Privacy Policy

1. Who we are

Nemea is a hosting platform operated from the Netherlands. When this policy refers to "Nemea", "we", "us", or "our", it means the Nemea operating entity responsible for your data.

For the purposes of EU/EEA residents, Nemea acts as the data controller in respect of the personal data described in this policy.

2. Data we collect

Account data

When you register, we collect your email address, a hashed version of your password, and optionally your name and a billing address.

Payment data

Payments are processed by Stripe. We never see or store full card numbers. Stripe provides us with a tokenised reference and basic billing details (last 4 digits, expiry, cardholder name).

Usage data

We collect resource usage metrics for your services (CPU, memory, bandwidth, disk) to power your dashboard and enforce plan limits. These metrics are aggregated and do not include the content of your applications.

Log data

Our infrastructure automatically generates logs including IP addresses, timestamps, HTTP status codes, and request paths. These are used solely for security monitoring, abuse prevention, and diagnosing platform issues.

Support data

When you contact us, we retain the content of your message, your email address, and the context of any conversation thread.

Cookies and analytics

We set a session cookie to keep you logged in. We may use a self-hosted analytics tool to understand aggregate traffic patterns. We do not use third-party advertising trackers.

3. Why we collect it

To provide the service — account management, deployment, billing, and the control panel all require basic account data.
To monitor infrastructure — usage metrics allow us to ensure fair resource allocation and enforce plan limits.
To ensure security — log data helps us detect and respond to attacks and abuse.
To communicate with you — service notifications, billing receipts, and support replies.
To improve the platform — anonymised aggregate usage data helps us make product decisions.

We do not sell your data, share it with advertisers, or use it to train machine-learning models.

4. Lawful basis (GDPR)

For EU/EEA residents, our lawful bases are:

Contract performance — most processing (account, billing, service delivery) is necessary to fulfil our contract with you.
Legitimate interests — security logging, fraud prevention, and product analytics, where our interests are not overridden by your rights.
Legal obligation — where required by applicable law.
Consent — for optional communications such as product newsletters (you can withdraw consent at any time).

5. Who we share data with

Third party	Purpose	Data shared
Stripe	Payment processing	Billing details (no full card numbers)
Cloudflare	DDoS protection and CDN	IP addresses, request headers
Email provider	Transactional email	Your email address, message content

We do not share data with any other third parties except where required by law or a valid court order, in which case we will notify you unless prohibited from doing so.

6. How long we keep it

Account data — retained for the life of your account plus 90 days after deletion.
Billing records — retained for 7 years to comply with financial regulations.
Infrastructure logs — 30 days, then automatically purged.
Backups — 7 days rolling, then destroyed.
Support conversations — 2 years from last activity.

7. Your rights

Under GDPR you have the right to:

Access — request a copy of the data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — ask us to delete your data (subject to legal retention obligations).
Restriction — ask us to pause processing while a dispute is resolved.
Portability — receive your data in a machine-readable format.
Object — object to processing based on legitimate interests.
Withdraw consent — where processing relies on consent, withdraw it at any time.

To exercise any of these rights, email privacy@nemea.uk or contact us via Discord. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Cookies

Cookie	Purpose	Duration
`nemea_session`	Keeps you logged in to the control panel	Session / 30 days
`nemea_csrf`	CSRF protection on forms	Session

We do not set advertising cookies or cross-site tracking cookies. You can disable cookies in your browser but the control panel will not function without the session cookie.

9. International data transfers

Our primary infrastructure is located in the EU/EEA. Some sub-processors (notably Stripe and Cloudflare) may process data outside the EEA. Where this occurs, transfers are governed by Standard Contractual Clauses approved by the European Commission, or equivalent safeguards.

10. Children

Nemea is not intended for users under 13 years of age. We do not knowingly collect personal data from children. If you believe a minor has created an account, contact us immediately and we will delete the data.

11. Changes to this policy

We will notify you by email at least 14 days before any material change takes effect. Minor clarifications may be made without notice. The date at the top of this page always reflects the current version.

12. Contact

Questions, requests, or concerns about this policy:

Email: privacy@nemea.uk
Discord: discord.gg/2GY9VKZcVW

Privacy Policy.