1. Who we are & scope
AES Services LLC, a Texas limited liability company, is the data controller for personal data processed via the Metalhost marketing site, dashboard, API, and related services (the "Service"). When you process personal data of your own customers through the Service, you are the controller and we are the processor — that relationship is governed by our Data Processing Agreement.
We do not own Customer Data. Personal data and any other content you or your users upload to, generate on, or process through the Service ("Customer Data") remains your property. We do not use Customer Data to train AI/ML models, sell or "share" Customer Data for cross-context behavioral advertising, or process it for our own commercial purposes beyond operating the Service for you. We act as a neutral hosting intermediary for Customer Data; you are solely responsible for its legality, accuracy, and the lawful basis on which it is processed. See our Terms of Service Sections 7 and 8 for the full statement.
2. What we collect
Account data: name, email address, password hash, organization and project names, billing contact, team membership, API key metadata, and — when you use SSO — OIDC subject, provider name (e.g. GitHub or Google), and linked identity tokens stored as opaque references.
Payment data: card and bank-account information is handled by Stripe; we receive tokenized payment-method IDs and display metadata (brand, last four digits), never the full PAN or account number. Cryptocurrency top-ups are processed by Coinbase Commerce; we receive checkout status, settled amount, and an external transaction reference — not your wallet keys. Wallet, top-up, invoice, and ledger records (amount, time, currency, payment-method reference) live on our servers.
Usage telemetry: resource metering events (VM-hours, vCPU-hours, memory-hours, GPU-hours, bare-metal lease hours, disk-hours, file-share-hours, public-IP-hours, transfer bytes) generated by your workloads, plus operational metrics like API request timestamps, response codes, and source IPs (used for rate-limiting and abuse investigation).
Customer-uploaded content: VM disk contents, cloud-init data, object-store uploads, snapshot data. We do not inspect this content except as required to operate the Service or to investigate AUP violations.
Support communications: tickets, emails, and any attachments you send to support, abuse, security, or legal addresses.
Waitlist data: email address submitted on metalhost.net. Stored on Cloudflare D1 until you sign up or unsubscribe.
3. How we use it
- Provide the Service: create accounts, authenticate logins, provision resources, run workloads, deliver email.
- Bill you: compute charges, post wallet entries, generate invoices, process refunds where applicable.
- Operate & secure the platform: capacity planning, abuse detection, incident response, security audits.
- Support: answer your tickets, contact you about your account.
- Comply with law: respond to lawful legal process, retain records required by tax law, report illegal content where mandated (e.g. CSAM to NCMEC).
4. Legal bases (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, the legal bases under Article 6 GDPR are:
- Contract (Art. 6(1)(b)) — for delivering the Service you signed up for.
- Legal obligation (Art. 6(1)(c)) — tax records, anti-fraud, illegal-content reporting.
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, security, troubleshooting, anonymous product analytics. We balance these interests against your rights and offer opt-out where required.
- Consent (Art. 6(1)(a)) — for non-essential analytics or marketing email; you can withdraw consent at any time.
5. Sub-processors
We use the following third parties to provide the Service. Each is contractually bound to GDPR/CCPA-compliant data-protection terms. We maintain this list publicly so customers can audit who else processes their data.
| Sub-processor | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Card and bank payments, payment-method storage, wallet top-ups, auto-recharge, and refunds | United States |
| Coinbase Global, Inc. | Cryptocurrency (USDC) wallet top-ups via Coinbase Commerce checkout and webhooks | United States |
| Resend, Inc. | Transactional email (account verification, org invites, billing alerts, invoices, support) | United States |
| Cloudflare, Inc. | DNS, DDoS mitigation, CDN/edge, marketing-site hosting (Pages), waitlist database (D1), and object storage (R2) for invoice PDFs, image uploads, bare-metal ISO library, and audit exports | United States (global edge) |
| GitHub, Inc. (Microsoft) | Optional OIDC single sign-on; public SSH key lookup when you opt in to import from GitHub | United States |
| Google LLC | Optional OIDC single sign-on (Google account login) | United States |
We will give at least 30 days' notice before adding a new sub-processor that handles Customer Data. Customers under an executed DPA have a right to object; see the DPA for the objection process.
6. International transfers
AES Services LLC is based in the United States, and most sub-processors are also in the US. When we transfer personal data from the EEA, UK, or Switzerland to the US or another third country, we rely on:
- The EU Standard Contractual Clauses (Commission Decision 2021/914) for EEA → US transfers.
- The UK International Data Transfer Addendum to the EU SCCs for UK transfers.
- The Swiss FDPIC-recognized SCCs (with FDPIC amendments) for Swiss transfers.
We supplement transfers with technical and organizational measures (encryption in transit, encryption at rest where supported, access controls, audit logging).
7. Retention
We keep personal data only as long as we need it for the purpose collected:
- Account data: for the life of your account, plus 30 days after account closure for soft-delete recovery, then permanent purge.
- Billing & ledger records: 7 years from the transaction date (US tax records requirement).
- Customer-uploaded content (disks, snapshots, objects): until you delete it, or 30 days after account closure.
- Operational telemetry: 90 days hot, 13 months total before aggregation/anonymization.
- Support tickets: 3 years after last activity, then archive in anonymized form.
- Waitlist email: until you sign up for an account (which moves it to account data) or unsubscribe.
8. Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
- Access — a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure / "right to be forgotten" — delete your account and associated data, subject to legal retention obligations.
- Restriction — pause processing pending a dispute.
- Portability — export your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — for consent-based processing.
- Lodge a complaint — with a supervisory authority. EEA residents: your local Data Protection Authority. UK residents: the Information Commissioner's Office (ICO).
- California-specific (CCPA/CPRA): right to know, right to delete, right to correct, right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising), and the right not to be discriminated against for exercising your rights.
To exercise any right, email dpo@metalhost.net from the address on your account. We will respond within 30 days (45 for CCPA where extension is justified) and may ask for verification before acting.
9. Cookies & analytics
The marketing site (metalhost.net) does not set tracking cookies and does not use third-party analytics. Cloudflare may log request metadata at the edge for DDoS protection and rate limiting (request-scope only; not joined to your identity). We load web fonts from Google Fonts; Google may receive your IP address and browser user-agent for font delivery.
The dashboard at app.metalhost.net sets a session cookie (mh_session) on login so subsequent API calls authenticate. This cookie is strictly necessary and not subject to consent under e-Privacy.
The API reference page loads its interactive viewer from a public CDN (Scalar via jsDelivr). That script runs in your browser and does not receive your account credentials; it fetches our public OpenAPI specification only.
10. Security
We protect personal data with industry-standard technical and organizational measures: TLS everywhere, encrypted credentials at rest, scoped API keys with rotation, MFA for human accounts, principle-of-least-privilege internal access, audit logging on every administrative action, and security training for staff. Detail on our security program is at /security.
If we discover a breach of personal data, we will notify affected customers and relevant authorities without undue delay and in any case within 72 hours where required by law.
11. Children
The Service is intended for users 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, email dpo@metalhost.net and we will delete it.
12. Changes
We may update this Policy from time to time. Material changes will be announced at least 30 days before they take effect, by email to the address on your account or via in-product notice. The "Effective" date at the top tells you which version you're looking at.
Contact
AES Services LLC — Data Protection
Texas, USA
dpo@metalhost.net · privacy + data-subject requests
security@metalhost.net · security incidents
legal@metalhost.net · general legal
EU/UK customers do not require us to appoint a Representative under Art. 27 GDPR for the closed-beta scale of our operations; we will appoint one before the processing volume requires it, and will update this page when we do.