PRIVACY POLICY – IPSPANEL

HYBRID DEPLOYMENT: CLOUD SAAS & SELF-HOSTED LICENSE
Effective Date: 15 October 2025
Last Updated: 15 October 2025

1. Introduction and Scope
This Privacy Policy explains how IPSPANEL (“IPSPANEL”, “we”, “us”, “our”) processes, stores, and protects Personal Data collected or handled through our platform, including both IPSPANEL Cloud (SaaS) managed hosting environments and IPSPANEL Self-Hosted installations deployed by clients on their own infrastructure. By accessing or using IPSPANEL, you acknowledge that you have read, understood, and agree to this Privacy Policy.

2. Role Definitions
In IPSPANEL Cloud (SaaS model), IPSPANEL acts as a Data Processor and the Client acts as Data Controller under GDPR. In IPSPANEL Self-Hosted deployments, the Client assumes full responsibility as both Data Controller and Data Processor. Personal Data refers to information relating to an identified or identifiable individual. End-User means any individual accessing the IPSPANEL interface including administrators, operators, finance staff, or resellers.

3. Deployment Responsibility Matrix
In IPSPANEL Cloud, IPSPANEL manages hosting, security patches, backups, database encryption, subprocessors, breach notification and GDPR compliance as Data Processor. In Self-Hosted deployments, the Client is responsible for hosting, server security, encryption, GDPR compliance, subprocessors, and breach notifications. IPSPANEL has no automatic data access in Self-Hosted environments and only provides technical support if explicitly requested under temporary secure access.

4. Categories of Data Processed
We may process the following data categories depending on deployment mode:

  • Account and Authentication Data: usernames, email addresses, hashed passwords, MFA tokens, API keys, access roles.

  • Billing and Financial Data: company name, invoice address, VAT/tax ID, transaction history, payment references.

  • Infrastructure and Service Assignment Data: server metadata, domain registrar actions, IP resource allocation history, bandwidth usage logs.

  • Audit and Activity Logs: timestamped records of actions performed in the system, including login events, configuration changes, provisioning commands, invoice generation, or IPAM assignments.

  • Support and Communication Data: ticket messages, email communications to support@ipspanel.com.

  • API Integration Data: inbound and outbound API events, webhook logs, status codes, and error returns.

5. Legal Basis for Processing (GDPR Alignment)
We process data under the following GDPR legal bases:

  • Contractual Necessity (Art. 6(1)(b)) for account access, panel operation, and billing.

  • Legal Obligation (Art. 6(1)(c)) for financial record retention.

  • Legitimate Interest (Art. 6(1)(f)) for access logging, fraud prevention, and operational integrity.

  • Consent (Art. 6(1)(a)) for optional marketing or non-operational communication.

6. Data Minimization and Purpose Limitation
Data is processed only to the extent necessary to operate the panel, manage billing, provide secure access control, and ensure infrastructure integrity and legal compliance. IPSPANEL does not embed external tracking scripts such as Google Analytics or Facebook Pixel inside the control panel interface.

7. Security Measures
In IPSPANEL Cloud environments, the following measures apply: encryption in transit (TLS 1.2+), encryption of sensitive fields at rest, password hashing using bcrypt or argon2, enforced role-based access permissions, MFA support, segregated tenant databases, immutable audit logs, and access session security controls. In Self-Hosted environments, IPSPANEL provides recommended guidelines, but the Client is responsible for implementing these measures on their own infrastructure.

8. Subprocessors and Analytics
A full list of active subprocessors is maintained at /subprocessors and may include infrastructure hosting, email delivery, and payment processing providers necessary to run IPSPANEL Cloud. IPSPANEL does not use embedded third-party analytics or advertising trackers inside the admin interface by default. Self-Hosted users may configure their own subprocessors and are responsible for auditing and approving them under GDPR.

9. Client Responsibilities in Self-Hosted Deployments
When running IPSPANEL on Client infrastructure, the Client is responsible for server security, SSL configuration, firewall rules, data localization compliance, GDPR obligations, data subject requests, breach notifications, and technical backup routines. IPSPANEL does not access or monitor Client data in self-hosted mode unless the Client explicitly grants secure temporary access for support purposes.

10. Data Retention
In IPSPANEL Cloud, account and log data is retained as long as the account remains active. Billing and financial transaction data is retained for a minimum of 7–10 years to comply with tax regulations. Audit logs are retained up to 24 months unless extended by Client request. In Self-Hosted mode, retention is fully managed by the Client and must comply with applicable financial and data protection laws.

