Privacy
Policy.

General Provisions & Scope

SFTPMAC (hereinafter referred to as "the platform," "we," or "SFTPMAC") understands the importance of privacy to every user. This Privacy Policy (hereinafter referred to as "this policy") is formulated and published by SFTPMAC Global and its affiliated entities (collectively, "the SFTPMAC Group") and applies to all natural persons, legal entities, and other organizations (collectively, "users" or "you") accessing or using the cloud Mac compute rental and associated services (collectively, "services") provided through the SFTPMAC website, mobile applications, API interfaces, management console, and related digital products (collectively, "the platform").

This policy is formulated in accordance with the EU General Data Protection Regulation (GDPR), the Singapore Personal Data Protection Act (PDPA), and data protection regulations in other applicable jurisdictions. We commit to processing your personal information in a lawful and compliant manner, while reserving the right to maximize the utility of platform operational data and protect service operations and commercial interests within the extent permitted by law.

• Personal Information:Any information recorded electronically or otherwise relating to an identified or identifiable natural person, including but not limited to name, date of birth, ID numbers, personal biometric information, residential address, phone number, email address, and account information.
• Service Data:All data generated during your use of platform services, including but not limited to connection logs, operation records, resource usage, traffic data, and device status. SFTPMAC holds full usage rights to such data after anonymization or aggregation.
• Derivative Data:Information generated through statistical analysis, modeling, or other technical means based on service data, including behavioral profiles and usage preference analysis. Such data belongs to SFTPMAC and is not subject to the restrictive terms of this policy regarding personal information.
• Data Processor:Third-party entities that process your personal information under instructions from SFTPMAC, including cloud service providers, payment service institutions, and operational support partners.

This policy applies to: (a) visitors to the SFTPMAC official website and all subdomains; (b) users registered with an SFTPMAC account; (c) customers purchasing or using any SFTPMAC paid services; (d) developers accessing the platform via API or programmatic interfaces; (e) end users using platform services indirectly through distributors or agents. This policy does not apply to third-party websites, applications, or services, even if accessed through links on the platform, for which SFTPMAC assumes no responsibility.

Data Collection & Sources

To provide you with secure, stable, and high-quality cloud Mac rental services and to fulfill our legal compliance obligations, SFTPMAC collects relevant information in various scenarios. The categories of data collected and their sources are listed in detail below.

When you access the platform or use the services, our system automatically collects the following technical information:

• Network Identifiers:IP address, IPv6 address, MAC address (where applicable), geographic location (accurate to city level), ASN (Autonomous System Number), and ISP information.
• Device and Environment Information:Operating system type and version, browser type and version, device model, screen resolution, time zone, system language preferences, and browser fingerprint hashes.
• Access Logs:Page visit records, access timestamps, referrer URLs, site navigation paths, duration of stay, click behavior, and search keywords.
• API Call Logs:API endpoints, request times, request parameter summaries (sensitive parameters are masked), response status codes, and latency data.
• SSH/VNC Connection Logs:Connection initiation and termination times, connection source IP, authentication method, and number of successful/failed connections. This does not include the session content itself (unless for security auditing purposes; see Section 9).
• Resource Consumption Data:CPU utilization, memory usage, storage I/O, network ingress/egress traffic, and process-level resource statistics used for billing verification and service optimization.
• Error and Crash Reports:Frontend JavaScript errors, API exception information, and system-level alerts to help us continuously improve service stability.

Under the premise of legality and compliance, we may obtain information about you from the following third-party sources:

• Payment Institutions:Transaction status, refund results, and risk control scores provided by payment service providers such as Stripe.
• Anti-fraud Service Providers:Device risk assessment results, IP reputation scores, and account association risk tags used to prevent fraud and account abuse.
• Identity Verification Providers:Business registration query results used for corporate customer qualification verification.
• Compliance Databases:Sanctions list checks and PEP (Politically Exposed Person) screening results used to meet AML (Anti-Money Laundering) and KYC (Know Your Customer) compliance requirements.
• Distributors and Agents:Basic account information of users who register indirectly through authorized channel partners.

Purposes of Data Use and Legal Basis

SFTPMAC processes your personal information strictly in accordance with the principles of legality, fairness, and necessity, ensuring that every processing activity has a clear legal basis.

• Create and maintain your account, verify your identity, and authorize credentials.
• Configure, deliver, and activate cloud Mac instances according to your orders, providing SSH, VNC, and console access credentials.
• Process payments, refunds, and billing; generate compliant tax documents and receipts.
• Monitor instance running status in real-time, automatically triggering alerts and recovery processes when anomalies are detected.
• Send renewal reminders before the lease expires and provide advance notice of service changes.
• Respond to technical support requests, resolve billing disputes, and process refund applications.

• Detect and block network attacks against platform infrastructure in real-time, including DDoS, brute force, and SQL injection.
• Identify and address account behaviors that violate the Terms of Service, including but not limited to mining, spamming, and distribution of prohibited content.
• Implement IP whitelist policies and perform secondary verification for abnormal login attempts.
• Verify fraud risks for new users and large orders to prevent payment fraud such as credit card theft.
• Maintain comprehensive access logs for the platform and rented instances to support security incident investigations.

• Perform statistical analysis on anonymized or aggregated usage data to guide product feature planning and resource scheduling optimization.
• 3.2 Platform Security & Fraud Prevention (Legitimate Interests)
• Analyze platform performance bottlenecks, improve resource allocation algorithms, and increase hardware utilization.
• Build machine learning models for demand forecasting, fault warning, and elastic resource scheduling.

• Send product update announcements, promotional information, and personalized recommendations (only where you have not explicitly opted out).
• Send service satisfaction surveys and user interview invitations to understand your genuine feedback on the product.
• 3.3 Service Improvement & Product R&D (Legitimate Interests)

You can opt-out of non-essential marketing communications at any time through account settings or the unsubscribe link at the bottom of emails. Transactional notifications directly related to service operations (e.g., billing, security alerts, policy updates) are not affected by opt-out requests.

• Respond to data access requests from judicial authorities or government agencies with legitimate jurisdiction.
• Comply with Anti-Money Laundering (AML) regulations and foreign exchange management requirements by retaining necessary financial transaction records.
• 3.4 Marketing & Commercial Communications (Your Consent / Legitimate Interests)
• Perform necessary measures for evidence preservation in legal litigation, arbitration, or regulatory investigations.

Data Sharing & Disclosure

SFTPMAC does not sell, rent, or commercially trade your personal information. However, in the following circumstances, we may share your specific information with appropriate third parties:

We entrust strictly audited data processors to handle specific data under written instructions from SFTPMAC, requiring them to sign Data Processing Agreements (DPA) that comply with applicable laws:

• Payment Processing:Stripe Inc.，Stripe Inc., responsible for processing online payments and refunds.
• Cloud Infrastructure:AWS Cloud service providers such as AWS, providing compute and storage resources required for some platform backend services (Note: Core physical Mac nodes are independently operated and managed by SFTPMAC).
• Email & Communication Services:SendGrid Email service providers such as SendGrid, used for reliable delivery of system notifications and marketing emails.
• Customer Support Systems:Zendesk Support tools such as Zendesk, used for ticket management and multi-channel customer communication.
• Data Analysis:Anonymized aggregate statistics may be shared with analysis tool providers (e.g., Amplitude) to improve the product experience.
• Security Services:Cloudflare Security service providers such as Cloudflare, used for DDoS protection, WAF, and CDN acceleration.

Affiliated companies within the SFTPMAC Group may share necessary user information for legitimate business purposes such as unified account management, financial consolidation, and centralized risk control. All internal sharing is subject to this policy and implements data protection measures equivalent to those of external processors.

In the following circumstances, SFTPMAC will cooperate in accordance with the law to disclose relevant information to authorized authorities, exempt from the confidentiality commitments of this policy:

• Responding to judicial assistance orders, search warrants, or subpoenas issued by courts with legitimate jurisdiction.
• Cooperating with criminal investigations conducted by law enforcement agencies with legitimate jurisdiction.
• Meeting compliance review requirements from relevant financial regulatory authorities.
• 4.2 Intra-Group Sharing

In the event of a merger, division, acquisition, reorganization, or transfer of partial assets involving SFTPMAC, your personal information may be transferred to the counterparty as part of business assets. In such cases, we will notify affected users in advance and ensure that the recipient adheres to data protection obligations at a standard equivalent to this policy. If the recipient cannot meet these requirements, we will request your re-authorization or deletion of the relevant data.

