CloudFirst Privacy Notice

Effective date: 08/15/2025

Classification: Public

Introduction

CloudFirst ("CloudFirst," "we," "us," or "our") is committed to protecting you and your Users' ("you" or "your") privacy. This Privacy Notice outlines how we collect, use, and protect your personal information when you use our website and our services.

We provide the following services:

• Cloud Hosting: Secure, scalable enterprise resources in isolated environments.
• Cloud Backup: Managed cloud backup with encryption, scheduling, retention, and retrieval features.
• Disaster Recovery: Comprehensive backup and restoration solutions.
• High Availability: Enterprise-grade system resources for seamless workload transition..

CloudFirst knows that your and your users' personal information is important. We appreciate the trust you place in us when you visit the CloudFirst website and use our services. As a result, we process the personal information we receive from you responsibly and follow applicable laws and regulations.

This Privacy Notice describes how we process the personal information collected when you and your Users access this website ("Website"). When you leave this site, this Privacy Notice may no longer apply to you. Any subsequent websites, applications, or services not operated by CloudFirst will have their own privacy notice and other applicable terms. In instances where CloudFirst is a subprocessor to an external data controller, the data controller's privacy notice should be referenced for any concerns related to how your information is collected and processed. CloudFirst may define additional privacy terms in a data processing agreement LDPA - sometimes referred to as a Data Processing Addendum) with data controllers that have contracted with CloudFirst for any of the services noted above.

This Notice tells you about your rights and choices concerning your personal information, including how you can contact us if you have any questions or concerns. In this Privacy Notice, "Personal Information" means any information relating to an identifiable individual.

Please read this Privacy Notice carefully. If you do not agree with this Privacy Notice or any part thereof, you should not access or use any part of the Services. If you change your mind in the future, you must stop using the Services. You may exercise your rights in relation to your Personal Information as set out in this Privacy Notice.

Types of Personal Information We Collect

• Contact information (e.g., name, email, phone number).
• Business details (e.g., company name, position).
• Account credentials for cloud services.
• System logs and metadata for operational support.

How We Collect Your Personal Information

We collect information directly when:

• You engage with our services.
• You contact us for support or inquiries.
• You use or view our website via browser cookies.

We may also collect information indirectly from the following:

• Automated monitoring systems for security and performance.

Website Cookies

A cookie is a file containing an identifier (a string of letters and numbers) sent by a web server to a web browser and stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either "persistent" cookies or "session" cookies. A persistent cookie is stored by a web browser and will remain valid until its set expiry date unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session when the web browser is closed.

Cookies may not contain any information that personally identifies a user, but the personal data we store about you may be linked to the information stored in and obtained from cookies.

We use cookies for several reasons:

Cookie Category: Strictly Necessary
Purpose: These cookies are essential for the website to function properly. They enable core features such as security, network management, and accessibility. Without these cookies, services you have asked for (like logging into secure areas or remembering cookie settings) cannot be provided. Consent is not usually required for strictly necessary cookies.
Examples: Session ID cookie (keeps you logged in during your visit), Cookie consent cookie (remembers your preferences)

Cookie Category: Analytics & Performance
Purpose: Helps us understand visitor interactions via Google Analytics and HubSpot.
Purpose: These cookies help us understand how visitors interact with our websites by collecting and reporting information anonymously. They allow us to count visits and traffic sources so we can measure and improve site performance. We use Google Analytics and HubSpot cookies in this category to track user engagement, page popularity, and to help improve our content and services. These cookies are not essential and will only be set if you give consent (where applicable).
Examples: Google Analytics cookies (e.g., _ga, _gid), HubSpot tracking cookies (e.g., __hstc, hubspotutk)

Cookie Category: Marketing
Purpose: Marketing cookies are used to track visitors across websites to display relevant ads or content. CloudFirst does not currently use third-party advertising or social media cookies on our sites. If this changes, we will update this policy accordingly.
Examples: None currently in use.

Below is a detailed list of first-party and third-party cookies actually in use on CloudFirst's main
website and Client Portal. For each cookie, we explain its name, purpose, type, duration, whether it is
first or third party, and its provider/source.

