Privacy policy
UK GDPR · Data Protection Act 2018 · Privacy and Electronic Communications Regulations (PECR) where relevant
This policy explains how COZQ Limited (“Stone Hosting”, “we”, “us”) processes personal data when we act as a data controller - for example when you enquire, contract, or pay for UK hosting infrastructure. It also clarifies how bare-metal and dedicated services relate to data you hold about your own customers or users.
Last updated: March 2026
1. Who is responsible?
The data controller for personal data described in this policy is COZQ Limited, trading as Stone Hosting, company number 16592649, registered in England and Wales. Registered office: 20 Wenlock Road, London, England, N1 7GU.
cozq.com
If we process personal data only on your instructions when providing hosting (for example, data on disks on a server you fully control), you are typically the controller for that data and we act as a processor. That relationship should be documented in your contract or a data processing agreement where required by law.
2. UK data protection framework
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we send electronic marketing or use cookies and similar technologies on our own sites, we also take account of the Privacy and Electronic Communications Regulations 2003 (PECR).
The Information Commissioner’s Office (ICO) is the UK supervisory authority: ico.org.uk.
3. Data location and hosting industry context
Stone Hosting is built around UK-located infrastructure. Personal data we process as controller (account, billing, support) is stored and handled in the United Kingdom unless we tell you otherwise and provide an appropriate safeguard where required.
Bare metal and dedicated servers
You choose what runs on the machine. We do not routinely access your operating system or application data unless you request support that requires it, or we must act for security, abuse mitigation, or legal compliance.
Logs and security
We process connection metadata, firewall, and anti-abuse telemetry as necessary to run a UK hosting network, meet legal obligations, and protect our infrastructure and other customers.
4. Categories of personal data
Depending on how you interact with us, we may process:
- Identity and contact - name, email, telephone, organisation, role.
- Account and billing - address, payment references, transaction history, VAT status; payment card data is handled by our payment providers where used, not stored on our servers in clear form.
- Technical and usage - IP addresses, device and browser type, timestamps, pages viewed on our marketing site, support ticket content you provide.
- Communications - records of enquiries, contracts, and correspondence.
We do not sell personal data. We do not profile individuals for automated decisions with legal or similarly significant effects.
5. Purposes and lawful bases
| Purpose | Lawful basis (UK GDPR) |
| --- | --- |
| Providing hosting, billing, and support | Performance of a contract; legitimate interests in operating a sustainable UK hosting business |
| Network security, abuse prevention, and incident response | Legitimate interests; legal obligation where applicable |
| Legal, regulatory, and tax records | Legal obligation; legitimate interests in defending claims |
| Marketing by email (where used) | Consent or soft opt-in under PECR where applicable; legitimate interests for B2B in limited circumstances |
| Website analytics (if configured) | Consent where non-essential cookies or similar are used |
6. Your services and end-user data
If you host websites, applications, or customer databases with us, you are responsible for providing your own privacy notices and lawful bases to your end users. Where we process personal data on your behalf solely to deliver the infrastructure, we act as processor: we follow your documented instructions, assist with UK GDPR Article 28 obligations where agreed, and implement appropriate technical and organisational measures.
7. Recipients and subprocessors
We share personal data with trusted third parties only where needed: for example payment processors, accountants, legal advisers, data centre operators (within the scope of our service), email delivery, and IT providers under contract. They must process data only on our instructions or as required by law and provide appropriate confidentiality and security commitments.
A current list of categories of subprocessors can be provided on request for enterprise agreements; we will notify material changes where your contract requires it.
8. International transfers
Our default posture is UK processing. If any processor stores or accesses personal data outside the UK, we ensure an appropriate transfer mechanism under UK GDPR (for example the UK extension to the EU-US Data Privacy Framework where certified, UK international data transfer agreement / IDTA, or UK addendum to standard contractual clauses), and we assess risk where required.
9. Retention
We keep personal data only as long as necessary for the purposes above: for example for the life of the contract, plus a period for disputes, tax, and regulatory requirements (typically up to seven years for accounting records where applicable). Technical security logs may be kept for shorter rolling periods unless needed for an investigation.
10. Security
We implement measures appropriate to the nature of hosting operations: access control, encryption in transit where we control channels, monitoring, and staff training. No online service is risk-free; you must also secure your systems, credentials, and backups.
11. Your rights
Under UK data protection law you may have the following rights, subject to conditions and exemptions:
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making (we do not use such decisions for individuals covered here)
To exercise your rights, contact us using the details below. You may complain to the ICO without prejudice to other remedies.
12. Cookies and similar technologies
Our public website uses essential storage so basic features work (including your display theme). If we enable optional analytics or similar technologies, we will only activate them where you choose “Accept all” on our cookie banner. Your choice is stored locally in your browser (for example under the key stone_cookie_prefs) so we remember it; you can change it anytime via “Cookie preferences” in the site footer. Where PECR requires consent for non-essential technologies, we obtain it through that banner. You can also adjust browser settings to block cookies, though parts of the site may not function.
13. Children, changes, and contact
Our services are aimed at businesses and professionals. We do not knowingly collect personal data from children under 13 for marketing purposes. We may update this policy from time to time; the “last updated” date will change and, where appropriate, we will notify you by email or dashboard notice.
Data protection enquiries
For privacy requests or questions about this policy, please use our contact page or the address given on your contract. We will respond within one month in most cases, extendable where UK GDPR permits.
ICO · Wycliffe House, Wilmslow, Cheshire SK9 5AF · ico.org.uk