Operational policy
Privacy Policy
What the operator collects from a subscriber, how long the operator keeps it, what third parties see it, and the data-protection rights of subscribers in the EEA, Switzerland, and the United Kingdom. First-draft copy pending counsel review.
The privacy policy is the document that sets out the operator’s data-protection practices in relation to the personal data of subscribers and prospective subscribers. The policy is published in plain editorial English in preference to the boilerplate register that the commercial-hosting industry has gravitated toward, on the view that an obligation that turns on the subscriber’s understanding of how the operator handles the subscriber’s data should be expressed in language the subscriber can read. The substantive content of the policy — the data the operator collects, the periods for which the operator retains the data, the third parties who see it, and the rights the subscriber has against the operator in respect of the data — is binding on the operator and forms an integral part of the contractual terms set out at /legal/tos.
The operator’s overall posture on personal data is to collect the minimum that is operationally necessary to provide the service and to discharge the operator’s legal obligations under the law of its filing jurisdiction. The anonymous-signup posture documented on the /principles page and the relevant product pages is the substantive expression of that posture: the operator does not require a legal name, a government-issued identifier, or any other piece of know-your-customer information as a precondition for the establishment of a subscriber’s account. The operator’s data-collection footprint flows from that posture and is described below.
1. Data the operator collects
The operator collects the following categories of personal data in connection with the service.
1.1 Account email address
The subscriber’s contact email address is the operator’s primary contact channel for the service. The operator stores the email address on its systems for the duration of the subscriber’s account plus a minimal post-closure period as required by the operator’s tax and audit obligations. The operator does not require the email address to be a personal email address; the subscriber may use a pseudonymous mailbox, an alias, or a Tor-hidden-service mail provider, and the operator’s systems do not perform reverse-lookups, deliverability scoring, or behavioural profiling on the email address. The operator does not transmit the email address to any third party for marketing purposes and does not share the email address with the operator’s network of sibling brands.
1.2 Billing record
The operator retains a record of each invoice issued to the subscriber, the payment received against the invoice, and the cryptocurrency wallet address (where applicable) the payment originated from or was returned to. The retention period for the billing record is seven years from the date of the relevant invoice, in line with the standard tax-audit retention norm in the operator’s filing jurisdiction. The operator does not voluntarily disclose the billing record to any third party other than the operator’s appointed accountants for the purposes of tax-return preparation; the operator does, however, comply with a court order from a court of competent jurisdiction in the operator’s filing jurisdiction that orders the disclosure of the billing record to a party with a legal claim to it.
1.3 IP address at signup
The IP address from which the subscriber’s account was created is logged at the point of account creation. The operator’s rationale for the log is the operator’s incident-response need to correlate suspected abuse to the originating account; the operator’s posture on the log is that the field is reviewed only in the course of a substantive abuse-response review and is not used for behavioural profiling, geolocation marketing, or any analytics purpose. The retention period for the signup-IP log is thirty days, after which the field is overwritten with a null value in the operator’s account record.
1.4 Server access logs
The operator’s web server, mail server, and customer-portal server retain access logs for operational purposes — the diagnosis of incidents, the detection of abuse against the operator’s own infrastructure, and the operator’s own compliance with security-monitoring norms in the operator’s filing jurisdiction. The default retention period for access logs is thirty days; subscribers on plans with extended-retention add-ons may have a longer period, which is disclosed on the relevant product page. The operator does not aggregate access logs across subscribers for marketing purposes and does not transmit access logs to any third-party analytics platform.
1.5 Subscriber content
The data the subscriber stores on the infrastructure is subscriber content, not data the operator collects from the subscriber for its own purposes. The operator does not assert ownership of subscriber content and does not access subscriber content other than in the limited circumstances set out in the acceptable use policy at /legal/aup (substantive abuse-complaint review, court order, automated abuse-signal investigation, emergency public-safety circumstance). The operator’s data-protection obligations in respect of subscriber content are limited to the obligations of a processor where the subscriber is a controller in respect of the content; where the subscriber is processing third-party personal data on the infrastructure, the subscriber is responsible for the controller-side obligations of the relevant data-protection regime.
1.6 Plausible self-host analytics
The operator’s website analytics are collected by a self-hosted Plausible instance dedicated to the OffshorePress site. Plausible does not set cookies, does not store IP addresses, and does not perform cross-site tracking. The operator’s analytics dashboard records page views, referrers, and aggregate browser/operating-system metadata, in a form that the operator considers compatible with the GDPR and the Swiss revFADP without the requirement of a consent banner. The operator does not run Google Analytics, Adobe Analytics, or any third-party analytics service on the OffshorePress site.
