Privacy Policy

1. Responsible Entity

ComputeBox – Moritz Möller Workstations
Böhnhusener Weg 11, 24220 Flintbek
Email: [email protected]
Phone: +49 152 07190825

Moritz Möller is responsible for the processing of personal data within the meaning of the GDPR.

2. Types of Processed Data

We process the following personal data:

• Master data (name, address, email, phone number)
• Contract data (ordered services, domains, billing information)
• Payment data (e.g., credit card, SEPA, PayPal via Stripe)
• Support data (files transmitted in the course of support requests)
• Connection data (IP address, device information via Cloudflare)
• IP assignment data (which customer / VM was assigned which IP at what time, see section 9)
• Authentication data (login, signup, password reset, 2FA events, see section 9)
• Abuse reports received from third parties (see section 9)

3. Purpose of Processing

Data processing takes place for the purpose of:

• Contract fulfillment and customer communication (Art. 6 para. 1 lit. b GDPR),
• Payment processing via Stripe/PayPal (Art. 6 para. 1 lit. b GDPR),
• Technical security and delivery of our services via Cloudflare (Art. 6 para. 1 lit. f GDPR),
• Processing of support requests (Art. 6 para. 1 lit. b and f GDPR).

4. Sharing with Third Parties

a) Payment Service Provider – Stripe

Payment processing is handled by Stripe Payments Europe, Ltd. Personal payment data is transmitted on the basis of Art. 6 para. 1 lit. b GDPR.

More information: https://stripe.com/privacy

b) PayPal via Stripe

If you use PayPal through Stripe, the privacy policies of PayPal (Europe) S.à r.l. et Cie, S.C.A. also apply.

More information: https://www.paypal.com/us/webapps/mpp/ua/privacy-full

c) Cloudflare

Our infrastructure is secured by Cloudflare Inc. (USA). This includes processing your IP address. Cloudflare protects the connection (e.g., through DDoS protection) and is also used for storing support files.

We also use Cloudflare Turnstile, a bot and spam protection service, on our login and abuse-report forms. When you use these forms, Turnstile processes your IP address together with technical browser and interaction signals in order to tell human users apart from automated requests. This serves our legitimate interest in protecting our services against automated abuse, spam, and credential-stuffing attacks (Art. 6 para. 1 lit. f GDPR). Turnstile is only loaded on the relevant pages and is not used for advertising or cross-site tracking.

More information: https://www.cloudflare.com/privacypolicy/

5. Storage and Deletion

Data will be deleted as soon as it is no longer necessary for the fulfillment of the purpose, unless there are legal retention obligations. Support data is only stored for as long as necessary for processing.

6. Your Rights

You have the right:

• To information about your data (Art. 15 GDPR),
• To rectification of incorrect data (Art. 16 GDPR),
• To erasure (Art. 17 GDPR),
• To restriction of processing (Art. 18 GDPR),
• To data portability (Art. 20 GDPR),
• To object to processing (Art. 21 GDPR),
• To lodge a complaint with a data protection authority (Art. 77 GDPR).

7. Cookies and Local Storage

Our website uses only technically necessary cookies and local storage methods that are essential for the operation of the website. These are exempt from the consent requirement according to § 25 para. 2 TTDSG.

7.1 Which Technically Necessary Cookies Do We Use?

Session Cookies: These cookies store temporary information necessary for your login and use of protected areas of the website. They are deleted when you close your browser.

Cookie Banner Status: We store in your local storage the information that you have acknowledged our cookie notice so that it is not displayed to you again on every visit.

Country Detection for VAT Display: To show prices with the correct VAT setting, we read the two-letter country code that Cloudflare derives from your IP address (header cf-ipcountry) and store it in a cookie named computebox-country for 30 days. The IP address itself is not stored by us. You can change the displayed VAT setting at any time in the price view; your manual choice is then saved in your browser's local storage and overrides the auto-detection.

7.2 Optional: Marketing Cookies (Ad Conversion Tracking)

If you accept marketing cookies via our cookie banner, we use a cookie to track which advertising campaign or source you came from (e.g. ?source=google&campaign=summer in the URL). This allows us to measure the effectiveness of our advertising. The cookie is stored for 3 days and is only set when you explicitly accept marketing cookies. You can reject marketing cookies by clicking "Only necessary" in the cookie banner. No tracking takes place without your consent.

7.3 Legal Basis

The use of technically necessary cookies is based on our legitimate interest in the technically flawless operation and basic functionality of our website (Art. 6 para. 1 lit. f GDPR) as well as to fulfill the contract concluded with you for the use of our services (Art. 6 para. 1 lit. b GDPR). Marketing cookies for ad conversion tracking are based on your consent (Art. 6 para. 1 lit. a GDPR).