Cookie Name: cookieconsent_status
Provider: CloudFirst (Website)
Purpose: Remembers your cookie consent preference so that the cookie banner is not shown again once acknowledged. Does not store personal data
Type: Essential
Duration: 1 year
First/Third Party: First-party

Cookie Name: Session ID
Provider: CloudFirst (Client Portal)
Purpose: A session cookie used to maintain your login session when you access the Client Portal. It ensures that you remain signed in as you navigate the portal's pages.
Type: Essential
Duration: Session
First/Third Party: First-party

Cookie Name: _ga
Provider: Google Analytics
Purpose: Used to distinguish unique users by assigning a random ID, allowing us to count visits and understand site usage.
Duration: 2 years
First/Third Party: First-party

Cookie Name: _gid
Provider: Google Analytics
Purpose: Used to store information about how visitors use the site and to distinguish users on a daily basis.
Type: Analytics
Duration: 1 day
First/Third Party: First-party

Cookie Name: __hstc
Provider: HubSpot
Purpose: The main tracking cookie for HubSpot analytics. Keeps track of visitor sessions and timestamps.
Type: Analytics
Duration: 6 months
First/Third Party: First-party

Cookie Name: hubspotutk
Provider: HubSpot
Purpose: Tracks a visitor’s identity. Passed to HubSpot on form submissions to connect submissions to a single contact record.
Type: Analytics
Duration: 6 months
First-Party or Third-Party: First-party

Cookie Name: __hssc
Provider: HubSpot
Purpose: Keeps track of session count and timestamps to determine if HubSpot should increment the session number.
Type: Analytics
Duration: 30 minutes 
First-Party or Third-Party: First-party

Cookie Name: __hssrc
Provider: HubSpot
Purpose: Determines if the user has restarted their browser. Contains the value "1" and lasts only for the browser session.
Type: Analytics
Duration: Session (expires on browser close)
First-Party or Third-Party: First-party

Possible Cookie Name: Remember Me Token (Client Portal)
Provider: CloudFirst (Client Portal)
Purpose: Optional cookie set if the user selects "Remember Me" during login, to keep them logged in across sessions. Stores an encrypted token.
Type: Functional
Duration: Typically 7-14 days or until you log out
First-Party or Third-Party: First-party (set by CloudFirst portal)

Note:
The above cookies are primarily first-party cookies, which means they are set by our domains (cloudfirst.host or cloudfirst.host's subdomains). We use third-party services like Google Analytics and HubSpot to help run these cookies, but the cookies themselves are stored under our domain.  We do not currently use any third-party advertising cookies (which would be stored by external domains). If we integrate any new cookies or third-party tools in the future, we will update our cookie list and categories.

When you first visit our site, you will see a cookie notice or banner requesting your consent for non-essential cookies (such as analytics cookies). You can choose to accept all cookies or reject non-essential cookies. If you click "Accept All," we will enable all cookies listed above. If you select "Decline" or similar, we will not set analytics cookies - only the essential cookies necessary for the site to function will be used.

Even after you've given consent, you have the right to change your cookie preferences or withdraw consent at any time. You can do this by:

Using our Cookie Settings: (If available) Click the "Cookie Settings" link or revisit the cookie banner (usually found as a footer link or by clearing your cookies to trigger the banner again). From there, you can adjust which categories of cookies you permit.

Browser Settings: Alternatively, you can disable or remove cookies through your web browser settings. Most browsers allow you to block cookies or delete cookies that have already been set. Please note that disabling all cookies (especially strictly necessary cookies) may impact the functionality of our site — for example, you may not be able to log in or use certain features if essential cookies are blocked.

Opt-Out Tools: For third-party analytics like Google Analytics, you can install opt-out browser add-ons if you prefer. For example, Google provides a Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics.

Purposes and Legal Basis for Processing

We process your data to:

• Provide and support our services.
• Comply with legal obligations (e.g., fraud prevention).
• Prepare for and engage in internal and external audits and other assurance-providing processes and procedures.
• Improve service performance and security.

Legal bases include:

• Consent - You may withdraw consent anytime by contacting us..
• Contractual necessity - To fulfill service agreements.
• Legal obligation - For compliance with applicable laws.
• Legitimate interests - For operational efficiency and security.

