Game Hosting
VPS
Docs
Company
Try Pyro

Privacy Policy

Effective Date: July 14, 2026
Last Updated: June 14, 2026

1. Introduction

Pyro Inc. ("Pyro," "we," "us," or "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our cloud hosting services at pyro.host and related platforms.

Data Controller Information

Pyro Inc.
1604 Philadelphia Pike, Suite 63
Wilmington, DE 19809
United States
Email: legal@pyro.host

For all data-protection and DSA matters, including inquiries from data subjects and supervisory authorities, you can contact us directly at legal@pyro.host. Where we designate a representative or point of contact for a particular region, we will publish those details in the relevant section below.

2. Scope and Application

This Privacy Policy applies to all Pyro services, including multiplayer server hosting, Virtual Private Servers (VPS), web hosting, database hosting, and related management interfaces. It covers both our website and service platforms. This policy describes how we process personal data and the legal bases on which we rely (see Section 4). Where processing requires your consent, for example, non-essential cookies, marketing analytics, or targeted advertising, we obtain that consent separately where required by applicable law. Continued use of our services does not, by itself, constitute consent to optional processing, and you may withdraw consent at any time as described in Section 8.

Our Role: Controller and Processor. We act as a controller for the personal data for which we determine the purposes, such as your account, billing, support, website-visitor, marketing, and controller-side analytics data. That processing is governed by this Privacy Policy. For the end-user data that you, as our customer, store on or transmit through the servers and services you host with us, we act as a processor or subprocessor (and, under U.S. state privacy laws, a service provider, contractor, or processor as applicable) that processes such data only on your instructions; in that role you or your customer are responsible for providing your own privacy notice to, and obtaining any required consents from, your end users. This Privacy Policy does not govern that customer-controlled data; your own privacy notice and any data processing terms that apply to your use of the services do.

3. Information We Collect

3.1 Information You Provide Directly

Account Information

  • Email address, username, and chosen password
  • Contact information including name, billing address, and phone number
  • Date of birth or age range where needed for eligibility, parental-consent, or minor-privacy compliance
  • Payment information processed by Stripe and PayPal (we do not store complete payment card details)
  • Communication preferences and account settings

Identity Verification

  • For users under 18 where verifiable parental consent or authorization is required: parental-consent records, which depending on the verification method we use may include a signed consent form, a notarized affidavit, government-issued identity verification through our designated provider, and guardian contact information (see Section 3.1 of our Terms of Service)
  • For business accounts: tax identification numbers and business verification documents
  • Government-issued identification when required for compliance purposes

Service Configuration Data

  • Server configurations, custom settings, and user preferences
  • Support tickets, chat logs, and communications with our team
  • User-generated content uploaded to the services you host is processed only on your behalf as a processor and is addressed by the controller/processor split described in Section 2, not by this Section

Required and Optional Information

Email, username, password, billing details, payment-processing information, and service configuration data are generally necessary to create and perform your contract with us. Date of birth, age range, parental-consent information, tax information, business verification information, or identity-verification information may be required where needed for eligibility, invoicing, tax, fraud-prevention, safety, or legal compliance. If you do not provide required information, we may be unable to create an account, provision services, process payments, verify eligibility, or comply with legal obligations. Optional profile, preference, survey, and marketing information may be withheld without affecting core service access.

3.2 Information Collected Automatically

Service Usage Data

  • Server performance metrics, resource utilization patterns, and access logs
  • Application usage statistics, connection data, and performance metrics
  • API usage patterns, system interactions, and service optimization data
  • Service uptime monitoring and availability metrics
  • Referral and affiliate attribution data, including referral code, landing URL, UTM parameters, and IP-derived request metadata used for attribution, fraud prevention, and commission tracking

Device and Connection Information

  • IP addresses, browser type and version, operating system, and device identifiers
  • Connection timestamps, session duration, and approximate geographic location
  • Referral sources, page navigation patterns, and feature usage analytics
  • Network diagnostic information and connectivity quality metrics

Cookies and Tracking Technologies

  • Essential cookies for authentication, session management, and security
  • Analytics cookies via Google Analytics and PostHog for usage insights
  • Advertising cookies through Google Ads for marketing optimization
  • Referral and affiliate attribution cookies, including WHMCSAffiliateID for up to seven (7) days and pyro_ref for up to thirty (30) days, where you arrive through an affiliate or referral parameter
  • Preference cookies for interface customization and user settings

3.3 Information from Third Parties

  • Payment processing data from Stripe and PayPal for transaction handling
  • Security monitoring data from our infrastructure partners and DDoS protection services
  • Datacenter access logs and facility security information from hosting providers
  • Identity verification information from compliance and fraud prevention services

Some of the information in this Section comes from third parties rather than from you directly, including the payment processors, security and infrastructure partners, and identity-verification and fraud-prevention providers identified in Section 6. Where we obtain personal data about you from such sources, we will, where required, inform you of the source within a reasonable period after obtaining it.