2. Third parties who see subscriber data
The operator engages the following categories of third party in connection with the service. The operator’s contracts with each category are written to limit the third party’s processing to the operator’s instructions and to require the third party to implement the security measures the operator considers proportionate to the risk.
The operator’s data-centre providers in Iceland and Switzerland have physical access to the servers the operator runs in their facilities. The operator’s contracts with the providers limit the providers’ access to physical-maintenance access (replacing failed disks, replacing failed power supplies) and do not extend to logical access to the servers’ file systems. The operator runs full-disk encryption on every server and the providers do not hold the encryption keys.
The operator’s carrier providers carry the operator’s traffic across their networks. The operator’s contracts with the carriers do not give the carriers logical access to the operator’s servers. The carriers see the operator’s traffic in transit on their networks; the operator’s encryption-in-transit posture (TLS for all subscriber-facing services, IPsec or WireGuard for inter-data-centre traffic) limits what the carriers see to the metadata of the traffic flows.
The operator’s appointed accountants see the operator’s billing record for the purposes of preparing the operator’s tax returns. The operator’s contract with the accountants binds them to the operator’s confidentiality requirements and to their professional confidentiality obligations under the law of the accountants’ jurisdiction.
The operator’s outside counsel sees subscriber data only in the limited circumstances in which counsel is engaged on a matter that requires it — the response to a court order, a litigation matter, a regulatory inquiry. Counsel’s access is governed by the legal-professional-privilege framework of counsel’s jurisdiction.
The operator does not transmit subscriber data to any third-party marketing service, behavioural-profiling service, or advertising platform. The operator does not transmit subscriber data to the operator’s own sibling brands; the operator’s network of sibling brands does not share an analytics ID, a customer database, or a subscriber-correspondence pipeline.
3. Retention
The retention periods set out above are the operator’s default retention periods. The operator does not retain personal data beyond the relevant period; the operator’s data-retention automation runs daily and overwrites or deletes records that have aged beyond the retention period. The operator does not maintain a retain-everything posture on its operational systems and does not maintain warm or cold archives of personal data outside the retention windows above.
A subscriber who closes the account triggers the post-closure deletion of the subscriber’s data on the operator’s systems. The operator retains the closed-account record (the email address, the closure date, the outstanding-balance flag) for the post-closure period required by the operator’s tax obligations; the rest of the subscriber’s data is irreversibly deleted within thirty days of closure.
4. Rights of EEA, Swiss, and UK subjects
A subscriber who is a natural person located in the European Economic Area (which includes Iceland, where the operator runs hosting capacity), in Switzerland, or in the United Kingdom has the rights enumerated below in respect of the personal data the operator holds about the subscriber. The rights are set out in Articles 15-22 of the EU General Data Protection Regulation, in the corresponding articles of the Swiss revised Federal Act on Data Protection (revFADP) which came into force in September 2023, and in the corresponding articles of the UK General Data Protection Regulation as adopted by the United Kingdom on 1 January 2021.
4.1 Right of access (Article 15)
The subscriber has the right to obtain confirmation from the operator as to whether the operator is processing personal data about the subscriber and, where the operator is processing such data, a copy of the data and the categories of recipients to whom the data has been disclosed. The operator processes such requests within thirty days of receipt at the contact form at /contact. The operator does not charge a fee for the first request in any twelve-month rolling window.
4.2 Right to rectification (Article 16)
The subscriber has the right to obtain from the operator the rectification of inaccurate personal data and the completion of incomplete personal data. The operator’s account-portal interface allows the subscriber to update the contact email address directly; rectification of any other field that the operator holds proceeds via the contact form at /contact.
4.3 Right to erasure (Article 17)
The subscriber has the right to obtain from the operator the erasure of personal data concerning the subscriber where the data is no longer necessary for the purposes for which it was collected, where the subscriber withdraws consent on which the processing is based and there is no other legal ground for the processing, or where the data has been unlawfully processed. The operator’s deletion responses are limited by the operator’s tax-retention obligation in respect of the billing record (which the operator considers a legal obligation under Article 17(3)(b)) and by any pending legal-process matter that requires the operator to retain the data.
4.4 Right to restriction of processing (Article 18)
The subscriber has the right to obtain from the operator the restriction of processing in the circumstances set out in Article 18.
