Privacy Policy for Bithost 

  By ZHOST Consulting Private Limited

Last updated: 21 December 2025

Introduction


At BitHost, operated by ZHOST Consulting Private Limited (“ZHOST”, “we”, “us”, or “our”), we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you interact with our website https://www.bithost.in and use our services, including but not limited to DDoS Simulation, Penetration Testing, App Publishing, Email Migration, and other cybersecurity and cloud solutions. Our practices are designed to comply with major global data protection and security standards, including the General Data Protection Regulation (GDPR), India’s Digital Personal Data Protection Act (DPDP Act), HIPAA, SOC 2, and ISO 27001.

This policy outlines our data collection practices, usage, third-party sharing, user rights, data retention, security measures, international data transfers, cookies, consent mechanisms, and procedures for exercising your rights. We encourage you to read this policy carefully and contact us if you have any questions or concerns.

About


Bithost and ZHOST Consulting Private Limited

Bithost is the technology solutions brand of ZHOST Consulting Private Limited, an Indian company specializing in secure, scalable, and innovative IT services. Our offerings include cloud computing, cybersecurity, digital training, event management, application development, and managed cloud services. We serve clients globally, providing tailored solutions to enhance operational efficiency and digital resilience.

Scope of This Policy


This Privacy Policy applies to all users of Bithost’s website and services, including:

  • DDoS Simulation and Resilience Testing
  • Penetration Testing and Security Assessments
  • Application Publishing and Cloud Deployment
  • Email Migration and Collaboration Tools
  • Cybersecurity Consulting and Managed Security Services
  • Cloud Hosting, Infrastructure Setup, and Support
  • Digital Training, Event Management, and Reporting

It covers all personal and non-personal data collected through our website, applications, APIs, and communication channels, as well as data processed on behalf of clients as part of our service delivery.

Key Definitions


  • Personal Data: Any information relating to an identified or identifiable individual, such as name, contact details, IP address, or device identifiers.
  • Data Controller: The entity that determines the purposes and means of processing personal data (typically ZHOST for its own services).
  • Data Processor: An entity that processes personal data on behalf of the controller (ZHOST may act as a processor for client data).
  • Data Principal: The individual whose personal data is being processed (as per DPDP Act).
  • Grievance Officer: The designated contact for privacy-related complaints and rights requests under Indian law.

Information We Collect


1. Information You Provide Directly

We collect personal data that you voluntarily provide when you:

  • Register for an account or service
  • Request a quote or consultation
  • Participate in events, webinars, or training
  • Submit support requests or feedback
  • Engage in contractual agreements

Examples of data collected:

  • Name, email address, phone number, company name
  • Billing and payment information
  • Usernames, passwords, and authentication data
  • Communications and support tickets
  • Event participation details

2. Information Collected Automatically

When you use our website or services, we automatically collect certain information, including:

  • IP address and device identifiers
  • Browser type, operating system, and language preferences
  • Usage data (pages visited, actions taken, time spent)
  • Log files and diagnostic data
  • Cookies and similar tracking technologies (see Cookies section)

3. Information from Third Parties

We may receive information about you from:

  • Business partners, resellers, or affiliates
  • Public databases and social media platforms (if you interact with us there)
  • Service providers (e.g., payment processors, analytics platforms)

4. Special Categories of Data

For certain regulated services (e.g., healthcare-related cloud hosting), we may process sensitive data such as Protected Health Information (PHI) in compliance with HIPAA. Such data is handled with enhanced security and only as required for service delivery.


Purposes and Legal Bases for Processing


We process your personal data for the following purposes, relying on one or more lawful bases as required by applicable law:

| Purpose | Legal Basis (GDPR/DPDP/HIPAA) |
|---|---|
| Service provision and contract fulfillment | Contractual necessity |
| Account management and authentication | Legitimate interests / Contract |
| Customer support and communications | Legitimate interests / Consent |
| Security monitoring and incident response | Legal obligation / Legitimate interests |
| Marketing and event invitations | Consent / Legitimate interests |
| Compliance with legal and regulatory duties | Legal obligation |
| Research, analytics, and service improvement | Legitimate interests / Consent |
| Processing PHI for healthcare services | HIPAA-compliant authorization / Contract |

Data Collection and Usage Practices


1. Service Delivery

We use your data to:

