Privacy Policy – overview

For hosting clients

In order to help you comply with GDPR, Twelve Kites are making some changes to how your services may be accessed, to ensure that any personal data you record from you users is as secure as possible.

By 25 May 2018 we will cease support for all non-secure data transfer methods, except in certain legacy cases where encryption is not supported. This means that if you currently access your site using the FTP protocol, you will have to change to the encrypted SFTP protocol. Additionally, we will help you move your site from the non-secure HTTP protocol to the encrypted HTTPS protocol by default.

Twelve Kites uses various third-party providers for hosting services and will ensure that GDPR compliant data processing agreements are in place between Twelve Kites and those providers, and where applicable those providers comply with the CISPE Code of Conduct.

All hosted services provided are physically located within the EU unless you have requested otherwise.

If you are one of our hosting clients, we may process some user data in order to provide services to you. While we will not process any personal data gathered by your site as part of its normal operation, there is some data processing we undertake in order to provide you with these services, that you should ensure you tell your users about.

We log the IP address and the User Agent string of any browser that connects to your website, and additionally the IP address of any computer that attempts a connection to other services on the server. This information is recorded and kept for up to 30 days to allow us to analyse traffic and to detect malicious attempts to attack, disrupt or gain unauthorised access to the server. Additionally, we may use log files to help us diagnose and solve technical issues.

If an attack or other malicious behaviour is detected, we may retain the relevant data from the log file to maintain a blacklist of such IP addresses, and may also share the data with relevant legal authorities.

If you are a hosting backup services customer, you should be aware of our backup handling and retention policy. Backups are created on the server and transmitted by secure data transfer to encrypted storage, held within the EU. The default retention policy is that backups are retained for 90 days, and expired backups will be deleted by 98 days after the date they were created. If you want this retention period to be reduced, you may request this in writing. We will only use data in backups for disaster recovery purposes, or if you expressly request us to do something else with them. If you record personal information for your users within your website or database, you must make them aware of this retention policy. If technically feasible, it may be possible to exclude certain information from the regular backup process.

For full details, please refer to our privacy and data protection policy.

For website users

At Twelve Kites we respect your personal privacy and are committed to protecting your information while you are using the service.

This policy describes how we handle any information collected by or submitted to our website,

Information we collect and how we use it
We use the information we collect to operate and improve our website and to respond to requests for information.

When you visit our site, our server software stores basic technical information, including your IP address and your browser’s “User Agent” string. We use this information to detect whether a malicious user is trying to gain unauthorised access to our site or server, or to diagnose and resolve any technical issues the site might be having. We delete this technical information after 30 days, unless required to do so by law (e.g. by request from law enforcement agencies).

We also have a form on our site where you can ask us to get in touch with you. This form asks for your name, email address and a message for us. We store this information on our server, and Twelve Kites will only use this information to contact you about the message you send us. The data stored on the server will be deleted within 30 days. In certain cases, the data may also be stored in site backups that we hold for disaster recovery. These backups are stored in an encrypted environment and will be deleted within 98 days.

We use Google Analytics to provide us with aggregate reporting on users who are visiting the site. Google Analytics doesn’t tell us any of your personal information and we’re using the Google IP address anonymisation feature, but we’re able to see aggregate data such the number of visitors to our site, a breakdown their approximate location based on the first part of their IP address, the numbers of users visiting us from mobile or desktop devices and the number of users who arrived at our site directly or by using a search engine.

You can opt out of Google Analytics data collection. Read more about Google Analytics and find out how to opt-out visit this page.

Accessing, changing, or deleting your information
You may ask for a copy of the information we hold for you, or for us to delete information, by emailing In order to verify it’s you, we may need to ask for ID or verify you by some other means, for example verifying that you’re able to receive email at the address we hold for you.

Information for European Union Visitors
All data is collected and stored within the EU.

To report an incident of abuse, please email

Changes to this policy

If we decide to change our privacy policy, we’ll post the changes on this page. We will also add a summary of the changes to the list below:

8 May 2018: Removed references to information not collected by Twelve Kites. Clarified what information is collected. Edited for layout.
10 March 2016: First published