CloudFirst Privacy Notice

Effective date: 15/08/2025

Classification: Public

Introduction

CloudFirst (‘CloudFirst’, ‘we’, ‘us’, or ‘our’) is committed to protecting you and your users’ (‘you’ or ‘your’) privacy. This Privacy Notice outlines how we collect, use, and protect your personal data when you use our website and our services.

We provide the following services:

  • Cloud Hosting: Secure, scalable enterprise resources in isolated environments.
  • Cloud Backup: Managed cloud backup with encryption, scheduling, retention and retrieval features.
  • Disaster Recovery: Comprehensive backup and restoration solutions.
  • High Availability: Enterprise-grade system resources for seamless workload transition.

CloudFirst knows that your and your users’ personal data is important. We appreciate the trust you place in us when you visit the CloudFirst website and use our services. As a result, we process the personal data we receive from you responsibly and in accordance with applicable laws and regulations, including the UK GDPR and the Data Protection Act 2018.

This Privacy Notice describes how we process the personal data collected when you and your users access this website (‘Website’). When you leave this site, this Privacy Notice may no longer apply to you. Any subsequent websites, applications or services not operated by CloudFirst will have their own privacy notice and applicable terms. In instances where CloudFirst acts as a sub-processor to an external data controller, the data controller’s privacy notice should be referenced for any concerns related to how your data is collected and processed. CloudFirst may define additional privacy terms in a data processing agreement (DPA – sometimes referred to as a Data Processing Addendum) with data controllers that have contracted with CloudFirst for any of the services noted above.

This Notice explains your rights and choices concerning your personal data, including how you can contact us if you have any questions or concerns. In this Privacy Notice, ‘personal data’ means any information relating to an identifiable individual.

Please read this Privacy Notice carefully. If you do not agree with this Privacy Notice or any part of it, you should not access or use any part of the services. If you change your mind in the future, you must stop using the services. You may exercise your rights in relation to your personal data as set out in this Privacy Notice.

Types of Personal Data We Collect

  • Contact details (e.g. name, email, phone number)
  • Business details (e.g. company name, position)
  • Account credentials for cloud services
  • System logs and metadata for operational support

How We Collect Your Personal Data

We collect information directly when:

  • You engage with our services.
  • You contact us for support or enquiries.
  • You use or view our website via browser cookies.

We may also collect information indirectly from the following:

  • Automated monitoring systems for security and performance.

Website Cookies

A cookie is a file containing an identifier (a string of letters and numbers) sent by a web server to a web browser and stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either ‘persistent’ cookies or ‘session’ cookies. A persistent cookie is stored by a web browser and will remain valid until its set expiry date unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session when the web browser is closed.

Cookies may not contain any information that personally identifies a user, but the personal data we store about you may be linked to the information stored in and obtained from cookies.

We use cookies for several reasons:

Cookie Category: Strictly Necessary
Purpose: These cookies are essential for the website to function properly. They enable core features such as security, network management and accessibility. Without these cookies, services you have requested (such as logging into secure areas or remembering cookie settings) cannot be provided. Consent is not usually required for strictly necessary cookies.
Examples: Session ID cookie (keeps you logged in during your visit), Cookie consent cookie (remembers your preferences)

Cookie Category: Analytics & Performance
Purpose: Helps us understand visitor interactions via Google Analytics and HubSpot.
Purpose: These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. They allow us to count visits and traffic sources so we can measure and improve site performance. We use Google Analytics and HubSpot cookies in this category to track user engagement, page popularity and to help improve our content and services. These cookies are not essential and will only be set if you give consent (where applicable).
Examples: Google Analytics cookies (e.g. _ga, _gid), HubSpot tracking cookies (e.g. __hstc, hubspotutk)

Cookie Category: Marketing
Purpose: Marketing cookies are used to track visitors across websites to display relevant ads or content. CloudFirst does not currently use third-party advertising or social media cookies on our sites. If this changes, we will update this policy accordingly.
Examples: None currently in use.

Below is a detailed list of first-party and third-party cookies currently in use on CloudFirst’s main website and Client Portal. For each cookie, we explain its name, purpose, type, duration, whether it is first or third party, and its provider or source.

Cookie Name: cookieconsent_status
Provider: CloudFirst (Website)
Purpose: Remembers your cookie consent preference so that the cookie banner is not shown again once acknowledged. Does not store personal data.
Type: Essential
Duration: 1 year
First/Third Party: First-party

Cookie Name: Session ID
Provider: CloudFirst (Client Portal)
Purpose: A session cookie used to maintain your login session when you access the Client Portal. It ensures that you remain signed in as you navigate the portal’s pages.
Type: Essential
Duration: Session
First/Third Party: First-party

Cookie Name: _ga
Provider: Google Analytics
Purpose: Used to distinguish unique users by assigning a random ID, allowing us to count visits and understand site usage.
Duration: 2 years
First/Third Party: First-party

Cookie Name: _gid
Provider: Google Analytics
Purpose: Used to store information about how visitors use the site and to distinguish users on a daily basis.
Type: Analytics
Duration: 1 day
First/Third Party: First-party

Cookie Name: __hstc
Provider: HubSpot
Purpose: The main tracking cookie for HubSpot analytics. Keeps track of visitor sessions and timestamps.
Type: Analytics
Duration: 6 months
First/Third Party: First-party

Cookie Name: hubspotutk
Provider: HubSpot
Purpose: Tracks a visitor’s identity. Passed to HubSpot on form submissions to connect submissions to a single contact record.
Type: Analytics
Duration: 6 months
First/Third Party: First-party

Cookie Name: __hssc
Provider: HubSpot
Purpose: Keeps track of session count and timestamps to determine if HubSpot should increment the session number.
Type: Analytics
Duration: 30 minutes 
First/Third Party: First-party

Cookie Name: __hssrc
Provider: HubSpot
Purpose: Determines if the user has restarted their browser. Contains the value ‘1’ and lasts only for the browser session.
Type: Analytics
Duration: Session (expires on browser close)
First/Third Party: First-party

Possible Cookie Name: Remember Me Token (Client Portal)
Provider: CloudFirst (Client Portal)
Purpose: Optional cookie set if the user selects ‘Remember Me’ during login, to keep them logged in across sessions. Stores an encrypted token.
Type: Functional
Duration: Typically 7–14 days or until you log out
First/Third Party: First-party (set by CloudFirst portal)

Note:
The above cookies are primarily first-party cookies, which means they are set by our domains (cloudfirst.host or cloudfirst.host’s subdomains). We use third-party services such as Google Analytics and HubSpot to help manage these cookies, but the cookies themselves are stored under our domain. We do not currently use any third-party advertising cookies (which would be stored by external domains). If we integrate any new cookies or third-party tools in the future, we will update our cookie list and categories accordingly.

When you first visit our site, you will see a cookie notice or banner requesting your consent for non-essential cookies (such as analytics cookies). You can choose to accept all cookies or reject non-essential cookies. If you click ‘Accept All’, we will enable all cookies listed above. If you select ‘Decline’ or similar, we will not set analytics cookies – only the essential cookies necessary for the site to function will be used.

Even after you’ve given consent, you have the right to change your cookie preferences or withdraw consent at any time. You can do this by:

Using our Cookie Settings: (If available) Click the ‘Cookie Settings’ link or revisit the cookie banner (usually found as a footer link or by clearing your cookies to trigger the banner again). From there, you can adjust which categories of cookies you permit.

Browser Settings: Alternatively, you can disable or remove cookies through your web browser settings. Most browsers allow you to block cookies or delete cookies that have already been set. Please note that disabling all cookies (especially strictly necessary cookies) may impact the functionality of our site — for example, you may not be able to log in or use certain features if essential cookies are blocked.

Opt-Out Tools: For third-party analytics such as Google Analytics, you can install opt-out browser add-ons if you prefer. For example, Google provides a Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics.

Purposes and Legal Basis for Processing

We process your data to:

  • Provide and support our services.
  • Comply with legal obligations (e.g. fraud prevention).
  • Prepare for and engage in internal and external audits and other assurance-providing processes and procedures.
  • Improve service performance and security.

Our legal bases for processing include:

  • Consent – You may withdraw consent at any time by contacting us.
  • Contractual necessity – To fulfil service agreements.
  • Legal obligation – For compliance with applicable laws.
  • Legitimate interests – For operational efficiency and security.

