(Effective Date: April 18, 2021 | Last Updated: April 18, 2024)
I. Introduction
StoneCDN (hereinafter referred to as "we"), as a leading global provider of CDN and security services, strictly adheres to the General Data Protection Regulation (GDPR), the Personal Information Protection Law of the People's Republic of China, and other global privacy protection regulations. We are committed to transparently explaining to you through this policy how we collect, use, store and protect your personal data, and the control you have over it. Scope of application: This policy applies to all services under stonecdn.com and its subdomains, including website access, API calls, account management and technical support scenarios.
II. Types of Personal Information We Collect
- Unsolicited information
- Account Information: Business name, contact name, email address and contact phone number are required for registration; legal person accounts need to be supplemented with unified social credit code and business license information.
- Operational data: Includes records of domain name configuration, traffic logs, security protection rules, and other operations that are directly related to CDN services.
- Payment Information: When processing a transaction through a third-party payment platform (e.g. PayPal, Alipay), you will be required to provide your bank card number or account credentials, which are encrypted and processed by the payment institution, and we will only receive information on the status of the transaction.
- Information collected automatically
- Devices and Logs: IP addresses, browser types, device identifiers (e.g. IMEI), access timestamps, page clickstream data for analyzing service performance and attack detection.
- Cookies and Tracking Technology: Use session cookies to maintain login status and optimize the user experience through performance analysis cookies (e.g., Google Analytics); you can refuse non-essential cookies through your browser settings.
- Third-party sharing of information
- Cooperative partners: Share node deployment data with cloud service providers (e.g., AWS, AliCloud); share attack signatures with security vendors for collaborative defense.
III. Purpose of Use and Legal Basis for Personal Information
Use | Data type | Legal basis |
---|---|---|
Service delivery and contract performance | Account information, business data | Article 6(1)(b) GDPR (need for compliance) |
Security and Threat Response | IP addresses, attack logs | Article 6(1)(f) GDPR (legitimate interests) |
Billing and payment processing | Transaction records, payment vouchers | Express consent of the user (Article 6(1)(a) GDPR) |
Service Optimization and Marketing | Device Information, Cookies | User consent (obtained via cookie banner) |
IV. Data sharing and cross-border transmission
- Shared Scope Limitations
- Data will only be shared in the following situations:
- Cooperate with judicial investigations (official legal documents are required);
- Disclosure of necessary financial information to the auditor to complete a compliance audit;
- Signing a DPA (Data Processing Agreement) when using a sub-processor (e.g. data center operator).
- Cross-border transmission mechanisms
- Rely on the EU-U.S. Data Privacy Framework (DPF) certification to ensure GDPR compliance for EU user data crossing borders to the U.S.
V. Data security and retention periods
- Technical protection
- Data is transmitted using AES-256 encryption, and static data is protected using the TLS 1.3 protocol;
- Quarterly penetration tests are performed to ensure physical and cyber security through ISO 27001 certification.
- Retention policy
- Operational data (e.g., configuration logs) are retained for 3 years;
- Financial records are retained for seven years as required by tax law;
- The anonymized statistics are stored permanently.
VI. Your data rights
- Access and corrections
- Log in to your account to view and modify your personal data; if you need to export your business data, you can request it through the work order system.
- Deletion and restriction of processing
- Data deletion will be completed within 30 days after account cancellation (except where retention is required by law);
- Where the accuracy of data is disputed, the relevant data processing may be temporarily frozen.
- Rejecting automated decision-making
- If you believe that a security policy such as automatic IP blocking has been misjudged, you can submit a manual review request.
VII. Protection of children's privacy
Our services are not intended for minors under the age of 16. If a child is found to have provided information without the consent of his/her guardian, the relevant data will be deleted immediately and the service will be terminated.
VIII. Policy Updates and Contacts
EU users can complain to Ireland's Data Protection Commission (DPC).
Update Notification
Major changes (e.g. addition of new data categories) will be notified 30 days in advance via the website announcement and registered email address.
Dispute resolution
For privacy complaints, please contact: privacy@stonecdn.com