4.4 Business Reorganization & Asset Transfer

SFTPMAC uses cookies and similar tracking technologies (including Web Beacons, pixel tags, LocalStorage, SessionStorage, etc.) to ensure the platform functions properly, improve user experience, and support data analysis.

You can manage the activation status of optional cookies through the "Account Settings → Privacy Preferences" page on the platform. Additionally, you may restrict or delete cookies in your browser settings; however, please note that disabling strictly necessary cookies will prevent you from logging in or using platform services normally. SFTPMAC does not respond to browser-sent Do-Not-Track (DNT) signals, but respects the explicit preference settings made via the platform interface.

Our platform may integrate third-party analytical tools such as Google Analytics (with IP anonymization enabled) and Cloudflare Web Analytics, which set independent cookies on your device. For cookies set by these third-party tools, please refer to the respective third-party privacy policies. SFTPMAC assumes no independent responsibility for the cookie behaviors of third-party tools.

5.3 Third-Party Tracking Technologies

Your personal information is primarily stored in SFTPMAC data centers located in Singapore, Japan, Hong Kong, and the United States.

Data exceeding the retention periods mentioned above will be deleted or thoroughly anonymized through secure wiping or physical destruction. Your request to cancel an account will be executed according to the periods described in this section, rather than immediate deletion of all data.

SFTPMAC has established a multi-layered security protection system covering the entire data lifecycle:

• In-Transit Encryption:All data transfers are mandatorily encrypted using TLS 1.2/1.3 protocols; SSH connections use Ed25519/ECDSA key pairs for authentication; VNC connections are transmitted via independent encrypted tunnels.
• At-Rest Encryption:Sensitive fields in databases are stored using AES-256 encryption; user passwords are processed with irreversible bcrypt (cost≥12) hashing; payment information is handled by PCI DSS Level 1 compliant processors, and SFTPMAC has no direct contact with raw card numbers.
• Access Control:Strict principle of least privilege; internal staff access to production data requires Multi-Factor Authentication (MFA) and operational approval; all internal access is recorded in comprehensive audit logs.
• Network Security:Multi-layer WAF protection; DDoS scrubbing centers (capacity exceeding 1Tbps); network segmentation and isolation; Zero Trust network architecture.
• 6.3 Security Technical MeasuresSFTPMAC data centers continuously pursue ISO/IEC 27001 Information Security Management System certification and undergo regular third-party penetration testing.
• Disaster Recovery Mechanisms:Critical data is backed up in real-time to geographically isolated remote facilities; RTO (Recovery Time Objective) < 1 hour, RPO (Recovery Point Objective) < 15 minutes.

In the event of a data breach or security incident that may affect the security of your personal information, SFTPMAC will: (a) report to relevant regulatory authorities within 72 hours of incident confirmation (where applicable); (b) issue notifications to affected users via email or platform announcements when required by law or deemed necessary; (c) initiate incident response protocols and take necessary containment and remedial measures. However, inherent risks in internet transmission and data storage cannot be completely eliminated; SFTPMAC cannot provide absolute guarantees for any security measures, and users must acknowledge and assume a certain degree of residual security risk (see Section 11 for details).

User Rights & Choices

In accordance with applicable data protection laws, you enjoy the following rights regarding your personal information. SFTPMAC is committed to responding to your reasonable requests within the timeframe prescribed by law (usually 30 business days after receipt of the request), while reserving the right to review the reasonableness of the request and verify your identity in accordance with the law.

