Privacy Policy
Last revised: 4 May 2026
1. Who we are
This policy is issued by the operator of the KVM Fleet service ("KVM Fleet", "we", "us"), established in Malta. For the purposes of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") we act as a data controller for personal data collected directly from account holders (e.g. your email when you sign up), and as a data processor for personal data your team or users submit through the Service (e.g. emails of users you invite, audit log entries you generate).
You can reach our privacy team at privacy@kvmfleet.io. Where we process personal data on a Customer's behalf as a processor, that processing is also governed by our Data Processing Addendum.
2. What this policy covers
This policy applies to:
- the public website at
kvmfleet.io; - the application at
app.kvmfleet.io; - the KVM Fleet REST API;
- the KVM Fleet agent software you install on your KVM-over-IP hardware.
3. Personal data we collect
3.1 Information you give us
| Data | Why | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Email address, full name (optional) | Account identification, transactional email, password reset, 2FA recovery, billing receipts | Contract (Art. 6(1)(b)) |
| Password (stored as a bcrypt hash) or Google SSO subject | Authentication | Contract (Art. 6(1)(b)) |
| TOTP secret & recovery codes (recovery codes stored as bcrypt hashes) | Two-factor authentication | Legitimate interest in account security (Art. 6(1)(f)) |
| Organisation name, billing address, VAT ID | Subscription billing, invoicing, EU VAT compliance | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Payment method details | Subscription processing — handled directly by Stripe; we never see card numbers | Contract (Art. 6(1)(b)) |
| Email of team members you invite | Sending the invite, creating their membership when they accept | Contract (Art. 6(1)(b)) |
3.2 Information collected automatically
| Data | Why | Lawful basis |
|---|---|---|
| IP address, user-agent string, request method & path, timestamps | Security, abuse prevention, audit trail | Legitimate interest in security and integrity (Art. 6(1)(f)) |
| Audit-log entries (action, target, result, actor, IP) | Tamper-evident security and compliance record. Customers in regulated industries depend on this trail. | Legitimate interest and, for the customer's own users, contract |
| Console-session metadata (start time, end time, viewer email, device id) | Service operation, audit log, alerting on anomalous sessions | Contract and legitimate interest |
| Device telemetry from the agent (hardware id, agent version, CPU temperature, uptime, last-seen timestamp) | Operating the dashboard, alerts, version-drift monitoring | Contract |
| Refresh tokens, password-reset tokens (stored hashed) | Session continuity, secure password reset | Contract and security legitimate interest |
| Failed login attempts, brute-force counters | Throttling and account lockout | Legitimate interest in security |
3.3 What we explicitly do not collect or store
- The contents of your remote console sessions (video, keyboard input, mouse input). These are tunnelled in real time between your browser and your device through a WebSocket relay; we do not record them. (If you opt in to the future "session recording" feature, that will be controlled separately and clearly.)
- The credentials, files or data of the systems you remotely manage through KVM Fleet. We never see what's on the server you've connected to.
- Card numbers, CVV, or full bank account details — these stay with Stripe.
- Marketing trackers, advertising cookies, or third-party analytics scripts on the public website.
4. Cookies and similar technologies
EU ePrivacy rules (Directive 2002/58/EC, as transposed into national law) regulate the storing of information on, or the gaining of access to information already stored in, a user's terminal equipment — whether that information is held in cookies, localStorage, sessionStorage, IndexedDB, Service Worker caches, or any other mechanism. None of the items below are used for advertising, profiling, or cross-site tracking, and none require consent under those rules; each is strictly necessary to operate the Service the user has explicitly requested.
kvmfleet_consolecookie — HttpOnly, Secure, SameSite-strict, scoped to the console path. Carries a short-lived token authorising a remote-console session. Strictly necessary for the console feature to work.localStorageentry holding the API access token — strictly necessary to keep the user authenticated for the duration of their session.localStorageentry storing the user's language preference (en,de,fr, etc.) — strictly necessary to render the dashboard in the language the user explicitly selected.
The public website (kvmfleet.io) does not set any storage that requires user consent. No third-party advertising, analytics, or marketing tags are loaded. If we ever introduce non-strictly-necessary storage (for example optional product analytics), we will display a prior-consent banner and update this section.
5. How we use personal data
- To operate, maintain and improve the Service.
