA), the United Kingdom, or Switzerland to a third country that does not have an adequacy decision from the European Commission or UK authorities, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs): the European Commission's approved clauses, including the supplementary measures recommended by the EDPB.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, where applicable.
- Encryption in transit and at rest: ensuring data is unreadable even if intercepted during transfer.
You may request a copy of the applicable transfer mechanism by contacting us.
11. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We honour them regardless of legal obligation where reasonable and technically feasible:
11.1 Rights under GDPR / UK GDPR
- Right of access (Art. 15): obtain confirmation of whether we process your personal data and, if so, receive a copy of it.
- Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): request deletion of your personal data, subject to legitimate retention obligations.
- Right to restriction (Art. 18): request that we limit the processing of your data in specific circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object (Art. 21): object to processing based on legitimate interest, including profiling (we do not profile).
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint: with your local supervisory authority (for example, the UK ICO, the CNIL in France, or your national DPA in the EEA).
- Right not to be subject to automated decision-making (Art. 22): we do not make automated decisions with legal or similarly significant effects about you.
11.2 Rights under CCPA / CPRA (California)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you additional rights:
- Right to know: what personal information we collect, use, disclose, and sell (we sell nothing).
- Right to delete: request deletion of your personal information.
- Right to opt-out of sale/sharing: we do not sell or share (as defined by CCPA) personal information, so there is nothing to opt out of.
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
- Right to correct: correct inaccurate personal information.
- Right to limit use of sensitive personal information: we do not collect sensitive personal information as defined by CCPA.
11.3 Rights under LGPD (Brazil)
If you are a Brazilian resident, the Lei Geral de Proteção de Dados grants you rights including: confirmation of processing, access, correction, anonymisation, portability, deletion, information about sharing, information about consent denial consequences, and consent revocation.
11.4 Rights under PDPA (Southeast Asia)
If you are a resident of Thailand, Singapore, or another jurisdiction with a Personal Data Protection Act, you have equivalent rights to access, correction, deletion, restriction, and portability as described above.
11.5 How to exercise your rights
Most rights can be exercised directly from the dashboard: you can edit your profile, change your email, enable or disable features, delete your account, and export the data associated with it. For anything you cannot do in-app, send us a ticket at /panels/support with the subject line “Privacy Rights Request” and we will respond within:
- 30 days for EEA/UK requests (extendable by 60 days for complex requests, with notice).
- 45 days for CCPA requests (extendable by 45 days with notice).
- 15 days for LGPD requests.
We may need to verify your identity before processing certain requests. We will never charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.
12. Do Not Track signals
Some browsers send a “Do Not Track” (DNT) signal. Since we do not track users across third-party websites and do not serve targeted advertising, our Service behaves the same way regardless of whether a DNT signal is received.
13. Email communications
We send only transactional and security-related emails:
- Sign-in verification codes and two-factor authentication tokens.
- Password reset links.
- Account deletion confirmations.
- Security alerts (unusual sign-in activity, password changes, new device detections).
- Support ticket reply notifications.
- Critical Service announcements (security advisories, Terms changes, scheduled maintenance).
We do not send marketing emails, promotional newsletters, product recommendations, or third-party offers. There is no marketing email list to unsubscribe from because none exists.
14. Children's privacy
The Service is not directed at children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has created an account or provided personal data to us, please contact us immediately. We will verify the situation and promptly delete all data associated with the child's account.
As an Account Holder, you are responsible for ensuring that your panel complies with applicable child protection laws, including COPPA (US), the UK Age Appropriate Design Code, and equivalent frameworks.
15. Security practices
Defence in depth is a core design requirement of the Service, not an add-on or upsell. Our security measures include but are not limited to:
15.1 Encryption
- In transit: all connections to the Service are encrypted using TLS 1.3 with modern cipher suites. Older TLS versions (1.0, 1.1) are not supported. HTTP connections are automatically redirected to HTTPS.
- At rest: all data at rest is encrypted using AES-256 encryption, including databases, file storage, and backup archives.
15.2 Authentication security
- Passwords are hashed using bcrypt with per-user random salts and constant-time verification. We never store passwords in plain text.
- Two-factor authentication (2FA) via authenticator app (TOTP) or email code is available and strongly recommended.
- Trusted-device memory reduces friction for verified devices while maintaining security.
- Progressive rate limiting and exponential backoff on failed authentication attempts.
- Automatic account lockout after repeated failed attempts, with email notification.
15.3 Infrastructure security
- Tenant isolation: strict multi-tenant isolation at the database (row-level security), application (ORM query scoping), and cache (namespace separation) layers.
- DDoS protection: multi-layer filtering at L3/L4 (network/transport) and L7 (application) with automatic traffic analysis, intrusion detection, and adaptive blocking.
- Web Application Firewall (WAF): protection against OWASP Top 10 vulnerabilities including SQL injection, XSS, CSRF, and request smuggling.
- Rate limiting: per-IP and per-account rate limits on all endpoints to prevent abuse.
- Intrusion detection: automated monitoring for suspicious patterns with real-time alerting.
