1. Introduction
This Privacy Policy explains what personal data we collect when you visit our website, register an account or use our game server hosting services, why we collect it, how long we keep it, who we share it with, and the rights you have under EU data-protection law.
We have written this Policy to be as readable as possible. If anything is unclear, please contact us at privacy@pulsarservers.com.
2. Who is the data controller?
The controller of your personal data is:
- GMH SYSTEMS Sp. z o.o. (trading as PulsarServers)
- Marcina Kasprzaka 31 / 119, 01-234 Warsaw, Poland
- KRS
0001222046· VAT EUPL5273203762· REGON543929340 - Contact: privacy@pulsarservers.com
We have not appointed a statutory Data Protection Officer; instead, all privacy matters are handled by the address above.
3. What personal data we collect
We only collect what we need to deliver the Service and to meet our legal obligations. The categories are:
3.1 Account & billing data
- Name, email address, password (hashed)
- Postal address (required for VAT invoicing in the EU)
- Phone number (optional, for account-recovery)
- Tax / company identifiers (for business customers)
- Payment metadata — last 4 digits of card, brand, expiry; full card numbers never reach our systems, they are tokenised by our payment processor
3.2 Service operational data
- Game Panel username, server names, IP/port allocations
- Support tickets and messages exchanged with our team
- Server logs (process status, error messages) generated by the game software you run
- Customer Content — the files, worlds and configurations you upload. We treat these as data we process on your behalf and do not access except for support upon your request, abuse investigations or court orders.
3.3 Technical & usage data
- IP address used to access our websites and panels
- Browser user agent, language, timezone
- Pages visited, session duration, clickstream (for analytics — see section 9)
- Login timestamps and 2FA events for security auditing
3.4 Fraud-prevention data
To prevent fraud and chargebacks, our payment processors may collect device fingerprints, geolocation derived from IP, and risk scores. We retain only the outcome (approved / rejected / flagged) and the score, not the underlying data.
4. Purposes and legal bases for processing
Under Article 6 GDPR every processing operation must rely on a lawful basis. Ours are:
| Purpose | Data categories | Legal basis |
|---|---|---|
| Creating and managing your account; delivering the Service you ordered | Account, billing, operational | Performance of contract — Art. 6(1)(b) |
| Processing payments and issuing VAT invoices | Account, billing, payment metadata | Legal obligation (Polish VAT & accounting acts) — Art. 6(1)(c) |
| Customer support, ticket handling | Account, support correspondence | Performance of contract — Art. 6(1)(b) |
| Security monitoring, abuse and fraud detection | Technical, fraud-prevention | Legitimate interests — Art. 6(1)(f) |
| Sending service announcements & security alerts | Account email | Legitimate interests — Art. 6(1)(f) |
| Sending marketing emails about our own products | Account email | Consent — Art. 6(1)(a); withdrawable any time |
| Improving the website & understanding usage | Technical, usage | Consent (for analytics cookies) — Art. 6(1)(a) |
| Defending or pursuing legal claims | Anything relevant | Legitimate interests / legal obligation — Art. 6(1)(f)/(c) |
5. Who we share your data with
We do not sell your personal data. We share it only with the categories of recipients listed below, and only to the extent strictly necessary:
- Payment processor — Stripe — to authorise charges, issue invoices and prevent fraud.
- Infrastructure providers — our underlying data-centre and bare-metal partners in the EU, who host the physical servers your Service runs on.
- Email delivery — transactional email is sent via Postmark / SendGrid.
- Support & ticketing — the WHMCS billing platform we self-host, plus optional integrations with our internal tools.
- Analytics — privacy-respecting analytics (e.g. Plausible or self-hosted Matomo). Loaded only after you accept analytics cookies.
- Government authorities — where compelled by valid legal process (court order, subpoena, regulatory enquiry).
- Professional advisors — auditors, lawyers and accountants bound by confidentiality.
Every external processor has signed a Data Processing Agreement with us that meets the requirements of Article 28 GDPR.
6. International transfers
The Service infrastructure is operated entirely within the European Union. However, a small number of our processors (notably payment and email providers) may transfer data to the United States or other third countries.