- To authenticate you, prevent abuse, and protect the security of the Service.
- To process payments and send invoices.
- To send transactional email (account verification, password reset, alerts you have configured, billing notices). We do not send marketing email without your consent.
- To respond to support requests.
- To comply with legal obligations and enforce our Terms.
We do not engage in automated decision-making producing legal or similarly significant effects, and we do not perform profiling for marketing purposes.
6. Who we share data with (sub-processors)
We share personal data only with the following sub-processors, each contractually bound by GDPR-aligned data protection terms:
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting (compute, storage, network) | Falkenstein, Germany (EU) |
| Stripe Payments Europe Ltd. | Subscription billing, invoicing, customer-portal self-service | Ireland (EU); some processing in the United States under the EU–US Data Privacy Framework |
| Sendinblue SAS (Brevo) | Transactional email delivery | France (EU) |
| ImprovMX SRL | Inbound mail forwarding for @kvmfleet.io aliases (support, security, privacy, hello, legal) | Belgium (EU) |
| Google Ireland Ltd. (only if you enable Google SSO) | Authentication | Ireland (EU); standard Google sub-processor chain applies |
We do not sell, rent or otherwise share personal data with third parties for their own commercial purposes. We may disclose data when required by law, court order, or to protect the rights, property or safety of KVM Fleet, our customers or others — in which case we will challenge over-broad requests where lawful and notify the affected customer where permitted.
7. International transfers
The Service is hosted in the EU and we keep data in the EU wherever possible. Limited transfers to non-EU countries may occur in connection with Stripe and Google sub-processors above. Such transfers rely on EU Standard Contractual Clauses or, where applicable, the EU–US Data Privacy Framework.
8. How long we keep data
| Data | Retention |
|---|---|
| Account data (email, name, hashed password) | For as long as your account is active. Deleted within 90 days of account closure. |
| Audit log entries | Indefinitely while the org is active — the audit log is tamper-evident by design and customers in regulated industries rely on its continuity. Deleted with the org on closure. |
| Console-session metadata | Same as audit log. |
| Refresh tokens, password-reset tokens | Until expiry, revocation, or account closure. |
| Billing records (invoices, subscription history) | Ten (10) years to satisfy Maltese accounting / VAT retention obligations. |
| Email transactional logs at Brevo | 30 days under Brevo's standard retention. |
| Web-server access logs | 14 days, then deleted. |
| Failed-login counters | 24 hours. |
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase data ("right to be forgotten"), subject to lawful retention obligations;
- Restrict or object to processing based on legitimate interest;
- Portability — export your data in a structured, machine-readable format. The audit log, device list and team list are exportable from the dashboard and via the API at any time;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with your local supervisory authority. Ours is the Office of the Information and Data Protection Commissioner (IDPC) in Malta — idpc.org.mt.
To exercise any of these rights, write to privacy@kvmfleet.io. We respond within thirty (30) days.
10. How we protect data
We implement organisational and technical measures appropriate to the risk:
- EU-only hosting on hardened infrastructure (non-root containers, capability drops, rotating secrets).
- HTTPS / TLS for all browser and API traffic; HSTS preload.
- Postgres row-level security so each tenant's data is isolated at the database level.
- Tamper-evident SHA-256 hash chain on the audit log, with database-level write protection.
- Bcrypt-hashed passwords and bcrypt-hashed TOTP recovery codes; no plaintext credential is ever stored.
- Refresh-token rotation with reuse detection; short-lived JWT access tokens with explicit audience claims.
- Rate limiting and brute-force throttling on authentication endpoints.
- Single-use opaque password-reset tokens with a fifteen-minute lifetime.
- Role-based access control for the platform team; access to production data is logged and limited to what is needed for support.
No service is perfectly secure. We will notify affected customers without undue delay (and the supervisory authority within 72 hours where required by Art. 33 GDPR) if we discover a personal-data breach affecting them. Vulnerability reports go to security@kvmfleet.io (see also /.well-known/security.txt).
11. Children
The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe we have, contact privacy@kvmfleet.io so we can delete it.
12. Changes to this policy
We may update this policy from time to time. The "Last revised" date at the top reflects the most recent material change. Where the change materially expands the data we collect or the purposes for which we use it, we will notify you in advance by email or through the application.