Privacy Policy

1. Introduction

This Privacy Policy explains how Akyros Labs LLC ("we", "us", "our") collects, uses, stores, shares, and protects your personal data when you use HostAtlas — our infrastructure monitoring and management platform available at hostatlas.app.

Akyros Labs LLC is a company registered in Sheridan, Wyoming, United States of America. We act as the data controller for the personal data processed through the HostAtlas platform.

By creating an account on HostAtlas or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you should not use our platform.

For any privacy-related questions or concerns, please contact us at privacy@akyroslabs.com.

2. Data We Collect

We collect different categories of data depending on how you interact with HostAtlas. We only collect data that is necessary to provide, maintain, and improve our services.

2.1 Account Data

When you create an account, we collect:

• Full name
• Email address
• Password (stored as a bcrypt hash — we never store your plaintext password)
• Profile picture (only if you authenticate via Google OAuth)
• Organization name (if applicable)
• Timezone and notification preferences

2.2 Server Data

When you install the HostAtlas agent on your servers, the agent collects and transmits the following data to our platform:

• Hostname and server identifiers
• IP addresses (public and private)
• Operating system type, version, and kernel information
• Discovered services (e.g., Nginx, Apache, MySQL, PostgreSQL, Redis)
• System metrics: CPU usage, memory usage, disk usage, network I/O, load averages
• Process lists and resource consumption
• Log snippets (streamed on demand, not stored permanently)
• Configuration snapshots (e.g., Nginx configs, cron jobs)
• SSL certificate details (issuer, expiry, SANs)
• Cron job schedules
• Docker containers and their status
• Hosted domains and virtual hosts

2.3 Monitoring Data

When you configure monitoring within HostAtlas, we collect:

• Uptime check results (HTTP status codes, response times, SSL validity)
• Heartbeat pings and their timestamps
• Alert events and their resolution status
• Incident records, timelines, and notes
• Status page configurations

2.4 Billing Data

All billing, payment processing, invoicing, and tax compliance are handled entirely by Polar.sh, which acts as our Merchant of Record. This means:

• We never store credit card numbers, bank account details, or any payment credentials on our systems
• Polar.sh processes all payment transactions, issues invoices, and handles tax compliance on our behalf
• Polar.sh is the legal seller for all paid HostAtlas plans
• We receive only your email address and subscription plan information from Polar.sh to associate your payment with your HostAtlas account
• For details on how Polar.sh handles your payment data, please refer to the Polar.sh Privacy Policy

2.5 Usage Data

We collect minimal usage data to understand how the platform is used and to improve our services:

• Pages visited within the HostAtlas platform
• Feature usage patterns (e.g., which dashboard views are used most)
• API call frequency and endpoints used
• Error logs and performance metrics related to your platform experience

We do not use third-party analytics services. All usage data is collected and processed internally.

2.6 Communication Data

When you communicate with us, we may collect:

• Support emails and their content
• Feedback submissions
• Any other correspondence you send to us

3. How We Use Your Data

We use the data we collect for the following purposes:

• Provide and maintain the HostAtlas platform — including server monitoring, auto-discovery, alerting, incident management, domain management, and all core features
• Monitor your infrastructure — as configured by you, using the agent software and uptime monitors you set up
• Send alerts and notifications — via email, webhook, or other configured channels when your infrastructure requires attention
• Process billing — by sharing your email and plan information with Polar.sh, our Merchant of Record
• Improve our platform — by analyzing aggregated usage patterns, fixing bugs, and developing new features
• Respond to support requests — by using your account and communication data to help resolve issues
• Send product updates — occasional emails about new features, platform changes, or maintenance. You may opt out of non-essential communications at any time
• AI-powered analysis — only when explicitly triggered by you. When you use an AI analysis feature, the specific context needed for analysis (e.g., server metrics, log snippets) is sent to your configured AI provider. AI features are optional and disabled by default

We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising purposes.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

4.1 Contract Performance (Article 6(1)(b) GDPR)

Processing that is necessary to provide the HostAtlas service to you, including account creation, infrastructure monitoring, alerting, and all core platform features. This also covers processing necessary to manage your subscription and communicate about your account.

4.2 Legitimate Interest (Article 6(1)(f) GDPR)

Processing based on our legitimate interests, which include:

• Platform security and fraud prevention
• Bug fixing and platform improvement based on aggregated usage data
• Protecting our users and infrastructure from abuse
• Responding to support requests and feedback

We have conducted a balancing test for each legitimate interest to ensure your rights and freedoms are not overridden.

4.3 Consent (Article 6(1)(a) GDPR)

Processing based on your explicit consent, which includes:

• Marketing and product update emails (opt-in, with opt-out available at any time)
• Optional AI analysis features (explicitly triggered by you)
• Google OAuth authentication (only when you choose to sign in with Google)
• Cookies on the marketing website (via cookie consent banner)

You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Data Storage & Security

We take the security of your data seriously and implement multiple layers of protection to safeguard it.

