Privacy Policy.

This Privacy Policy explains how Flash Tune Trading Limited ("NineHost", "we") collects, uses and protects personal data when you use our website and Services at ninehost.net.

NineHost is the data controller for personal data collected through ninehost.net. Our registered office is Unit 1507A, 15/F., Eastcore, 398 Kwun Tong Road, Kwun Tong, Kowloon 999077, Hong Kong. We comply with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (the "PDPO") and, where applicable, the EU General Data Protection Regulation (the "GDPR") and the UK GDPR.

We collect data in three categories:

A. Data you give us

• Account data: name, email address, password (hashed), phone number (optional), company name (optional).
• Billing data: billing address, country, tax ID where relevant. Payment-card details are processed by our payment-service provider; we never see or store your full card number.
• Support data: the contents of chat messages, tickets and emails you send us.
• Customer Content: data, files and applications you host on our infrastructure. We treat this as confidential and do not inspect it unless required for security or legal reasons (see our Terms).

B. Data we collect automatically

• Service logs: IP addresses, timestamps, request paths, error codes, server response times.
• Device & browser: user agent, screen resolution, approximate location derived from IP (city level).
• Cookies: session, preference and (with consent) analytics cookies. See our Cookie Policy.

C. Data from third parties

• Fraud-prevention: risk signals and verification status from our payment processor.
• Registry data: domain-registration confirmations and WHOIS records from registries when you register or transfer a domain.

We use personal data to:

• Provide and operate the Services (provisioning, billing, support).
• Verify your identity, prevent fraud and abuse, and secure our infrastructure.
• Send operational emails (provisioning confirmations, invoices, security alerts).
• Send marketing emails — only to the extent permitted, and only with an unsubscribe link.
• Comply with legal obligations (tax, accounting, lawful requests from competent authorities).
• Improve the Services (anonymous analytics, performance benchmarking).

We do not sell personal data to third parties. We never share Customer Content with advertisers or data brokers.

Where the GDPR applies, we rely on the following legal bases:

• Contract — to provide the Services you have ordered.
• Legitimate interests — to secure our infrastructure, prevent abuse, improve the Services, and pursue commercial activity, balanced against your rights.
• Legal obligation — to comply with applicable laws (tax, anti-money-laundering, lawful requests).
• Consent — for non-essential cookies and marketing emails, withdrawable at any time.

We share personal data only with the categories of recipients below, under written contracts that require equivalent or stricter data-protection standards:

• Infrastructure providers — Hetzner Online GmbH (Germany), Contabo GmbH (Germany), and similar upstream data-centre operators that host the underlying capacity.
• Domain registries & registrars — when you register, transfer or renew a domain, we share the data registries require to process the request.
• Payment processors — for billing and fraud prevention; they receive billing data but never Customer Content.
• Auth & email infrastructure — for sign-in flows and transactional email delivery (e.g. our SMTP relay).
• Analytics — privacy-respecting analytics for traffic measurement; you can opt out via cookie banner.
• Professional advisors — lawyers, accountants and auditors under confidentiality.
• Authorities — where required by valid court order or applicable law.

We use cookies and similar technologies to keep you signed in, remember preferences, secure forms against CSRF, and (with your consent) measure traffic. Full details are in our Cookie Policy.

Personal data may be transferred outside Hong Kong, in particular to data centres in the European Union (Germany, Finland), the United Kingdom and the United States operated by our upstream providers. Where we transfer data from the European Economic Area, the United Kingdom or Switzerland, we rely on the European Commission's Standard Contractual Clauses (or equivalent UK Addendum) and, where required, supplementary measures such as encryption in transit and at rest.

We retain personal data for as long as is necessary to provide the Services and comply with our legal obligations:

• Active accounts: for the lifetime of the account.
• Closed accounts: 30 days grace period (data export available), then deletion of Customer Content. Account billing records retained for 7 years for tax compliance.
• Service logs: 30 days, then deleted or aggregated to anonymous metrics.
• Backups: rolling 30-day window, then overwritten.
• Support tickets: 2 years from last activity, then anonymised.

Subject to the PDPO and, where applicable, the GDPR, you have the right to:

• Request access to and a copy of your personal data we hold.
• Request correction of inaccurate or incomplete data.
• Request deletion of your data (subject to legal retention requirements).
• Object to processing on the basis of legitimate interests, including direct marketing.
• Withdraw consent for cookies or marketing at any time.
• Request data portability (a machine-readable export).
• Lodge a complaint with a data-protection authority — in Hong Kong, the Office of the Privacy Commissioner for Personal Data (PCPD); in the EU, your local supervisory authority.

To exercise any of these rights, email [email protected]. We respond within 30 days.

We protect personal data using a defence-in-depth approach: TLS 1.3 in transit, AES-256 at rest, role-based access with audit logging, hardware-token MFA for staff, network segmentation between customer environments, daily off-site backups, and quarterly external penetration tests. We notify affected customers and competent authorities of a personal-data breach without undue delay where required by law.

The Services are not intended for use by individuals under 18 years of age, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be notified to active customers by email at least 14 days in advance. The "last updated" date at the top of this page always reflects the latest revision.

For privacy questions or to exercise your rights, contact: