What we do with your data we collect during the order process.


BWF Hosting
Big Wet Fish Hosting and GDPR

GDPR (the General Data Protection Regulation) is coming into force on 25 May 2018 and applies to all businesses doing business in or with a person in the EU. We wanted to take this opportunity to share with you what actually happens to your personal data when you sign up for a web hosting or domain name product from Big Wet Fish Hosting. All the information below will be in our updated privacy policy, but we felt a summary would be beneficial.

What Data do we Collect?
When you sign up for a web hosting or domain product from Big Wet Fish Hosting we collect the following information:

  • Your name (and company name if applicable), address, postcode, phone number and email address, plus a password of your choice and a security question and answer;
  • Your chosen domain name that will be used to set up the hosting account and domain, or the server hostname in the case of a client buying a full server from us;
  • The hosting product or domain you have signed up for and any specific information required by the domain registry. For example, in the case of UK domains we need to ask for the registration type (Individual, Sole Trader, Limited Company etc.);
  • Your payment details, which will be passed on to our third-party payment processors;
  • Your tick box to indicate you accept our terms of service (which include our privacy policy) before you buy our services;
  • The IP address where the order has come from (we pass this, as well as your city, to maxmind.com, who we employ for our fraud protection. Any orders rejected by maxmind.com are manually reviewed within 8 hours for false positives).

Why do you need this data?
We only collect enough data to allow us to provide web hosting services to you. We do not collect any data that is not relevant to providing a web hosting or domain name service to our clients, and we can explain fully to any client on request exactly why a piece of data is needed. For example, in order to register a domain name we need to supply the domain registry with your full name, full address, phone number and email address. If you are just buying web hosting there is no need to provide your address details, but bear in mind that if you try to register a domain name without fully completing your client area record, the domain registration will fail.

Where is this data stored?
When you register for a client area your data is stored on a secure server in an ISO27001 compliant data centre in the EU. Regular vulnerability scans are run on this server, and action is taken if any updates are found to be needed. We use whmcs.com billing software installed on our EU-based servers to manage your data. We do not pass this data on to any third parties. All data sent to us is encrypted using an SSL certificate on the website.

What happens to this data when I buy web hosting?
When you buy web hosting, the domain name and your email address are passed across to the server and your account is set up. No other data of yours is passed to the server. Where that data is passed to will depend upon the location of the server you have chosen to buy web hosting on. If you buy shared hosting in the USA then we need to pass your domain name and email address across to Web Host Manager on the USA server in order to set up your account. You can log into your cPanel account at any time and remove this email address, but Web Host Manager has email as a required field when setting up a hosting account, so we must pass this across initially or we cannot set up your account.

What happens to this data when I buy a domain name?
When you buy a domain name, all of your name, address, phone and email data is required to be passed across to the relevant domain registrar partner in order to register your domain name. If you do not consent to your data being passed across to the domain registry then it is impossible for us (or any web host for that matter) to register your domain. All our domain registrar partners have their own GDPR policies and we can let you know who your domain registrar partner is on request. The domain registrars are taking steps to make the WHOIS database GDPR compliant and we will post a separate blog post about that real soon.

What happens to this data when I make a payment by Card?
When you pay by credit or debit card you enter your details into an iframe form directly on the stripe.com website (even though it looks to be our website, it is embedded). stripe.com process your payment details and send us back the reference number so the invoice can be marked as paid. Any saved card details are stored at stripe.com and we only store the last 4 digits and the expiration date in your client area. You can log into your client area and delete your card details at any time. You also do not need to save your card when paying: simply do not tick the box to save your card and it will not be saved anywhere.

What happens to this data when I make a payment by Direct Debit?
We do not pass any of your data to our direct debit processor. We use the company GoCardless to collect direct debits. You register directly on the GoCardless website via a special link we send you to register for direct debits, so you enter your data yourself (it is not passed from our systems). GoCardless handle all the storage and data processing and we enter the unique reference number for the payment against your invoice when we mark it as paid. When we call for payment we search for your GoCardless record, enter the invoice number and amount and call for payment. No other personal data is passed to GoCardless when we call for payment.

When will you email me?
We will only email you if you have an active hosting account and the email is deemed necessary to be sent. We will no longer send marketing emails via our billing system; instead, a separate Mailchimp list that you need to opt in to has been created. Examples of where we will email you would be (1) invoices, (2) domain expiry notices that are required to be sent by the domain registry, (3) account action emails such as suspension, termination or creation, (4) emails relating to service outages, (5) emails pertaining to the security of your hosting account.

I’m no longer a client. When will you delete my data?
We cannot delete your client area for 6 years as we are required by HMRC to keep invoice data relating to VAT returns. However, we will make your client area ‘anonymous’ and we will delete any personal data and replace it with ‘GDPR-DELETE’ so no personal data belonging to you personally will remain when you are no longer a client. This preserves the financial records in case of an HMRC query but also protects your personal data as it is removed from our database. We will remove all non-active client personal data within 6 months of the account being closed. We’ll of course remove any personal data on request, usually within 24 hours of a request being received.

Access to data we hold on you?
We’ll make available a record of all the data we hold on you on request within 30 days of you requesting this formally in writing, as required by the new GDPR regulations. However, our WHMCS client area database is the only location where we store client data, so you can simply view your data from within there and the data we send you will be identical to what you can view yourself.

GDPR Questions?
We’re not GDPR experts, so we advise that any advice we give is checked with the Information Commissioner’s Office Helpline or by employing the services of a GDPR expert. However, if any client has any questions about GDPR we are more than happy to share our thoughts with you on how we think the new regulations should be interpreted. Just open a ticket from your client area.
