Privacy Policy

How we collect, use and protect your personal data.

Last updated: March 2025

1. Who we are

One2ManySites is a managed web hosting provider. We provide WordPress and PHP hosting services with a fully managed control panel. When we say "we", "us" or "our" in this policy, we mean One2ManySites.

If you have any questions about this privacy policy or how we handle your data, please contact us.

2. What data we collect

We collect and process the following types of personal data:

Account data

When you create an account, we collect your email address. We use passwordless authentication (magic links), so we do not collect or store passwords.

Website data

We store the files, databases and configurations that you upload to your hosting account. This data belongs to you and is necessary for us to provide the hosting service.

Usage data

We collect server logs that include IP addresses, timestamps, requested URLs and HTTP status codes. This data is used for security monitoring, troubleshooting and protecting our infrastructure.

Payment data

Payments are processed by our payment processor, Paddle. We do not collect, store or have access to your credit card details, bank account numbers or other payment instrument data. Paddle acts as the merchant of record and handles all payment processing, invoicing and tax compliance on our behalf.

Support data

When you contact us through support tickets or the contact form, we collect the content of your messages along with your email address so that we can respond to your enquiry.

3. How we use your data

We use your personal data for the following purposes:

  • Providing the service — to create and manage your hosting account, provision your website and deliver the features described in our plans.
  • Transactional emails — to send you account-related communications such as magic link login emails, service notifications and important updates about your account.
  • Security monitoring — to detect and prevent abuse, unauthorised access and other security threats to our infrastructure and your websites.
  • Support — to respond to your enquiries and resolve any issues with your account or hosting service.
  • Service improvement — to understand how our platform is used so that we can improve reliability and performance.

4. Legal basis for processing

Under the UK and EU General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:

  • Contract performance — processing your account data and website data is necessary to provide you with the hosting service you have signed up for.
  • Legitimate interests — we process usage data (server logs) for security monitoring, fraud prevention and protecting our infrastructure. We have assessed that these interests do not override your rights and freedoms.
  • Consent — if we ever send marketing communications, we will only do so with your explicit consent. You can withdraw consent at any time.

5. Data storage and location

All customer data is hosted in European Union data centres operated by Hetzner Online GmbH in Germany and Finland. Your data does not leave the EU.

Data is encrypted in transit using TLS and encrypted at rest on our servers. Backups are also encrypted and stored within EU data centres.

6. Data sharing

We do not sell, rent or share your personal data with third parties for marketing purposes. We only share data with the following service providers who are necessary for us to deliver our service:

  • Paddle — our payment processor and merchant of record. Paddle processes your payment information and handles billing, invoicing and tax compliance. Paddle's privacy policy.
  • SMTP2GO — our transactional email provider. SMTP2GO delivers account-related emails such as magic link logins and service notifications on our behalf. SMTP2GO's privacy policy.
  • Hetzner — our infrastructure provider. Hetzner provides the physical servers and network infrastructure where your data is hosted. Hetzner's privacy policy.

We may also disclose personal data if required to do so by law, regulation or valid legal process.

7. Data retention

We retain your data for only as long as necessary:

  • Account data — kept for the duration of your active account. If you cancel your account, your data is deleted within 30 days of cancellation.
  • Website data — files, databases and configurations are kept while your account is active and deleted within 30 days of account cancellation.
  • Backups — retained according to your backup schedule and deleted within 30 days of account cancellation.
  • Server logs — retained for 90 days for security and troubleshooting purposes, then automatically deleted.
  • Support correspondence — kept for the duration of your account to provide continuity of support.

8. Your rights under GDPR

Under the UK and EU GDPR, you have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct any inaccurate or incomplete personal data.
  • Right to erasure — you can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it.
  • Right to data portability — you can request your data in a structured, commonly used and machine-readable format.
  • Right to restrict processing — you can ask us to limit how we process your data in certain circumstances.
  • Right to object — you can object to our processing of your data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us. We will respond to your request within 30 days.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

9. Security measures

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS) and at rest.
  • Container isolation — each website runs in its own isolated container, preventing cross-contamination between accounts.
  • Strict access controls — only authorised personnel can access infrastructure systems, and access is logged.
  • Regular security updates — we keep all server software, operating systems and dependencies up to date with security patches.
  • Automated backups — daily backups ensure your data can be recovered in the event of an incident.

10. Cookies

Our website uses only essential cookies that are necessary for the site and control panel to function. We do not use tracking cookies, advertising cookies or analytics cookies.

For full details, please see our cookie policy.

11. Children

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory or operational reasons. If we make significant changes, we will notify you by email or through a notice on our website.

We encourage you to review this policy periodically. The "last updated" date at the top of this page indicates when this policy was last revised.

13. Contact us

If you have any questions about this privacy policy, your personal data, or wish to exercise your rights, please get in touch.