Where this happens, we rely on one of the safeguards permitted under Chapter V of the GDPR:
- An adequacy decision of the European Commission (e.g. the EU–U.S. Data Privacy Framework for certified U.S. recipients);
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Binding Corporate Rules of the recipient.
You can request a copy of the safeguards in place for any specific transfer by writing to privacy@pulsarservers.com.
7. How long we keep your data
| Category | Retention period |
|---|---|
| Account data (active customers) | For the duration of the contract |
| Account data after closure | 3 years (general claims limitation under Polish Civil Code) |
| Invoices and accounting records | 5 years from the end of the fiscal year (Polish Accounting Act) |
| Customer Content (server files) | Deleted 14 days after the Service is terminated |
| Support tickets | 3 years after the last interaction |
| Security & access logs | 12 months |
| Marketing-consent records | Until consent is withdrawn, plus 3 years for proof |
8. Your rights under GDPR
You have the following rights, free of charge, with respect to your personal data:
- Right of access (Art. 15) — to know what data we hold about you and obtain a copy.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — to have your data deleted, subject to our legal-retention obligations.
- Right to restriction (Art. 18) — to limit how we use your data in specific situations.
- Right to data portability (Art. 20) — to receive the data you provided in a machine-readable format and transmit it to another controller.
- Right to object (Art. 21) — to processing based on our legitimate interests (including direct marketing).
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22) — we do not make decisions producing legal effects solely by automated means. Some fraud-prevention scoring is automated, but final decisions are reviewed by a human if disputed.
To exercise any of these rights, email privacy@pulsarservers.com from the email associated with your account. We will respond within one month, with a possible extension of two further months for complex requests (we will tell you if this applies).
9. Cookies and similar technologies
Our websites use a minimal set of cookies. We group them into three categories:
- Strictly necessary — session, CSRF token, login state. Loaded without consent; the site cannot function without them.
- Preferences — remember UI choices like cookie-banner dismissal, dark/light theme. Loaded without consent (no third-party tracking).
- Analytics — aggregate visit counts and page popularity. Loaded only after you click Accept on the cookie banner. We use privacy-friendly analytics that do not set persistent identifiers.
You can withdraw analytics consent at any time by clearing the cookie banner state in your browser, or by setting your browser's Do-Not-Track / Global Privacy Control signal which we honour.
10. How we protect your data
We implement appropriate technical and organisational measures, including:
- TLS 1.2+ on every public endpoint (HSTS preloaded)
- Passwords stored using modern memory-hard hashing (Argon2id/bcrypt)
- Optional two-factor authentication on billing and Game Panel accounts
- Network-level DDoS protection at the edge
- Encrypted backups stored on infrastructure independent of production
- Role-based access control internally, with audit logging
- Regular vulnerability scans and prompt patching
No system is perfectly secure. If we discover a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the Polish supervisory authority (UODO) within 72 hours and, where the risk is high, inform you directly without undue delay.
11. Children's privacy
Our Services are not directed at children under 16. We do not knowingly collect personal data from anyone under that age without verifiable parental consent. If you become aware that a child has provided us with personal data, please contact privacy@pulsarservers.com and we will delete it.
12. Changes to this Policy
We may update this Privacy Policy when our practices change or when required by law. The "Effective" date at the top of this page indicates the latest revision. Where the changes are material we will notify customers by email and/or via the billing area at least 14 days before they take effect.
13. Complaints & supervisory authority
We hope to address any concerns directly. However, you also have the right to lodge a complaint with a supervisory authority:
- President of the Personal Data Protection Office (Prezes UODO)
- ul. Stawki 2, 00-193 Warsaw, Poland
- uodo.gov.pl
If you live in another EU/EEA country, you may also complain to your local supervisory authority.
14. Contact
For any question about this Privacy Policy or how we process your data:
- Email: privacy@pulsarservers.com
- Postal: GMH SYSTEMS Sp. z o.o., Marcina Kasprzaka 31 / 119, 01-234 Warsaw, Poland
© 2026 GMH SYSTEMS Sp. z o.o. · See also: Terms of Service.