8. Wallet and Referral System Privacy Notice

8.1 Processing of Personal Data When Using the Wallet

When you use our wallet system, we process personal data to enable you to top up, manage, and use your wallet balance. This includes in particular:

• Customer data (e.g., name, email, customer number)
• Transaction data (e.g., top-up amounts, bonuses, redemptions)
• Usage data (e.g., date/time of wallet activity, redeemed services)

The legal basis is Art. 6 para. 1 lit. b GDPR (contract fulfillment) as well as Art. 6 para. 1 lit. f GDPR (legitimate interest in fraud prevention and system functionality).

8.2 Top-up Bonus and Promotional Credit

As part of promotions (e.g., top-up bonuses or referral programs), additional credit may be credited to your account. In this context, we process:

• Date and type of promotion (e.g., top-up amount, bonus amount)
• Technical assignment of bonus allocation to your customer account

This data is used exclusively for the correct crediting and internal traceability of bonus promotions.

8.3 Referral Program

When you refer new users through our referral program, we store:

• Your referral ID or customer identifier
• Date and result of the referral (e.g., registration, first top-up of the referred person)

This data processing is carried out for the proper execution of the referral program in accordance with Art. 6 para. 1 lit. b GDPR. The use of the program is voluntary.

8.4 Storage Period

Wallet and referral data are stored for the duration of the customer account and archived after contract termination in accordance with legal retention obligations (e.g., § 147 AO). Technical log data for bonuses or referrals are deleted after 3 years, unless there are longer legal or contractual obligations.

8.5 No Disclosure to Third Parties

The data collected through the wallet or referral program is not disclosed to third parties, unless this is legally required or necessary for contract fulfillment (e.g., tax advisors, accounting systems such as sevDesk).

9. Security Logging, Abuse Prevention and DSA Notices

9.1 IP Assignment History

To enable forensic investigation of misuse and to be able to respond to lawful information requests from public authorities (in particular law enforcement), we record every assignment, release, and reassignment of an IPv4 or IPv6 address to a virtual server. For each event we store: the IP address, the IP type, the assigned VM, the affected customer (project / user), the timestamps of assignment and release, the reason for the assignment / release, and, where applicable, the administrator who triggered the change.

Legal basis: Art. 6(1)(c) GDPR (compliance with legal obligations, in particular requests by law enforcement under §§ 100j StPO, § 113 TKG, § 14 TMG), Art. 6(1)(f) GDPR (legitimate interest in preventing and prosecuting misuse of our infrastructure and protecting the rights of third parties).

Retention: IP assignment records are stored for at least 6 months. Records older than 12 months may be deleted at our discretion unless they are part of an active investigation or subject to a longer statutory retention obligation.

9.2 Authentication Audit Log

We log security-relevant events of your customer account, namely: successful and failed login attempts, signups, password reset requests and completions, email verifications, two-factor authentication events, account bans, and admin impersonation. For each event we store: timestamp, event type, the affected user id and email (where known), the source IP address, the user-agent string, and, for failed attempts, the reason for failure.

Legal basis: Art. 6(1)(b) GDPR (provision of a secure customer account), Art. 6(1)(f) GDPR (legitimate interest in IT security and fraud prevention), Art. 32 GDPR (security of processing).

Retention: Authentication audit records are stored for at least 6 months and at most 12 months unless they form part of an active security incident or a legal proceeding.

9.3 Abuse Reports (DSA Article 16)

We operate a Notice-and-Action mechanism under Article 16 of Regulation (EU) 2022/2065 (Digital Services Act). If you submit a report via our abuse form or by email to [email protected], we will process the following personal data: your name, email address, organization (if provided), reporter role, the reported URL/IP/domain, the description of the alleged violation, any evidence and legal basis you provide, and the IP address from which the report was submitted.

Legal basis: Art. 6(1)(c) GDPR in conjunction with Art. 16 DSA (legal obligation to maintain a notice-and-action mechanism), Art. 6(1)(f) GDPR (legitimate interest in protecting third-party rights and ensuring the lawful use of our infrastructure).

Retention: Reports and the associated processing data are stored for as long as required to handle the report and any related dispute, in any case at least 12 months after closure of the matter, or longer where required by law (e.g. as evidence in a legal proceeding).

Disclosure: We may forward reports together with the relevant IP assignment data (see 9.1) and authentication logs (see 9.2) to law-enforcement agencies, competent regulatory authorities, or affected rights holders where we are legally obliged or entitled to do so.

9.4 Disposable Email Blocklist

To prevent the abusive creation of accounts with throwaway email providers, we check the domain part of the email address submitted at signup against an internal blocklist of known disposable email providers. The check is performed locally. No data is transmitted to third parties. Email addresses from blocked domains are rejected before any account is created; no personal data of rejected applicants is stored, except for the event of the rejection itself in the authentication audit log (see 9.2).

9.5 Your Rights

The rights set out in section 6 (information, rectification, erasure, restriction, portability, objection, complaint) apply in full to the data processing described in this section 9, subject only to statutory retention obligations and the necessity of keeping records for the defense of legal claims or the investigation of criminal offences.