Privacy Policy

1. Introduction

This Privacy Policy (hereinafter referred to as the "Policy") defines the procedure for processing and protecting personal data of users (hereinafter referred to as the "User" or "Data Subject") by VHost Consulting (hereinafter referred to as the "Company" or "Data Controller").

This Policy has been developed in accordance with the requirements of:

• Law of Ukraine "On Personal Data Protection" dated 01.06.2010 № 2297-VI;
• General Data Protection Regulation of the European Union 2016/679 (GDPR);
• Other applicable regulatory legal acts of Ukraine and the European Union.

By using the Company's website or applying for the Company's services, the User confirms their consent to this Policy and gives consent to the processing of their personal data in accordance with the terms of the Policy.

2. Terms and Definitions

The following terms are used in this Policy:

• Personal data — any information relating to an identified or identifiable natural person (data subject).
• Processing of personal data — any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Data Controller — VHost Consulting, which alone or jointly with others determines the purposes and means of the processing of personal data.
• Confidentiality of personal data — mandatory requirement for the Controller or other person who has gained access to personal data not to disclose to third parties and not to distribute personal data without the consent of the data subject, unless otherwise provided by law.
• Website User — a person who has access to the Company's website via the Internet and uses it.
• Cookie — a small piece of data sent by a web server and stored on the user's computer, which the web client or web browser sends back to the web server with each HTTP request when trying to open the page of the corresponding website.

3. Collection and Processing of Personal Data

3.1. Categories of Personal Data Collected

The Company may collect and process the following categories of personal data:

• Identification data: first name, last name, middle name, date of birth;
• Contact data: email address, phone number, postal address;
• Profile data: login, password (in encrypted form), company information, position;
• Financial data: bank details, payment history;
• Technical data: IP address, device data, operating system, browser, website behavior;
• Communication data: telephone conversation recordings (with explicit warning about recording), email correspondence history, chats and other communication channels;
• Contractual data: information about concluded contracts, services provided, technical support requests.

3.2. Purposes of Personal Data Processing

The Company processes personal data for the following purposes:

• User identification for concluding and executing a service contract;
• Providing the User with access to personalized resources of the Company's website;
• Establishing feedback with the User, including sending notifications, requests concerning the use of the website and the Company's services, processing inquiries and applications from the User;
• Determining the User's location to ensure security, prevent fraud;
• Confirming the accuracy and completeness of personal data provided by the User;
• Creating an account for providing services if the User has consented to creating an account;
• Notifying the User about the status of service requests;
• Processing payments, refunds, claims;
• Providing the User with effective customer and technical support in case of problems related to the use of the website or the Company's services;
• Carrying out advertising activities with the User's consent;
• Improving the quality of the website, services and developing new ones;
• Conducting statistical and other research based on anonymized data.

4. Legal Basis for Data Processing

The Company processes the User's personal data only if at least one of the following legal grounds exists:

• Consent of the data subject to the processing of their personal data for one or more specific purposes;
• Performance of a contract to which the User is a party or in order to take steps at the request of the User prior to entering into a contract;
• Compliance with a legal obligation to which the Company is subject under the legislation of Ukraine or the European Union;
• Protection of vital interests of the data subject or of another natural person;
• Performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
• Legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

5. Data Subject Rights

In accordance with GDPR and Ukrainian legislation on personal data protection, the User has the following rights:

5.1. Right to Information

The User has the right to receive information about how and why the Company processes their personal data. The information must be provided in a clear and accessible form.

5.2. Right of Access

The User has the right to obtain confirmation as to whether or not the Company is processing their personal data and, where that is the case, access to the personal data and the following information:

• The purposes of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipients of the personal data;
• The retention period of personal data or the criteria used to determine that period;
• The source of the personal data if they were not obtained from the data subject;
• The existence of automated decision-making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

5.3. Right to Rectification

The User has the right to obtain from the Company without undue delay the rectification of inaccurate or incomplete personal data concerning them.

5.4. Right to Erasure ("Right to be Forgotten")

The User has the right to obtain from the Company the erasure of their personal data without undue delay in the following cases:

• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• The User withdraws consent on which the processing is based, and there is no other legal ground for the processing;
• The User objects to the processing and there are no overriding legitimate grounds for the processing;
• The personal data have been unlawfully processed;
• The personal data have to be erased for compliance with a legal obligation under Ukrainian or European Union law;
• The personal data have been collected in relation to the offer of information society services to a child.