4. Legal Basis for Processing (GDPR Article 6)

For users in the European Economic Area, United Kingdom, and Switzerland, we process personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b))

  • Providing hosting services, account management, and customer support
  • Processing payments, billing operations, and subscription management
  • Service delivery, maintenance, and technical support

Legitimate Interests (Article 6(1)(f))

  • Security monitoring, fraud prevention, and abuse detection (our interest in protecting the security and integrity of our network, our customers, and third parties)
  • Service improvement, analytics, and performance optimization (our interest in understanding and improving our services)
  • Internal business operations and financial management (our interest in administering and running our business)
  • Postal and email marketing to our existing customers about similar services (our interest in promoting our services), being the "soft opt-in," subject at all times to an unconditional right to object

In each case we balance these interests against your rights and freedoms, and you may object as described in Section 8.2.

Legal Obligations (Article 6(1)(c))

  • Tax compliance, accounting requirements, and financial reporting
  • Data protection law compliance and regulatory obligations
  • Responding to legal process, government requests, and law enforcement

Consent (Article 6(1)(a))

  • Non-essential cookies, marketing analytics, and targeted advertising
  • Electronic direct marketing to prospects and other marketing communications where opt-in consent is required by applicable law
  • Sharing of online identifiers with advertising partners for cross-context behavioral advertising and remarketing
  • Processing of special categories of data with explicit consent

Children and the Age of Digital Consent (Article 8)

Where we rely on consent to provide an information society service offered directly to a child below the applicable age of digital consent, that processing is lawful only with the authorization of a person holding parental responsibility. The age of digital consent ranges from 13 to 16 across EU/EEA member states (and is 13 in the United Kingdom). We make reasonable efforts to verify parental authorization and will not knowingly provision services to a child below the applicable age without it. See Section 10 and Section 3.1 of our Terms of Service.

5. How We Use Your Information

5.1 Service Provision and Management

  • Creating, managing, and securing your account and services
  • Providing, maintaining, and improving our hosting infrastructure
  • Processing payments, managing billing, and handling subscription changes
  • Delivering customer support, technical assistance, and account communications

5.2 Security and Compliance

  • Monitoring for security threats, unauthorized access, and fraudulent activity
  • Implementing access controls, authentication measures, and data protection
  • Complying with legal obligations, regulatory requirements, and industry standards
  • Enforcing our Terms of Service and Acceptable Use Policy, including the prohibited activities in AUP Sections 3 and 4

5.3 Analytics and Service Improvement

  • Analyzing usage patterns, performance metrics, and user behavior
  • Conducting research and development for new features and capabilities
  • Optimizing infrastructure performance, reliability, and user experience
  • Understanding customer needs, preferences, and satisfaction levels

5.4 Communication and Marketing

  • Sending service notifications, maintenance alerts, and account communications
  • Providing customer support, technical guidance, and educational resources
  • Sharing product updates, feature announcements, and promotional offers with your consent or where otherwise permitted by applicable law, subject to your right to opt out
  • Conducting surveys, collecting feedback, and responding to inquiries

5.5 Automated Decision-Making and Profiling

We use limited automated processing, for example, to detect fraud and abuse and to screen for prohibited content. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing: a person reviews adverse account actions before they become final, consistent with the manual review and graduated enforcement described in our Acceptable Use Policy (AUP Section 4.1 and Section 5). You have the right to obtain human review of, to express your point of view on, and to contest such decisions (GDPR Article 22), and residents of states such as Virginia, Colorado, and Connecticut may opt out of profiling in furtherance of decisions producing legal or similarly significant effects.

6. Information Sharing and Disclosure

6.1 Service Providers and Partners

We share information with trusted third parties who assist in service delivery:

  • Payment Processors: Stripe and PayPal for secure payment processing and fraud prevention
  • Analytics Providers: Google Analytics and PostHog for usage analytics and service optimization
  • Advertising Partners: Google Ads (Google LLC) for cross-context behavioral advertising, remarketing, and advertising measurement. We share only online and cookie-based identifiers and pseudonymous audience and usage data with this partner; we do not share your account credentials, payment details, or the content you host. This relationship is distinct from our use of Google Analytics, and under the CPRA it constitutes "sharing." See Section 6.5 and Section 8.3 for your right to opt out.
  • Security Partners: Third-party DDoS protection providers (currently including TCPShield) when advanced mitigation is needed
  • Infrastructure Partners: Datacenter operators for physical security, connectivity, and facility management
  • Communication Services: Email and messaging providers for customer communications and support
  • Referral and Affiliate Services: Pyro's referral and partner services, including partners.pyro.host, for referral attribution, fraud prevention, and commission tracking

All third-party processors are contractually bound to protect your information and use it only for specified purposes under data processing agreements or equivalent written data-protection terms.

