Who we are
Your personal data is controlled by BAREMETA LTD, a company registered in England and Wales.
- Company number: 17142694
- Registered address: 124-128 City Road, London, England, EC1V 2NX
- Data protection contact: hello@baremeta.cloud
When we say "BareMeta", "we", "us", or "our" in this policy, we mean BAREMETA LTD. When we say "you" or "your", we mean you as a user of our cloud infrastructure platform.
What we collect
We only collect what we need to run the service. Here is exactly what we hold:
| Data | When collected | Purpose |
|---|---|---|
| Email address | Registration | Account login, verification, billing and service notifications |
| Username | Registration | Account identification |
| Full name (optional) | Account settings | Display and invoice personalisation |
| Password (hashed) | Registration | Authentication — stored as a bcrypt hash, never in plaintext |
| IP address | Each request | Security, abuse prevention, and audit logging |
| Payment details | Checkout | Processed by our payment provider — we never see or store your full card number |
| Organisation name | Registration | Multi-user account management |
| SSH public keys | Uploaded by you | Server access — public keys only, we never ask for private keys |
| Usage and metering data | Continuously | Billing calculations, bandwidth monitoring, spending cap enforcement |
Why we collect it
We use your personal data for the following purposes and nothing else:
- Providing the service — creating and managing your account, provisioning servers, processing payments
- Billing and invoicing — calculating usage charges, generating invoices, collecting payment
- Service communications — email verification, password resets, spending cap alerts, bandwidth warnings, maintenance notices
- Security and abuse prevention — detecting unauthorised access, enforcing our Acceptable Use Policy, audit logging
- Platform improvement — understanding aggregate usage patterns to improve capacity planning and service reliability
Our legal grounds for processing
Under UK GDPR, we need a lawful basis for processing your personal data. Here is the basis we rely on for each purpose:
- Contract performance (Article 6(1)(b)) — processing your account data, provisioning servers, and billing you are all necessary to deliver the service you signed up for
- Legitimate interests (Article 6(1)(f)) — security monitoring, fraud prevention, audit logging, and aggregate analytics to improve service reliability. We have assessed that these interests do not override your rights
- Legal obligation (Article 6(1)(c)) — retaining billing records and invoices as required by HMRC for a minimum of 6 years
- Consent (Article 6(1)(a)) — only where we specifically ask for it (e.g. optional marketing communications in the future). You can withdraw consent at any time
Who we share it with
We share your data with as few third parties as possible, and only where necessary to provide the service:
| Provider | Purpose | Data shared |
|---|---|---|
| Payment processor | Payment processing | Email, name, billing amounts — card details go directly to the processor, never through our servers |
| Email delivery provider | Transactional email delivery | Email address, email content (verification, alerts, invoices) |
We do not use any analytics, tracking, or advertising services. We do not embed third-party scripts that track your behaviour.
We may also disclose your data if:
- Required by UK law, court order, or regulatory authority
- Necessary to protect the rights, safety, or property of BareMeta or other users
- Required to enforce our Terms of Service or Acceptable Use Policy
Where we store it
Your data is stored and processed in the United Kingdom. Our infrastructure is located in UK datacentres.
- Account and billing data — stored in our databases on UK-based servers
- Virtual machine data — stored on UK-based hypervisors that you have direct control over
- Payment data — processed and stored by our payment processor (who operate under their own privacy policy and are certified under international data protection frameworks)
- Transactional emails — delivered via our email provider, whose servers may process email content outside the UK. Email content is transient and not stored long-term by the provider
How long we keep it
We keep your data only as long as we need it. Here are our retention periods:
- Active account data — retained while your account is active
- Closed account data — deleted 30 days after account closure, unless we are required to keep it longer
- Billing records and invoices — retained for 6 years after the transaction as required by HMRC
- Server usage/metering data — retained for 12 months for billing reconciliation, then aggregated and anonymised
- Audit logs — retained for 12 months for security purposes
- VM data after suspension — retained for 14 days after account suspension, then permanently deleted
Cookies and local storage
We keep it simple. We do not use tracking cookies, analytics cookies, or any third-party cookies.
- Authentication token — stored in your browser's local storage to keep you signed in. This is removed when you log out
- Session preferences — your selected project and view preferences are stored locally in your browser
That's it. No cookie banners needed because we don't use any cookies that require consent under the Privacy and Electronic Communications Regulations (PECR).
Your data protection rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — ask us to delete your personal data (subject to legal retention requirements)
- Right to restrict processing — ask us to limit how we use your data while a concern is resolved
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
We will not charge a fee for reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to act, and we will explain why.
Age restriction
BareMeta is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has created an account, please contact us and we will delete the account and associated data promptly.
Updates to this policy
We may update this privacy policy from time to time. When we do:
- Minor changes (clarifications, formatting) — updated without notice
- Material changes (new data collection, new third parties, changes to your rights) — we will notify you by email at least 14 days before the changes take effect
The effective date and version number at the top of this page will always reflect the latest version.
Contact us or make a complaint
If you have any questions about this privacy policy, or want to exercise your data rights, get in touch:
BAREMETA LTD
Company number: 17142694
124-128 City Road, London, England, EC1V 2NX
Data protection enquiries: hello@baremeta.cloud
Billing data queries: billing@baremeta.cloud
ICO
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk