Privacy Policy

1. Introduction

This Privacy Policy explains how Tyga.Cloud Ltd (Company No. 14643275), trading as SSLWebsites, ("we", "us", "our") collects, uses, stores, and discloses personal data when you use the SSLWebsites website at sslwebsites.com and the SSLWebsites agent-first SSL certificate management platform, including our API, dashboard, documentation, and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

Our registered office is: Ground Floor, Unit 2 Mallard Court, Mallard Way, Crewe Business Park, Crewe, Cheshire, England, CW1 6ZQ.

2. Applicability — Controller vs. Processor

When we are the Controller: We act as the data controller for personal data we collect directly from you, such as your account information, billing details, API key metadata, and usage data. We determine the purposes and means of processing this data to provide and improve the Service.

When we are the Processor: When you store SSL certificate data (certificates, private keys, CA bundles) through the Service, we act as a data processor on your behalf. You (or your organisation) are the data controller for any personal data contained within your certificate data. We process this data solely to provide the Service in accordance with your instructions and our Terms of Service. We do not access, inspect, or analyse the content of your certificate data except as required for technical operations (e.g., certificate issuance, renewal, validation) or as required by law.

If you are using SSLWebsites on behalf of an organisation, that organisation is the controller of any personal data processed through SSL certificate operations, and you should refer to your organisation's privacy policy for how that data is handled.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Email address
• Name (if provided)
• Organisation name (if provided)
• Account credentials (passwords are hashed and salted; we never store plaintext passwords)

3.2 Billing Information

When you subscribe to a paid plan, we collect payment information via our payment processor, Stripe. We do not store full credit card numbers on our servers. Stripe processes and stores your payment details in accordance with PCI-DSS standards. We receive and store:

• Stripe customer ID
• Last four digits of your card
• Card brand and expiration date
• Billing address
• Subscription status and plan details

3.3 SSL Certificate Data

You and your agents manage SSL certificate data through the Service, including certificates, private keys, and CA bundles. We host this data on our infrastructure but treat it as your data. We do not access the content of your certificate data for any purpose other than providing the Service (including certificate issuance, renewal, validation, and backups). Certificate data is stored with tenant isolation and encryption at rest.

3.4 API Keys

We generate and store API keys (with the ssl_free_ prefix) that authenticate your access to the Service. We store:

• API key identifiers and hashed key values
• Key creation timestamps and last-used timestamps
• Key permissions and scopes
• Associated account and organisation metadata

3.5 SSL Certificate Metadata

We collect metadata about your SSL certificate operations, including:

• Domain names associated with certificates
• Certificate issuance, expiry, and renewal dates
• Certificate signing request (CSR) metadata
• Domain validation method and status
• Certificate type and issuing authority

3.6 Usage Data

We automatically collect usage data when you interact with the Service, including:

• API request logs (endpoint, method, timestamp, response status, latency)
• Certificate provisioning and renewal events
• Certificate metrics (issuance counts, expiry tracking, validation success rates)
• IP addresses used to access the API and dashboard
• Browser type and version (for dashboard access)
• Dashboard interaction events (page views, feature usage)

4. How We Use Information

We use the information we collect for the following purposes:

• Providing the Service: To create and manage your account, issue and manage SSL certificates, authenticate API requests, process domain validation, process payments, and deliver certificate monitoring and expiry alerts.
• Billing and Payments: To process subscription payments, generate invoices, enforce plan limits, and manage payment verification.
• Security: To detect and prevent fraud, abuse, and unauthorised access. To enforce rate limits, monitor for anomalous activity, and protect the integrity of the platform.
• Operational Communication: To send transactional emails (account verification, password resets, billing receipts, certificate expiry alerts) via our email processor, tygaemail.com.
• Improving the Service: To analyse aggregate usage patterns, diagnose technical issues, optimise performance, and develop new features.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Service.

We do not sell your personal data. We do not use your personal data for behavioural advertising. We do not use the content of your SSL certificate data (certificates, private keys, CA bundles) for any purpose beyond providing the Service.

5. Information Sharing

We share personal data only in the following circumstances:

• Stripe: We share billing information with Stripe, our payment processor, to process payments and manage subscriptions. Stripe's privacy policy is available at stripe.com/privacy.
• tygaemail.com: We share email addresses with our transactional email service to deliver account and service notifications.
• Buggazi: If you submit a bug report or support request, relevant technical details may be processed through our bug tracking platform, Buggazi.
• Hetzner: Our infrastructure is hosted on Hetzner servers. Hetzner provides the physical and network infrastructure but does not have access to application-level data.
• Legal Requirements: We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Tyga.Cloud Ltd, our users, or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users of any such change.

We do not share personal data with third parties for their marketing purposes.

6. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at dpo@tyga.cloud.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data, subject to legal retention obligations.
• Restriction: Request that we restrict processing of your personal data in certain circumstances.
• Portability: Request your personal data in a structured, commonly used, machine-readable format.
• Objection: Object to processing of your personal data for certain purposes.
• Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.

8. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit (TLS) for all API and dashboard connections
• Encryption at rest for persistent storage, including certificate and private key data
• Tenant isolation — each customer's certificate data is stored in an isolated environment with separate credentials
• API key authentication with hashed storage
• Rate limiting and anomaly detection
• Regular security reviews and updates
• Access controls limiting employee access to personal data on a need-to-know basis

No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your API keys and account credentials.

9. International Transfers

Our infrastructure is hosted on Hetzner servers. If you are located outside the region where your data is hosted, your data may be transferred to and processed in a different jurisdiction.

Where we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure that your personal data is protected.

Tyga.Cloud Ltd is incorporated in England and Wales. Our processing activities are subject to UK data protection law, including the UK GDPR and the Data Protection Act 2018.

10. EU/UK GDPR Rights

If you are located in the European Economic Area or the United Kingdom, the following additional provisions apply:

Legal Bases for Processing

We process your personal data on the following legal bases:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you have requested, including account creation, certificate issuance, API authentication, and billing.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, and aggregate analytics. We balance these interests against your rights and freedoms.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as tax and accounting requirements.
• Consent (Article 6(1)(a)): Where we rely on consent, you may withdraw it at any time.

Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. After account deletion, we may retain certain data for up to 90 days for backup and recovery purposes, and longer where required by law (e.g., billing records for tax compliance). API request logs are retained for the period specified by your plan.

Data Protection Officer

You may contact our Data Protection Officer at dpo@tyga.cloud.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

11. CCPA Disclosures

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.

Categories of Personal Information Collected:

• Identifiers: Email address, name, IP address, API key identifiers.
• Commercial Information: Subscription plan, billing history, payment method details (last four digits only).
• Internet/Network Activity: API request logs, dashboard usage data, browser information.
• Professional Information: Organisation name (if provided).

Sale of Personal Information: We do not sell personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.

Your CCPA Rights:

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to exceptions permitted by law.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at dpo@tyga.cloud. We will verify your identity before processing your request.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page with a revised effective date. For material changes that significantly affect your rights, we will also notify you via the email address associated with your account.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms.

13. Contact