Privacy Policy & GDPR

S.C. DreamServer S.R.L. is committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and Romanian data protection legislation.

Last updated: April 2026. Supplements the Terms and Conditions.

1. Data Controller

The data controller for personal data processed through dreamserver.ro, the client area, and all services listed in the Terms and Conditions is:

S.C. DreamServer S.R.L.
VAT ID: 29975003
CIF: RO36208038
EUID: ROONRC.J2012003481409
Registered office: Str. Mircea Vulcanescu, Nr. 2, Et. 7, Ap. 25, Sector 1, Bucharest, Romania

For any questions regarding the processing of your personal data, or to exercise your GDPR rights, contact our data-protection point of contact at gdpr@dreamserver.ro.

2. Definitions & Scope

This Privacy Policy applies to personal data (as defined in Art. 4 GDPR) that S.C. DreamServer S.R.L. (the "Provider") processes in connection with the operation of dreamserver.ro, the Client Area at dreamserver.ro/client/, and all Services (Dedicated Servers, VPS, VDS, Domain Registration, LIR Services, DSIX, Reseller) described in the Terms and Conditions.

Key GDPR roles used in this Policy:

  • Data Controller: the party that determines the purposes and means of processing. The Provider is the Controller for all data it processes about its Clients and website visitors.
  • Data Processor: the party that processes data on behalf of a Controller. For Client-hosted content (data that Clients store on their servers/VPS/VDS), the Client is the Controller and the Provider is the Processor. See Article 15 and Article 21 (DPA).
  • Data Subject: the identified or identifiable natural person to whom the personal data relates.

3. Categories of Data We Collect

We collect and process the following categories of personal data:

| Category | Examples | Source |
|---|---|---|
| Identity data | Full name, company name, VAT number, national ID number (where required by Romanian fiscal law for invoicing) | You, at order time |
| Contact data | Email address, phone number, postal address | You, at order time |
| Billing data | Payment method details (card last 4 digits), bank account IBAN, transaction history, invoices | You + payment processor |
| Account data | Client Area username, hashed password, 2FA tokens, session cookies, login timestamps | You, the Client Area |
| Technical data | IP addresses (yours, visiting our site and Client Area), server and web logs, user-agent strings, support ticket content | Our infrastructure |
| Communication data | Emails you send us, support tickets, phone conversation notes, WhatsApp messages, chat transcripts | You |
| Service data | Chosen plan, server hostname, domain names, IP addresses assigned, DSIX port details, ASN, abuse-c | You + our systems |
| Website data | Pages visited on dreamserver.ro, referrer, browser type, operating system (via server logs only, not third-party tracking) | Server logs |

We do not collect any special category data (health, political opinions, religious beliefs, biometric data) because our services do not require it.

4. Cookies & Tracking

What is a cookie?

A cookie is a small text file that a website places on your browser (PC, phone, or tablet) when you visit it. Cookies allow the site to recognize you on subsequent visits, remember your preferences (such as preferred language), and keep you signed in to authenticated areas.

Cookies are used by the vast majority of websites to make browsing smoother. They cannot contain viruses or executable code, they cannot read data from your computer, and they are not "spyware". You can delete them at any time from your browser settings.

Types of cookies by purpose

  • Strictly necessary: required for the site to work (session, authentication, language preference). No consent is required under GDPR and the ePrivacy Directive.
  • Functional / preference: remember choices you made (layout, region).
  • Analytics: measure aggregated site usage (page views, traffic sources).
  • Marketing / advertising: track users across sites to deliver personalized ads and retarget visitors. These require explicit consent under Romanian Law 506/2004 and GDPR.
  • Third-party cookies: set by external domains when the site embeds content from them (e.g., social media share buttons, video players, ad networks).

Types of cookies by duration

  • Session cookies: deleted automatically when you close the browser.
  • Persistent cookies: stored on your device for a fixed duration or until you delete them; allow the site to remember you on future visits.