Infrastructure Partners and Security Partners may act as our sub-processors of customer-stored data. This Section identifies the categories of sub-processors we use, but it is not a complete named sub-processor list. For customers who are controllers, we will provide available sub-processor information on request and, where you have an active controller relationship with us, notify you of material changes so that you may object on reasonable data-protection grounds, as set out in any applicable data processing terms. Communication Services may also act as our sub-processors to the extent they transmit or store customer content on your behalf. By contrast, our Payment Processors, Analytics Providers, Advertising Partners, and Referral and Affiliate Services process controller-side data that we determine, and are not sub-processors of the data you store with us.

6.2 Legal Requirements and Protection

We may disclose information when required by law or to protect legitimate interests:

  • Compliance with legal process, court orders, subpoenas, and government requests
  • Protection of our rights, property, and safety, and that of our users and the public
  • Prevention and investigation of fraud, security threats, and illegal activities
  • Enforcement of our agreements, policies, and terms of service

6.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice of any such transfer and ensure continued protection under this Privacy Policy or a successor policy with equivalent protections.

6.4 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for business purposes, research, or industry analysis.

6.5 Sale and Sharing of Personal Information

We do not sell your personal information for money, and we do not engage in data brokerage. We do not rent or otherwise disclose your personal information to third parties for those parties' own independent marketing purposes.

However, our use of Google Ads remarketing may involve disclosing online identifiers to an advertising partner to deliver advertising across other websites and services. Under the California Privacy Rights Act (CPRA), this may constitute "sharing" for cross-context behavioral advertising (Cal. Civ. Code § 1798.140(ah)), and certain other state laws may treat it as a "sale" or "targeted advertising." You have the right to opt out of this sharing at any time where applicable law grants that right. You may exercise this right through the cookie or privacy controls we make available, by emailing legal@pyro.host, or by submitting a request at portal.pyro.host. Where our website detects a legally required opt-out preference signal, we treat it as an opt-out request for that browser or device, and where you are logged in we also apply it to your account where applicable law requires.

7. Data Storage and Security

7.1 Data Centers and Infrastructure

Your service data is stored in the service region selected or assigned for your plan, as shown at checkout, in the account dashboard, or in service documentation. Available regions may change over time as we add, remove, or modify infrastructure locations.

Some ancillary processing, such as billing, support, monitoring, anti-abuse, backups, security tooling, and DDoS mitigation, may occur outside the selected service region under the safeguards described in Section 9. Region selection is intended to support latency and operational preferences; it is not a guarantee that all personal data will remain only in that region unless we expressly agree otherwise in writing.

7.2 Security Measures

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS for Pyro-managed web, API, billing, and control-panel connections where supported, with current production configurations generally using TLS 1.2 or higher; where supported by the service, data at rest is encrypted using industry-standard encryption such as AES-256 (for unmanaged services, encryption within customer-controlled volumes, databases, applications, game protocols, and other customer-controlled traffic is the customer's responsibility)
  • Multi-factor authentication and role-based access controls for administrative systems where applicable
  • Periodic security assessments and vulnerability management covering Pyro's own infrastructure (this does not extend to content, applications, or configurations you deploy, which remain your responsibility)
  • DDoS protection, network monitoring, and intrusion detection and alerting where appropriate
  • Physical security controls and environmental monitoring at datacenter facilities
  • Confidentiality obligations binding personnel and contractors with access to customer data or production infrastructure, access management, security training, and, where appropriate and permitted by applicable law, background screening of personnel in sensitive roles

7.3 Data Retention

  • Service Data: Retained for up to six (6) months after service termination to allow for account reactivation, billing and chargeback reconciliation, and dispute handling, and deleted earlier on request, subject to legal-hold or legal-obligation exceptions
  • Analytics Data: Visitor analytics collected through Google Analytics and PostHog are retained according to the retention controls configured in those tools, which we set to no more than fourteen (14) months.
    • For account holders, identifiable analytics data (such as IP addresses and device or session identifiers tied to a user) is deleted or irreversibly anonymized within six (6) months of service termination, consistent with Service Data.
    • Only data that has been truly and irreversibly anonymized, so that it can no longer be attributed to you, may be retained for up to twelve (12) months for statistical analysis, after which it is purged.
    • Where irreversible anonymization is not feasible, the data is deleted within thirty (30) days. Pseudonymized or otherwise reversible data continues to be treated as personal data.
  • Children's Data: If a parent or guardian withdraws consent, or if we discover that we hold personal data of a user below the applicable minimum age, we delete that data promptly and in any event within thirty (30) days, subject only to legal-hold or legal-obligation exceptions.
  • Account Data: Core account and billing records retained as required by tax, accounting, and regulatory obligations (generally up to seven (7) years)
  • Fraud Prevention: Certain data may be retained for up to twenty-four (24) months, in anonymized or minimized form where practicable, where necessary to detect and prevent repeat fraud, chargeback abuse, and security incidents that recur over multi-month cycles
  • Legal Obligations: Data subject to a legal hold or a specific legal, regulatory, or legal-process requirement is retained only for as long as, and to the extent, that requirement applies