• Right to Information and Access:You have the right to know whether SFTPMAC holds your personal information and to obtain copies of such information. We may charge a reasonable administrative fee for large-volume data exports, and such requests are limited to twice per year per user.
• Right to Rectification:If you find that the personal information we hold is inaccurate or incomplete, you have the right to request rectification. Basic information on the account page can be modified by yourself; for verified identity verification information, a support ticket must be submitted with supporting documentation.
• 7.1 Your RightsUnder the following circumstances, you may request the deletion of your personal information: (i) processing purposes have been fulfilled and there is no legal basis for continued retention; (ii) you withdraw consent and there is no other legal basis for processing; (iii) SFTPMAC processes your personal information unlawfully. Please note that data we retain as required by law (such as transaction records and logs) is not within the scope of erasable data.
• Right to Portability:You have the right to obtain personal information you provided to SFTPMAC in a structured, machine-readable format and request its transfer to another service provider (within the extent technically feasible).
• Right to Restrict Processing:In specific circumstances (e.g., during a period of dispute over data accuracy or during the review of a deletion request), you may request that SFTPMAC suspend active processing of your data.
• Right to Object:You may object at any time to the processing of your personal information based on legitimate interests, including processing for direct marketing purposes. Once you object to marketing processing, we will immediately stop using your data for that purpose.
• Right to Withdraw Consent:For processing activities conducted based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted based on consent prior to the withdrawal.
• Right Regarding Automated Decision-making:You have the right to request human review of automated decisions that affect your rights and interests (such as risk control blocking or account banning) and the right to object to such decisions.

You may submit a rights request through the following methods: (a) log in to your account and access the "Privacy and Data" self-service page; (b) send an email to [email protected] with the subject line "Data Rights Request"; (c) submit via the platform support ticket system. To protect your account security, we will verify your identity before processing the request and may require you to provide additional identification documents.[email protected], with the email subject clearly marked as "Data Rights Request"; (c) submit via the platform support ticket system. To ensure your account security, we will verify your identity before processing your request and may require you to provide additional identity documentation.

Under the following circumstances, SFTPMAC may partially or fully refuse your rights request: (a) responding to the request would harm the legitimate rights and interests of other individuals; (b) responding to the request would impede ongoing law enforcement or regulatory investigations; (c) the request is technically infeasible; (d) the request falls under specific exceptions clearly defined by law. For refused requests, we will provide an explanation and inform you of available appeal channels.

Cross-border Data Transfers

As a globalized cloud Mac rental platform, SFTPMAC operates services in multiple data centers worldwide; therefore, your personal information may be transferred to jurisdictions outside of your country or region for processing and storage.

For users from the European Economic Area (EEA), SFTPMAC relies on the following lawful transfer mechanisms approved by the European Commission when conducting cross-border data transfers:

• Standard Contractual Clauses (SCC):Signing Standard Contractual Clauses approved by the European Commission with data processors located outside the EEA.
• Adequacy Decisions:Transferring data to countries or regions that the European Commission has determined provide an adequate level of data protection (e.g., UK, Japan, etc.).

If your jurisdiction has mandatory data localization requirements, SFTPMAC will take corresponding compliance measures in accordance with the law. Specific arrangements can be consulted via [email protected].[email protected] for consultation.

Equipment Rental Monitoring & Compliant Use

To ensure the security and stability of platform infrastructure, SFTPMAC implements monitoring at the platform level for rented instances, specifically including:platform-level monitoring, which specifically includes:

• Resource Utilization Monitoring:Continuous collection of metrics such as CPU, memory, disk I/O, and network bandwidth used for billing, SLA assurance, and resource scheduling.
• Network Traffic Metadata:Monitoring the metadata layer of network connections (source/destination IP, ports, protocols, traffic bytes). We do not inspect payload content (i.e., no Deep Packet Inspection, DPI), but detect abnormal traffic patterns involving prohibited activities (e.g., large-scale scanning, DDoS initiation).not inspect payload content (i.e., no Deep Packet Inspection, DPI), but we do detect abnormal traffic patterns involving prohibited activities (e.g., large-scale scanning, DDoS initiation).
• Process Running List:Regular collection of process names and PID lists running on the instance for security compliance checks (e.g., detecting mining processes). We do not read process memory content or inter-process communication data.notnot read process memory content or inter-process communication data.
• 9.2 Security Incident Triggered Enhanced Auditingonly recording metadata of connection establishment/termination (timestamp, source IP, authentication results),notrecording session content (keystrokes, screen displays), except in the following circumstances (see Section 9.2).
• Disk Usage:Monitoring of total storage volume without active scanning of file content; however, suspected prohibited content (e.g., CSAM materials confirmed via hash matching) will be handled in accordance with the law.

