Privacy Policy

Last updated: June 2025

This Privacy Policy explains how Gotright Hosting ("we", "us", "our") collects, uses, and protects your personal data when you use our platform at hosting.gotright.net. It applies to registered users (creators) and visitors to public station and podcast pages.

1. Information We Collect

Account information: when you register, we collect your name, email address, and password (stored as a bcrypt hash).

Billing information: payment details (card number, billing address) are collected and processed directly by Stripe or Flutterwave. We store only a payment reference ID — we never see or store your full card details.

Usage and activity data: station listener counts, page views, podcast episode plays, ad impressions, earnings activity, support ticket content, and team membership records.

Communications: messages and attachments you send via support tickets or email.

Technical data: IP addresses, browser type, and device information collected automatically in server logs. Log data is retained for a maximum of 90 days.

2. How We Use Your Information

We use your data to:

  • Provide, operate, and maintain the Service
  • Process payments and manage subscriptions
  • Calculate and pay out advertising revenue credits
  • Send transactional emails (account verification, password reset, station provisioned, payout notifications)
  • Respond to support requests
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

We do not sell your personal information to third parties. We do not use your data for automated profiling or decision-making that produces significant legal effects.

3. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Service you signed up for (account management, billing, content hosting)
  • Legitimate interests — preventing fraud, improving the platform, server security monitoring
  • Consent — optional monetisation features (advertising cookies), marketing emails
  • Legal obligation — compliance with financial record-keeping and applicable law

Where we rely on consent, you may withdraw it at any time without affecting processing already carried out.

4. Data Storage and Security

Your data is stored on infrastructure provided by Railway (database and backend API) and Vercel (frontend application). Both providers maintain enterprise-grade security standards.

We implement the following security measures:

  • TLS encryption for all data in transit
  • Encrypted database connections
  • Passwords stored as bcrypt hashes (never in plain text)
  • Access to personal data restricted to authorised team members
  • Regular security reviews of our infrastructure

No method of transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it.

5. Third-Party Services

We share data with the following third-party processors where necessary to provide the Service:

  • Stripe — payment processing (stripe.com/privacy)
  • Flutterwave — payment processing (flutterwave.com/ng/privacy-policy)
  • Resend — transactional email delivery (resend.com/privacy)
  • AzuraCast — radio station and podcast infrastructure (azuracast.com)
  • Railway — backend hosting and database (railway.app/legal/privacy)
  • Vercel — frontend hosting and edge network (vercel.com/legal/privacy-policy)

If you enable monetisation on your station or podcast, additional processors may apply:

  • Google AdSense / Google LLC — display advertising. Google may set cookies and process data as described at policies.google.com/privacy.
  • Triton Digital — audio advertising for radio stations (tritondigital.com/privacy-policy)
  • AdsWizz / Spotify — VAST audio ads for podcast episodes (adswizz.com/privacy-policy)

Each of these services has its own privacy policy governing how they handle your data. We have Data Processing Agreements in place with processors where required by applicable law.

6. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Strictly necessary: authentication tokens and session cookies required to keep you logged in. These cannot be disabled without breaking core functionality.
  • Functional: user preference storage (e.g. cookie consent choice stored in your browser).
  • Advertising (conditional): if you visit a public station or podcast page where the creator has enabled Google AdSense monetisation, Google may set advertising cookies to serve and measure ads. These are only active when monetisation is enabled by the creator for that specific page.

You can manage your cookie preferences using the cookie banner that appears on your first visit. You can also manage cookies through your browser settings at any time. Blocking cookies may affect some platform functionality.

We do not use analytics cookies or third-party tracking on authenticated dashboard pages.

7. Your Rights

Depending on your location, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate or incomplete data
  • Erasure: request deletion of your account and personal data ("right to be forgotten")
  • Portability: receive your data in a structured, machine-readable format
  • Restriction: request that we limit processing of your data in certain circumstances
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: at any time where processing is based on consent

California residents (CCPA/CPRA): you have the right to know what personal information we collect and share, the right to delete your personal information, and the right to opt out of the sale or sharing of personal information. We do not sell personal information.

To exercise any of these rights, contact us at hello@gotright.net. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before acting on your request.

If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

8. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data: retained until account deletion, then removed within 30 days
  • Financial records (invoices, payment history): retained for 7 years as required by financial regulation
  • Server logs: retained for a maximum of 90 days
  • Support tickets: retained for 2 years after closure

Backups may retain data for up to 60 days after deletion from live systems.

9. International Data Transfers

Our infrastructure providers (Railway, Vercel, Resend) may transfer and process data in countries outside your own, including the United States. Where such transfers occur from the EEA or UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.

10. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and/or a notice on the Service at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For privacy-related questions, data subject requests, or complaints, contact us at:

Gotright Hosting
hello@gotright.net

We aim to respond to all privacy enquiries within 5 business days.