You may request immediate data deletion by submitting a ticket at portal.pyro.host or emailing support@pyro.host, subject to legal and regulatory retention requirements.

8. Your Privacy Rights

8.1 Universal Rights

You have the right to:

  • Access and review your personal information through your account dashboard
  • Update, correct, and modify inaccurate or incomplete information
  • Export your data in machine-readable formats for portability
  • Manage cookie preferences through your browser settings
  • Opt out of marketing communications via unsubscribe links or account preferences

8.2 GDPR and UK GDPR Rights (EU/UK Residents)

Under the General Data Protection Regulation, you have additional rights:

  • Right of Access: Request copies of your personal data and information about our processing activities
  • Right to Rectification: Correct inaccurate or incomplete personal information
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we process your data under certain circumstances
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent: Withdraw consent for processing based on consent at any time
  • Rights Relating to Automated Decision-Making: Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and to obtain human review of, and to contest, such a decision (see Section 5.5)

Direct marketing. You have the absolute right to object at any time, free of charge, to our use of your personal data for direct marketing, including any related profiling. If you object, we will stop. Use the unsubscribe link in any marketing message or email legal@pyro.host.

Unmanaged Service Limitations. As an unmanaged infrastructure provider, our access to customer data is limited to legitimate support, security, system administration, and maintenance purposes. We do not provide managed data services. Data portability and access requests relating to content stored within customer-controlled systems may require your cooperation to retrieve. This limitation does not affect the account-level rights and obligations we administer directly, including those relating to registration data, age verification, and parental consent (see Section 3.1 of our Terms of Service).

To exercise these rights, contact legal@pyro.host. We will respond without undue delay and in any event within one month of receipt. Where a request is complex or we receive a number of requests, we may extend this period by up to two further months; in that case we will inform you of the extension and the reasons for it within the first month. We may request information reasonably necessary to verify your identity before acting on a request.

Swiss Residents. Swiss residents have rights under the Swiss Federal Act on Data Protection that are broadly similar to the access, correction, objection, and deletion rights described above. To exercise those rights, contact legal@pyro.host. Where Swiss law requires a representative or additional transfer safeguards, we will provide them before relying on this Privacy Policy for affected Swiss data subjects.

8.3 California Privacy Rights (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act:

  • Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and share
  • Right to Delete: Request deletion of personal information, subject to the exceptions enumerated in Cal. Civ. Code § 1798.105(d) (for example, completing a transaction you requested, detecting security incidents or fraud, complying with a legal obligation, exercising or defending legal claims, or certain compatible internal uses)
  • Right to Correct: Request correction of inaccurate personal information in our records
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information for money, but our use of Google Ads remarketing may constitute "sharing" for cross-context behavioral advertising under the CPRA. You have the right to opt out of this sharing by emailing legal@pyro.host, submitting a request at portal.pyro.host, using the cookie or privacy controls we make available, or sending a legally required opt-out preference signal where our website detects it
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Limit Sensitive Personal Information: Request limitations on the use of sensitive personal information

Sensitive Personal Information. The sensitive personal information (SPI) we collect may include government-issued identification and identity-verification documents, business and tax-verification information, account login credentials, date of birth or age range, and parental-consent documentation. We use this SPI solely for the purposes permitted by Cal. Civ. Code § 1798.121(a), namely identity verification, parental-consent verification, providing and securing the services, fraud prevention, and compliance with child-safety and eligibility obligations, and not to infer characteristics about you. We obtain consent where required by applicable state law. Because we do not use SPI beyond these permitted purposes, we are not required to offer a separate "Limit the Use of My Sensitive Personal Information" link; we will provide one if our use ever changes.

California and State Privacy Category Notice. In the preceding twelve (12) months, we may have collected the categories of personal information described in Sections 3.1 through 3.3, including identifiers, customer records information, commercial information, internet or electronic network activity, approximate geolocation, account credentials, government identification or other verification information, and inferences drawn from service usage. We do not sell personal information for money. The only category we share for cross-context behavioral advertising is online identifiers and internet or electronic network activity information (such as cookie and device identifiers), which we share with our advertising partner as described in Section 6.5. We do not share any other category, and we do not sell or share the personal information of consumers we know to be under 16. We disclose the categories above to the recipient categories listed in Section 6.1 for the business purposes in Section 5.