5.1 Infrastructure Location

• All primary platform data is stored on servers located in the European Union, specifically in data centers operated by Hetzner Online GmbH and Contabo GmbH in Germany
• Database backups are stored in the EU (Hetzner data centers)
• Offsite backups (when configured) are stored in Hetzner S3-compatible storage in the EU

5.2 Encryption

• Data in transit: All communication between your browser and HostAtlas, and between the agent and our API, is encrypted via TLS 1.3
• Agent authentication: All agent-to-platform communication uses HMAC-SHA256 request signing to verify authenticity and prevent tampering
• API keys: Stored as SHA-256 hashes. We never store your API keys in plaintext — you can only see the full key once at creation time
• Passwords: Hashed using bcrypt with a work factor that meets current security recommendations
• Offsite backups: Use client-side AES-256-GCM encryption. This is a zero-knowledge architecture — the encryption key is generated and stored on your server and never transmitted to our platform. We cannot decrypt your offsite backups

5.3 Access Controls

• Two-factor authentication (2FA) is available for all accounts
• Full tenant data isolation via database-level scoping — no user can access another user's data
• Role-based access control within organizations
• All administrative access to production infrastructure requires multi-factor authentication and is logged

6. Sub-Processors and Third-Party Services

We use a limited number of third-party service providers (sub-processors) to operate the HostAtlas platform. Each sub-processor has been evaluated for their data protection practices and is bound by appropriate contractual obligations.

6.1 Core Infrastructure Providers

6.2 AI Providers (Optional)

AI features in HostAtlas are optional and disabled by default. When you explicitly enable and trigger an AI analysis, only the specific context needed for the analysis (such as server metrics or anonymized log snippets) is sent to your chosen AI provider. No bulk data export occurs. You choose which provider to use.

7. Cookies

We use only essential cookies that are strictly necessary for the operation of the HostAtlas platform. We do not use advertising cookies, tracking pixels, or third-party analytics tools.

7.1 Cookies We Use

7.2 What We Do Not Use

• No advertising or remarketing cookies
• No tracking pixels or web beacons
• No third-party analytics (e.g., Google Analytics, Mixpanel, Amplitude)
• No social media tracking widgets

Our marketing website at hostatlas.app displays a cookie consent banner. Only essential cookies are used on the marketing site.

8. Your Rights

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:

8.1 Right of Access

You have the right to request a copy of all personal data we hold about you. We will provide this information in a commonly used, machine-readable format.

8.2 Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you. You can update most of your account information directly through the HostAtlas platform settings.

8.3 Right to Erasure

You have the right to request deletion of your account and all associated data. When you request account deletion, all your personal data, server data, monitoring data, and configuration data will be permanently removed from our systems within 30 days.

8.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format. HostAtlas provides CSV export functionality for servers, domains, heartbeats, incidents, and other key data sets. You can export your data at any time from within the platform.

8.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you object to processing based on legitimate interest.

8.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interest. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

8.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority in your country of residence if you believe our processing of your personal data violates applicable data protection law.

To exercise any of these rights, please contact us at privacy@akyroslabs.com. We will respond to your request within 30 days. If your request is complex or we receive a large number of requests, we may extend this period by an additional 60 days, in which case we will notify you of the extension.

9. Data Retention

We retain your data only for as long as necessary to provide our services and comply with legal obligations. The specific retention periods are as follows:

When data is deleted, it is permanently removed from our active systems. Backup systems may retain copies for up to an additional 30 days before they are overwritten.

10. International Data Transfers

Your data is primarily stored and processed within the European Union. However, some of our sub-processors operate in or have infrastructure in the United States and other countries.

Specifically:

• Cloudflare operates a global network and may process HTTP requests at edge locations outside the EU, though EU traffic is preferentially routed to EU data centers
• Google LLC processes OAuth data in the United States (only applicable if you choose Google login)
• AI providers (Groq, OpenAI, Anthropic) process data in the United States when you explicitly trigger an AI analysis
• Polar.sh may process billing data in both the EU and US

Where personal data is transferred outside the EEA, we ensure adequate safeguards are in place:

• Transfers to the United States are covered by the EU-US Data Privacy Framework (DPF) where the recipient is certified
• Where the DPF does not apply, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission
• We only transfer data to countries that have been determined by the European Commission to provide an adequate level of data protection, or where appropriate safeguards are in place

11. Children's Privacy

HostAtlas is a professional infrastructure monitoring platform and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as promptly as possible. If you believe that a child under 16 has provided personal data to us, please contact us at privacy@akyroslabs.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

• The "Last updated" date at the top of this page will be revised
• Material changes will be communicated via email to all registered users at least 30 days before they take effect
• We may also post a notice within the HostAtlas platform to inform you of significant changes

Your continued use of HostAtlas after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you may delete your account before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days of receipt.