Privacy Policy

Effective Date: January 1, 2026 · Last Updated: January 26, 2026

Panelica, LLC ("Panelica", "we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy describes how we collect, use, process, store, and protect your personal data when you access our website (license.panelica.com), use the Panelica server management software ("Software"), the customer portal ("Portal"), APIs, and all associated services (collectively, the "Services").

1. Introduction

1.1. This Privacy Policy applies to all users of our Services, including customers, website visitors, trial users, and reseller partners. By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.

1.2. Panelica acts as a data controller for personal data collected through account registration, billing, and portal usage. Panelica does NOT act as a data processor for any content hosted on customer servers, as we do not access, store, or process such content.

1.3. This Policy should be read together with our Terms of Service, which governs your use of the Services.

2. Information We Collect
2.1. Information You Provide Directly

When you create an account, purchase a license, or contact us, we collect:

  • Account Information: First name, last name, email address, company name (optional), phone number (optional)
  • Billing Information: Billing address, company tax ID/VAT number. Payment card details are processed directly by our payment provider (Stripe) and are never stored on our servers
  • Support Communications: Information you provide when submitting support tickets, including descriptions, attachments, and correspondence
  • Contact Form Submissions: Name, email, company, phone, subject, message content, and inquiry type
2.2. Information Collected Automatically

When you use our Services, we automatically collect:

  • License Validation Data: License Key, bound server IP address, hardware fingerprint (CPU, disk, OS hash used for license binding), activation status
  • Heartbeat Data: Server IP, software version, PHP version, operating system, resource usage summary (CPU/RAM/disk percentage), domain count, uptime, last heartbeat timestamp
  • Portal Usage Data: Login timestamps, IP addresses, pages visited, actions performed, browser type, device type, operating system
  • Authentication Data: Login attempts (IP, timestamp, success/failure), two-factor authentication method, session tokens
  • Cookies: Session cookies, authentication tokens, CSRF tokens, preference settings (see Section 8)
2.3. Information We Do NOT Collect

Critical Privacy Commitment:

  • We do NOT access, read, collect, or store any content hosted on your server (websites, databases, emails, files, user data)
  • We do NOT store full credit/debit card numbers, CVV codes, or bank account details
  • We do NOT track your browsing activity outside of our Portal
  • We do NOT sell, rent, or trade your personal information to third parties for marketing purposes
  • We do NOT use your data for profiling, automated decision-making, or targeted advertising
3. How We Use Your Information

We process your personal data for the following purposes:

Purpose | Data Used | Legal Basis
Account creation & management | Name, email, company, password hash | Contract performance
License validation & enforcement | License key, server IP, hardware fingerprint | Contract performance
Heartbeat monitoring | Server status, version, resource usage | Contract performance
Payment processing | Billing address, order details, payment method | Contract performance
Customer support | Ticket content, attachments, communications | Contract performance
Security & fraud prevention | Login attempts, IP addresses, device info | Legitimate interest
Service notifications | Email address | Legitimate interest
Product updates & security alerts | Email address, license data | Legitimate interest / Legal obligation
Service improvement & analytics | Aggregated, anonymized usage data | Legitimate interest
Legal compliance | As required by applicable law | Legal obligation
4. Legal Basis for Processing (GDPR)

Under the EU General Data Protection Regulation (GDPR) and similar legislation, we process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Services you requested, including account management, license validation, billing, and support
  • Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as fraud prevention, security monitoring, service improvement, and marketing communications to existing customers. You may object to processing based on legitimate interest at any time
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, such as tax regulations, anti-fraud requirements, and legal proceedings
  • Consent (Art. 6(1)(a) GDPR): Where we rely on your consent (e.g., optional marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing
5. Information Sharing & Disclosure

5.1. We do NOT sell your personal data. We only share your information in the following limited circumstances:

5.2. Service Providers (Sub-Processors)

We engage trusted third-party providers to help deliver our Services:

Provider | Purpose | Data Shared | Location
Stripe | Payment processing | Billing info, transaction data | USA (EU SCCs)
SMTP Provider | Transactional emails | Email address, name | EU/US (EU SCCs)

All sub-processors are bound by Data Processing Agreements (DPAs) and are only authorized to process data as necessary to provide their services.

5.3. Legal & Compliance Disclosure

We may disclose your information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to: (a) comply with applicable law; (b) enforce our Terms of Service; (c) protect the rights, property, or safety of Panelica, our customers, or the public; (d) detect, prevent, or address fraud, security, or technical issues.

5.4. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your data.