How to Exercise These Rights. Submit a request by emailing legal@pyro.host, via portal.pyro.host, through the cookie or privacy controls we make available, or by sending a legally required opt-out preference signal where our website detects it. We will acknowledge your request within ten (10) business days and respond within forty-five (45) days, extendable by an additional forty-five (45) days with notice where reasonably necessary. We will verify your identity before acting and, for correction requests, may ask for documentation supporting the correction. You may use an authorized agent to submit a request on your behalf, subject to verification. If we decline a correction or deletion request, we will explain why in writing.

8.4 Other State Privacy Rights

Residents of states that have enacted comprehensive consumer privacy laws, including California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota, Tennessee, Indiana, Kentucky, Rhode Island, and others, may have rights that include access, deletion, correction, portability, and opt-out rights for targeted advertising, sale of personal data, and certain profiling. Some state laws apply only where a business meets specific revenue or data-volume thresholds, and we honor the rights described here to the extent a given law applies to our processing of your personal data.

You can exercise the opt-out using the mechanisms in Section 8.3, and you can submit other requests as described in Section 8.3.

Unless a shorter period is required by applicable law, we respond to these requests within forty-five (45) days after receipt and may extend once for an additional forty-five (45) days where permitted by law and reasonably necessary.

Right to Appeal. Where your state's law provides a right to appeal, you may appeal our decision to decline a request by emailing legal@pyro.host with the subject "Appeal." We will respond within sixty (60) days (or as your state's law requires) with our decision and the reasons for it; if we deny the appeal, we will provide instructions for contacting your state attorney general or other privacy regulator, including an online complaint form where the regulator makes one available.

Minors. We do not sell or share (including for cross-context behavioral advertising), engage in targeted advertising to, or profile (for decisions producing legal or similarly significant effects) any user we know, or should know where applicable law uses that standard, is a minor under the applicable state threshold. For California, we do not sell or share the personal information of a consumer we know to be under 16 without the opt-in consent required by Cal. Civ. Code section 1798.120(c). Where a state requires opt-in consent to process a minor's data for these purposes, we do not do so without that consent; where a state prohibits it outright for known users under 18, we do not do so at all. This is reinforced by the under-18 provisioning controls in Section 3.1 of our Terms of Service and the cookie and tracking controls described in Section 11.2.

Canada. Processing of Canadian residents' personal information is also governed by PIPEDA and, for Quebec, Law 25. You have rights to access and correct your information and to withdraw consent (and, in Quebec, to data portability and to de-indexing/cessation of dissemination). The person accountable for personal information under PIPEDA can be reached at legal@pyro.host.

8.5 Data Protection Contact

We have assessed the criteria in Article 37(1) of the EU GDPR and the UK GDPR and determined that our processing does not involve regular and systematic monitoring of data subjects on a large scale as a core activity, nor large-scale processing of special categories of data, so we are not required to designate a Data Protection Officer. We keep this under review and will appoint a DPO and publish their contact details if our processing changes such that designation becomes mandatory. For all data-protection inquiries, contact legal@pyro.host.

8.6 Supervisory Authority

EU residents may lodge complaints with their local data protection authority, and UK residents with the Information Commissioner's Office (ICO), if privacy concerns are not adequately addressed through our internal processes.

8.7 EU and UK Data Protection Representatives

Data subjects and supervisory authorities can raise EU and UK data-protection matters with us directly at legal@pyro.host. Where we designate a regional point of contact or representative, we will publish those contact details here.

  • Current contact: Contact us directly at legal@pyro.host.

8.8 EU Digital Services Act: Points of Contact and Legal Representative

To the extent the EU Digital Services Act (DSA) applies to our services, we designate a single point of contact for electronic communications:

  • For Member State authorities, the European Commission, and the European Board for Digital Services (Article 11): legal@pyro.host
  • For recipients of the service (Article 12): legal@pyro.host (the abuse-reporting channels in our Acceptable Use Policy, Section 8, also serve as the mechanism for notifying us of illegal content)

Communications may be made in English. If we designate an EU Digital Services Act legal representative in a Member State, we will also identify any additional official language supported for DSA communications. These contact points are not solely automated.

DSA legal representative. Where Article 13 of the DSA requires a provider established outside the European Union to designate a legal representative in a Member State, that representative is mandated to receive, comply with, and cooperate on DSA communications and decisions from Member State authorities, the European Commission, and the European Board for Digital Services. Until any such designation is published here, the points of contact identified above remain the channel for DSA communications, and you may also reach us at legal@pyro.host.