  • Set up and manage your account
  • Deliver requested services (e.g., DDoS simulations, penetration tests, app publishing)
  • Provide technical support and respond to inquiries
  • Generate reports and analytics for your use

2. Security and Compliance

We process data to:

  • Authenticate users and prevent unauthorized access
  • Monitor systems for threats, vulnerabilities, and incidents
  • Maintain audit logs and compliance records (e.g., for SOC 2, ISO 27001, HIPAA)
  • Conduct risk assessments and enforce security policies

3. Communications

We may use your contact information to:

  • Send service-related notifications and updates
  • Communicate about events, webinars, or training
  • Respond to feedback or support requests

4. Marketing (with Consent)

With your explicit consent, we may:

  • Send newsletters, promotional materials, or event invitations
  • Conduct surveys or request feedback

You can withdraw consent or opt out of marketing communications at any time.

5. Research and Analytics

We analyze usage data to:

  • Improve our website, services, and user experience
  • Develop new features and offerings
  • Monitor trends and performance metrics

All analytics are performed in compliance with data minimization and anonymization principles where possible.


Data Sharing and Disclosure


We do not sell your personal data. We may share your information in the following circumstances:

1. With Service Providers and Subprocessors

We engage trusted third-party vendors to assist with:

  • Cloud hosting and infrastructure (e.g., AWS, Azure, Google Cloud)
  • Payment processing
  • Email delivery and communications
  • Security monitoring and incident response
  • Analytics and reporting

All subprocessors are contractually bound to comply with applicable data protection laws and our security standards. Data Processing Agreements (DPAs) are in place as required by GDPR and DPDP Act.

2. With Business Partners

In some cases, we may share data with partners or resellers for joint service delivery, subject to your consent or contractual agreement.

3. For Legal and Regulatory Compliance

We may disclose your data if required to:

  • Comply with applicable laws, regulations, or legal processes
  • Respond to lawful requests from authorities (e.g., subpoenas, court orders)
  • Protect our rights, property, or safety, or that of our users or the public

4. In Business Transfers

If Bithost or ZHOST undergoes a merger, acquisition, or asset sale, your data may be transferred as part of the transaction, subject to continued protection under this policy.

5. With Your Consent

We may share your data with third parties for purposes not covered above only with your explicit consent.

Third-Party Processors and Subprocessors


We maintain a list of authorized subprocessors, updated regularly. Each subprocessor is evaluated for compliance with GDPR, DPDP Act, HIPAA, SOC 2, and ISO 27001, and is contractually required to:

  • Process data only on our documented instructions
  • Implement appropriate technical and organizational security measures
  • Assist in fulfilling data subject rights requests
  • Notify us promptly of any data breaches

A summary of our main subprocessors and their roles is available upon request.


Data Retention and Deletion


We retain your personal data only as long as necessary for the purposes outlined in this policy or as required by law, regulation, or contractual obligation.

| Data Category | Typical Retention Period | Deletion/Anonymization Policy |
|---|---|---|
| Account and profile data | Duration of account + 2 years | Deleted or anonymized upon closure |
| Service logs and diagnostics | 12–24 months | Aggregated or deleted after expiry |
| Transaction and billing data | 7 years (for legal compliance) | Secure deletion after statutory period |
| Security and audit logs | 12–36 months (per compliance) | Deleted after compliance period |
| PHI (HIPAA services) | As required by HIPAA/contract | Secure deletion upon request/expiry |

Secure Deletion:

When data is no longer needed, we use industry-standard methods to securely delete or anonymize it, ensuring it cannot be reconstructed or retrieved.

Backups:

Backups are retained for disaster recovery and business continuity, with strict access controls and scheduled deletion in line with retention policies.

Data Security Measures


We implement a comprehensive set of technical and organizational controls to protect your data, aligned with ISO 27001, SOC 2, and HIPAA requirements:

  • Encryption: All data is encrypted in transit (TLS 1.2/1.3) and at rest (AES-256 or equivalent).
  • Access Controls: Role-based access, multi-factor authentication, and least-privilege principles.
  • Network Security: Firewalls, intrusion detection/prevention systems, DDoS mitigation, and network segmentation.
  • Vulnerability Management: Regular security assessments, penetration testing, and patch management.
  • Incident Response: Documented procedures for detecting, reporting, and responding to security incidents.
  • Physical Security: Data centers are protected by physical access controls, surveillance, and environmental safeguards.
  • Employee Training: All staff undergo regular security and privacy awareness training.
  • Audit and Monitoring: Continuous monitoring, logging, and regular internal/external audits.

