Privacy Policy
Last updated: June 2026
This Privacy Policy informs you about the processing of personal data when using InstantNode, in particular the website, the customer panel, billing, support, and the hosting and management functions provided.
1. Controller
The controller for the data processing within the meaning of the General Data Protection Regulation (GDPR) is the provider of InstantNode named in the Legal Notice.
Contact for data protection enquiries: [email protected]
2. What Data We Process
Depending on how you use the panel, we process in particular the following data:
- Master data such as username, email address, role, password hash and information on the consent status for legal texts.
- Billing data such as invoice name, address, country, invoices, payment status, payment method and transaction data.
- Account security data such as session information, 2FA status, 2FA secret, backup codes, passkey/WebAuthn credentials, reset tokens and verification tokens with their expiry times.
- Linking data from optionally connected accounts at Discord, Google and GitHub, such as external user identifiers, names, email addresses, avatars and linking timestamps.
- Support data such as tickets, subject, category, priority and communication content.
- Service and usage data relating to booked services, for example container, bot, game server, VNC, reseller, partner or panel-related management data.
- Technical data such as IP address, browser/user-agent data, timestamps, request metadata, log data and security-relevant events.
- Communication data when you contact us by email or via the panel.
3. Purposes and Legal Bases of Processing
We process personal data only insofar as this is legally permissible. Processing is based in particular on the following legal bases:
- Art. 6(1)(b) GDPR for registration, performance of the contract, provision of the panel, management of booked services, handling of support and billing.
- Art. 6(1)(c) GDPR to comply with legal obligations, for example retention and documentation obligations under commercial, tax or supervisory law.
- Art. 6(1)(f) GDPR to ensure IT security, misuse detection, error analysis, system stability, defense of rights and internal administration.
- Art. 6(1)(a) GDPR, insofar as you give voluntary consent or use optional functions such as the linking of external accounts or advertising cookies.
4. Use of the Website and the Panel
When you access our website and our customer panel, we process technically necessary connection and usage data so that pages can be delivered, sessions managed, errors detected and attacks averted. This may include in particular the IP address, the date and time of access, the URL requested, the referrer, the user agent, status codes and comparable technical metadata.
The processing is based on our legitimate interest in a secure and functional online offering pursuant to Art. 6(1)(f) GDPR.
5. Registration, Customer Account and Login
When you create a customer account, we process the registration data you provide in order to set up and manage your account. Your password is not stored in plain text, but only as a cryptographic hash.
During login, logout and comparable security-relevant operations, we process session data and security information in order to enable access to your account and to prevent unauthorized use.
6. Email Verification, Password Reset and Security Functions
To secure accounts, we send verification and password-reset emails. In doing so, we process in particular the email address, username and time-limited security tokens. This processing takes place for the performance of the contract and on the basis of our legitimate interest in account protection and misuse prevention.
If you activate two-factor authentication, we store the activation status, a 2FA secret and, where applicable, backup codes, so that the additional protection of your account can be implemented technically. If you register a passkey (WebAuthn), we store the associated public key credential and related metadata for the same purpose.
7. Login and Linking via Third-Party Providers
Depending on availability, you can use external accounts from Discord, Google or GitHub to log in to or link with your InstantNode account. In this case, we receive from the respective provider only the data required for authentication, association and account management, in particular external user IDs, display names, email addresses and avatar information.
The use of these functions is voluntary. The legal basis is Art. 6(1)(b) GDPR for the technical performance of the login you have requested and, where applicable, Art. 6(1)(a) GDPR for the voluntary linking of external accounts.
8. Provision of Hosting and Panel Services
To provide booked services, we process the data required for management, allocation, operation, billing and support. This includes in particular service and instance data for containers, virtual machines, bots, game servers, VNC access, reseller functions, partner functions, as well as technical associations to nodes, networks, IDs, resources, status values and runtime data.
Insofar as you store content or configurations within your services, we also process this data for the provision of the service. The processing takes place for the performance of the contract pursuant to Art. 6(1)(b) GDPR.
9. External Infrastructure and Management Services
To technically provide individual functions, InstantNode may integrate external or separate management services, in particular Proxmox for virtualization, Feather for game server management, and VNC/noVNC components for console access. In this context, the technical data required for provisioning, authentication, association and operation is processed.
For dedicated servers, provisioning and management may be carried out via OVH; the data required for ordering, setup and operation of the dedicated server is processed for this purpose.
Insofar as such services are provided by external providers or separate systems, data is transferred only to the extent necessary for the function.
10. Domain Registration via Porkbun
If you register, transfer or manage a domain, the data required for this is transmitted to our domain registrar Porkbun. This includes in particular registrant and WHOIS data such as name, address, email address and the domain concerned, as required by the registry rules and registration regulations. The processing takes place for the performance of the contract pursuant to Art. 6(1)(b) GDPR and to comply with the applicable registration requirements.
11. Payments and Balance Top-ups
For payments and balance top-ups, various payment methods may be offered in the panel depending on the configuration, in particular SumUp, PayPal and OxaPay. If you use such a payment method, the data required for processing the payment is transmitted to the selected payment service provider. This may include in particular name, email address, billing data, amount, currency, payment references and transaction identifiers.
The actual processing of the payment is carried out by the respective payment service provider under its own data protection responsibility. Their data protection information applies in addition.
12. Invoices, Accounting and Tax Obligations
We process invoicing and billing data in order to document payments, create invoices, keep track of credits or charges, and comply with statutory documentation and retention obligations. This includes in particular the invoice name, address, invoice items, tax information, payment status, PDF invoices and internal booking operations.
The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR.
13. Support and Communication
When you create tickets or send us messages, we process your information and content in order to handle your request, analyze errors and provide ongoing support for your customer account. Support data may include in particular subject, category, priority, message content, processing status and the times of responses.