If we qualify as a micro or small enterprise under the DSA, we may rely only on the size-based exemptions the DSA actually provides for such enterprises, namely the exemption from Article 15 transparency reporting and the exemption from obligations that apply only to online platforms under Chapter III, Section 3. These exemptions do not relieve us of the baseline duties that apply to hosting and intermediary services regardless of size, including responding to authority orders, maintaining points of contact and (where required) a legal representative, our notice-and-action process, statements of reasons, and reporting suspicions of serious criminal offences, which we address in our Acceptable Use Policy. If Article 15 applies to us, we will publish the required transparency report at least annually. The baseline obligations applicable to hosting and intermediary services continue to apply.

9. International Data Transfers

9.1 Cross-Border Processing

Data may be transferred to and processed in countries other than your residence. We ensure appropriate safeguards for international transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, and, for UK transfers, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs
  • For Swiss transfers, the Swiss Federal Data Protection and Information Commissioner's recognized safeguards, including appropriate adaptations to the SCCs where required
  • Reliance on a European Commission adequacy decision where one covers the destination and the recipient (we acknowledge that adequacy decisions may be amended, suspended, or invalidated, and we will adopt an alternative safeguard if that occurs)
  • Technical and organizational measures to ensure data protection during transfers

The safeguards in this Section 9.1 apply to transfers of personal data for which Pyro acts as a controller. Transfers of customer-controlled data, for which Pyro acts as a processor or subprocessor, are governed by the data-processing and transfer terms in Section 5A of our Terms of Service.

You may request a copy of the applicable SCCs, UK Addendum or IDTA, Swiss adaptations, and a summary of supplementary measures by emailing legal@pyro.host. We may redact commercial terms and security-sensitive information, but we will provide the data-protection terms and a meaningful summary of safeguards.

9.2 Transfer Impact Assessments

For transfers to countries without an adequacy decision, we conduct Transfer Impact Assessments in line with the EDPB's recommendations, Swiss guidance where applicable, and the Schrems II judgment. These assessments consider the laws of the destination country that may permit government access to data, including U.S. Foreign Intelligence Surveillance Act § 702, Executive Order 12333, and the CLOUD Act, and the supplementary measures we apply, which include TLS for Pyro-managed web, API, billing, and control-panel connections where supported, encryption at rest where supported by the service, access controls, and data minimization.

We review these assessments at least annually and upon any material change in the relevant legal framework. If we determine that a transfer cannot be carried out lawfully, we will not make the transfer.

EU, UK, and Swiss data subjects may object to the transfer of their personal data outside their region and may request that their data be hosted in an available EU/EEA or other applicable regional location. If a lawful transfer is not possible and you require it, you may terminate the affected services without penalty and receive a pro-rata refund of prepaid fees for the unused period. We will issue any such pro-rata refund within thirty (30) days of the effective termination date.

Where you select EU hosting, primary service data is stored in the selected EU service region, but certain ancillary processing, such as off-site backups, anti-DDoS scrubbing, and support tooling, may involve transfers to the United States under the safeguards in Section 9.1 and the supplementary measures described above.

9.3 US Government Access

As a US company, we may be subject to US government data access requests under laws such as the USA PATRIOT Act and Foreign Intelligence Surveillance Act. We will resist overbroad requests and notify users when legally permitted.

10. Children's Privacy

10.1 Age Requirements

Pyro account registration and paid hosting services are intended for users age 13 and older. Some customer-hosted game servers may be accessed by children; for those services, the customer is responsible for child-directed or child-accessed end-user compliance, while Pyro remains responsible for Pyro-controlled account, billing, support, security, and website data. We do not knowingly collect personal information from children under 13 as Pyro account holders. If we learn that we have collected personal information from a child under 13, we will delete it promptly and in any event within thirty (30) days, subject only to legal-hold or legal-obligation exceptions, consistent with the Children's Data entry in Section 7.3. For EU/EEA and UK users, the age of digital consent determines when a child may consent on their own to consent-based processing. Users age 13 or older but below the applicable age of digital consent may use Pyro only with required parental authorization, which must be verified within the deadline and subject to the account-closure and deletion consequences set out in Section 3.1 of our Terms of Service.

