Privacy Policy

Last updated: 2026-02-12

1. Introduction

NugetHosting is a service operated by Loty LLC, doing business as NugetHosting ("NugetHosting", "we", "us", or "our"). We respect your privacy and are committed to protecting it through our compliance with this Privacy Policy ("Policy"). This Policy describes our practices for collecting, using, maintaining, protecting, and disclosing your information through nugethosting.com (our "Website"), our APIs, and our products, services, technology platforms and related applications (collectively, the "Services"). Please read this Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our terms, your choice is not to use our Services. By accessing or using our Services, you agree to this Privacy Policy.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contractual necessity: Processing necessary to provide you the service you signed up for (account creation, package hosting, billing)
  • Legitimate interest: Processing for service improvement, security monitoring, fraud prevention, and analytics
  • Consent: Processing based on your explicit consent (marketing emails, optional analytics). You may withdraw your consent at any time by contacting us
  • Legal obligation: Processing required to comply with applicable laws (tax reporting, law enforcement requests)

3. Information We Collect

Information You Provide to Us

In the course of using our Services, we collect information that identifies you as a specific individual ("Personal Information"):

  • Account information: Full name, email address, company name, industry
  • Payment information: Processed securely via Stripe — we never store your full card number, CVV, or banking details. By submitting your payment information, you consent to our providing it to Stripe as necessary to process your transactions
  • User content: NuGet packages and Docker container images you upload to the service
  • API tokens: Tokens you create and their usage metadata (last used date, IP whitelist configuration)
  • Communication preferences and support tickets
  • User contributions: Feedback, support requests, or posts you submit to us or through third-party platforms. Your contributions are posted at your own risk — we cannot guarantee they will not be viewed by unauthorized persons

Information Collected Automatically

As you navigate through and interact with our Services, we may automatically collect:

  • Usage information: Pages visited, links clicked, API requests made, timestamps, and response times
  • Device information: IP address, approximate geolocation, browser type, operating system
  • Download and usage metrics for your packages and container images
  • Performance data and error reports

Information Received from Third Parties

We may receive information about you from third parties when you choose to access the Services through another service:

  • When you sign in via a third-party authentication provider (e.g., Google, GitHub), we may receive your name, email address, and profile information as permitted by your privacy settings with that provider
  • We do not have access to your third-party account credentials — authentication is handled through industry-standard OAuth protocols

4. How We Use Your Information

We use the information we collect to:

  • Provide you with an account and deliver, maintain, and improve our Services
  • Process transactions and send billing-related communications
  • Send technical notices, security alerts, updates, and support messages
  • Respond to your comments, questions, and support tickets
  • Protect against fraudulent, unauthorized, or illegal activity
  • Generate aggregated, anonymized analytics about service usage
  • Enforce our Terms of Service and Fair Use Policy
  • Comply with legal requirements and assist law enforcement
  • Communicate with you about products, services, and offers from NugetHosting

5. Do Not Track Signal

Do Not Track (DNT) is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. We honor Do Not Track signals and do not track users or allow third parties to track the personal information of our users on our Website when a DNT browser mechanism is activated.

6. Email Communications

We send the following types of emails:

  • Transactional emails: Account verification, password resets, payment receipts, security alerts (cannot be opted out — these are essential to the service)
  • Service emails: Package published/deleted notifications, token expiration warnings, quota alerts (can be configured in your notification settings)
  • Product emails: Feature announcements, tips, and best practices (can be unsubscribed from via the link in each email)

We use SendGrid (Twilio) as our email delivery provider. Your email address is shared with SendGrid solely for the purpose of delivering emails. You can manage your email preferences in your account settings. You may opt out of promotional emails by following the unsubscribe instructions in the promotional email itself.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • TLS 1.3 encryption for all data in transit
  • AES-256-GCM encryption at rest for uploaded artifacts (packages and container images)
  • Row Level Security (RLS) ensuring strict data isolation between tenants
  • TOTP-based two-factor authentication (2FA) available for all accounts
  • API token hashing using SHA-256 — we never store your raw API tokens
  • Rate limiting and brute force protection on all API endpoints
  • IP whitelisting capability for API tokens
  • Security headers (HSTS, X-Content-Type-Options, X-Frame-Options) on all responses

While we use commercially reasonable efforts to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and API tokens.

8. Information Sharing & Sub-Processors

We do not sell your personal information to third parties. We share data with the following categories of service providers (sub-processors):

With Our Service Providers

We employ third-party companies to provide Services on our behalf, to perform Service-related operations (e.g., without limitation, database management, web analytics, server hosting, fraud detection, and improvement of NugetHosting's features) or to assist us in providing and analyzing how our Service is used. These third parties may have access to your Personal Information in order to perform these tasks on our behalf. For example, we use Stripe to process your payments. We use SendGrid (Twilio) as our email delivery provider. You may access their privacy policies on their respective websites.

If Required By Law

We will disclose information about you to government or law enforcement officials or private parties as we believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), or as otherwise necessary to protect the rights, property, or safety of NugetHosting or others.

