HomeLegalPrivacy Policy

Privacy Policy

Terms of ServicePrivacy PolicyGDPR DPA

HummingTribe (hummingtribe.com)

Effective date: March 11, 2026  |  Last updated: March 11, 2026

1. Introduction

This Privacy Policy explains how HummingTribe (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you visit our website (hummingtribe.com) or use our services.

We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and applicable Romanian data protection law.

2. Data Controller

The data controller for the purposes of the GDPR is:

HummingTribe
Email: hello@hummingtribe.com

3. What Data We Collect

3.1. Account Data

When you create an account, we collect:

  • Email address
  • Password (stored as a cryptographic hash — we never store plaintext passwords)

3.2. Billing Data

When you make a purchase, Stripe (our payment processor) collects:

  • Name, billing address, and payment card details

We do not store your full payment card details. Stripe processes and stores this data under their own privacy policy. We receive from Stripe: your Stripe customer ID, subscription status, and the last four digits of your card.

3.3. Service Data

In the course of providing our services, we process:

  • Server IP addresses, hostnames, and configuration data
  • SSH public keys you provide
  • Domain names you configure
  • Storage bucket names and access keys
  • Usage data (disk usage, bandwidth, CPU/memory metrics for managed servers)

3.4. Content Data

Data you store using our services (files in S3 buckets, website files on hosting, data on VPS/dedicated servers) is stored and processed solely for the purpose of providing the service. We do not access, read, or analyze your content except as necessary for technical support at your explicit request, or as required by law.

3.5. Communication Data

When you contact us via email, we collect:

  • Your email address and the contents of your message
  • Any attachments you send

3.6. Website Analytics

We use Plausible Analytics, a privacy-focused analytics tool that:

  • Does not use cookies
  • Does not collect personal data
  • Does not track individual visitors
  • Processes all data in the EU

We collect aggregate, anonymous data such as page views, referral sources, and browser types. This data cannot be used to identify individual visitors.

3.7. Log Data

Our servers automatically record:

  • IP addresses of visitors and API requests
  • Request timestamps, URLs, and HTTP methods
  • User-agent strings

Log data is retained for security, troubleshooting, and abuse prevention purposes.

4. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 of the GDPR:

PurposeLegal Basis
Account creation and managementPerformance of a contract (Art. 6(1)(b))
Billing and payment processingPerformance of a contract (Art. 6(1)(b))
Service provisioning and deliveryPerformance of a contract (Art. 6(1)(b))
Sending transactional emails (order confirmations, service notifications, password resets)Performance of a contract (Art. 6(1)(b))
Security monitoring and abuse preventionLegitimate interest (Art. 6(1)(f))
Server logs and troubleshootingLegitimate interest (Art. 6(1)(f))
Responding to support inquiriesPerformance of a contract / Legitimate interest
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

We do not process personal data for marketing purposes without your explicit consent. We do not send newsletters or promotional emails unless you explicitly opt in.

5. How We Use Your Data

We use your personal data to:

  • Create and manage your account
  • Provision and deliver the services you purchase
  • Process payments via Stripe
  • Send transactional emails related to your account and services (order confirmations, service alerts, security notifications, password resets)
  • Provide technical support
  • Monitor and maintain the security and integrity of our infrastructure
  • Comply with legal obligations
  • Prevent fraud and abuse

6. Data Sharing

6.1. Sub-processors

We share personal data with the following third-party service providers (sub-processors) as necessary to deliver our services:

Sub-processorPurposeData SharedLocation
Stripe, Inc.Payment processingEmail, billing details, payment card dataEU (primary processing), US (corporate)
Brevo (Sendinblue)Transactional email deliveryEmail address, email contentEU
Hetzner Online GmbHInfrastructure hosting (servers, storage)Server metadata, IP addressesGermany
Plausible AnalyticsWebsite analyticsAnonymous aggregate data onlyEU

6.2. No Selling of Data

We do not sell, rent, or trade your personal data to third parties. We do not share your data with advertisers.

6.3. Legal Requirements

We may disclose personal data if required by law, court order, or governmental authority. We will notify you of such requests where legally permitted.

7. Data Storage and Location

7.1. All customer data and service data is stored exclusively on infrastructure located in Germany (Hetzner data centers in Falkenstein and Nuremberg).

7.2. Our billing processor (Stripe) may process billing data in the United States. Stripe is certified under the EU-US Data Privacy Framework and maintains Standard Contractual Clauses for international data transfers.

7.3. Our email delivery provider (Brevo) processes transactional emails within the EU.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

Data TypeRetention Period
Account data (email, password hash)Duration of account + 30 days after account deletion
Billing records10 years (Romanian fiscal law requirements)
Service data (server configs, access keys)Deleted upon service cancellation and expiry of billing period
Content data (files, databases)Deleted upon service cancellation and expiry of billing period
Support emails2 years after last communication
Server logs90 days
Website analyticsAggregate data only, retained indefinitely (non-personal)

9. Data Security

9.1. We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of passwords using industry-standard cryptographic hashing (PBKDF2)
  • Access controls limited to the data controller (sole proprietor)
  • Server hardening, firewalls, and intrusion detection (fail2ban)
  • Internal communications via encrypted private network (Tailscale/WireGuard)
  • Secure credential management via HashiCorp Vault
  • Database access restricted to internal network only (no public exposure)
  • Regular security patching of all systems

9.2. While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

10.1. Right of Access (Art. 15)

You have the right to request a copy of the personal data we hold about you.

10.2. Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data.

10.3. Right to Erasure (Art. 17)

You have the right to request deletion of your personal data, subject to legal retention requirements.

10.4. Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict processing of your personal data under certain circumstances.

10.5. Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

10.6. Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests.

10.7. Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

10.8. Right to Lodge a Complaint

You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, România
Website: dataprotection.ro
Email: anspdcp@dataprotection.ro

10.9. Exercising Your Rights

To exercise any of these rights, contact us at hello@hummingtribe.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

11. Cookies

11.1. We use only essential cookies necessary for the functioning of our services:

CookiePurposeDurationType
session_idUser authentication (HttpOnly, Secure)7 daysEssential / Functional

11.2. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

11.3. Plausible Analytics does not use cookies.

12. Children

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it.

13. Changes to This Policy

13.1. We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before the changes take effect.

13.2. The date of the last update is indicated at the top of this policy.

13.3. Your continued use of our services after the effective date constitutes acceptance of the updated policy.

14. Contact

HummingTribe
Email: hello@hummingtribe.com
Website: hummingtribe.com

This Privacy Policy was last updated on March 11, 2026.

Last updated: March 11, 2026