4.5 Right to data portability (Article 20)
The subscriber has the right to receive the personal data the operator holds about the subscriber in a structured, commonly used, machine-readable format and to transmit those data to another controller. The operator accepts portability requests at the contact form at /contact and fulfils them in JSON or CSV format; the operator does not impose a transmission-format requirement on the receiving controller.
4.6 Right to object (Article 21)
The subscriber has the right to object at any time to the processing of the subscriber’s personal data on the basis of legitimate interest, where such processing is for direct-marketing purposes (which the operator does not conduct in respect of the subscriber’s data) or for any other purpose under Article 21.
4.7 Rights in relation to automated decision-making (Article 22)
The operator does not subject subscribers to any decision based solely on automated processing that produces legal effects concerning the subscriber or significantly affects the subscriber. The operator’s abuse-response decisions are made by the operator’s incident-response staff under the process set out in the acceptable use policy at /legal/aup.
4.8 Right to lodge a complaint with a supervisory authority
A subscriber who considers that the operator has not complied with the operator’s obligations under the relevant data-protection regime has the right to lodge a complaint with the supervisory authority of the subscriber’s jurisdiction. The operator encourages the subscriber to raise the matter at the contact form at /contact in the first instance so the operator has an opportunity to address the matter directly.
5. No third-party trackers
The operator does not embed any third-party tracker, pixel, fingerprinting script, or behavioural-analytics tag on any page of the OffshorePress site. The site does not load resources from Google Analytics, Google Tag Manager, Facebook Pixel, Twitter Pixel, LinkedIn Insight, Hotjar, FullStory, Mixpanel, Segment, Amplitude, Heap, Pardot, Marketo, HubSpot, or any other third-party analytics or marketing-automation service. The site does not load resources from Google Fonts; the operator self-hosts the woff2 font files on its own infrastructure under the /fonts/ path.
6. Cookie policy
The operator’s site sets a single cookie, used to remember the subscriber’s preference between the light and dark theme variants. The cookie is a strictly-necessary cookie under the EU ePrivacy Directive and does not require consent; the cookie is set only after the subscriber has interacted with the theme toggle, contains the literal string “light” or “dark”, and is scoped to the OffshorePress domain.
The operator’s customer portal sets a session cookie used for authentication. The session cookie is a strictly-necessary cookie under the ePrivacy Directive, is HTTP-only, is Secure-flagged, and is set with the SameSite=Strict attribute. The session cookie is destroyed on logout and on session expiry.
7. International transfers
The operator’s data-centre facilities are located in Iceland and in Switzerland. Iceland is a member of the European Economic Area and personal data of EEA subjects may be transferred to Iceland without the requirement of an Article 46 transfer mechanism. Switzerland has been recognised by the European Commission as providing an adequate level of protection for personal data; transfers of EEA-subject data to Switzerland do not require an Article 46 mechanism. The operator does not transfer subscriber personal data to any country outside the EEA and Switzerland; in particular, the operator does not transfer subscriber personal data to the United States.
8. Security
The operator’s security posture is set out in the operator’s internal security-controls document, which is summarised below for the subscriber’s reference.
The operator runs full-disk encryption on every server in the operator’s fleet using the LUKS framework on Linux and the equivalent on the operator’s BSD machines. Encryption keys are held in the operator’s hardware-security module and are not held by the operator’s data-centre providers.
The operator’s customer-facing services run TLS 1.2 and TLS 1.3 with HSTS preloading. The operator’s certificate-issuance pipeline runs against a single certificate authority for each domain; the operator does not maintain pinned alternate issuers.
The operator’s email service runs OpenPGP support for subscribers who want end-to-end encrypted mail; the operator’s WebMail interface integrates with Mailvelope for in-browser PGP. The operator does not hold the subscriber’s PGP private keys.
The operator’s incident-response programme runs a daily automated review of the operator’s intrusion-detection signals, a weekly manual review of the operator’s authentication logs, and a monthly review of the operator’s vulnerability-scan output against its public-facing surface. The operator publishes a security advisory to subscribers within forty-eight hours of confirming an incident that affects subscriber data.
9. Amendments
The operator may amend this policy at any time by publishing a revised version. The revised version takes effect on the effective-from date stated in its frontmatter; the operator will, where reasonably practicable, give notice of a material amendment to existing subscribers by email at least thirty days before the effective-from date. Continued use of the service after the effective-from date constitutes acceptance of the revised policy.
10. Operator contact
Subject-access requests, rectification requests, erasure requests, and any other rights exercise under the policy are routed to the contact form at /contact. The mailbox is monitored by the operator’s data-protection officer; the PGP key for the mailbox is published on the /principles/team page.