Privacy Policy.

// Effective 2026-02-26 Andy Web Service · Hong Kong v 1.0

This Privacy Policy describes how Andy Web Service ("AWS", "we", "us") collects, uses, and protects personal information when you visit andyws.io, use the customer portal at idc.andyws.io, or otherwise interact with our services.

Information We Collect

We collect the minimum information needed to operate the service:

Account data: name, email, organization, billing address, phone number.
Authentication data: hashed password, 2FA secret, session tokens.
Billing data: invoice history, payment method metadata (we do not store full card numbers — Stripe and other gateways hold those).
Service data: server hostnames, IP addresses assigned to you, region, plan tier, OS image.
Technical logs: IP addresses, user agents, request timestamps for customer-portal access and SSH/console actions.
Support data: the contents of tickets you send us and our replies.

How We Use It

We use your information to:

Provision, operate, and maintain the services you ordered.
Send invoices, payment receipts, and service-related notices.
Respond to support requests.
Detect and prevent fraud, abuse, or attacks against our infrastructure.
Comply with legal obligations imposed by Hong Kong or Singapore law.

We do not sell personal data, and we do not use it for behavioural advertising. We do not share your data with third parties except as described below.

Third-Party Processors

We rely on a small number of third-party processors to operate the service:

Stripe / PayPal / Alipay: payment processing.
SMTP relay providers: delivery of transactional email (invoices, welcome messages, alerts).
Datacenter operators in Hong Kong and Singapore: physical hosting of our hardware.
Let's Encrypt: issuance of SSL certificates on your behalf.

Each processor receives only the data strictly required for its function.

Cookies

The customer portal sets a session cookie to keep you logged in (HttpOnly, Secure). The marketing site at andyws.io does not use tracking cookies, third-party analytics, or fingerprinting beacons.

Data Retention

We retain account data for as long as you have an active service with us, plus up to five (5) years after closure for accounting, legal, and dispute-resolution purposes. Service data (VM disks, snapshots, backups) is deleted within 14 days of service termination. Technical access logs are rotated and discarded after 90 days unless required for an active investigation.

Your Rights

You may, at any time:

Request a copy of the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your account and associated data (subject to legal retention obligations).
Withdraw consent to non-essential processing.

Submit such requests via an authenticated ticket on the customer portal.

Security

We protect your data with industry-standard measures: TLS in transit, bcrypt-hashed passwords, restricted internal access on a need-to-know basis, encrypted off-site database backups, and 2FA enforcement for administrative accounts. No system is ever 100% secure; we will notify affected users in writing within 72 hours of becoming aware of a personal-data breach.

International Transfers

Our infrastructure operates in Hong Kong and Singapore. If you access the services from outside these jurisdictions, your data will be transferred to and processed in Hong Kong and Singapore. By using the services, you consent to this transfer.

Children

The services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

Changes

We may update this Policy from time to time. Material changes will be announced in the customer portal at least 14 days before they take effect.

Contact

For privacy questions or data-subject requests, open a ticket at idc.andyws.io/submitticket.php.

← Back to home