Privacy Policy
Last updated: 4 May 2026
This is the plain-English version of who we are, what we collect, and what we do with it. The longer formal sections below are the legally-relevant detail; if anything here contradicts that, the formal version wins.
The short version
We're NovaPanel — a UK-based business that sells a self-hosted hosting control panel under a paid licence. To do that, we collect: your email at purchase, the licence key we issue, and basic telemetry (hostname, server IP, panel version, machine fingerprint) that your panel sends us every hour so we can confirm the licence is bound to a real machine.
Payments go through Stripe and PayPal — they hold your card details, not us. Email goes through Google Workspace SMTP. Binary downloads happen on Cloudflare R2. We don't sell your data, don't run advertising trackers, and don't share anything beyond what's required to deliver the service.
1. Who we are
Data controller: NovaPanel.
Country: United Kingdom.
Contact: privacy@novapanel.dev for data-related questions; full registered address available on request.
As a UK-based business, we're regulated by the UK Information Commissioner's Office (ICO). You can complain to the ICO at ico.org.uk if you think we've mishandled your data.
2. What data we collect
2.1 At purchase
- Email address. Required — we email you the licence key, refund confirmations, and renewal warnings.
- Name (optional). Whatever Stripe / PayPal pass us with the checkout payload.
- Country / VAT ID (where relevant). Stripe collects this for tax purposes; we receive it as part of the customer record.
- Payment details. Card numbers and PayPal account details are never stored on our servers. Stripe and PayPal hold them; we receive only a customer ID and a subscription ID.
2.2 From your panel installation (telemetry)
Once you install NovaPanel and activate a licence, the panel sends a "heartbeat" to our licence server roughly once an hour. The heartbeat contains:
- Machine fingerprint. A SHA hash derived from your server's CPU + motherboard identity. Used to bind the licence to one machine and detect copying.
- Hostname. e.g., panel.example.com.
- Public IP address. Both as observed by our server and as self-reported by the panel.
- Panel version. e.g., 1.1.14.
- Last-seen timestamp. When the heartbeat arrived.
No website content, customer data, database contents, or end-user personal data is sent to us. Telemetry is operational metadata about your panel installation, not anything inside it.
2.3 From the customer portal
When you sign in to license.novapanel.dev/portal via a magic link, we set a session cookie (nps_portal, HttpOnly, Secure, 24-hour TTL) so you stay signed in. We log every action you take in the portal (manage subscription, reset binding, request refund) to an audit log for security and compliance purposes.
2.4 Marketing site
novapanel.dev itself sets no cookies and runs no third-party trackers. No Google Analytics, no Facebook Pixel, no advertising integrations. The site is static HTML served from Cloudflare's CDN; their network logs (standard web-server logs) include your IP and user agent for the duration Cloudflare retains them.
3. Why we collect it (legal basis)
Under UK GDPR we need a legal basis for each kind of processing.
- Performance of contract — we need your email + licence binding telemetry to deliver the licence you bought. Without this data the product literally can't work.
- Legitimate interest — fraud prevention (detecting copied licences via fingerprint), keeping the audit log for security incidents.
- Legal obligation — we keep invoices and tax records for 6 years (HMRC requirement).
- Consent — none. We don't ask for consent because we don't process any data that requires it (no marketing emails to non-customers, no cookies that aren't strictly necessary).
4. Who we share it with
The third parties that handle data on our behalf, and what they handle:
- Stripe (Stripe Payments UK Ltd, UK / Stripe Inc, US). Card processing, billing, invoices. Their privacy policy.
- PayPal (PayPal (Europe) S.à r.l., Luxembourg). Alternative payment provider. Privacy notice.
- Google Workspace (Google Ireland Ltd). Receives outbound transactional email (welcome emails, refund confirmations, renewal warnings). Privacy policy.
- Cloudflare (Cloudflare Inc, US). CDN for novapanel.dev + R2 for the binary download. They see your IP when you load the site or download a panel update. Privacy policy.
- Scaleway (Scaleway SAS, France). Hosts the licence server itself.
We don't share data with anyone else. We don't sell data, ever. We don't share with advertisers. If we're legally compelled to disclose data (court order, valid law-enforcement request), we'll do so but will notify you unless we're explicitly forbidden from doing so.
5. International transfers
Some of our processors (Stripe Inc, Cloudflare Inc) are based in the US. Transfers rely on the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework) and Standard Contractual Clauses where applicable. You can request a copy of those clauses by emailing privacy@novapanel.dev.
6. How long we keep it
- Customer + licence records — for as long as the licence is active, plus 6 years after cancellation (HMRC + chargeback dispute window).
- Heartbeat / server-activation rows — last 90 days. Older rows are auto-deleted.
- Audit log — last 90 days. Configurable but defaults to 90.
- Outbound email logs — Google Workspace's default retention (typically 30 days).
- Cloudflare access logs — Cloudflare's default retention.
7. Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten") — subject to our legal retention obligations (e.g., we have to keep tax records).
- Export your data in a machine-readable format.
- Object to specific processing.
- Restrict processing while a complaint is being handled.
- Complain to the ICO (ico.org.uk).
To exercise any of these, email privacy@novapanel.dev. We respond within 30 days, usually within a few business days.
8. Security
Data at rest is stored in PostgreSQL on encrypted volumes. Sensitive secrets (Stripe API keys, PayPal credentials, SMTP passwords) are encrypted with AES-256-GCM before being written to the database. The encryption master key lives outside the database, in a file readable only by the licence-server process.
Data in transit is HTTPS-only (TLS 1.2+). The licence server's API and the customer portal both refuse non-HTTPS connections.
We don't pass payment card details through our servers — Stripe and PayPal handle PCI-scoped data directly.
9. Children
NovaPanel is sold to professional operators — typically system administrators, developers, or hosting resellers. We don't knowingly collect data from anyone under 16. If you're a parent and believe your child has registered an account, email us and we'll delete the record.
10. Changes to this policy
Material changes will be announced on this page with an updated "Last updated" date and, where the change is significant, by email to active customers. Minor wording fixes won't trigger an email.
Contact
Questions about this policy: privacy@novapanel.dev.
General contact: hello@novapanel.dev.
Customer support: support@novapanel.dev.