Before You Start Reading
Last updated: February 25, 2026 · Applies site-wide
KvmZone (referred to as "we") treats privacy protection as an integral part of the product. This policy explains the scope of personal information processing, purposes of use, and retention rules.
By continuing to use the website, console, or API, you confirm that you have read and agreed to this policy. If you do not agree, please stop using the service. This policy and the User Service Agreement are complementary and apply together.
What Data We Handle
Two categories: actively provided by you and automatically generated by the system
Information You Actively Provide
- Account data: email address, optional name, password stored after hashing
- Payment records: card numbers are processed by licensed payment institutions; we only store transaction results, amounts, dates, and desensitized billing fields
- Support content: issue descriptions, attachments, and correspondence in tickets and emails
- Order parameters: model specifications, data center node, billing cycle
Automatically Generated Records
- Access logs: IP address, HTTP metadata, timestamps, referring page, browser and OS information
- Device identifiers: terminal type and client identifier issued by us (SSAID), used for risk control and anomalous behaviour detection
- Usage data: login time, feature clicks, console operation logs, bandwidth and compute consumption statistics
- Cookies / local storage: used to maintain login sessions, remember language preferences, etc. (see Section 6 for details)
Purpose & Basis for Processing
Contractual necessity and legitimate interests as legal basis
Collected data is used for the following purposes:
- Delivery & operations: creating accounts, provisioning instances, processing payments and renewals
- Identity & risk control: verifying login identity, identifying abusive behaviour, blocking unauthorized access
- Customer support: responding to ticket requests, assisting with troubleshooting
- Experience improvement: analysing usage paths in aggregated or anonymized form to optimize performance and develop new features
- Transactional notifications: sending billing, expiry reminders, maintenance announcements, and security notification emails
- Product information: we may send product-related updates or promotional information until you unsubscribe
- Compliance obligations: cooperating with law enforcement requirements, meeting regulatory requirements, protecting the platform's lawful interests
- Technical research: using anonymized technical logs for system stability analysis and tuning
When and With Whom We Share
Disclosed on a minimum-necessary basis; personal information is not sold
We do not sell your personal information. We only disclose to third parties in the following circumstances:
Service processors and infrastructure partners
To complete necessary steps such as payment processing, email delivery, and network access, we share the minimum required fields, including:
- Payment gateways (subject to their own privacy policies)
- Email delivery service providers (for verification codes and notification emails)
- Self-hosted Matomo analytics (data stored on our own servers)
- Data centres and bandwidth providers
We sign data processing agreements with these parties, limiting the purposes of use and requiring equivalent levels of security measures.
Legal Requirements
We may disclose necessary information when required by law, regulation, judicial ruling, or administrative order, or when necessary to protect our and users' lawful rights and interests.
Mergers or Business Restructuring
In the event of a merger, acquisition, asset sale, or bankruptcy liquidation, user information may be transferred as an asset; we will announce this in advance and require the successor to provide equivalent protections.
With Your Consent
Only after obtaining your separate consent may we provide your information to third parties beyond the scope described in this policy.
How Long We Retain
Retention periods set based on compliance requirements and business needs
- Account fields: retained during the account's lifetime and for a reasonable period after cancellation, up to approximately 12 months for audit purposes
- Financial records: invoices and payment evidence retained for at least 7 years as required by law
- Access logs: routinely retained for approximately 90 days for security audits and troubleshooting
- Tickets: during the account's validity period and for 12 months after cancellation
- Instance disk: permanently deleted within 72 hours after service stops
If law requires a longer retention period, that requirement prevails.
How We Protect
Technical protection and access control working together
We employ industry-standard security practices, including but not limited to:
- Encryption in transit: TLS 1.2 and above encrypted channels
- Password storage: strong hashing algorithms such as bcrypt; the original password cannot be recovered from the stored hash
- Internal access control: employees follow the principle of least privilege; sensitive operations are fully logged
- Physical security: 24/7 access control and video surveillance at data centres
- Security operations: regular internal reviews and vulnerability scanning
Cookies & Local Identifiers
Managed by purpose category; essential cookies cannot be disabled
We currently use the following types of technical identifiers:
You may disable cookies in your browser settings; however, disabling essential cookies may prevent the console and ordering process from functioning properly.
Your Controls
You may have the following rights under applicable law
Please submit a request via ticket and we will respond within approximately 30 days:
- Right of access: obtain a copy of your personal information held by us
- Right to rectification: request corrections to inaccurate information (basic fields can also be self-updated in the console)
- Right to erasure: request deletion of relevant data after account cancellation, except for transaction records that must be retained by law
- Opt out of marketing: unsubscribe from promotional communications via the link in email footers; billing and security notifications are unaffected
- Withdraw consent: where processing is based on consent, you may withdraw it at any time; this does not affect the validity of activities already lawfully carried out
When an account is still active and the service is still within its commitment period, some deletion requests may be deferred to balance service delivery and statutory retention obligations.
Protection of Minors
Service designed for adults
This service is intended for persons aged 18 and above and is not directed at minors. We do not actively collect information from children. If you are a guardian and discover that a minor has submitted personal information without authorization, please contact us via ticket and we will delete it promptly.
Cross-Border & Multi-Region Deployment
Data centres distributed across multiple jurisdictions
We operate data centres in Hong Kong, Japan, South Korea, the United States, and other locations; your data may be stored or processed outside your country of residence. Privacy legislation varies across jurisdictions.
To manage cross-border transfer risks, we sign data processing agreements with data recipients, apply standard encryption and access control measures, and comply with applicable cross-border data transfer rules.
Third-Party Sites
External links are for reference only; please note the other party's privacy policy
This site may contain links to third-party websites. We cannot control their content, privacy practices, or security measures, and we accept no responsibility for them. Please read the relevant site's privacy statement before visiting.
How the Policy Evolves
The online version on this page prevails; significant changes will be communicated separately
We may revise this policy from time to time; revised versions will be published on this page with an updated date.
If changes will materially affect the purpose of data use or the scope of sharing, we will notify you in advance via registered email or in-platform messages. Continuing to use the service after a policy update constitutes your acceptance of the revisions. If you disagree, please stop using the service and cancel your account.
Privacy Contact
Questions, complaints, or rights requests — contact us by email or ticket
For human assistance, please contact us through any of the following channels:
Email: support@kvmzone.com
Ticket: Log into console → Submit ticket (recommended, trackable)
Response time: General enquiries: approx. 2 business days; rights requests: up to 30 days