11. Breach Notification Policy
In the event of a confirmed Personal Data breach within IPSPANEL Cloud, IPSPANEL will notify affected Clients without undue delay and no later than 72 hours as required by GDPR Article 33. The notification will include a description of the incident, its scope, the data categories affected, and recommended mitigation. In Self-Hosted environments, Clients hold full responsibility for breach detection, reporting to supervisory authorities, and informing affected data subjects.

12. International Data Transfers
Data stored in IPSPANEL Cloud is located within the European Union unless otherwise requested by the Client. Any transfer outside the EEA will follow GDPR-compliant safeguards, including Standard Contractual Clauses (SCCs) or equivalent mechanisms. Self-Hosted Clients choosing their own hosting providers are responsible for ensuring compliance with cross-border data transfer laws.

13. Data Subject Rights
Data subjects associated with IPSPANEL Cloud can exercise their rights under GDPR Articles 15–21, including the rights of access, rectification, erasure, restriction, objection, and data portability. Financial data required for legal compliance cannot be erased before the mandated retention period expires. Requests should be sent to support@ipspanel.com and will be processed within 30 calendar days. In Self-Hosted deployments, the Client is responsible for responding to such requests.

14. Logging and API Audit Trails
All access and administrative actions are recorded in immutable logs with user identifier, timestamp, action type, and affected module. API calls executed through IPSPANEL are logged for security, billing, and operational integrity. Logs cannot be overwritten to maintain audit reliability and may be exported in JSON or CSV formats for compliance audits.

15. Data Portability and Export
IPSPANEL provides the ability to export invoices, client records, IP assignments, domain actions, or usage metrics in machine-readable formats (CSV, JSON, XML, PDF). In IPSPANEL Cloud, such exports may be requested through the interface or through support@ipspanel.com. In Self-Hosted mode, the Client has full direct database access or API export control.

16. Financial and Tax Record Compliance
Invoices, tax documents, and financial transaction logs generated by IPSPANEL are classified as legally required financial documentation. They must be retained according to applicable jurisdiction laws, typically between 7 and 10 years. Under the exemptions to the GDPR "right to be forgotten" for mandatory legal retention, these records cannot be modified or erased prematurely.

17. Privacy by Design and Default
IPSPANEL is engineered under GDPR Article 25 principles, implementing privacy and security controls such as encryption, role-based access control, audit logging by default, and no external data sharing without explicit Client configuration. No Personal Data is shared with external marketing or analytics platforms inside the panel environment unless configured by the Client.

18. No Children’s Data
IPSPANEL is intended solely for professional infrastructure management and is not directed at minors under 18 years old. Any data entry related to minors is outside the intended operational scope and the Client is fully responsible for such entries in Self-Hosted deployments.

19. Limitation of Access by Vendor
In Self-Hosted mode, IPSPANEL does not have access to Client data, servers, or credentials by default. Support interventions, including SSH or remote desktop sessions, occur only upon explicit Client request and under secure transport. All access events must be logged by the Client for compliance.

20. Compliance for Hosting Providers and Resellers
Clients operating IPSPANEL as part of hosting services, VDS/VPS reselling, domain provisioning, or IP resource allocation acknowledge their independent role as Data Controllers and must implement customer-facing privacy policies and contracts aligned with GDPR and local regulations. IPSPANEL provides only software functionality and does not establish a direct customer relationship with End-Users of those hosting services.

21. Policy Updates and Client Notification
This Privacy Policy may be updated to reflect legal changes, feature updates, or infrastructure adjustments. The latest version will always be published at /privacy-policy. IPSPANEL Cloud Clients will be notified of material changes that affect legal obligations. Self-Hosted Clients must review and implement updated terms manually.

22. Contact for Privacy Requests
For privacy-related inquiries, data subject requests, or GDPR matters related to IPSPANEL Cloud, contact:
Email: support@ipspanel.com
Subject line: “Privacy Request – IPSPanel”

23. Governing Law
Unless otherwise contractually agreed, this Privacy Policy is governed by the laws of the European Union with GDPR as the primary framework. Local jurisdictional rules may also apply depending on the Client’s country of operation or deployment infrastructure.

24. Acceptance
By using IPSPANEL, accessing its dashboard, deploying it on infrastructure, or continuing to operate an administrative account, you acknowledge that you have read, understood, and accepted the terms outlined in this Privacy Policy.