For Corporate Transactions

NugetHosting may share information, including Personal Information, with any current or future subsidiaries or affiliates, primarily for business and operational purposes, in connection with a merger, acquisition, reorganization, or sale of assets, or in the event of bankruptcy.

With Your Consent

You may submit Personal Information to us and consent to receive communication from us based on the information provided. We will only share your information with other parties with your explicit consent.

All service providers are contractually bound to process your data only for the purposes we specify and to maintain appropriate security measures. An up-to-date list of sub-processors is available upon request at [email protected].

9. International Data Transfers

Your data is processed and stored in the United States, where our infrastructure providers operate. If you are accessing the Services from another country, please be advised that you may be transferring your personal information to the United States and you consent to that transfer, processing, and storage in accordance with this Privacy Policy. For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Cookies and Tracking Technologies

We and our partners use cookies or similar technologies to collect information. The technologies used may include:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled. Session cookies expire at the end of your browser session; persistent cookies remain to save your login preferences.
  • Preference cookies: Store your language preference and UI settings. Duration: 1 year.
  • Analytics cookies: Help us understand how the service is used. These are anonymized and do not track you across other websites.
  • Web beacons: Small graphics used to track online activity, such as counting visitors or measuring email open rates.

We do not use third-party advertising cookies or share cookie data with advertisers. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functionality of the Service.

11. Your Rights and Choices

You have several ways to exercise control over your information:

  • Account Settings: You may access, update, or delete your personal information through your account settings in the application.
  • Contact Us: You may contact us to access, update, or delete your personal information at [email protected].
  • E-Mail: You may opt out of receiving marketing emails by following the opt-out instructions provided in those emails. Transactional account messages may be unaffected.

European Residents (GDPR)

Under the General Data Protection Regulation (GDPR), European residents have the following additional rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Correct inaccurate or incomplete personal information
  • Right to erasure: Request deletion of your personal data ('right to be forgotten')
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw previously given consent at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local data protection supervisory authority.

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) may provide you with additional privacy rights:

  • The right to know what personal information we have collected and how we have used and disclosed it in the preceding 12 months
  • The right to request deletion of your personal information
  • The right to be free from discrimination related to the exercise of any of your privacy rights
  • The right to opt out of the sale of your personal information

NugetHosting does not sell personal information, nor do we share personal information with third parties for marketing purposes. To exercise your rights, contact us at [email protected]. We may require you to verify your identity before processing your request.

12. Account Deletion

You can request account deletion at any time through your account settings (Settings > Danger Zone) or by contacting us at [email protected]. Upon deletion request:

  • Your account will be deactivated immediately and your API tokens revoked
  • Active paid subscriptions will be cancelled automatically
  • You will have a 30-day grace period to log back in, download your packages and data, or cancel the deletion to reactivate your account
  • After 30 days, all personal data, packages, container images, and associated records will be permanently and irreversibly deleted
  • Billing records may be retained for up to 7 years as required by tax laws. Anonymized, aggregated analytics data may be retained indefinitely

During the 30-day grace period, you may cancel the deletion and fully reactivate your account from the Settings page. After the grace period expires, deletion is permanent and cannot be reversed.

13. Data Retention

Unless you request deletion, we retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Policy. Our retention periods include:

  • Account data: For the duration of your account plus 30 days after deletion
  • Billing and transaction records: Up to 7 years (legal requirement)
  • Access logs and security data: 90 days
  • Support tickets: 2 years after resolution
  • Anonymized analytics: Indefinitely

The criteria used to determine our retention periods include the length of our ongoing relationship with you, legal obligations, and whether retention is advisable considering our legal position.

14. Children's Privacy

The Services are general audience and intended for users 16 and older. We do not knowingly collect personal information from anyone younger than age 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

15. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR. Notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommendations for protecting yourself. We may deliver electronic notifications about breaches of security to the email address on record on your account.

16. Automated Decision-Making

We use automated systems for fair use monitoring, rate limiting, brute force protection, and fraud detection. These systems may automatically throttle or temporarily suspend accounts that exhibit abusive patterns. No automated decisions are made that have significant legal effects on you. You can contact us to request human review of any automated decision.

17. Third-Party Websites and Links

Our Services may contain links and features to other websites and online platforms operated by third parties. We do not control such other platforms and are not responsible for their content, their privacy policies, or their use of your information. Information collected by third parties is governed by their privacy practices.

18. Changes to This Policy

We may update this Privacy Policy at any time and any changes will be effective upon posting. For material changes, we will provide at least 30 days' advance notice via email and a prominent notice on our website. We will notify you of any changes by posting the new policy on this page and updating the 'Last updated' date. Your continued use of the service after changes constitutes acceptance of the updated policy.

19. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have a data protection concern, please contact us.

Data Protection Inquiries: [email protected]

General Inquiries: [email protected]

Loty LLC (d/b/a NugetHosting)