5.5. Right to Restriction of Processing

The User has the right to obtain from the Company restriction of processing where one of the following applies:

• The accuracy of the personal data is contested by the User, for a period enabling the Company to verify the accuracy of the personal data;
• The processing is unlawful and the User opposes the erasure of the personal data and requests the restriction of their use instead;
• The Company no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise or defense of legal claims;
• The User has objected to processing, pending the verification whether the legitimate grounds of the Company override those of the User.

5.6. Right to Data Portability

The User has the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Company, where:

• The processing is based on the User's consent or on a contract with them;
• The processing is carried out by automated means.

5.7. Right to Object

The User has the right to object, at any time, to processing of their personal data which is based on the legitimate interests of the Company or a third party, including profiling. In this case, the Company must stop processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defense of legal claims.

5.8. Right Not to Be Subject to Automated Decision-Making

The User has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except in cases where such decision:

• Is necessary for entering into, or performance of, a contract between the User and the Company;
• Is authorized by Ukrainian or European Union law;
• Is based on the User's explicit consent.

5.9. Right to Withdraw Consent

If the processing of personal data is based on the User's consent, they have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5.10. Right to Lodge a Complaint with a Supervisory Authority

The User has the right to lodge a complaint about the actions or inaction of the Company with the Authorized Body for Personal Data Protection of Ukraine or, if applicable, with the relevant supervisory authority of the European Union.

6. Data Storage and Deletion

6.1. Retention Periods

The Company retains Users' personal data for no longer than is necessary for the purposes for which they were collected, or for compliance with legal obligations. Specific retention periods are determined as follows:

• Data necessary for the performance of a contract with the User — for the duration of the contract and 5 years after its termination (statute of limitations period for obligations);
• Data for accounting and tax purposes — for the periods established by Ukrainian legislation (typically 3-7 years);
• Data for marketing purposes — until the User withdraws consent or until the purpose of processing is achieved;
• Technical data and cookies — in accordance with the cookie policy, but not more than 2 years.

6.2. Deletion Procedure

Upon expiration of the personal data retention period or upon receiving a request from the User to delete their personal data, the Company takes the following measures:

• Irreversible deletion of personal data from active databases;
• Deletion or anonymization of data in backup copies during the next backup update cycle;
• Destruction of physical media containing personal data;
• Notification of third parties to whom personal data were transferred about the need to delete this data.

7. Data Protection Measures

The Company takes necessary and sufficient organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other unlawful actions by third parties with personal data. These measures include:

7.1. Technical Measures

• Use of SSL certificates for data encryption;
• Storage of passwords in encrypted form using modern hashing algorithms;
• Regular software updates to eliminate vulnerabilities;
• Use of multi-level protection system against unauthorized access;
• Implementation of intrusion detection and prevention systems;
• Data backup;
• Physical protection of servers and equipment.

7.2. Organizational Measures

• Appointment of a person responsible for organizing the processing of personal data;
• Restricting employee access to personal data;
• Training employees on the rules for processing and protecting personal data;
• Implementation of policies and procedures for protecting personal data;
• Regular internal audits of personal data processing systems;
• Documentation of all actions with personal data;
• Development and testing of security incident response plans.

8. Use of Cookies

8.1. What Are Cookies

Cookies are small text files that are stored on the User's device when visiting the Company's website. They help the website remember information about the User's visit, preferences and actions, which helps improve the website and personalize its content.

8.2. Types of Cookies Used

The Company uses the following types of cookies:

• Necessary cookies — provide basic website functionality, such as user authentication or saving the state of the shopping cart;
• Functional cookies — allow remembering the User's selected settings and preferences;
• Analytical cookies — help analyze website usage, identify problems and improve its operation;
• Marketing cookies — used to track visitors on websites and display relevant advertisements.

8.3. Cookie Management

The User can manage cookie settings or disable their use through their browser settings. The procedure for managing cookies in different browsers may vary, so it is recommended to refer to the "Help" function in the User's browser.

Disabling cookies may result in limited access to some features of the Company's website or deterioration of their performance.

