Privacy Policy.

1. Identity of the data controller

1.1. The data controller for the purposes of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Slovenian ZVOP-2 (Personal Data Protection Act 2023) implementing the GDPR is:

BIG BOX Hosting d.o.o.
Trg republike 3, Floor 2
Ljubljana 1000, Slovenia
Slovenian Business Register (AJPES): [VERIFY: Jxx/xxxxx/2002]
VAT identification number: [VERIFY: SIxxxxxxxx]
Email: [email protected]

1.2. The Data Protection Officer ("DPO") for BIG BOX Hosting d.o.o. is reachable at [email protected]. The DPO operates with the independence and reporting line described in GDPR Article 38, reports directly to the founder, and is operationally separate from customer-facing functions.

1.3. The supervisory authority for personal data processing by BIG BOX Hosting d.o.o. is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal ("Information Commissioner"), 28-30 G-ral. Gheorghe Magheru Bd., Sector 1, Ljubljana 010336, Slovenia. Data subjects have the right to lodge a complaint with Information Commissioner under GDPR Article 77 if they consider that processing of their personal data infringes the GDPR.

2. Scope of this Policy

2.1. This Policy applies to personal data processed by BIG BOX Hosting d.o.o. in the following contexts:

• Visitors to the website at bigboxhosting.com and its subdomains;
• Prospects and customers entering into a contract with BIG BOX Hosting d.o.o. for any of the services described on this website;
• Recipients of email communications sent through customer infrastructure operated by BIG BOX Hosting d.o.o., to the limited extent set out in section 4;
• Individuals who contact BIG BOX Hosting d.o.o. through any of the published email addresses for support, security disclosure, procurement, or general inquiry.

2.2. This Policy does not apply to personal data that BIG BOX Hosting d.o.o. processes solely as a processor on behalf of a customer who is the controller of that data. Such processing is governed by the Data Processing Agreement (DPA) entered into between BIG BOX Hosting d.o.o. and the customer, in accordance with GDPR Article 28. Data subjects whose personal data is processed under a customer's DPA should contact the customer (the controller) directly to exercise their rights.

2.3. The DPA template is published at /trust/ and is available on request.

3. Categories of personal data processed

3.1. BIG BOX Hosting d.o.o. processes the following categories of personal data:

3.1.1. Account and contract data. Name, email address, postal address, telephone number, company name, VAT identification number, billing currency, and contract reference. Collected when a prospect requests a quote, when a contract is signed, and updated by the customer through the customer dashboard.

3.1.2. Usage and operational data. Server access logs (timestamp, source IP address, requested resource, user-agent string), MTA delivery logs (timestamp, sender envelope address, recipient envelope address, message-id, SMTP response code, disposition), API access logs (timestamp, API key identifier, endpoint, HTTP status code), and infrastructure monitoring metrics (CPU, memory, disk, network throughput per virtual machine).

3.1.3. Customer message content. Email messages submitted by customers to our infrastructure for delivery to recipients pass through our MTA. Message envelope (sender, recipient, message-id) and headers are logged for the retention periods set out in section 5. Message bodies are processed only to the extent required for delivery (DKIM signing, DMARC alignment checks, bounce parsing). Message bodies are not retained after delivery is confirmed or after final disposition is recorded for non-deliverable messages.

3.1.4. Payment data. When customers pay by card or by SEPA direct debit, payment information is handled by Mollie B.V. (our payment sub-processor, see section 7). BIG BOX Hosting d.o.o. retains only the records required for invoicing and fiscal compliance: invoice number, invoice amount, payment date, payment method (e.g. "Visa **** 1234"), and the customer reference. We do not retain primary account numbers (PAN), CVV codes, or other sensitive payment data.

3.1.5. Communication and support data. Email correspondence between BIG BOX Hosting d.o.o. and prospects, customers, security researchers, and other third parties, retained to the extent required to provide ongoing support and to comply with legal obligations. Communications classified under attorney-client privilege or similar legal privilege are handled separately and are not retained in standard support systems.

3.1.6. Website navigation data. The website at bigboxhosting.com uses no third-party analytics scripts, no marketing tracking cookies, no cross-site tracking pixels, and no third-party JavaScript loaded from CDN providers outside the EU. The website uses a single first-party session cookie required for the customer dashboard. Server logs collect the standard fields (timestamp, source IP address, requested URL, user-agent, response code) and are retained according to section 5.

4. What we deliberately do not process

4.1. The following categories of processing are not performed by BIG BOX Hosting d.o.o. as a matter of operational policy:

• Inspection of customer message body content for any purpose other than delivery (no content-based analytics, no derived dataset for product training, no spam-classifier training on customer content);
• Marketing tracking of website visitors through third-party analytics platforms (no Google Analytics, no Adobe Analytics, no Mixpanel, no Segment, no equivalent);
• Cross-device or cross-site tracking through advertising identifiers, browser fingerprinting, or similar techniques;
• Sale, rental, or licensing of personal data to third parties for marketing or any other purpose;
• Profiling that produces legal or similarly significant effects on the data subject within the meaning of GDPR Article 22.

4.2. The architectural decision underpinning section 4.1 is documented in the founder's note (/about/) and reflected in the sub-processor list (/trust/#subprocessors).

5. Legal basis and retention periods

5.1. BIG BOX Hosting d.o.o. processes personal data on the legal bases set out in GDPR Article 6 as follows:

5.2. Where the legal basis is consent under Article 6(1)(a), the data subject may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal. Withdrawal mechanisms are described in section 8.

5.3. Where the legal basis is legitimate interests under Article 6(1)(f), the relevant legitimate interest is documented in our internal Records of Processing Activities (ROPA) maintained pursuant to GDPR Article 37. The ROPA is available for Information Commissioner inspection on request and summarised on request to the DPO.