When the platform detects the following abnormal conditions and has reasonable grounds to believe that a violation has occurred, SFTPMAC reserves the right to initiate Enhanced Security Auditing on the involved instance. Specific measures include, but are not limited to: (a) capturing instance network traffic for security analysis; (b) performing forensic examination of instance disk images; (c) reviewing system log files. Trigger conditions include:

• Initiating high-frequency port scanning, network attacks, or DDoS traffic to external targets.
• Sending large volumes of spam or phishing emails.
• Running cryptocurrency mining programs on the instance (except in explicitly authorized scenarios).
• 9.3 User Compliance Obligations
• Investigative orders issued by judicial or regulatory authorities in accordance with the law.
• Other reasonable scenarios where SFTPMAC deems an investigation necessary.

By using the SFTPMAC rental services, you explicitly commit to:

• Not processing, storing, or distributing any content or data that violates the laws of your jurisdiction on the rented instance.
• Not using the rented instance for network attacks, intrusion testing (pre-authorized in writing only), or malicious activities against third parties.
• Safeguarding your SSH keys and VNC passwords. You assume full legal responsibility for any instance misuse by third parties resulting from your own negligence.
• Indemnifying SFTPMAC in full for all losses, legal liabilities, regulatory penalties, or third-party claims arising from your non-compliant use.

Protection of Minors

SFTPMAC services are intended for adults with full capacity for civil conduct. We do not provide account registration or service purchases to minors under 18 years of age (or the legal age of majority in your jurisdiction).

If you are a minor, please use this service under the supervision of a parent or guardian and with their explicit consent. If we discover that we have collected personal information from a minor without parental or guardian consent, we will take steps to delete the relevant data as quickly as possible and may suspend or terminate the associated account.

If you are a parent or guardian of a minor and find that your ward has registered an SFTPMAC account without authorization, please contact [email protected] immediately. We will cooperate with you to process account cancellation and data deletion.[email protected], and we will cooperate with you to process account cancellation and data deletion.

Limitation of Liability & Disclaimer

11.2 Data Content DisclaimerHowever, given the inherent characteristics of the internet and information technology, SFTPMAC cannot guarantee absolute data security.SFTPMAC shall not be held liable for compensation, or shall limit its liability to the maximum extent permitted by applicable law, for data security incidents occurring in the following circumstances:

• Account credential leakage due to your own actions (including but not limited to password sharing, falling victim to phishing attacks, or devices being infected with malware).
• 11.3 Maximum Liability Cap
• Data leakage caused by system defects or attacks targeting third-party data processors (such as payment institutions or cloud service providers). SFTPMAC assumes no joint liability but will assist you in protecting your rights within the extent permitted by law.
• Unauthorized access, leakage, or destruction of data resulting from your violation of this policy or the Terms of Service.
• 11.4 Third-Party Service Disclaimer

SFTPMAC provides hardware compute rental services. We assume no responsibility for the data content stored, processed, or transmitted on your rented instance. You assume full legal responsibility for all data and activities on the rented instance. SFTPMAC shall not be liable for any direct, indirect, incidental, special, punitive, or consequential damages arising from your use of the instance for any activity, regardless of the nature of the claim (tort, contract, or otherwise) and whether or not SFTPMAC has been advised of the possibility of such damages.

In no event shall the total aggregate liability of SFTPMAC to you for any breach of this Privacy Policy exceed the total amount of service fees actually paid by you to SFTPMAC in the 3 months preceding the claim event, and in no case shall it exceed 10,000 RMB (or equivalent currency). This liability cap applies to legal claims of any form and shall not be invalidated by the failure of the essential purpose of any limited remedy. Some jurisdictions do not allow the limitation of liability for implied warranties or certain types of damages; in such jurisdictions, the aforementioned limitations may not apply to you, and you may possess additional legal rights.be limited to the total service fees actually paid by you to SFTPMAC in the 3 months preceding the claim event, and in no case shall it exceed 10,000 RMB (or equivalent currency). This liability cap applies to legal claims of any form and shall not be invalidated by the failure of the essential purpose of any limited remedy. Some jurisdictions do not allow the limitation of liability for implied warranties or certain types of damages; in such jurisdictions, the aforementioned limitations may not apply to you, and you may possess additional legal rights.

