Privacy Policy

Effective January 1, 2020.

This Privacy Policy is for Tornado VPS only and is not applicable to services provided by any of our customers.

Summary

We do not sell personal information. We share personal information with third parties during activities related to providing services on your behalf and as required by law.

Definition of Personal Information

Personal information we interact with includes the following:

• Name
• Email address
• Phone number
• Physical address
• Cryptographic public keys, when they are associated with other personal information
• IP address used to access our own services, when it is associated with other personal information

How We Do Not Use and Share Information

• We do not use third-party analytics on our website.
• We do not use third-party advertising partners to show ads on our services.
• We do not collect or pay for additional information about you from third-party sources.
• We do not provide any personal information to third parties for advertising or marketing purposes.
• When we use third-party advertising services, we will not use personally targeted ads except based on the current keyword search, location, and professional demographics.
• We do not attempt to collect or analyze any content from customer-administered services, except as needed to handle actual or potential Acceptable Use Policy violations or as required by law.
• We will not share personal information for research purposes.
• We will not share aggregated information if the information is derived from personal information and identifies fewer than 100 customers.

Information We Collect

We may routinely store and access:

• Any personal data provided to us during account registration or via subsequent billing account updates. We need this information to bill you for service, to verify your identity when requesting account recovery, and to supply service related notifications.
• Any information provided to us while creating or modifying a service, including but not limited to: operating system to install, cryptographic public keys to associate with the service, coupons, referral codes, and service hostname.
• Financial records, including but not limited to: amounts, unique identifiers, third-party account information, and times of such transactions. These are required business records.
• Customer support requests, abuse reports, and pre-sale inquiries, including the content and metadata such as email address and mail headers.
• The IP address, time, cryptographic public key, username, operating system, browser, URL, cookies, or MAC address used to log into or access any services we control. We use this data to find fraudulent use, protect the security of our services, and to debug or improve our services. An example use is debugging extremely high system load from a web server, or using self-hosted analytics to determine how users are interacting with our services.
• Legal requests made to us, such as notifications of unlawful activity or Digital Millennium Copyright Act (DMCA) complaints.
• Information needed to verify the accuracy of reports of Acceptable Use Policy (AUP) violations.
• Information needed to determine if an Acceptable Use Policy violation has been resolved, such as whether a given URL still returns data.
• Service-related statistics, including but not limited to the amount of CPU, disk, and network usage, uptime, and time of reboots. We use this to detect potential security incidents, and to debug, maintain, and improve our services.
• IRC chat logs of #tornadovps on the OFTC IRC network.
• Mailing list activity for any mailing lists we control.
• Survey results from surveys we administer.

We routinely store but do not access:

• A timestamped log of when an action has been performed on a service, including but not limited to starting and stopping the service or performing a reinstall. This may be used retrospectively if we are informed of fraudulent account access, or to debug or improve our own services. An example of when we would use this information is if we receive an automatic notification telling us of a service-related job failure.
• Partial packet captures for the purpose of collecting network traffic metadata, such as: source and destination IP address, source and destination MAC address, packet size, packet protocol, protocol ports. We use this to detect fraudulent use and security incidents, and to debug and improve our own services. Example uses are debugging why there was packet loss 5 minutes ago, despite there being no current packet loss, or to aid in determining if an abuse report is legitimate.
• Failed name server lookup requests made via one of our recursive domain name service (DNS) resolvers. This is used for debugging only.
• The data on a virtual machine's block device. Other than the files initially used to boot a service such as a bootloader, kernel, and initramfs, you can encrypt this data using the virtual machine's own resources.

We collect only as needed:

• Full packet capture of network traffic. We collect this only if we are required to by law, in the unlikely case we need the information to debug an active degradation or loss of network service, or if a customer positively reports that they are not generating abusive traffic after we notify them of an abuse report and we continue to receive abuse reports after that time.
• Whois or DNS lookups for domains associated with services. This is to detect fraudulent use and security incidents, to aid us while performing customer support, or for debugging.
• Port scans. This is primarily used when debugging or if necessary to continue provide service. For example, we have used port scans to guess at the operating system running on a service so that the service could be handled appropriately during infrastructure updates.
• Service serial console logs, when we are debugging on your behalf or when a service fails to bring up its network interface after we start it and we are not aware that this is an expected state.
• Information about networking services that we preinstall, including but not limited to ssh. For example, we have collected service ssh public keys to determine if they are known to be vulnerable or otherwise compromised.

We may additionally collect any information you request us to collect regarding your own services.

