Privacy Policy

Last updated: March 18, 2026

This Privacy Policy describes how tunnelto ("we", "us", "our") collects, uses, and protects information when you use our tunnel proxy service at tunnelto.me and associated client software (the "Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address
• Name (as provided by your authentication provider)
• Authentication identifiers (e.g. OAuth user ID)

1.2 Payment Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other financial information on our servers. We retain only the Stripe customer ID and subscription ID necessary to manage your account.

1.3 Usage and Traffic Metadata

We collect and store:

• Tunnel configuration data (domain names, port numbers, TLS settings)
• Aggregate bandwidth usage (bytes transferred per tunnel, per hour/day)
• Connection timestamps and client version information
• IP addresses of connecting clients (for logging and abuse prevention)

1.4 Tunneled Traffic

When you use server-side TLS termination (the default), HTTP request and response data passes through our servers in decrypted form. We do not inspect, log, store, or analyze the content of your tunneled traffic. Traffic is forwarded in real-time and is not retained after delivery.

When you use client-side TLS termination or passthrough mode, tunneled traffic passes through our servers in encrypted form that we cannot read.

Regardless of TLS mode, we record only aggregate byte counts (ingress and egress) for bandwidth metering purposes.

1.5 Cookies

We use a single session cookie to maintain your authenticated session on the admin dashboard. This cookie is HttpOnly, Secure, SameSite=Lax, and expires after 30 days. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

2. How We Use Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Authenticate your identity and manage your account
• Process payments and manage subscriptions
• Enforce usage limits and rate limits based on your plan
• Monitor for abuse and enforce our Terms of Service
• Communicate with you about your account (e.g. billing issues, security notices)

3. Information Sharing

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

• Payment processing: We share necessary account information with Stripe to process payments.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Abuse prevention: We may share IP addresses or account information with law enforcement or affected parties in cases of confirmed abuse of the Service.

4. Data Retention

• Account data is retained as long as your account is active. If you delete your account, we will delete your personal data within 30 days.
• Traffic metadata (hourly aggregates) is retained for 90 days. Daily aggregates are retained for the lifetime of your account.
• Tunneled traffic content is never stored and exists only in transit.
• Server logs containing IP addresses and request metadata are retained for up to 30 days.

5. Data Security

We implement reasonable technical and organizational measures to protect your data, including encryption in transit (TLS), bcrypt hashing for stored credentials, and SSH key isolation per tunnel. No method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

6. Your Rights

You may access your personal data through the dashboard, correct inaccurate data by updating your account settings, delete your account and associated data by contacting us, or export your tunnel configuration and traffic data through the API.

7. International Data Transfers

The Service is operated from servers that may be located in various jurisdictions. By using the Service, you consent to the transfer of your information to these locations, which may have different data protection laws than your country of residence.

8. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending you an email. Continued use after changes take effect constitutes acceptance.

10. Contact

For privacy-related questions or requests, contact us at privacy@tunnelto.me.