6. Recipients of personal data

6.1. Internal access. Personal data is accessible to BIG BOX Hosting d.o.o. employees and contractors strictly on a need-to-know basis. Access to production systems is restricted to a named operations team (currently five engineers), with hardware-token multi-factor authentication, audit logging, and quarterly access matrix review. Access controls are described in detail at /trust/#technical.

6.2. Sub-processors. The complete and current list of sub-processors that may process personal data on behalf of BIG BOX Hosting d.o.o. is published at /trust/#subprocessors. All sub-processors are bound by Data Processing Agreements containing the safeguards required by GDPR Article 28. All sub-processors are domiciled in the European Union or in jurisdictions that have received an adequacy decision from the European Commission. Customers are notified of any intended change to the sub-processor list at least 30 days before the change takes effect.

6.3. Public authorities. Personal data may be disclosed to public authorities (Slovenian or, where applicable, foreign EU member state authorities) only in response to a lawful order issued by a competent court of the relevant jurisdiction, in accordance with Slovenian law and the GDPR. BIG BOX Hosting d.o.o. does not respond to unilateral requests from non-EU authorities. Foreign government requests must be channelled through Mutual Legal Assistance Treaty (MLAT) procedures via the Slovenian Ministry of Justice. The architecture and reasoning behind this position are documented at /trust/#corporate.

6.4. No sale or rental. BIG BOX Hosting d.o.o. does not sell or rent or license or otherwise transfer personal data to third parties for marketing or advertising or any other commercial purpose, in any circumstance.

7. International data transfers

7.1. BIG BOX Hosting d.o.o. processes personal data exclusively within the European Economic Area and Switzerland. Customer data is hosted on infrastructure across five jurisdictions — Slovenia plus Luxembourg plus Switzerland plus Iceland plus Sweden. Of these, four (Slovenia, Luxembourg, Sweden, Iceland) are within the EEA. Switzerland is a third country in respect of which the European Commission has adopted an adequacy decision under GDPR Article 45.

7.2. No customer personal data is transferred outside the EEA or Switzerland in the normal course of our service operation.

7.3. No personal data is transferred to the United States or the United Kingdom or Canada or any other third country that does not benefit from a current EU adequacy decision. The corporate structure of BIG BOX Hosting d.o.o. is engineered to make this position structurally enforceable rather than contractually aspirational, and the reasoning is set out in the founder's note (/about/#not-us).

7.4. Where a customer requests, by exception, that BIG BOX Hosting d.o.o. process their personal data outside the jurisdictions named in section 7.1, such processing is subject to a separate written agreement, the EU Standard Contractual Clauses (Implementing Decision 2021/914), and any additional safeguards required by the specific transfer.

8. Data subject rights

8.1. Under GDPR Articles 15 to 22, data subjects have the following rights with respect to their personal data processed by BIG BOX Hosting d.o.o.:

8.1.1. Right of access (Article 15). Confirmation of whether personal data concerning the data subject is being processed, and access to that data together with the information required by Article 15(1).

8.1.2. Right to rectification (Article 16). Correction of inaccurate personal data and completion of incomplete personal data.

8.1.3. Right to erasure (Article 17). Deletion of personal data in the circumstances set out in Article 17(1), subject to the exceptions in Article 17(3) (including legal obligations and the establishment, exercise, or defence of legal claims).

8.1.4. Right to restriction of processing (Article 18). Restriction of processing in the circumstances set out in Article 18(1).

8.1.5. Right to data portability (Article 20). Receipt of personal data provided to BIG BOX Hosting d.o.o. in a structured, commonly used, and machine-readable format, and transmission of that data to another controller where technically feasible.

8.1.6. Right to object (Article 21). Objection at any time to processing based on Article 6(1)(f) legitimate interests, on grounds relating to the data subject's particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

8.1.7. Rights related to automated decision-making (Article 22). The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. BIG BOX Hosting d.o.o. does not perform such automated decision-making.

8.2. How to exercise these rights. Requests under any of the rights in section 8.1 should be directed to [email protected]. We will respond within 30 days of receipt of a request, in accordance with GDPR Article 12(3). Where a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request, as permitted by Article 12(5). We may request additional information necessary to confirm the identity of the data subject, in accordance with Article 12(6).

8.3. Right to lodge a complaint. Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular Information Commissioner (Slovenia) or the supervisory authority of the EU member state of the data subject's habitual residence, place of work, or place of the alleged infringement.

9. Security measures

9.1. BIG BOX Hosting d.o.o. implements technical and organisational measures appropriate to the risk presented by the processing, in accordance with GDPR Article 32. The current set of measures is documented at /trust/#technical and includes encryption at rest (LUKS / AES-256-XTS), encryption in transit (TLS 1.3 minimum on customer-facing endpoints), multi-factor authentication for production access, audit logging on append-only storage in a separate jurisdiction from production data, weekly vulnerability scanning, and incident response runbooks tested twice annually.

9.2. In the event of a personal data breach within the meaning of GDPR Article 4(12) that is likely to result in a risk to the rights and freedoms of natural persons, BIG BOX Hosting d.o.o. will notify Information Commissioner without undue delay and where feasible within 72 hours of becoming aware of the breach, in accordance with Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the affected data subjects will be notified without undue delay in accordance with Article 34.

10. Changes to this Policy

10.1. BIG BOX Hosting d.o.o. may update this Policy from time to time to reflect changes in our processing practices, legal obligations, or business operations. Material changes will be communicated to customers by email at least 30 days before the change takes effect. Non-material changes (clarifications of language, correction of typographical errors, addition of contact details) will be reflected in the version number and date at the top of this document and at /trust/.

10.2. Previous versions of this Policy are retained internally and are available on request to the DPO.