6. Data Security

6.1. We implement comprehensive technical and organizational security measures to protect your personal data, including:

  • Encryption in Transit: All communications between your browser/server and our systems use TLS 1.2+ (HTTPS)
  • Encryption at Rest: Sensitive data (private keys, tokens) is encrypted with AES-256. Passwords are hashed using bcrypt with appropriate cost factors
  • Cryptographic Signing: License tokens are digitally signed using industry-standard algorithms, preventing tampering and ensuring authenticity
  • Access Controls: Role-based access control (RBAC), multi-factor authentication for administrative access, principle of least privilege
  • Audit Logging: All administrative actions and security events are logged with timestamps, user identifiers, and IP addresses
  • Infrastructure Security: Firewalls, intrusion detection, regular security updates, isolated environments
  • Incident Response: Documented incident response procedures with defined escalation paths

6.2. While we employ industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest practical level of protection.

7. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Policy:

Data Category | Retention Period | Reason
Account information | Duration of account + 12 months | Service provision, legal compliance
Billing & invoice records | 7 years after transaction | Tax and accounting obligations
License validation logs | 90 days | Security monitoring, debugging
Heartbeat data | 90 days | Service monitoring, compliance
Login/authentication logs | 12 months | Security, fraud prevention
Support tickets | Duration of account + 24 months | Service continuity, dispute resolution
Audit logs | 24 months | Security, compliance
Contact form submissions | 12 months | Communication follow-up

After the retention period expires, data is securely deleted or anonymized. You may request earlier deletion subject to our legal obligations (see Section 9).

8. Cookies & Tracking Technologies
8.1. Types of Cookies We Use
Cookie Type | Purpose | Duration | Required
Session cookies | Authentication, CSRF protection | Browser session | Yes
Remember me | Persistent login | 30 days | Optional
Preference cookies | Theme (dark/light), language | 1 year | No
8.2. What We Do NOT Use
  • We do NOT use third-party advertising cookies or tracking pixels
  • We do NOT use Google Analytics or similar third-party analytics services on the Portal
  • We do NOT participate in cross-site tracking or retargeting networks
  • We do NOT use fingerprinting techniques for marketing purposes
8.3. Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies (session, CSRF) will prevent you from using the Portal. Preference cookies are optional and can be disabled without affecting core functionality.

9. Your Rights
9.1. Rights Under GDPR (EU/EEA Residents)

If you are located in the European Economic Area, you have the following rights under the GDPR:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to our legal obligations
  • Right to Restrict Processing (Art. 18): Request limitation of how we process your data
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format and transmit it to another controller
  • Right to Object (Art. 21): Object to processing based on legitimate interest, including direct marketing
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority
9.2. Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with:

  • Right to Know: What personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (note: we do NOT sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights
9.3. Rights Under Other Jurisdictions

Depending on your location, you may have additional rights under local data protection laws, including but not limited to: the Turkish Personal Data Protection Law (KVKK), Brazil's LGPD, South Africa's POPIA, and other applicable regulations. These laws may provide you with rights to access, rectify, erase, object, and request information about your data processing. Exercise these rights by contacting our Data Protection Officer.

9.4. Exercising Your Rights

To exercise any of the above rights, please contact us at [email protected] with your request. We will verify your identity before processing and respond within thirty (30) days (or as required by applicable law). Complex or numerous requests may take up to sixty (60) days with prior notice.

10. International Data Transfers

10.1. Our primary servers are located in the United States and European Union. Your personal data may be transferred to and processed in countries outside your country of residence, including countries within the EU/EEA and the United States.

10.2. When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) with our sub-processors
  • Adequacy decisions by the European Commission, where applicable
  • Data Processing Agreements with all third-party processors

10.3. You may request a copy of the relevant safeguards by contacting [email protected].

11. Children's Privacy

11.1. Our Services are not intended for individuals under the age of 18 (or the age of majority in the applicable jurisdiction). We do not knowingly collect, solicit, or process personal data from children.

11.2. If we become aware that we have collected personal data from a child without verified parental consent, we will take immediate steps to delete such data. If you believe we may have collected data from a child, please contact us immediately at [email protected].

12. Third-Party Links & Services

12.1. Our Services may contain links to third-party websites, services, or resources. Panelica is not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.

12.2. Our integration with payment providers (Stripe) means you may be directed to their platform for payment processing. These interactions are governed by the respective provider's privacy policy.

13. Data Breach Notification

13.1. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Panelica will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33)
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34)
  • Document the breach, its effects, and the remedial action taken
  • Take immediate steps to contain and remediate the breach

13.2. Notification will include: the nature of the breach, categories and approximate number of individuals affected, likely consequences, measures taken to address the breach, and contact information for further inquiries.

14. Changes to This Privacy Policy

14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • We will notify registered users via email at least thirty (30) days before material changes take effect
  • We will post a prominent notice on the Portal

14.2. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you must discontinue use of the Services.

15. Contact & Data Protection Officer

For questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact:

Panelica, LLC - Privacy Department

Email: [email protected]

Phone: +1 (251) 241-9190

EU Representative: For inquiries from EU/EEA data subjects, you may also contact our EU representative. Details available upon request at [email protected].

This Privacy Policy was last updated on January 26, 2026. By using the Panelica Services, you acknowledge that you have read and understood this Privacy Policy.