12.1 Right to Amend Policy

You agree to fully indemnify and hold SFTPMAC, its affiliates, directors, employees, and agents harmless from any claims, losses, liabilities, damages, costs, and expenses (including reasonable attorney fees) arising from: (a) your violation of this Privacy Policy or the Terms of Service; (b) illegal or infringing activities on your rented instance; (c) damages suffered by SFTPMAC due to false information provided by you; (d) losses caused to SFTPMAC or third parties due to unauthorized access to your account resulting from your negligence.

12.3 Deemed Acceptance

SFTPMAC reserves the full right to modify, update, or replace this Privacy Policy at any time without your prior consent. The revised policy shall become effective upon its publication. We may amend this policy for reasons including: adapting to changes in laws and regulations, adding or adjusting service features, responding to regulatory requirements, improving data protection practices, or optimizing clarity of expression.We may amend this policy for reasons including: adapting to changes in laws and regulations, adding or adjusting service features, responding to regulatory requirements, improving data protection practices, or optimizing clarity of expression.

For material changes (such as substantially changing the purpose of data processing or introducing new categories of data sharing), we will notify you through one or more of the following methods:

• Sending email notifications to your registered email address (notification is deemed effective upon the sending of the email by SFTPMAC, regardless of actual review).
• Posting a prominent notice on the platform homepage or console page for at least 30 consecutive days.
• Prompting you to review the updated policy via a pop-up window or embedded banner upon your next login.

For non-material changes (such as typo corrections, expression optimization, or updated legal references), SFTPMAC may not provide separate active notifications and will only update the "Last Updated" date at the top of the page.

Regardless of whether SFTPMAC has notified you of policy changes, your continued access to or use of any platform services after the policy update constitutes your full knowledge and unconditional acceptance of all contents of the revised policy. If you do not accept the revised policy, your sole remedy is to immediately stop using all platform services and cancel your account. To cancel your account, please send a request to [email protected].If you do not accept the revised policy, your sole remedy is to immediately stop using all platform services and cancel your account. To cancel your account, please send a request to [email protected] for graphical interfaces.

13.4 Right to Complain to Regulatory Authorities

Governing Law, Dispute Resolution & Jurisdiction

The interpretation, validity, and dispute resolution of this policy shall be governed by the laws of Singapore (the place of registration of SFTPMAC Global).

For any dispute arising out of or in connection with this policy, both parties shall first attempt to resolve it through amicable negotiation. You may initiate the negotiation process by sending a written complaint to [email protected]. SFTPMAC commits to providing a substantive response within 15 business days of receiving the complaint.[email protected]. SFTPMAC commits to providing a substantive response within 15 business days of receiving the complaint.

If the dispute cannot be resolved within 30 days through amicable negotiation, both parties agree to submit the dispute to the Singapore International Arbitration Centre (SIAC) for final resolution by arbitration in accordance with the SIAC Rules then in effect. The seat of arbitration shall be Singapore, the language of arbitration shall be English, and the arbitral award shall be final and binding on both parties. However, the following matters are not subject to this arbitration clause: (a) emergency injunctive relief applications by SFTPMAC to protect its intellectual property or platform security; (b) complaints filed by you with data protection regulatory authorities as provided by law.

The arbitration clause of this policy does not affect your right to file a complaint with the competent data protection regulatory authority according to the law. EU users may complain to the Data Protection Authority (DPA) of their respective member state; Singapore users may complain to the Personal Data Protection Commission (PDPC); users in other regions may complain to their local competent data protection authority.

Contact Us · Data Protection Contact

If you have any questions, comments regarding this Privacy Policy, or need to exercise your data rights, please contact us through the following channels. Our data protection team will carefully handle every request within the timeframes prescribed by law.