Privacy Policy

Last Updated: January 17, 2025

xpos.dev ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SSH tunneling service (the "Service").

            TL;DR: We collect minimal data (IP addresses, user agents, basic usage logs) to operate the service and prevent abuse. We don't require accounts, don't collect names or emails, and automatically delete tunnel data after 3 hours. Your tunneled traffic is encrypted via SSH and we never inspect or store the contents of your traffic.
        

1. Information We Collect

1.1 Automatically Collected Information

When you use our Service, we automatically collect certain information:

Connection Data: IP address, SSH connection timestamps, tunnel session duration
Tunnel Metadata: Unique tunnel identifiers (slugs), allocated port numbers, tunnel status (active/ended)
Visitor Logs: When someone visits your public tunnel URL, we log: visitor IP address, HTTP user agent, referrer URL, accept-language header, requested path, and visitor decision (accepted or rejected warning)
Technical Data: Browser type, operating system, device information (only for web visitors, not tunnel creators)

1.2 Information We Do NOT Collect

No user accounts, names, or email addresses required
No payment information (service is currently free)
No contents of your tunneled traffic (end-to-end SSH encryption)
No persistent tracking cookies (we only use session cookies for security warnings)

2. How We Use Your Information

We use the collected information for the following purposes:

Service Operation: To establish and maintain SSH tunnels, route traffic, and provide you with public URLs
Security & Abuse Prevention: To detect and prevent malicious activity, DDoS attacks, phishing attempts, and terms of service violations
Analytics: To understand usage patterns, improve service performance, and optimize infrastructure
Legal Compliance: To comply with applicable laws, legal processes, or governmental requests
Service Improvements: To debug issues, develop new features, and enhance user experience

3. Data Retention

            Automatic Deletion: Tunnel data is automatically deleted after 3 hours (free tier) from tunnel creation. This is a security feature by design.
        

Active Tunnels: Stored in Redis cache and MariaDB during tunnel lifetime (max 3 hours)
Visitor Logs: Retained for up to 90 days for security analysis and abuse prevention
Aggregate Statistics: We may retain anonymized, aggregated usage statistics indefinitely for service improvement
Legal Obligations: We may retain data longer if required by law or to defend legal claims

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share your information in the following circumstances:

4.1 Service Providers

We may share data with third-party service providers who assist us in operating the Service:

Infrastructure providers (hosting, CDN)
Analytics services (to understand usage patterns)
Security and fraud prevention services

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

Valid legal process (subpoena, court order, warrant)
Requests from law enforcement or government agencies
Protection of our rights, property, or safety
Emergency situations involving danger of death or serious physical injury

4.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

5. Data Security

We implement industry-standard security measures to protect your information:

End-to-End Encryption: All tunnels use SSH protocol with strong encryption
HTTPS: All public tunnel URLs are served over HTTPS with valid TLS certificates
Infrastructure Isolation: Tunnel servers are isolated from database and admin systems
Access Controls: Strict access controls and authentication for administrative systems
Regular Security Audits: We conduct regular security reviews and updates

Important: No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Your Privacy Rights

6.1 General Rights

Depending on your location, you may have the following rights:

Access: Request a copy of personal information we hold about you
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your personal information (subject to legal obligations)
Objection: Object to processing of your personal information
Data Portability: Request transfer of your data to another service (where applicable)

6.2 GDPR Rights (EU/UK Residents)

If you are located in the European Union or United Kingdom, you have additional rights under GDPR:

Right to withdraw consent at any time
Right to lodge a complaint with a supervisory authority
Right to restriction of processing

6.3 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under CCPA:

Right to know what personal information we collect, use, and disclose
Right to request deletion of your personal information
Right to opt-out of sale of personal information (we do not sell data)
Right to non-discrimination for exercising your privacy rights

6.4 Exercising Your Rights

To exercise any of these rights, please contact us at: [email protected]

We will respond to your request within 30 days (or as required by applicable law).

7. Cookies and Tracking

We use minimal cookies for essential service functionality:

7.1 Essential Cookies

xpos_accept: Session cookie to remember your security warning decision (1 year expiration)
These cookies are necessary for the Service to function and cannot be disabled

7.2 Analytics

We may use analytics tools to understand service usage. These tools may use cookies or similar technologies. You can opt-out using browser settings or privacy extensions.

8. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

9. International Data Transfers

Our servers are located in [SPECIFY LOCATIONS]. If you access our Service from outside these locations, your information may be transferred to, stored, and processed in these jurisdictions. By using the Service, you consent to such transfers.

For EU/UK users: We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses approved by the European Commission.

10. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read their privacy policies.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on this page
Updating the "Last Updated" date at the top
Providing prominent notice on our website for significant changes

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]
Support: [email protected]
Website: https://xpos.dev

13. Legal Basis for Processing (GDPR)

For EU/UK users, our legal bases for processing your personal data are:

Legitimate Interests: To operate, maintain, and improve the Service; to prevent fraud and abuse
Contract Performance: To provide the tunneling service you request
Legal Obligations: To comply with applicable laws and regulations
Consent: Where we ask for your explicit consent (you may withdraw at any time)

← Back to Home | Terms of Service →