We regularly review and update our security measures to address evolving threats and regulatory requirements.

International Data Transfers


As a global service provider, we may transfer your personal data to countries outside your jurisdiction, including to our data centers, partners, or subprocessors.

1. GDPR Compliance

For transfers from the European Economic Area (EEA), we ensure adequate protection by:

  • Relying on countries with European Commission adequacy decisions (e.g., UK, Japan, Switzerland, USA under Data Privacy Framework).
  • Using Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Implementing additional safeguards (e.g., encryption, pseudonymization) as required by Schrems II and subsequent guidance.
  • Conducting Transfer Impact Assessments (TIAs) for high-risk transfers.

2. DPDP Act (India)

For cross-border transfers of personal data from India, we comply with DPDP Act and Rules, ensuring:

  • Transfers are made only to jurisdictions approved by the Indian government or with adequate safeguards.
  • Data localization requirements are met for sensitive categories as mandated.

3. HIPAA

For PHI, we ensure that all international transfers comply with HIPAA and Business Associate Agreements (BAAs), restricting access to authorized personnel and entities only.

4. User Rights and Safeguards

You have the right to request information about international transfers of your data and the safeguards in place.

Cookies and Tracking Technologies


1. What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us enhance your experience, remember your preferences, and analyze site usage.

2. Types of Cookies We Use

  • Essential Cookies: Necessary for website functionality (e.g., authentication, security).
  • Analytics Cookies: Help us understand how visitors interact with our site (e.g., Google Analytics).
  • Preference Cookies: Remember your settings and preferences.
  • Marketing Cookies: Used for targeted advertising and event promotion (only with your consent).

3. Cookie Consent Mechanisms

  • We display a cookie banner on your first visit, allowing you to accept, reject, or customize cookie preferences.
  • Non-essential cookies are only set with your explicit opt-in consent.
  • You can change your cookie preferences at any time via our cookie management interface.

4. Cookie Policy and Transparency

Our Cookie Policy provides detailed information about the types of cookies used, their purposes, retention periods, and how to manage them. We follow best practices under GDPR, DPDP Act, and ePrivacy Directive, ensuring:

  • Granular consent options (per cookie category)
  • Real-time updates to preferences
  • Easy withdrawal of consent
  • Multi-language support for notices

Note: You can also manage cookies through your browser settings, but disabling certain cookies may affect site functionality.

Lawful Bases for Processing and Consent Management


We process your personal data only when we have a valid lawful basis, such as:

  • Consent: For marketing, analytics, and non-essential cookies, we obtain your explicit, informed consent.
  • Contractual Necessity: For service delivery, account management, and support.
  • Legal Obligation: For compliance with laws, regulations, and court orders.
  • Legitimate Interests: For security, fraud prevention, and service improvement, provided your rights are not overridden.

You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.


Data Subject Rights


You have specific rights regarding your personal data, depending on your jurisdiction. The table below summarizes your rights under major regulations:

| Right | GDPR (EU/EEA) | DPDP Act (India) | HIPAA (US) | SOC 2 / ISO 27001 |
|---|---|---|---|---|
| Access | ✔️ | ✔️ | ✔️ | ✔️ |
| Rectification/Correction | ✔️ | ✔️ | ✔️ | ✔️ |
| Erasure/Deletion | ✔️ | ✔️ | ✔️ | ✔️ |
| Restriction of Processing | ✔️ | ✔️ | ✔️ | ✔️ |
| Data Portability | ✔️ | ✔️ | ✔️ | ✔️ |
| Object to Processing | ✔️ | ✔️ | ✔️ | ✔️ |
| Withdraw Consent | ✔️ | ✔️ | ✔️ | ✔️ |
| Lodge Complaint | ✔️ | ✔️ | ✔️ | ✔️ |
| Not Subject to Profiling | ✔️ | ✔️ | ✔️ | |
| Restrict Automated Decisions | ✔️ | ✔️ | ✔️ | |

Exercising Your Rights:

  • GDPR/EEA: Submit a Data Subject Access Request (DSAR) via our online form or contact our Data Protection Officer (DPO).
  • DPDP Act (India): Contact our Grievance Officer using the details below. We will acknowledge your request within 72 hours and respond within 7 working days, as per DPDP Rules.
  • HIPAA: For PHI, you may request access, correction, or restriction through our HIPAA compliance contact.
  • General: We may require verification of your identity before processing your request. If you are unsatisfied with our response, you may escalate to the relevant supervisory authority.

