This Privacy Policy explains what data PastePanel collects, why we collect it, how long we keep it, who we share it with, and the rights you have over it. It covers pastepanel.com, every domain connected through our service, and the associated apps, APIs, emails, and support channels (together, the “Service”). Read it alongside the Terms of Service.
1. Short summary
- We collect the minimum we need to run your account, protect it, and deliver the Service.
- We do not sell personal data — not now, not ever. No broker, no ad network, no “partners” we can't name.
- Your customers' data belongs to you. You are the controller; we are the processor.
- You can delete everything from the dashboard. Deletion is permanent and we cannot recover it afterwards.
- Contact: the in-app Support channel or, if you do not have an account, the contact page.
2. Who is responsible
PastePanel (“we”, “us”, “our”) is the data controller for information about account holders — the operators who sign up at pastepanel.com. For information about your customers — the end-users who visit and buy on panels you operate — you are the controller and we act as your processor.
3. What we collect & why
3.1 Account data
When you create an account we collect your username, email, and hashed password. If you sign up with Google or Telegram we receive the basic profile identifier those services return. You can later add a display name, an avatar, a short bio, a country, a timezone, and contact handles — all optional.
3.2 Operational data
To operate your panel we store the domains you connect, the services you sell, orders placed on your panel, payments settled through configured providers, tickets you open or receive, and the configuration you choose (themes, branding, pricing, refill policy, etc.).
3.3 Security telemetry
We log sign-in events (successful and failed, with source IP and user-agent), admin actions, API requests, and abuse-detection signals. This is kept for the shortest period compatible with investigating incidents — typically 90 days — and is used solely to protect accounts and the platform.
3.4 Communications
We keep the support tickets you open, the replies we send, and any attachments you include, for as long as your account exists plus a short post-closure retention window.
3.5 End-customer data (you are the controller)
If your panel collects customer accounts, orders, or payments, that data sits inside your tenant and is strictly isolated from other tenants on the platform. We never mine it, profile it, or use it to cross-market. Our role is to host, process, and protect it on your behalf.
4. Legal bases (EEA / UK)
Where the GDPR or UK GDPR applies, we rely on the following bases for processing:
| Purpose | Legal basis |
|---|---|
| Creating and running your account; serving panels at your domain | Performance of a contract |
| Two-step authentication, anti-abuse telemetry, security logging | Legitimate interest (protecting accounts) |
| Transactional email (sign-in codes, deletion confirmations, ticket replies) | Performance of a contract |
| Responding to legal requests, enforcing Terms, preventing fraud | Legal obligation / legitimate interest |
| Processing personal data on your behalf about your customers | Processor under your controller instructions |
5. How long we keep data
- Active account data: for as long as the account exists.
- Deleted account or panel: the panel's content — admin users, customers, orders, tickets — is erased immediately and cannot be recovered. Aggregated or anonymised statistics may remain.
- Security and audit logs: typically 90 days, longer only if an active investigation requires it.
- Backups: rolling encrypted daily backups kept on separate storage, with automatic expiry within the retention window stated in the Terms.
- Legal holds: where the law requires a longer retention (tax, anti-fraud), we keep only what the law requires and for only as long as it requires.
6. Who we share it with
We share personal data only with the sub-processors needed to operate the Service, each under a confidentiality and data-protection commitment:
- Infrastructure & hosting providers that run our servers and network.
- Transactional email provider (currently Resend) to deliver sign-in codes, deletion confirmations, and ticket replies.
- Certificate authorities (Let's Encrypt, ZeroSSL) to issue SSL certificates for the domains you connect.
- Push-notification provider (OneSignal) where your panel opts in.
- Payment providers you enable (Cryptomus, Heleket, KHQR, etc.) for the transactions your customers submit.
We never sell personal data. We do not run advertising on the platform and do not share data with advertising networks.
7. Cookies and similar technologies
We use strictly necessary cookies for the session (signing you in, keeping you signed in, and carrying the CSRF protection token). A short-lived trusted-device cookie may be set after a successful two-step sign-in so you're not challenged again on every visit from the same device.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that profile individuals across sites.
8. International transfers
Data may be processed in countries other than the one you live in. Where we transfer personal data out of the EEA or UK to a third country that does not have an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (or equivalent transfer mechanism) with our sub-processors.
9. Your rights
Depending on where you live, you may have the following rights. We honour them regardless of legal obligation where reasonable:
- Access — see what we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion, subject to legitimate retention obligations.
- Restriction / objection — pause or object to a particular processing activity.
- Portability — receive the data in a structured, machine-readable format.
- Withdraw consent — at any time, without affecting earlier lawful processing.
- Complain — to your local data-protection authority (for example, the UK ICO or your national DPA in the EEA).
Most rights can be exercised directly from the dashboard: you can edit your profile, change your email, delete your account, and export the data associated with it. For anything you can't do in-app, send us a ticket at /panels/support and we'll respond within the legally required window (30 days in the EEA/UK).
10. Children
The Service is not directed at children under 16. If you believe a child has created an account, contact us and we will verify and delete it.
11. Security practices
Defence in depth is a core design requirement, not an upsell. Standard defaults include:
- Encryption in transit (TLS 1.3 only, modern ciphers) and at rest.
- Password hashing with bcrypt (and constant-time verification) — we never store passwords in plain text.
- Two-step sign-in with authenticator app or email code, plus trusted-device memory.
- Strict tenant isolation at the ORM and SQL level.
- Rate limiting, DDoS filtering (L3/L4 and L7), brute-force lockout, and anomaly alerts.
- Automatic daily backups, encrypted at rest, on separate infrastructure.
- Continuous security patching of the underlying stack.
No service is invulnerable. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected accounts and, where required, the relevant authority within the legally mandated window (72 hours under GDPR).
12. Data processing for your customers (DPA)
Where GDPR or an equivalent framework applies to the personal data of your customers that flows through the panel you operate, these Terms form the core of our data-processing agreement with you. Specifically: we process that data only on your documented instructions; we require every sub-processor to uphold equivalent protection; we assist you in responding to data-subject rights requests; and we assist with breach notification obligations. A detailed DPA addendum can be signed on request.
13. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices, the law, or the Service. Material changes will be announced on the What's new page, in the dashboard, or by email at least seven days before they take effect where practicable.
14. Contact us
For privacy questions, data-subject requests, or to flag a security concern, reach the PastePanel team through the in-app Support channel, or — if you do not yet have an account — through the contact page.
Plain-English summary: we keep the minimum we need, we don't sell your data, we back it up and lock it down, you can delete it any time, and we'll tell you quickly if anything goes wrong. The formal text above controls where it conflicts with this summary.