Sharing of Personal Data

We may share your personal data with:

  • CloudFirst affiliates
  • Service providers for technical support
  • Auditors
  • Regulatory authorities where required by law

CloudFirst does not share your personal data with any third parties for the purposes of direct marketing.

Subprocessors

CloudFirst uses subprocessors, which are third parties that support our services to you. We have contracts in place with our subprocessors. This means they cannot do anything with your personal data unless we have instructed them to do so. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

  • Teamwork Crew, Ltd. – Purpose: Customer Support Platform, Processing Location: US (multiple regions)
  • Salesforce, Inc. – Purpose: Customer Sales and Communication, Processing Location: US
  • Microsoft Corporation – Purpose: Customer Communication, Processing Location: US
  • CloudFirst – Purpose: UK-based CloudFirst operations providing customer support in the UK and EU, Processing Location: UK
  • Sophos, Ltd. – Purpose: Managed security monitoring and response software, Processing Location: US (hosted in AWS)

Transfer of Data to Third Countries

We may transfer your personal data to countries outside the UK and European Economic Area (EEA). In such cases, we ensure that appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK Government or the European Commission.
  • Standard Contractual Clauses (SCCs).
  • Binding Corporate Rules (BCRs), where applicable.

For further information on these safeguards, please contact us at privacy@cloudfirst.host.

Data Storage and Retention

Your data is securely stored on servers within the United Kingdom and the United States.
Retention periods depend on the nature of the data:

  • Account-related information: retained for the duration of your service.
  • Logs and metadata: retained for up to [insert time period] for security purposes.

After this period, data is securely deleted using [describe method, e.g. encrypted wipe].

Your Data Protection Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Right to access your data – You may request a copy of your personal data.
  • Right to rectify inaccuracies – You may request that CloudFirst correct any information you believe is inaccurate or complete information that appears incomplete.
  • Right to request data erasure – You may request that CloudFirst erase your personal data under certain conditions.
  • Right to restrict processing – You may request that CloudFirst restrict or limit the processing of your personal data under certain conditions.
  • Right to object to processing – You may object to CloudFirst’s processing of your personal data under certain conditions.
  • Right to data portability – You may request that CloudFirst transfer your data to you or another organisation under certain conditions.
  • Right to lodge a complaint – You may lodge a complaint with a supervisory authority, including in your country of residence, place of work or where the potential incident is believed to have occurred.

Requests to exercise your rights will be addressed promptly. CloudFirst will respond to any valid request within one month of receipt. To exercise your rights, contact us at privacy@cloudfirst.host.

Automated Decision-Making and Profiling

We do not use automated decision-making or profiling in our processing activities. If this changes in the future, we will update this Privacy Notice accordingly. Should we implement automated decision-making, we will notify you in advance and provide an opt-out mechanism where applicable.

Mandatory or Optional Provision of Data

Providing personal data may be a contractual requirement necessary for the performance of our services. If you choose not to provide this data, we may not be able to fulfil our contractual obligations to you.

Children's Privacy

CloudFirst does not knowingly solicit or collect personal data from children under the age of 16. If we learn that we have collected personal data from a child under 16 without parental consent, we will either seek parental consent or promptly delete that information. If you believe that a child under 16 may have provided us with personal data without parental consent, please contact us as specified in the Contact Details section of this Privacy Notice.

Changes to this Privacy Notice

CloudFirst regularly reviews and updates this Privacy Notice to ensure it remains accurate and compliant with all applicable privacy regulations, laws and other requirements.

Contact Details

Company Name: CloudFirst

United Kingdom
100 Bishopsgate
18th Floor
London, United Kingdom, EC2N 4AA
Phone: +44 204 591 5708
Email: info@cloudfirst.host

United States
225 Broadhollow Rd, Suite 307
Melville, NY 11747
Phone: +1 631 608 1200
Email: privacy@cloudfirst.host

For data protection enquiries, please contact our Data Protection Officer (DPO) at privacy@cloudfirst.host.

How to Complain

If you have any concerns, please contact us at privacy@cloudfirst.host.

You may also contact the Information Commissioner’s Office (ICO):
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: https://www.ico.org.uk