Overview
CDNStudio s.r.o. ("CDNStudio", "we", "us", or "our") operates the CDNStudio content delivery network and associated services available at cdnstudio.com and via our API (collectively, the "Services"). This Privacy Policy explains what personal data we collect, how we use it, and the choices you have regarding your data.
We are the data controller for personal data processed in connection with this website and our account management. For data processed as part of delivering content on behalf of our clients (e.g., end-user IP addresses in CDN access logs), we act as a data processor under the client's instructions.
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Services.
Data we collect
Account and contact data
When you create an account or contact us, we may collect:
- Name and email address
- Company name, job title, and billing address
- Payment information (processed via our payment processor; we do not store full card numbers)
- Phone number (if provided for support calls)
- Messages and correspondence sent to us
Usage and technical data
When you use the CDNStudio dashboard or API, we automatically collect:
- IP address and approximate geographic location
- Browser type and version, operating system
- Pages visited, features used, and time of access
- API requests made: endpoint, timestamp, and response status
- Error logs and crash reports (to diagnose and fix bugs)
CDN traffic data (processed on behalf of clients)
When we deliver content on behalf of our clients, our servers process:
- End-user IP addresses (used for routing; not linked to CDNStudio accounts)
- HTTP request metadata: URL, method, status code, bytes transferred
- HTTP headers including User-Agent and Referer
- Cache status and PoP serving the request
This data is processed under our clients' instructions. Clients are responsible for their own privacy obligations towards their end users.
How we use your data
We use the data we collect to:
- Provide and operate the Services — processing billing, managing your account, routing traffic, and delivering content
- Communicate with you — responding to support requests, sending invoices, and notifying you of important service updates (e.g., outages or maintenance)
- Improve the Services — analysing usage patterns to fix bugs, prioritise features, and optimise network performance
- Enforce our Terms of Service — detecting and preventing abuse, fraud, and security threats
- Comply with legal obligations — responding to lawful requests from courts or regulatory authorities
We do not sell your personal data to third parties. We do not use your data for targeted advertising.
Data sharing
We share personal data only in the following circumstances:
Service providers
We use a small number of carefully selected sub-processors to help us operate the Services — including payment processing, cloud infrastructure, and support tooling. All sub-processors are bound by data processing agreements and are not permitted to use your data for their own purposes.
Legal requirements
We may disclose your data if required by law, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our legal rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Business transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.
With your consent
We may share your data for other purposes with your explicit consent.
Data retention
We retain personal data for as long as your account is active or as needed to provide the Services. Specific retention periods:
- Account data: Retained for the duration of your account plus 2 years after closure, to resolve disputes and comply with legal obligations
- Billing records: Retained for 7 years (EU VAT and accounting requirements)
- CDN access logs: Retained for 30 days by default on our systems; clients may configure log push to extend retention in their own infrastructure
- Support communications: Retained for 3 years from the last interaction
- Security logs (IP-level threat data): Retained for 90 days
After the applicable retention period, data is securely deleted or anonymised.
Your rights
If you are in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with applicable data protection law, you have the following rights:
Right of access
You can request a copy of the personal data we hold about you.
Right to rectification
You can ask us to correct inaccurate or incomplete data about you.
Right to erasure ("right to be forgotten")
You can request that we delete your personal data, subject to our retention obligations described above.
Right to restriction of processing
You can ask us to temporarily limit how we use your data while a dispute is resolved.
Right to data portability
You can request your data in a structured, machine-readable format (e.g., JSON or CSV).
Right to object
You can object to our processing of your data where we rely on legitimate interests as our legal basis.
Right to withdraw consent
Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email us at hello@cdnstudio.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
Security
We take the security of your data seriously. Our measures include:
- All data in transit is encrypted using TLS 1.3
- All data at rest is encrypted using AES-256
- Access to production systems is restricted to authorised personnel using hardware security keys
- We maintain SOC 2 Type II certification and ISO 27001 certification
- We run an active bug bounty programme on HackerOne
- We conduct annual third-party penetration tests
No method of transmission over the internet or method of electronic storage is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you in accordance with applicable law.
International data transfers
CDNStudio is headquartered in Prague, Czech Republic (EU). Your data may be processed by us or our sub-processors in countries outside your own country, including countries outside the EEA.
For transfers from the EEA to third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or we ensure that the recipient country provides an adequate level of data protection as determined by the European Commission.
For EU clients who require EU data residency for their CDN traffic data, we offer EU-only processing options — please contact us to discuss this.
Children's privacy
Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@cdnstudio.com and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to the address associated with your account
- Posting a prominent notice on our website for at least 30 days before the change takes effect
- Updating the "Last updated" date at the top of this page
Continued use of the Services after a change takes effect constitutes your acceptance of the revised policy.
Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Email: hello@cdnstudio.com
- Post: CDNStudio s.r.o., Attn: Privacy Officer, Václavské náměstí 1, 110 00 Prague 1, Czech Republic
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the Czech Republic, this is the Office for Personal Data Protection (ÚOOÚ): uoou.cz.