The legal basis is Art. 6(1)(b) GDPR insofar as the communication relates to the contract, and otherwise Art. 6(1)(f) GDPR.
14. Sending Emails via SMTP
Transactional emails, in particular for verification and password reset, are sent via SMTP using the configured mail provider (the application uses nodemailer for this). In this process, the recipient, content and technical metadata required for sending are processed. This is used for the reliable delivery of security- and contract-related messages on the basis of the performance of the contract and our legitimate interest in account protection.
15. Bot Protection with InstantBlock
To protect against bots and abusive registration or login attempts, we use the InstantBlock service (bots-wont.bypass.fyi). In this process, technical usage data is transmitted to InstantBlock in order to distinguish between legitimate users and automated access. This is used for our legitimate interest in misuse prevention, availability and the security of the panel pursuant to Art. 6(1)(f) GDPR.
16. Cookies, Sessions and Local Storage
We use technically necessary cookies and comparable storage mechanisms, in particular for session management, authentication, security functions, CSRF protection, language settings or other necessary panel functions. Without these mechanisms, the panel cannot be operated properly.
The processing is based on Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR and, where applicable, on the provisions of the German Telecommunications Digital Services Data Protection Act (TDDDG) for technically necessary storage.
17. Consent Management with Silktide Consent Manager
To obtain and manage your consent for non-essential cookies and comparable technologies, we use the Silktide Consent Manager. The associated script is loaded via the jsDelivr content delivery network. Your consent decisions are stored so that they can be respected on subsequent visits. The use of this consent banner is necessary in order to comply with the legal requirements for consent and to enable you to manage your choices.
18. Advertising with Google AdSense
We may display advertising via Google AdSense, a service provided by Google. Advertising cookies and comparable technologies are only set after you have given your consent via the consent manager. In this context, technical data such as the IP address and device and usage information may be transmitted to Google and used to deliver and measure advertising. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR, which you can withdraw at any time with effect for the future via the consent settings.
19. Avatars via Gravatar
To display profile pictures, we may use the Gravatar service operated by Automattic. For this purpose, a hash value derived from your email address may be transmitted to Gravatar in order to retrieve any avatar image stored there. If no avatar exists, a generic placeholder image is used. The use serves our legitimate interest in a user-friendly presentation of accounts pursuant to Art. 6(1)(f) GDPR.
20. Content Delivery and Proxy via Cloudflare
Our offering may be delivered via Cloudflare as a content delivery network and proxy. In this process, Cloudflare processes technical connection data, in particular the IP address and request metadata, in order to deliver content securely and efficiently, to mitigate attacks and to ensure availability. The use serves our legitimate interest in the security and performance of the offering pursuant to Art. 6(1)(f) GDPR.
21. Logging, Misuse Detection and Webhooks
To secure panel operation and make it traceable, we log administrative and user-related actions. This may involve processing, in particular, request metadata, status codes, user agent, paths, form data, session reference, user identifier, role information and security-relevant events.
Depending on the configuration, such action logs may additionally be transmitted to an external webhook service, currently in particular Discord webhooks. Sensitive fields are reduced or redacted where possible, but the transmission may nevertheless contain personal data. The legal basis is Art. 6(1)(f) GDPR on the basis of our legitimate interest in operational monitoring, misuse prevention and incident response.
22. Recipients of Data
Personal data may be transmitted to external recipients insofar as this is necessary for the stated purposes. These include in particular:
- Payment service providers such as SumUp, PayPal and OxaPay.
- The email transport (SMTP) provider configured for sending transactional emails.
- Bot protection and security services such as InstantBlock.
- Consent management and advertising services such as Silktide Consent Manager and Google AdSense.
- The domain registrar Porkbun (for domain registration and WHOIS data).
- OAuth and identity services such as Discord, Google and GitHub.
- Technical infrastructure and management services such as Proxmox, Feather, OVH (dedicated servers), Cloudflare (CDN/proxy) or VNC-related systems.
- Avatar services such as Gravatar/Automattic.
- Tax advisors, accounting, banks, legal advisors or authorities, insofar as there is a legal basis for this.
23. International Transfers
Some of the providers used may process data in countries outside the European Union or the European Economic Area, in particular in the USA. Where this is the case, we ensure appropriate safeguards, such as adequacy decisions, certification under the EU-US Data Privacy Framework, EU standard contractual clauses (SCCs), or comparable protective mechanisms of the respective provider, insofar as no statutory permission directly applies.
24. Storage Duration
We store personal data only for as long as it is necessary for the respective purposes or for as long as statutory retention obligations exist. The following are decisive in particular:
- Account data for the duration of the contractual relationship and subsequently until the expiry of statutory or contractual documentation and limitation periods.
- Invoicing and accounting data for the duration of statutory commercial and tax retention obligations.
- Security, session and log data, as a rule, only for as long as they are needed for operation, security, traceability and misuse prevention.
- Support data for as long as they are necessary for handling, documentation and follow-up questions.
25. Your Rights
Within the framework of the statutory requirements, you have in particular the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing based on Art. 6(1)(e) or (f) GDPR (Art. 15-21 GDPR). You can withdraw any consent you have given at any time with effect for the future.
You also have the right to lodge a complaint with a data protection supervisory authority.
26. No Automated Individual Decision-Making
Solely automated decision-making within the meaning of Art. 22 GDPR, including profiling, does not take place in our current panel operation, unless otherwise stated in this Privacy Policy.
27. Changes to This Privacy Policy
We may adjust this Privacy Policy if legal requirements, technical functions or our services change. The respective current version is available via the panel and the public legal texts. The version and effective date stated there are decisive.