Privacy Policy.
Plain-language version: we collect what we need to run your domain, hosting, and email. We don't sell it, don't track you across the internet, don't build profiles. You can ask for a copy of your data or deletion at any time.
This policy explains what information Firmcrate ("we") collects, how we use it, and the rights you have over it. Firmcrate is a sole proprietorship based in Paramaribo, Suriname.
1. What we collect
You give us directly when you sign up:
- Business name, contact name, billing address
- Email address and phone number
- Preferred domain name and desired email addresses
- Any content you upload to your hosting account
Paddle (our Merchant of Record) collects for payment processing:
- Payment card details (Paddle stores these — we never see card numbers)
- Billing country, tax ID where applicable
- Transaction history
Collected automatically when you use the site or service:
- IP address, browser type, device identifiers (standard web server logs)
- Pages visited and actions taken on firmcrate.com
- Email delivery logs (bounces, opens on marketing emails only)
2. How we use it
We use the information to:
- Provide the Service (register domains, provision hosting, set up email)
- Send you operational emails (welcome, billing notices, incident alerts)
- Respond to support requests
- Comply with legal obligations (tax reporting, abuse response, law-enforcement requests)
- Improve the service (aggregated analytics only — we do not build profiles on individual buyers)
We do not:
- Sell or rent your data
- Share your data with advertisers
- Use your hosted content or email content for any purpose beyond storing and delivering it
3. Who we share it with
We share the minimum necessary data with:
- Paddle.com Inc. — payment processing, tax, invoicing. Paddle's privacy policy: paddle.com/legal/privacy
- Namecheap Inc. — domain registration. Registrant details are required by ICANN and forwarded to Namecheap as the registrar.
- Our hosting provider — server infrastructure for your site and email
- Zoho Mail — operational email ([email protected] inbox; your mailboxes are hosted separately)
- Law enforcement or courts — only when legally compelled, and we will notify you where legally permitted
All subprocessors are bound by data-processing terms at least as protective as this policy.
4. Where data is stored
- Customer records and billing data: stored in services operated by Paddle (US/EU) and our operations database (hosted in the EU)
- Website files and email: stored on hosting infrastructure in the US or EU, depending on the datacenter assigned to your account
- Server logs: 30 days, then purged
If you are in the EEA, UK, or Switzerland, transfers outside your region rely on Standard Contractual Clauses (SCCs) where required.
5. How long we keep it
- Account data: for as long as your subscription is active, plus 12 months after cancellation for tax/legal records
- Website and email content: deleted 30 days after subscription ends, unless you request earlier deletion
- Server logs: 30 days
- Payment records (Paddle): per Paddle's retention policy, typically 7 years for tax compliance
6. Your rights
Regardless of where you live, you can:
- Request a copy of the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and data (subject to tax-record retention obligations)
- Object to or restrict specific types of processing
If you're in the EEA, UK, or Switzerland (GDPR), you also have the right to lodge a complaint with your national data protection authority.
If you're in California (CCPA/CPRA), you have the rights above plus the right to know and the right to non-discrimination for exercising them. We do not "sell" personal information as defined by CCPA.
To exercise any right, email [email protected] from the email address on your account. We respond within 30 days.
7. Cookies and tracking
firmcrate.com uses minimal cookies:
- Essential: session cookies for logged-in account access
- Analytics: a privacy-respecting analytics tool (Plausible or similar — no third-party tracking, no personal identifiers)
We do not use advertising cookies, Facebook Pixel, or Google Ads retargeting.
8. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from children. If we learn we have, we will delete it.
9. Security
We protect data with:
- HTTPS across all pages and login flows
- Encrypted storage of credentials
- Access controls limiting staff access to customer data (currently: operator only)
- Regular software updates on hosting infrastructure
No system is 100% secure. If we discover a breach affecting your data, we will notify you by email within 72 hours of confirmation and describe what happened and what we're doing about it.
10. Changes
We may update this policy. We will notify you of material changes by email at least 30 days before they take effect. Trivial changes (typos, clarifications) we post without notice.
11. Contact
Data controller: Firmcrate (sole proprietorship)
Paramaribo, Suriname
Email: [email protected]
For GDPR or CCPA requests, reference this policy in your subject line.