Cookies used on dreamserver.ro

We use only strictly necessary cookies required for the proper functioning of the site and the Client Area:

| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| lang | Remembers your preferred language (EN/RO) | Preference (necessary) | 1 year |
| lang_map | Maps incoming legacy paths for language redirection | Session | Browser session |
| WHMCS auth cookies | Authentication and CSRF protection in the Client Area at /client/ | Session | Session / until logout |

What we do NOT use

  • Third-party advertising or retargeting cookies (no Google Ads, Meta Pixel, LinkedIn Insight, TikTok Pixel, etc.).
  • Cross-site user tracking.
  • Third-party analytics platforms that identify individual users (no Google Analytics, Hotjar, Matomo Cloud, etc.).
  • Social media embed cookies (no Facebook "Like" pixel, no embedded YouTube players on the main pages, etc.).

Why no consent banner? Because dreamserver.ro uses exclusively cookies classified as strictly necessary, the ePrivacy Directive (2002/58/EC and its 2009/136 amendment) and Romanian Law 506/2004 do not require prior consent or a consent banner. We still inform you explicitly through this section, in line with the transparency principle of GDPR (Art. 12).

How to control or delete cookies

You can block or delete cookies at any time through your browser settings. Instructions for the most common browsers:

  • Chrome: Settings → Privacy and Security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions

Note: disabling strictly necessary cookies may prevent you from signing in to the Client Area or using certain parts of the site.

6. Purposes of Processing

Your personal data is used only for the following purposes:

  • Provisioning and managing your hosting services, servers, virtual servers, domains, IP resources, and DSIX peering.
  • Processing payments, issuing invoices (in Romanian and English), and fulfilling Romanian fiscal obligations.
  • Providing technical support and responding to Client Area tickets, email, and phone inquiries.
  • Maintaining network security, including monitoring for attacks, abuse, spam, and AUP violations.
  • Triggering RTBH DDoS mitigation when sFlow telemetry detects volumetric anomalies (see SLA § 7).
  • Complying with legal obligations (tax reporting, law enforcement requests, RIPE/RoTLD/ICANN policies).
  • Sending service-related notifications: maintenance windows, SLA-affecting incidents, security alerts, billing reminders, policy updates.
  • Improving our services and infrastructure through aggregated, anonymized analytics derived from server logs.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes listed above:

| Category | Retention period | Basis |
|---|---|---|
| Account data | Duration of the service agreement + 30 days after closure | Contract + short transition window |
| Billing & invoice data | 10 years from the end of the fiscal year of the transaction | Romanian accounting law |
| Support tickets | 3 years after last message | Service improvement + dispute defense |
| Server & web access logs | 12 months | Security & forensics |
| Email correspondence | 3 years after last interaction | Business continuity |
| Abuse / incident reports | 5 years | Legal & regulatory |
| RIPE database records | Lifetime of the assigned resources (managed by RIPE NCC) | RIPE policy |
| WHOIS / domain registrant data | Lifetime of the registered domain + registry-required retention (typically 1-2 years after deletion) | Registry policy (RoTLD/ICANN/EURid) |
| Client-hosted content on servers / VPS / VDS | Until the Client deletes it, or 7 days after service termination (per Terms § 24) | Contract |

After the retention period expires, data is securely deleted or anonymized using industry-standard methods (cryptographic erasure for encrypted data, multi-pass overwrite or secure disposal for hardware).

8. Data Sharing & Recipients

We do not sell your personal data. We share data only with the following categories of recipients, and only as necessary for the stated purposes:

  • Domain registries: RoTLD (for .ro), ICANN-accredited registries (for gTLDs), EURid (for .eu), and other TLD registries. WHOIS data is transmitted as required by each registry's policies.
  • Payment processors: for secure card processing (the Provider does not store full card numbers). Bank transfer data is exchanged with our Romanian banking partner.
  • RIPE NCC: for IP address, ASN, and prefix registration. Contact details are published in RIPE Database objects (inetnum, inet6num, aut-num, abuse-c) as required by RIPE policy. GDPR-compliant redaction of personal data is applied where possible.
  • PeeringDB: for DSIX members and LIR clients, the ASN and technical contact may be published (by the Client) on peeringdb.com.
  • Legal authorities: when required by a valid Romanian or EU court order, law enforcement request, or regulatory mandate. We challenge overly broad requests and notify the affected Client when legally permitted.
  • Professional advisors: accountants, auditors, and legal counsel bound by professional confidentiality.
  • Sub-processors (infrastructure): upstream Transit Providers, datacenter power/cooling suppliers, and hardware vendors. These receive only the minimum technical data required to deliver their services; they do not access Client personal data or hosted content.