10.2 Parental Consent and Authorization (Minors)

Where parental consent or authorization is required, namely for an account holder who is below the age of majority in their jurisdiction or, for consent-based processing, below the applicable EU/EEA or UK age of digital consent, parents and guardians may:

  • Review their child's personal information and account activity
  • Request modification, correction, or deletion of information
  • Refuse further collection or use of their child's information
  • Withdraw consent at any time as described in Section 10.3

10.3 Parental Rights and Controls

Parents have the right to review information collected from their children, request deletion, and control future collection. To exercise these rights, a parent or guardian may contact us at legal@pyro.host or via portal.pyro.host. We will verify the requester's identity and authority before acting, and we will respond within thirty (30) days. Withdrawal of consent will result in closure of the account and deletion of the associated personal data within thirty (30) days, as described in the "Children's Data" entry in Section 7.3, subject only to legal-hold or legal-obligation exceptions. Withdrawing consent will never be made more difficult than granting it.

11. Cookies and Tracking Technologies

11.1 Types of Cookies and Tracking Technologies

  • Strictly Necessary: Authentication, session management, security features, and fraud prevention
  • Performance and Analytics: Google Analytics and PostHog for website and service usage analysis
  • Marketing and Advertising: Google Ads for advertising performance measurement and remarketing campaigns
  • Functional and Preferences: User interface customization, settings storage, and feature preferences
  • Security and Anti-Fraud: Bot detection, spam prevention, and security monitoring

11.2 Cookie Management and Control

Strictly necessary cookies are set without your consent because they are essential to provide the service. We use or enable non-essential analytics, advertising, referral, affiliate, and similar technologies only where permitted by applicable law and, where legally required, after consent through our cookie popup or subject to opt-out controls. You may withdraw consent or opt out where applicable by using the cookie controls we make available, by emailing legal@pyro.host, or by submitting a request through portal.pyro.host.

Our cookie controls identify the non-essential cookies and similar technologies we use, their provider, purpose, and retention period, and will be updated as those technologies change.

In addition, you can control cookies and tracking through:

  • Browser settings to block, delete, or restrict cookies and tracking technologies
  • The cookie controls we make available on our website or in account settings
  • Third-party opt-out tools and privacy controls:
    • Google Analytics Opt-out Browser Add-on
    • Google Ads Settings and personalization controls
    • PostHog privacy settings and opt-out mechanisms

11.3 Impact of Cookie Settings

Disabling essential cookies may affect website functionality, account access, and your ability to use certain features of our services. Analytics and marketing cookies can be disabled without affecting core service functionality.

11.4 Do Not Track Signals

We do not currently respond to legacy "Do Not Track" (DNT) browser signals, as there is no common industry standard for them. Where our website detects Global Privacy Control (GPC) or another legally required opt-out preference signal, we treat a valid signal as a request to opt out of sale, sharing, targeted advertising, and profiling where applicable law requires us to honor such a signal (see Sections 6.5, 8.3, and 8.4). You can also manage tracking preferences through the methods described above and in your browser settings.

12. Third-Party Services and Integrations

12.1 External Links and Services

Our services may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to third parties. We encourage you to review their privacy policies before providing information or using their services.

12.2 Third-Party Privacy Policies

Key third-party services and their privacy policies:

  • Stripe: Stripe Privacy Policy
  • PayPal: PayPal Privacy Statement
  • Google Analytics: Google Privacy Policy
  • PostHog: PostHog Privacy Policy
  • TCPShield: TCPShield Privacy Policy

12.3 Integration Responsibilities

When you integrate third-party services with our platform, you are responsible for reviewing and complying with their privacy policies and terms of service.

13. Business Communications

13.1 Transactional Communications

We send service-related communications including:

  • Account notifications, security alerts, and authentication messages
  • Billing statements, payment confirmations, and subscription changes
  • Service updates, maintenance notifications, and system status alerts
  • Policy changes, legal notices, and important account information

These communications are necessary for service provision and cannot be opted out while maintaining an active account.

13.2 Marketing Communications

With your consent or where permitted by law, we may send:

  • Product announcements, feature updates, and service enhancements
  • Educational content, implementation guidance, and technical resources
  • Promotional offers, discounts, and special programs
  • Industry news, insights, and community updates

You can opt out of marketing communications at any time via unsubscribe links, account settings, or by contacting support.

14. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the EU/UK GDPR
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, and otherwise as required by applicable law, including U.S. state breach-notification laws (for example, "in the most expedient time possible and without unreasonable delay" under Cal. Civ. Code § 1798.82)
  • Where required by applicable law, offer identity-theft prevention and mitigation services or other protective measures
  • Provide information about the nature, scope, and impact of the breach as required by law and as reasonably available
  • Explain steps taken to address the breach, mitigate harm, and prevent recurrence
  • Offer guidance on protective measures you can take to reduce potential impact
  • Cooperate with law enforcement where appropriate

Where required, we will also notify the relevant state attorneys general (and consumer reporting agencies where applicable, such as for breaches affecting 500 or more California residents under Cal. Civ. Code § 1798.82(f)) within the shortest applicable statutory deadline. Where Canadian law applies, we will notify the Office of the Privacy Commissioner of Canada (and, for Quebec, the Commission d'accès à l'information) where a breach poses a real risk of significant harm; where Australian law applies, we will notify the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme.