How We Use Information

• We use the personal information you give us to provide services and account access.
• We will contact you via the contact information you provide to us regarding invoices and other information specifically related to your service or business relationship with us.
• At your request, we may separately contact you informing you of new service offerings or promotions.
• We publicly publish DNS entries that include service hostnames.
• We use information to satisfy customer support requests, and to prevent customer support requests by proactively debugging and fixing loss or degradation of service.
• We may analyze or otherwise internally use information to debug, operate, and improve our own services.
• We may analyze information to detect fraudulent use or security incidents.
• If we're provided a referral code during service signup, we may use it to notify or credit the referrer.
• If you request us to collect information about your own services, we may share with you the collected information or an analysis of that information.
• We access virtual machine block devices only as needed to perform explicitly requested actions on the service, to allow the service to boot, or when upgrading a service. Examples of requested actions are a service downgrade or a conversion between different virtualization technologies. An example of processing data storage to allow the service to boot is accessing or modifying bootloader related configuration files when the bootloader configuration file on the block device does not result in a running service.
• We review, use, and retain financial records to determine if we were paid and to provide refunds.
• We use information provided to us to calculate our tax liability and otherwise comply with any legal requirements.
• Abuse reports or legal complaints sent to us may be forwarded unredacted to the contacts for the service unless we are explicitly requested not to.
• Abuse reports or legal complaints may be used as evidence of violations of our Acceptable Use Policy.
• We may notify you of potential security problems with your services, though we assume no liability from failing to notify you. For example, this may occur if a third party informs us of a potential issue, if we recognize out of date software when viewing serial console logs, or if incidental to other debugging, we discover network traffic that is likely associated with a compromised system.

How We Share Information

• The service hostname and the associated IP addresses are shared publicly because there are domain name entries that include the service hostname. These are provided for the convenience of the customer and to aid us while operating and debugging our own services.
• We may share a subset of personal information with non-merchant gateways, such as Paypal, when you use the non-merchant gateway to pay us. This is so that the payment checkout forms can be pre-filled.
• We share financial records with third-party financial services, such as banks and accounting services. We do this for legal compliance and for internal business analytics.
• We may share relevant non-personal information when reporting software or hardware bugs, such as what software we believe to be running on a service.
• We will share information with contractors whom we have hired to perform services on our behalf, including, but not limited to, customer support. These contractors access our systems directly on an as-needed basis and do not maintain separate data copies outside of equipment we own.
• We will share information as explicitly requested by you.
• Any information you have provided to us or that we would share with the primary account holder, we may share with any additional contacts you have designated in your account. For example, if you add someone as a contact to your account and they write back to us asking why we are contacting them about a service, we may share your personal information with them.
• We may share aggregated information, such as the number of customers who purchase a service, the number of customers in a specific industry or profession, or the number of customers in a geographic location.
• If you sign up using a referral code, the person providing the referral code may be informed of this.
• We share information as required by law.
• We will share relevant information when reporting known or suspected unlawful activity to law enforcement.
• If the business or business assets are sold, all personal information will be transferred to the new owners. You will be notified if none of the current owners of Tornado VPS retain majority ownership of the business assets.

California Consumer Privacy Act

To request personal data deletion, or if you have any questions or concerns about our Privacy Policy, please contact us via email at support@tornadovps.com or you may write us at:

Tornado VPS, Inc.
705 S. Mustang Rd. #300
Yukon, OK 73099

Much of the personal information we have about you can be accessed at will from your account at TornadoVPS.com. Otherwise, you may request for us to provide any personal information we have about you up to twice in a 12 month period. We will not reidentify or link data that we would not normally recognize as your personal data in order to satisfy this request. We will verify your identity before doing so.

You may ask us to delete personal information, which we will comply with as able unless we need to retain the information for a legitimate business purpose, such as but not limited to: preventing future fraud, detecting security incidents, debugging our own services, complying with legal requirements, or providing service. We will verify your identity before deleting personal information. We will retain records of requests for a time period no less than 24 months. We will not delete personal information from backups, but will re-perform the request if a backup must be restored.

We will not discriminate against you if you exercise these rights.

Children's Privacy

If you are under the age of 13 you are prohibited from using our services. If you are made aware of a child accessing our services, please write support@tornadovps.com.

Additional Information

• When you contact Tornado VPS via phone, you may be in contact with a third-party provider contracted to perform services on our behalf rather than interacting directly with a Tornado VPS employee.
• We may delegate non-technical customer support to a third party provider.
• Cookies are required for using some of our services, such as our billing system. These cookies are used only with our own systems and are only used as needed for the service to operate.
• In the event that you access any third-party services through our site, we are not responsible for their privacy policies.

Changes to this Privacy Policy

This is a living document, which we shall adjust based on the needs and wants of ourselves and our customers. If this document is amended, it will be posted at https://TornadoVPS.com/privacy, and we will send email notifications to any address associated with any active, non-fraudulent account in our billing system should those amendments change the meaning of the document. For future changes, we will additionally provide a public log of these changes in a unified diff format at https://TornadoVPS.com/privacy-changelog.txt.

By continuing to use our services, you agree that you consent to this most recent Privacy Policy. If customers wish to terminate a long term contract because of an amendment to this document, any early termination fees will be waived, and the customer will be given a prorated refund based on time used.