9. International Transfers

All personal data processed by the Provider is stored and processed exclusively within the European Economic Area (EEA), specifically in our own datacenter in Bucharest, Romania.

We do not transfer personal data outside the EEA unless:

  • You explicitly request it (for example, by registering a gTLD domain whose registry is located outside the EEA, or by publishing information in WHOIS/RIPE/PeeringDB that is globally replicated).
  • A valid legal basis under Chapter V GDPR exists (e.g., adequacy decision, standard contractual clauses, your explicit consent).

10. Dedicated Servers (Blade, Enterprise, Game, Micro)

When you order a Dedicated Server, we process the data needed to provision and operate the physical hardware on your behalf.

What we collect specifically

  • Server hostname you choose, assigned IPv4/IPv6 addresses, assigned DSIX port (where applicable).
  • Out-of-band management (iLO/IPMI/IMM/iRMC) VPN credentials we issue to you.
  • Installed OS / ISO you selected; we do not inspect the contents of your drives.
  • Hardware event logs (PSU failures, drive SMART warnings, temperature alerts) necessary for replacement SLA (see SLA § 6).

What we do not access

  • The contents of your drives, RAM, or network traffic. You have root access and we do not log into your server except (a) at your request via ticket, or (b) for emergency maintenance limited strictly to network-level intervention.

11. Virtual Servers (VPS LXC & VDS KVM)

For VPS (LXC) and VDS (KVM) instances, the Provider operates the shared host and network but does not access the contents of individual containers or virtual machines.

What we collect

  • Configuration chosen (vCPU, RAM, storage, IP allocation).
  • VM/container state metadata (start/stop times, resource usage for billing and capacity planning).
  • Network logs at the hypervisor level (source/destination IP, byte counts), kept in aggregated form; payloads are not inspected.

The Client, as Controller of data stored inside the VPS/VDS, is responsible for compliance with GDPR for data subjects affected by the Client's own services. A DPA is available (Article 21).

12. Domain Registration & WHOIS

Domain registration requires disclosure of registrant contact details to the top-level registry (RoTLD for .ro, ICANN for gTLDs, EURid for .eu, and other country-code registries).

WHOIS & GDPR

Since the entry into force of GDPR and ICANN's Temporary Specification, registrant contact details are no longer published in public WHOIS for natural persons in the EEA; the public WHOIS shows only registrar and registration date. Full registrant data remains accessible to legitimate requestors (law enforcement, trademark holders proving legitimate interest).

  • For .ro domains: registrant details are registered with RoTLD under their GDPR-compliant policy. See rotld.ro.
  • For gTLDs (.com, .net, .org, etc.): data handling follows ICANN's GDPR-adjusted rules.
  • For .eu: EURid follows the EU GDPR requirements natively.

By registering a domain, you authorize the Provider to transmit the registrant data to the applicable registry.

13. LIR & RIPE Database

When you receive IP resources (IPv4, IPv6, ASN) through our RIPE NCC Local Internet Registry, your contact details are published in the RIPE Database as required by RIPE policy. This is a mandatory requirement for the operation of the internet-number system.

Published RIPE objects may include: inetnum, inet6num, aut-num, org, person/role, mntner, and abuse-c. The RIPE Database is publicly searchable.

The Provider takes reasonable measures to minimize the personal data published (for example, using role objects and organizational contacts instead of individual names where possible). The full RIPE NCC privacy statement is available at ripe.net/about-us/legal/privacy-statement.

14. DSIX Internet Exchange

Members of the DreamServer Internet Exchange (DSIX, AS58218) provide the following data which becomes visible to other DSIX members and, to the extent the Member chooses, to the public:

  • ASN, AS name, NOC/peering contact email (published in DSIX member list and synchronized to PeeringDB by the Member).
  • Peering policy (open / selective / restrictive).
  • IPv4/IPv6 addresses assigned on the DSIX peering fabric (published in IX-F Member Export).
  • BGP session state (established / idle) visible in the DSIX looking glass and route-server diagnostics.

The Provider does not inspect the traffic content exchanged over DSIX. Traffic statistics (byte/packet counters at the switch port level) are collected for capacity planning and are anonymized before publication in aggregate graphs.