Templates and Guidance:

Sample DSAR templates and guidance are available on our website to facilitate your requests.

Children’s Privacy


Our services are not directed to children under the age of 16 (or as defined by local law). We do not knowingly collect personal data from children without appropriate parental consent. If you believe we have inadvertently collected such data, please contact us for prompt removal.

Privacy by Design and Default


We embed privacy and security into our products and services from the outset, following the principles of Privacy by Design and Default:

  • Data Minimization: We collect only the data necessary for specified purposes.
  • Purpose Limitation: Data is used only for the purposes stated at collection.
  • Access Controls: Only authorized personnel have access to personal data.
  • Default Privacy Settings: Maximum privacy is enabled by default; users must opt in for additional data sharing.
  • Continuous Review: We regularly assess and update our privacy practices to address new risks and regulatory changes.

Data Breach Notification and Incident Response


We have robust procedures for detecting, reporting, and managing data breaches:

  • Detection: Continuous monitoring and automated alerts for suspicious activity.
  • Assessment: Prompt evaluation of the scope, impact, and risk to individuals.
  • Notification: If a breach is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours (GDPR) or as required by law (DPDP Act, HIPAA).
  • Mitigation: Immediate steps to contain and remediate the breach.
  • Documentation: All breaches are documented, including facts, effects, and remedial actions.

Roles and Responsibilities


1. Data Controller and Processor

  • ZHOST Consulting Private Limited acts as the data controller for personal data collected for its own purposes (e.g., user accounts, marketing).
  • For client data processed as part of our services (e.g., penetration testing, cloud hosting), we act as a data processor, following the instructions of the client (data controller) and applicable Data Processing Agreements.

2. Grievance Officer (India)

As required by the DPDP Act and Rules, we have appointed a Grievance Officer responsible for:

  • Acknowledging and resolving data principal grievances within statutory timelines
  • Maintaining records of requests and responses
  • Cooperating with the Data Protection Board of India
  • Ensuring compliance with DPDP Act and Rules

3. Data Protection Officer (DPO)

For GDPR and global compliance, our DPO oversees:

  • Implementation of privacy policies and controls
  • Handling data subject rights requests
  • Liaising with supervisory authorities



Contact Information and Grievance Redressal


If you have any questions, concerns, or wish to exercise your rights, please contact us:

Data Protection Officer (DPO):

Email: dpo@bithost.in

Address: ZHOST Consulting Private Limited, Minashi Sadan, 70 Feet Road, Patna, Bihar 800002, India

Grievance Officer (India):

Name: [Grievance Officer Name]

Email: grievance@bithost.in

Phone: [+91-9113366525]

Address: ZHOST Consulting Private Limited, Minashi Sadan, 70 Feet Road, Patna, Bihar 800002, India

Supervisory Authorities:

  • EU/EEA: Contact your local Data Protection Authority (DPA)
  • India: Data Protection Board of India (DPB)
  • US (HIPAA): Office for Civil Rights (OCR), US Department of Health & Human Services

We aim to respond to all inquiries within 15 working days. If you are unsatisfied with our response, you may escalate your complaint to the relevant authority.

Policy Updates and Notifications


We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. Updates will be posted on our website with a revised “Last updated” date. For material changes, we will notify you via email or prominent notice on our site.

Your continued use of our services after such changes constitutes your acceptance of the updated policy.

Links to Other Websites


Our website may contain links to third-party sites. We are not responsible for the privacy practices or content of such sites. We encourage you to review their privacy policies before providing any personal data.

Additional Information for Regulated Services


1. HIPAA Compliance

For clients in the healthcare sector, we offer HIPAA-compliant cloud hosting and managed services. We sign Business Associate Agreements (BAAs) as required and implement:

  • Encryption of PHI at rest and in transit
  • Access controls and audit trails
  • Incident response and breach notification procedures
  • Regular risk assessments and compliance audits

2. SOC 2 and ISO 27001

We maintain SOC 2 and ISO 27001 certifications, demonstrating our commitment to security, availability, confidentiality, and privacy. Our controls are regularly audited by independent third parties.

