1.Data controller
1.1. The data operator (and controller under GDPR) is a self-employed individual, Ivan Sergeevich Aleksandrov-Elizarov (INN 732895258528, Professional Income Tax payer, Ulyanovsk, Russia), operating under the "Elysium Hosting" brand. Contact: business@elysiumup.com.
1.2. This Policy describes what data we collect, how and why we use it, and your rights.
2.Data we collect
2.1. At registration: email address, display name, password (stored as a bcrypt hash).
2.2. During use: IP address, visit date/time and page, browser type, technical server logs (load, server activity).
2.3. Marketing attribution: referrer and UTM parameters (only with cookie consent).
2.4. We do not store payment details — transactions are handled by payment providers (e.g. NowPayments). We only receive a payment status and identifier.
3.Purposes & legal bases
3.1. Providing the service (account, server deployment and support) — basis: performance of a contract (Art. 6(1)(b) GDPR; 152-FZ Art. 6(1)(5)).
3.2. Payments and accounting — contract and legal obligation (Art. 6(1)(b),(c) GDPR).
3.3. Security, abuse prevention and diagnostics — legitimate interest (Art. 6(1)(f) GDPR).
3.4. Newsletters and analytics cookies — only with your consent (Art. 6(1)(a) GDPR; 152-FZ Art. 9), revocable at any time.
3.5. Legal compliance — compliance with legal obligations (Art. 6(1)(c) GDPR).
4.Cookies & analytics
4.1. Strictly necessary cookies (authentication, language) are always used. Analytics cookies are set only after your consent in the cookie banner.
4.2. We use first-party visit analytics and do not share data with third-party ad networks.
5.Sharing
5.1. We do not sell personal data. Data is shared only with processors, to the extent needed to provide the service:
- payment providers — to process payments;
- email delivery (Resend) — for verification and reset emails;
- data centres / hosting providers — to run the infrastructure;
- authorities — upon a lawful request.
5.2. We enter into data-processing agreements with processors (Art. 28 GDPR).
6.International transfer & localization
6.1. Infrastructure is hosted in data centres in Russia (Moscow) and the EU (Frankfurt, Amsterdam, Helsinki).
6.2. Under Art. 18(5) of 152-FZ, recording, systematization and storage of personal data of Russian citizens use databases located in Russia.
6.3. For data subject to GDPR, transfers outside the EEA rely on appropriate safeguards (EU Standard Contractual Clauses) or on your explicit consent.
7.Retention
7.1. Account data is kept while the account is active. After deletion it is removed within 30 days, except data we must keep by law (e.g. payment records).
7.2. Technical server logs are kept up to 90 days, then automatically deleted.
8.Security
8.1. Data in transit is encrypted (TLS/HTTPS). Passwords are stored hashed (bcrypt). Access to data is restricted and controlled.
8.2. We apply organizational and technical safeguards and keep systems updated.
9.Your rights
9.1. Under GDPR (Art. 15–22) and 152-FZ you may: access your data, request rectification, erasure ("right to be forgotten"), restriction, portability, object to processing, and withdraw consent.
9.2. Some rights can be exercised yourself in the client area (edit data, delete account). For other requests, email business@elysiumup.com — we respond within 30 days.
10.Children
10.1. The service is not intended for children under 16 without guardian consent. If you believe we processed a child's data without such consent, tell us and we will delete it.
11.Complaints
11.1. You may lodge a complaint with a supervisory authority: in Russia — Roskomnadzor; in the EU — the data-protection authority of your country of residence.
12.Changes
12.1. We may update this Policy. The current dated version is posted here; material changes are notified by email.