15. Client Hosted Content (Controller vs Processor)

When a Client runs a website, database, mail server, application, or any other service on DreamServer infrastructure and that service processes personal data of end-users (e.g., your website's visitors, your customers, your employees), the following GDPR roles apply:

  • The Client is the Data Controller of the data subjects whose personal data they process on their service.
  • The Provider is the Data Processor, acting only on the Client's documented instructions (for infrastructure operation, backup, incident response at the Client's request).

In this configuration, the Client is responsible for: providing privacy notices to their own data subjects, securing a lawful basis for processing, responding to data subject requests, and reporting personal data breaches to the Romanian authority where applicable.

A Data Processing Agreement (DPA) is available on request to formalize this relationship (see Article 21).

16. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): obtain a copy of all personal data we hold about you, along with information about how we process it.
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17, "right to be forgotten"): request deletion of your personal data where there is no legal obligation to retain it (note: billing data is retained for 10 years under Romanian fiscal law).
  • Right to restrict processing (Art. 18): limit how we use your data in certain circumstances (e.g., while a correction request is being verified).
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making (Art. 22): we do not perform automated profiling with legal effects; the only automated processing we run is technical (RTBH trigger, spam filters, log rotation).

17. How to Exercise Your Rights

To exercise any of your rights, send an email to gdpr@dreamserver.ro or open a ticket in the Client Area. Include:

  • The right you wish to exercise.
  • Sufficient information to verify your identity (typically your registered email address and, for sensitive requests, additional ID verification).
  • A description of the specific data or processing the request relates to.

We will respond within 30 days of receiving a valid request. In complex cases this period may be extended by up to 2 additional months, with notification to you. If we cannot fulfill your request, we will provide a reasoned explanation and inform you of your right to complain.

Exercising your rights is free of charge unless the request is manifestly unfounded or excessive (e.g., repetitive), in which case a reasonable fee may apply or the request may be refused.

18. Complaints to ANSPDCP

You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing:

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro

You also have the right to bring a claim before competent Romanian courts, or the courts of the EU member state where you reside or where the alleged infringement took place.

19. Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit: TLS 1.2+ with modern cipher suites on all public endpoints (dreamserver.ro, Client Area, email, control panels).
  • Access controls: role-based permissions in internal systems; principle of least privilege.
  • Authentication: strong password policy and optional 2FA (TOTP) in the Client Area.
  • Network isolation: out-of-band management is reachable only through per-Client VPN, never exposed to the public internet.
  • Logging & monitoring: access to internal systems is logged; anomaly detection via sFlow at the network edge.
  • Physical security: on-site staff, access control, CCTV in our Bucharest datacenter.
  • Staff training: internal data-protection awareness for all personnel with access to Client data.
  • Secure disposal: drives removed from rotation are wiped (multi-pass overwrite) or physically destroyed before leaving the facility.

20. Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, the Provider will:

  • Notify the Romanian supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR.
  • Notify affected Clients without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by Art. 34 GDPR.
  • Communicate (at minimum): the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
  • Maintain an internal record of all personal data breaches, their effects, and remedial actions, as required by Art. 33(5) GDPR.

21. Data Processing Agreement (DPA)

Where the Provider acts as a Data Processor on behalf of the Client (typically when the Client's services running on our infrastructure process personal data of end-users), a Data Processing Agreement conforming to Art. 28 GDPR is available on request.

The standard DPA covers:

  • Subject matter, duration, nature, and purpose of the processing.
  • Categories of data subjects and types of personal data.
  • Processor obligations (confidentiality, security measures, sub-processor engagement rules, assistance with data subject requests, breach notification to the Controller).
  • List of authorized sub-processors (Transit Providers, PeeringDB, RIPE NCC, payment processors).
  • Return or deletion of personal data at the end of the processing.

Request a copy by emailing gdpr@dreamserver.ro.

22. Changes to This Policy

The Provider may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Material changes will be communicated:

  • Via email to active Clients, at least 15 days before the change takes effect (mirroring the Terms § 27 notification rule).
  • By publishing the updated version at dreamserver.ro/en/privacy/ with the "Last updated" date visible at the top and bottom of the page.

Continued use of the Services after the effective date constitutes acceptance of the updated Policy. If you do not agree with a change, you may exercise your GDPR rights (Article 17) and terminate the Services under Terms § 24.

23. Contact

For any privacy-related inquiry, to exercise your GDPR rights, or to request a DPA:

Last updated: April 2026.
