Privacy Policy
Last updated: 2026-06-13.
This is an English translation of the Dutch privacy policy. In case of any discrepancy, the Dutch version prevails.
Netlonics takes your privacy seriously. This policy explains which personal data we process, why, how long we retain it, and what rights you have. Questions? Email [email protected].
1. Who is responsible?
Netlonics, established in Almelo, the Netherlands, is the controller for the personal data processed via netlonics.com and the associated dashboards. For the legal basics (KvK number, VAT, registered address), see our Imprint.
2. Which data do we process?
2.1 Account data
- Name (first and last name)
- Username
- Email address
- Password (stored hashed via bcrypt — we cannot read it ourselves)
- Optional: avatar and display preferences
2.2 Billing data
- Full name or company name
- Billing address
- VAT number (for business customers within the EU)
- Country — for correct VAT handling
2.3 Payment data
- We do not process card numbers or bank account numbers ourselves. Full payment processing runs through our external payment provider.
- We retain only the payment reference, the amount paid, the status, and the payment method category (e.g. "iDEAL", "credit card").
2.4 Service data
- Which Pack and tier you purchased
- Server UUID, region, allocated resources (CPU, RAM, disk)
- Resource usage (snapshots every few minutes for the dashboard)
- Console output from the game server — for troubleshooting and showing the live console in your dashboard
- File names and sizes of uploads (world files, mods, plugins). We see the contents of those files only insofar as you actively place them on the Server, not at our side.
2.5 Communication data
- Support tickets and any attachments submitted with them
- Chat conversations with our chat assistant (see § 4)
- Email correspondence with
[email protected]
2.6 Technical data
- IP address on every pageview and every API call (for security, rate limiting and abuse prevention)
- Browser integrity signals used by Cloudflare Turnstile to distinguish humans from automated abuse on login, registration and contact forms
- User-Agent / browser information
- Time and path of the visit
- Error messages and stack traces (only when something goes wrong in the application, see § 4)
2.7 Cookies and similar technology
See our Cookie Policy for the full list and categories. Short summary: only necessary cookies are enabled by default; analytics and marketing cookies require your consent.
2.8 Waitlist / notify-me data
For a game or product that is not live yet, you can leave your email address to be told when it becomes available. We then keep: your email address, your language preference, the moment you gave consent, a hashed version of your IP address (to prevent abuse), any campaign attribution (utm parameters), and — if you are signed in — a link to your account. Joining is entirely optional and happens only on the basis of your explicit consent via the checkbox on the form; you can opt out at any time.
3. Why do we process this data?
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Performing the Agreement (account creation, server provisioning, support) | Performance of contract (art. 6(1)(b)) |
| Invoicing and processing payments | Performance of contract + legal obligation (b + c) |
| Compliance with the Dutch tax retention obligation (7 years, art. 52 AWR) | Legal obligation (c) |
| Security, fraud and abuse prevention, rate limiting | Legitimate interest (f) |
| Troubleshooting and application stability | Legitimate interest (f) |
| Statistics and usage analysis (cookies) | Consent (a) |
| Marketing-related cookies / personalisation | Consent (a) |
| Notifying you when an announced product launches (waitlist) | Consent (a) |
| Improving the chat assistant and the Service | Legitimate interest (f), with opt-out |
We do not sell personal data. We do not share it for third-party marketing.
4. Who do we share data with?
Running the Service requires a handful of external technical providers. We are your point of contact; the suppliers behind us only receive what they minimally need to do their job, and are contractually bound to confidentiality and appropriate security.
By category:
- Payment processing — our payment provider handles card and bank data directly; we receive only a reference, amount and status.
- Transactional email — to deliver welcome, invoice and password-reset emails to your inbox.
- Hosting infrastructure — EU-based data centre and network providers where our servers physically run.
- DNS, CDN, DDoS protection and bot prevention — for availability and protection of netlonics.com. On login, registration and contact forms we use Cloudflare Turnstile in invisible mode. Turnstile may process technical browser and request signals to verify that a visitor is human without showing a visible challenge. This use is subject to Cloudflare's Turnstile Privacy Addendum.
- Error monitoring — anonymised stack traces when something goes wrong in the application, without passwords, payment data or world files.
- Analytics — only after your consent via the cookie banner, see Cookie Policy.
- Chat assistant — if you use the dashboard chat, your question is sent to an AI service to generate a response. When you are signed in, we may also send a limited read-only summary of your own services, recent tickets and recent invoices so the assistant can answer account-specific support questions. We do not send passwords, payment-method details, server files or world data, and the service does not use API input for model training.
An up-to-date list of the specific suppliers behind each category is available on request via [email protected]. We do not sell personal data and do not share it for third-party marketing.
Pursuant to a court order, a demand from Dutch law enforcement, or a similar legal obligation, we may share personal data with the competent authority. We do not provide more than legally required.
5. Retention periods
| Data | Period |
|---|---|
| Account data | As long as the account is active. After deletion: max. 30 days in backups |
| Server data (world files, configs, back-ups) | During the Agreement + 14 days after termination (see ToS § 11) |
| Invoices and invoice-related data | 7 years (Dutch tax retention obligation, art. 52 AWR) |
| Communication (support tickets, email) | 3 years after the last interaction |
| Waitlist signups (notify-me) | Until the product launches and we have notified you, or until you withdraw consent — at most 24 months |
| Access logs and security logs | 90 days |
| Error reports in monitoring | 90 days |
| Cookies | See Cookie Policy |
6. International transfers
Primary processing takes place within the EU/EEA. Some of our suppliers are American companies with EU establishments. For transfers outside the EEA we rely on the EU–US Data Privacy Framework (DPF) for parties certified under it, and on Standard Contractual Clauses (Decision 2021/914) for the remaining transfers.
7. Security
We take appropriate technical and organisational measures to protect your data:
- TLS 1.3 for traffic between your browser and our servers.
- Passwords are stored hashed (bcrypt).
- Production system access via SSH with keys, no passwords.
- Limited number of administrators with access, logged via an audit log.
- Regular back-ups and software updates.
No security is 100%. In case of a data breach posing a risk to your rights and freedoms, we will notify you and the Dutch Data Protection Authority within 72 hours of discovery, in line with GDPR articles 33 and 34.
8. Your rights
Under the GDPR you have the right to:
- Request access to the data we process about you. You can download a direct data export via your dashboard (
/account/data-export). - Request correction when data is incorrect or incomplete — most of which you can edit yourself in your dashboard.
- Request erasure ("right to be forgotten"). Note: invoices are retained for 7 years under tax law.
- Request restriction of processing.
- Data portability (in a common format — we provide JSON via the data export).
- Object to processing based on legitimate interest.
- Withdraw consent for cookies and marketing at any time, via the "Manage cookies" link in the footer.
Send requests to [email protected]. We respond within one month (extendable to 3 months for complex requests). We may verify your identity before processing.
Complaint? If you feel we do not handle your data correctly, you can lodge a complaint with the Dutch Data Protection Authority (https://autoriteitpersoonsgegevens.nl).
9. Children
Our Service is not specifically aimed at children under 16, but we know that many young players want to host Minecraft servers. For customers under 16, consent from a parent or legal guardian is required. See our Information for parents page for more.
10. Changes to this policy
We may amend this privacy policy when our service offering changes or legislation requires it. Material changes are announced 30 days in advance via email or dashboard. The date at the top of this page reflects the most recent change.
11. Contact
For all privacy questions, complaints and GDPR requests:
- Email:
[email protected] - By post: see Imprint
We have not (due to our size) appointed a formal data protection officer; all requests go via the address above.