- Network segmentation: databases and internal services are not exposed to the public internet.
15.4 Operational security
- Automatic daily encrypted backups stored on separate infrastructure.
- Continuous security patching of the operating system, runtime, and all dependencies.
- Principle of least privilege for all internal access.
- Comprehensive audit logging of all administrative and security-relevant actions.
- Secure software development practices including input validation, parameterised queries, output encoding, and CSRF protection.
15.5 Incident response
Despite our best efforts, no service is invulnerable. If we become aware of a personal data breach:
- We will assess the scope and severity within 24 hours of discovery.
- If the breach is likely to result in a risk to your rights and freedoms, we will notify affected Account Holders without undue delay.
- Where required by law (e.g., GDPR Article 33), we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
- We will provide details of the breach, the data affected, the measures taken to contain it, and recommendations for steps you can take to protect yourself.
16. Data Processing Agreement (DPA)
Where GDPR, UK GDPR, or an equivalent framework applies to the personal data of your End-Customers that flows through the panel you operate, the following provisions constitute our Data Processing Agreement with you:
- Subject matter and duration: we process End-Customer personal data for the duration of your use of the Service, for the sole purpose of hosting and operating your panel.
- Nature and purpose: storage, retrieval, display, transmission, and backup of End-Customer data as necessary to deliver the Service.
- Types of data: as determined by your panel configuration — typically End-Customer usernames, email addresses, order history, and payment transaction references.
- Controller instructions: we process End-Customer data only on your documented instructions, which are embodied in the Service configuration and these Terms.
- Confidentiality: all personnel with access to personal data are bound by confidentiality obligations.
- Security measures: as described in Section 15 of this Privacy Policy.
- Sub-processors: we use the sub-processors listed in Section 8. We will inform you of any intended additions or replacements, giving you reasonable opportunity to object.
- Data subject rights: we will assist you in responding to data-subject rights requests by providing technical tools and reasonable cooperation.
- Breach notification: we will notify you without undue delay after becoming aware of a personal data breach affecting your End-Customer data.
- Deletion and return: upon termination of the Service or at your request, we will delete all End-Customer data as described in Section 7.2, or return it to you in a machine-readable format upon request before deletion.
- Audits: we will make available to you all information necessary to demonstrate compliance with our processor obligations, and allow for and contribute to audits, including inspections, conducted by you or your designated auditor.
A formal, separately signed DPA addendum is available upon request for Account Holders who require it for their own compliance programmes.
17. Third-party links and services
The Service may contain links to third-party websites or integrate with third-party services that you choose to enable. This Privacy Policy applies only to the Service. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party service before providing personal data to it.
18. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices, the law, or the Service. When we do:
- Minor changes (clarifications, formatting, grammatical corrections that do not affect your rights) will be posted here with an updated “Last updated” date.
- Material changes (new data collection, new sharing, changes to retention, changes to your rights) will be announced on “What's new”, in the dashboard notification system, or by email, at least 14 days before they take effect.
If you disagree with a material change, you may delete your account before the change takes effect. Continued use of the Service after a change takes effect constitutes acceptance of the updated Privacy Policy.
19. Jurisdiction-specific disclosures
19.1 European Economic Area & United Kingdom
You have the rights described in Section 11.1. Our legal bases are described in Section 5. For international transfers, see Section 10. To lodge a complaint, contact your national data protection authority.
19.2 California, United States
Under the CCPA/CPRA: we do not sell personal information; we do not share personal information for cross-context behavioural advertising; we do not collect or use sensitive personal information beyond what is necessary to provide the Service. See Section 11.2 for your rights.
19.3 Brazil
Under the LGPD: your rights are described in Section 11.3. Our legal bases for processing are equivalent to those described in Section 5 and include consent, contract performance, legitimate interest, and legal obligation.
19.4 Other jurisdictions
If you reside in a jurisdiction with data-protection legislation not specifically addressed above (for example, Canada's PIPEDA, Australia's Privacy Act, Japan's APPI, South Korea's PIPA, India's DPDP Act), we will honour your applicable rights to the extent required by your local law. Contact us for jurisdiction-specific inquiries.
20. Data protection officer
Given the nature and scale of our processing, we have not appointed a formal Data Protection Officer (DPO) at this time. All privacy-related inquiries are handled by the PastePanel team with appropriate expertise and authority. Should our processing activities require a DPO in the future, we will appoint one and update this section accordingly.
21. Contact us
For privacy questions, data-subject rights requests, DPA inquiries, or to report a security concern, reach the PastePanel team through:
- The in-app Support channel (recommended — fastest response).
- The contact page if you do not yet have an account.
We aim to acknowledge all privacy-related inquiries within 48 hours and to provide a substantive response within the legally required timeframe for your jurisdiction.
Plain-English summary: we keep the minimum we need, we don't sell your data, we encrypt everything, we isolate every tenant, we back it up daily, you own your data and can delete it any time, and we'll tell you quickly if anything goes wrong. We honour privacy rights from every major jurisdiction. The formal text above controls where it conflicts with this summary.