9. Sharing Data with Third Parties

9.1. Categories of Data Recipients

The Company may share Users' personal data with the following categories of third parties:

• Service providers — companies that help the Company provide services (hosting providers, payment systems, delivery services, analytics systems, etc.);
• Partners — companies with which the Company collaborates to provide joint services or products;
• Government authorities — in cases provided for by law;
• Professional consultants — lawyers, auditors, accountants and other professional consultants to whom the Company provides information as part of receiving professional services.

9.2. Conditions for Data Sharing

The sharing of personal data with third parties is carried out under the following conditions:

• Existence of an appropriate legal basis for data sharing;
• Conclusion of a confidentiality and personal data protection agreement with the data recipient;
• Sharing only the data that is necessary to achieve a specific purpose;
• Informing Users about the categories of recipients of their personal data;
• Respecting the rights and interests of Users when sharing their data.

10. International Data Transfers

10.1. Conditions for Data Transfers Outside Ukraine and the EU

The Company may transfer Users' personal data to countries outside Ukraine and the European Union if one of the following conditions is met:

• The country ensures an adequate level of protection of personal data in accordance with a decision of the European Commission or an authorized body of Ukraine;
• Standard Contractual Clauses approved by the European Commission have been concluded with the data recipient;
• The existence of other appropriate safeguards for data protection;
• The User has given explicit consent to the transfer after having been informed of the possible risks;
• The transfer is necessary for the performance of a contract with the User or for the implementation of pre-contractual measures at their request;
• The transfer is necessary for the conclusion or performance of a contract in the interest of the User;
• The transfer is necessary to protect the vital interests of the User or other natural persons, if the User is physically or legally incapable of giving consent;
• The transfer is necessary for important reasons of public interest;
• The transfer is necessary for the establishment, exercise or defense of legal claims;
• The transfer is authorized by a competent authority of Ukraine or the European Union.

10.2. Security Measures for International Transfers

For international data transfers, the Company takes additional measures to ensure the security of Users' personal data, including:

• Assessment of the legislation of the recipient country for ensuring adequate protection;
• Use of encryption when transferring data;
• Minimization of the amount of data transferred;
• Regular verification of data recipients for compliance with personal data protection requirements;
• Providing Users with information about the countries to which their data may be transferred.

11. Children's Data Protection

The Company recognizes the need to provide enhanced protection for children's personal data and takes the following measures for this purpose:

11.1. Limitation on Collecting Children's Data

The Company's website and services are not intended for use by persons under 16 years of age without the consent and supervision of parents or legal guardians. The Company does not intentionally collect personal data from children under 16 years of age.

11.2. Actions in Case of Unintentional Collection of Children's Data

If the Company becomes aware that it has unintentionally collected personal data from a child under 16 years of age without the consent of a parent or legal guardian, the Company will take measures to:

• Immediately cease processing of this data;
• Obtain consent from the child's parent or legal guardian for data processing;
• Delete the data if such consent is not obtained.

11.3. Obtaining Parental Consent

To process personal data of children under 16 years of age, the Company requests and verifies the consent of the child's parent or legal guardian. For verification, the Company may use various methods, including requesting supporting documents or contact information to communicate with the parent or legal guardian.

12. Changes to Privacy Policy

12.1. Procedure for Making Changes

The Company reserves the right to make changes to this Privacy Policy. Changes take effect from the moment they are published on the Company's website, unless otherwise specified in the new version of the Policy.

12.2. Notification of Changes

In case of making substantial changes to the Policy that may have a significant impact on the rights and freedoms of Users, the Company notifies Users through one or more of the following ways:

• Posting a notice on the Company's website;
• Sending an email to the address provided by the User;
• Displaying a notification the next time the User logs into their account;
• Other methods that ensure effective information to Users.

12.3. Continued Use After Changes

Continued use of the website or the Company's services after the publication of changes to the Privacy Policy means the User's consent to such changes. If the User does not agree with the changes, they should stop using the Company's website and services and delete their account.

13. Contact Information

For questions regarding this Privacy Policy, the processing of personal data, as well as for the exercise of data subject rights, the User may contact the Company in the following ways:

• Email: privacy@vhost.com.ua
• Telegram: @vhost_consulting

The Company has appointed a Data Protection Officer who can be contacted using the above contact details.

Last updated: March 3, 2025