Sharing of Personal Information

We may share your information with:

• CloudFirst affiliates
• Service providers for technical support
• Auditors
• Regulatory authorities if required by law.

CloudFirst does not share your information with any third parties for the purposes of direct marketing.

Subprocessors

CloudFirst uses subprocessors, which are third parties that support our services to you. We have contracts in place with our subprocessors. This means they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organization apart from us. They will hold it securely and retain it for the period we instruct.

• Teamwork Crew, Ltd., Purpose:  Customer Support Platform, Processing Location: US-multiple regions
• Salesforce, Inc., Purpose: Customer Sales and Communication, Processing Location: US
• Microsoft Corporation, Purpose: Customer Communication, Processing Location: US
• CloudFirst Europe, Purpose: A UK-based CloudFirst subsidiary that provides customer 
  support in the UK and EU, Processing Location: UK
• Sophos, Ltd., Purpose: Managed security monitoring and response software, Processing 
  Location: US - hosted in AWS

Transfer of Data to Third Countries

We may transfer your personal data to countries outside the UK and European Economic Area (EEA). In such cases, we ensure that appropriate safeguards are in place, such as:

• Adequacy decisions by the European Commission.
• Standard Contractual Clauses (SCCs).
• Binding Corporate Rules (BCRs) where applicable.

For further information on these safeguards, please contact us at privacy@cloudfirst.host

Data Storage and Retention

Your information is securely stored on servers within the UK and the United States.
Retention periods depend on the nature of the data:

• Account-related information: Retained for the duration of your service.
• Logs and metadata: Retained for up to [Insert Time Period] for security purposes.

After this period, data is securely deleted using [Describe Method, e.g., encryption wipe].

Your Data Protection Rights

Under GDPR, you have the following rights:

• Right to access your data - You may request a copy of your personal data. 
• Right to rectify inaccuracies - You may request that CloudFirst correct any information you believe is inaccurate or complete information that appears incomplete. 
• Right to request data erasure - You may request CloudFirst erase personal data under certain conditions. 
• Right to restrict processing - You may request that CloudFirst restrict or limit the processing of your personal data under certain conditions. 
• Right to object to processing - You may object to CloudFirst's processing of your personal data under certain conditions. 
• Right to data portability - You may request CloudFirst transfer your data to you or another organization under certain conditions. 
• Right to lodge a complaint - You may lodge a complaint with a supervisory authority, including in your country of residence, place of work, or where the potential incident is believed to have occurred.

Requests to exercise your rights are addressed promptly. CloudFirst will respond to any valid request within one month of receipt. To exercise your rights, contact us at privacy@cloudfirst.host

Automated Decision-Making and Profiling

We do not use automated decision-making or profiling in our processing activities. If this changes in the future, we will update this Privacy Notice accordingly. If we implement automated decision-making, we will notify you in advance and provide an opt-out mechanism where applicable.

Mandatory or Optional Provision of Data

Providing personal data may be a contractual requirement necessary for the performance of our services. If you choose not to provide this data, we may not be able to fulfill our contractual obligations to you.

Children's Privacy

CloudFirst does not knowingly solicit or collect personal data from children under the age of 16. If we learn that we have collected personal data from a child under age 16 without parental consent, we will either seek parental consent or promptly delete that information. If you believe that a child under age 16 may have provided us with personal data without parental consent, please contact us as specified in the Contact Details section of this Privacy Notice.

Changes to this Privacy Notice

CloudFirst regularly reviews and updates this Privacy Notice to ensure it is accurate and complies with all applicable privacy regulations, laws, and other requirements.

Contact Details

Company Name: CloudFirst

Address: 
225 Broadhollow Rd Suite 307
Melville, NY 11747 
Email: privacy@cloudfirst.host 
Phone: +1 631.608.1200 
For data protection inquiries, please contact our Data Protection Officer (DPO) at privacy@cloudfirst.host.

How to Complain

If you have concerns, contact us at privacy@cloudfirst.host. 

You may also contact the Information Commissioner's Office (ICO): 
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF 
Helpline: 0303 123 1113 
Website: https://www.ico.org.uk