We document all personal data breaches, including the facts, effects, and remedial action taken, so that the relevant supervisory authority can verify our compliance (Article 33(5) of the EU/UK GDPR).

Where we act as a processor for a customer, we will notify the affected customer of a relevant breach without undue delay so that the customer can meet its own notification obligations, and we require our own sub-processors to notify us promptly.

15. Privacy by Design and Data Minimization

15.1 Privacy by Design Principles

We implement privacy by design throughout our services by:

  • Building privacy protections into relevant systems and processes
  • Configuring privacy-protective defaults where practicable
  • Embedding privacy considerations into our business practices and decision-making
  • Seeking to protect personal data throughout its lifecycle using appropriate technical and organizational measures

15.2 Data Minimization Practices

We practice data minimization by:

  • Collecting only personal data that is necessary for specified, legitimate purposes
  • Limiting data retention to the minimum period necessary for our purposes
  • Regularly reviewing and purging unnecessary or outdated personal data
  • Implementing automated deletion procedures where appropriate

For Maryland residents, consistent with the Maryland Online Data Privacy Act, we limit our collection of personal data to what is reasonably necessary to provide the services, and we do not sell sensitive personal data or process it for targeted advertising. We also do not sell the personal data of, or serve targeted advertising to, any consumer we know to be under 18.

This Privacy Policy is also intended to satisfy our obligations to data subjects in Brazil under the Lei Geral de Proteção de Dados (LGPD): you may request confirmation of processing, access, correction, anonymization or deletion, portability, and information about data sharing, and you may be informed of the consequences of refusing consent. The ANPD is the supervisory authority. We rely on the ANPD's small-scale processing-agent basis for not appointing an encarregado (data-protection officer), and you may use legal@pyro.host as the contact channel; international transfers rely on the safeguards described in Section 9.

16. Privacy Policy Updates and Changes

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, business operations, or technology. Material changes will be communicated via:

  • Email notifications to your registered address with at least 30 days advance notice
  • Prominent notices on our website and service platforms
  • Updates to the "Last Updated" date and change logs in this policy
  • In-app notifications for significant changes affecting your rights

Where a material change requires your consent or affirmative acceptance under applicable law or Section 15.1 of our Terms of Service, we will request it before the change applies to you. Otherwise, continued use of our services after changes become effective constitutes acceptance of the updated policy.

Relationship to Other Agreements

This Privacy Policy forms part of your agreement with Pyro together with the Terms of Service, Service Level Agreement, and Acceptable Use Policy. Where it conflicts with those documents, the order of precedence in the Order of Precedence section of the Terms of Service (currently Section 15.8) applies.

17. Contact Information and Data Protection

For privacy-related inquiries, requests, or concerns:

  • General Privacy Questions: legal@pyro.host
  • Data Subject Rights Requests: legal@pyro.host
  • Data Protection Contact: legal@pyro.host
  • Security Incidents: Submit tickets at portal.pyro.host or email support@pyro.host
  • Customer Support: Submit tickets at portal.pyro.host or email support@pyro.host

Mailing Address

Pyro Inc.
Attention: Privacy Team
1604 Philadelphia Pike, Suite 63
Wilmington, DE 19809
United States

Response Times. We review general privacy inquiries as promptly as practicable. For data subject rights requests under the GDPR/UK GDPR, we respond without undue delay and within one month of receipt, extendable by up to two further months for complex or numerous requests, with notice of the extension and reasons given within the first month (see Section 8.2). For requests under the CCPA/CPRA, we acknowledge within 10 business days and respond within 45 days, extendable by a further 45 days with notice (see Section 8.3). In all cases we comply with the timelines required by applicable law.

This Privacy Policy is effective as of the date listed above and governs our collection, use, and protection of information across all Pyro platforms and services.

Contents

Our Platform

  • Virtual Private Servers
  • Game Server Hosting

Support & Community

  • Submit a Support Ticket
  • Email Our Team
  • Join Our Community

Company

  • About Pyro
  • Brand Guidelines
  • Engineering Blog
  • Infrastructure Monitoring

Legal & Policies

  • Terms of Service
  • Privacy Policy
  • Acceptable Use Policy
  • Service Level Agreement

Get in Touch

1-888-909-PYRO
Toll-free support • 9am-5pm EST
Pyro Inc.
1604 Philadelphia Pike, Apt. 63
Wilmington, DE 19809
United States

© 2026 Pyro Inc. • AS401839

© 2026 Pyro Inc. • AS401839