Effective Date: September 16, 2025

1. Policy Statement & Purpose

Exhas ("we," "us," "our") is committed to processing personal data in full compliance with the European Union's General Data Protection Regulation (GDPR). This policy outlines our obligations and practices for ensuring the protection of all personal data collected and processed through our website, exhas.com (the "Site"), and our associated IPTV services (the "Services").

The purpose of this policy is to ensure that Exhas:

  • Complies with data protection law and follows good practice.
  • Protects the rights of our users ("Data Subjects").
  • Is transparent about how it stores and processes personal data.
  • Protects itself from the risks of a data breach.

2. The Data Controller

As defined by the GDPR, the data controller for your personal information is:

Exhas
Website: exhas.com
Contact Email: Support@exhas.com

The data controller is responsible for deciding how your personal data is processed and for what purposes.

3. The Principles of GDPR

We adhere to the principles relating to the processing of personal data set out in Article 5 of the GDPR:

  • Lawfulness, Fairness and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimisation: Data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy: Data is accurate and, where necessary, kept up to date.
  • Storage Limitation: Data is kept in a form which permits identification of data subjects for no longer than is necessary.
  • Integrity and Confidentiality (Security): Data is processed in a manner that ensures appropriate security of the personal data.
  • Accountability: The controller is responsible for, and must be able to demonstrate, compliance with the other principles.

4. Lawful Basis for Processing

All data processing we conduct has a lawful basis under Article 6 of the GDPR. We primarily rely on the following bases:

  • Contractual Necessity (Article 6(1)(b)): The processing is necessary for the performance of a contract to which you are a party. This includes setting up your account, providing the IPTV service, and processing payments.
  • Legitimate Interests (Article 6(1)(f)): The processing is necessary for our legitimate interests, such as for service improvement, network security, and fraud prevention, except where such interests are overridden by your interests or fundamental rights.
  • Consent (Article 6(1)(a)): For specific activities, such as sending promotional or marketing emails, we will rely on your explicit, opt-in consent. You may withdraw this consent at any time.
  • Legal Obligation (Article 6(1)(c)): The processing is necessary for us to comply with the law (e.g., tax regulations or law enforcement requests).

5. Personal Data Collected and Processed

We process the following categories of personal data to deliver our Service:

  • Account Data: Name, email address, billing information.
  • Technical Data: IP address, device identifiers (e.g., MAC address), browser and OS information.
  • Transactional Data: Payment confirmation data received from our third-party payment processors (Stripe).
  • Service Usage Data: Login/logout times and service interaction data used for performance monitoring and diagnostics.

6. The Rights of the Data Subject

Under the GDPR, you, as the data subject, have explicit rights. Exhas is fully committed to upholding these rights:

  • The Right to be Informed: This policy serves to inform you about our data processing activities.
  • The Right of Access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and where that is the case, access to the personal data.
  • The Right to Rectification: You have the right to have inaccurate personal data rectified without undue delay.
  • The Right to Erasure (The "Right to be Forgotten"): You have the right to request the deletion of your personal data, under specific conditions.
  • The Right to Restrict Processing: You have the right to request the restriction of processing of your personal data, under specific conditions.
  • The Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller.
  • The Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing.

To exercise any of these rights, please contact our data protection team at Support@exhas.com. We will respond to your request within one month, as required by the GDPR.

7. Data Security and Breach Notification

We have implemented robust technical and organizational measures to ensure the security of your personal data, including encryption, access controls, and secure infrastructure.

In the unlikely event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, and in any event within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR.

8. Data Transfers

Data may be processed by third-party services (e.g., hosting providers) located outside the European Economic Area (EEA). In such cases, we ensure the transfer is lawful and data is protected by implementing appropriate safeguards, such as the EU's Standard Contractual Clauses (SCCs).

9. Policy Review and Updates

This GDPR Policy will be reviewed regularly and updated as necessary to reflect changes in our practices or in data protection legislation. Any changes will be posted on this page.

10. Contact and Supervisory Authority

For any questions regarding this policy or your data, please contact us at terms@exhas.com.

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.