Privacy Policy
Last updated on April 2, 2026
1. Introduction
Welcome to xpos.dev, operated by Codes Easy, based in Kochi, Kerala, India. xpos provides SSH tunneling services that allow developers to expose local development servers to the internet through secure SSH connections.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website at xpos.dev, our tunneling service via xpos.to, and any related services (collectively, the “Service”).
By using xpos, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — for account identification and communication
- Name — for personalizing your experience
- Password (if using email/password authentication) — stored securely using Argon2id hashing (we never store plaintext passwords)
- Google account ID (if using Google OAuth) — for authentication only
2.2 Usage Information
When you use the tunneling service, we automatically collect:
- IP address — for geo-detection (currency determination), rate limiting, and abuse prevention
- SSH connection metadata — connection timestamps, tunnel hostnames, session duration
- Bandwidth usage — bytes transferred through your tunnels (for tier enforcement and billing)
- Request counts — number of HTTP requests proxied through your tunnels
2.3 Request Inspection Data (Pro and Business Plans)
If you are subscribed to a Pro or Business plan, the Request Inspection feature records the following data for each HTTP request proxied through your tunnels:
- HTTP method and URL path
- Response status code and response size
- Request latency
- Redacted request headers (sensitive values such as Authorization and Cookie are masked)
- Timestamp of the request
This data is stored temporarily in Redis for a maximum of 1 hour and is limited to 50 entries per tunnel. It is used solely to provide you with debugging and monitoring capabilities for your tunnels. It is not shared with third parties and is automatically deleted after the retention period.
2.4 Payment Information
If you subscribe to a paid plan, payment processing is handled entirely by our authorized payment processors. We do not store your credit card numbers, bank account details, or UPI IDs. We retain:
- Payment processor customer and subscription identifiers
- Payment transaction IDs and status
- Subscription plan, currency, and billing interval
- Payment amounts and timestamps
2.5 Anonymous Usage
xpos can be used anonymously without an account. For anonymous users, we collect only your IP address and basic connection metadata for the duration of the tunnel session. This data is not linked to any persistent identity.
3. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service — routing tunnel traffic, managing sessions, allocating subdomains
- Process billing — managing subscriptions, processing payments, enforcing tier limits
- Enforce usage limits — bandwidth caps, rate limiting, concurrent tunnel limits per your plan tier
- Prevent abuse — detecting and blocking malicious use of tunnels (phishing, malware distribution, etc.)
- Send transactional emails — account verification, password resets, billing notifications (via Mailgun)
- Determine pricing currency — using IP-based geolocation to display prices in INR (India) or USD (elsewhere)
- Improve the Service — understanding usage patterns to improve reliability and performance
We do not sell your personal information to third parties. We do not use your data for advertising or profiling purposes.
4. Data Storage & Security
We implement industry-standard security measures to protect your data:
- Passwords are hashed using Argon2id (RFC 9106) with secure parameters — we cannot retrieve your original password
- API tokens are encrypted using AES-256-GCM and stored securely — tokens are accessible from your dashboard and transmitted only over encrypted connections
- Sensitive credentials (such as server bootstrap tokens) are encrypted at rest using AES-256-GCM
- All tunnel traffic is encrypted via SSH (Ed25519 host keys) with automatic TLS certificates for HTTPS
- Database — PostgreSQL with access restricted to localhost and internal network only
- Ephemeral data (active tunnel sessions, rate limit counters) is stored in Redis with append-only persistence for reliability; this data is automatically expired based on tunnel lifetime
5. Third-Party Services
We use the following third-party services that may process your data:
- Payment processors — we use authorized payment processors to handle subscription billing and payment collection. These processors may act as merchant of record depending on your region. We do not store your full payment details — they are held securely by the payment processor.
- Google OAuth — authentication (Google Privacy Policy)
- Cloudflare — DNS management and CDN services (Cloudflare Privacy Policy)
- Hetzner — server hosting infrastructure (Hetzner Privacy Policy)
- Mailgun — transactional email delivery (Mailgun Privacy Policy)
- MaxMind GeoLite2 — IP geolocation for currency determination (no personal data shared; lookup is performed locally)
6. Cookies
We use the following cookies:
- Session cookie — Auth.js encrypted session token for maintaining your login state (essential, httpOnly, secure)
- Interstitial bypass cookie — remembers your acknowledgment of the tunnel warning page for a specific tunnel (essential, short-lived)
When analytics are enabled, we use Google Analytics, which may set cookies to understand site usage. We do not use third-party advertising cookies.
7. Data Retention
- Account data — retained while your account is active. Upon account deletion, personally identifiable information (email, name) is anonymized. The account record is soft-deleted and retained for audit purposes.
- Tunnel session data — active tunnel records are removed when the tunnel disconnects. Historical tunnel usage (aggregated bandwidth, request counts) is retained for billing purposes.
- Bandwidth counters — reset monthly for billing cycle tracking.
- Payment records — retained as required by applicable tax and financial regulations.
- Anonymous tunnel data — tunnel session metadata (including IP address and SSH fingerprint) is stored for operational and abuse-prevention purposes and anonymized after 90 days. The tunnel record is retained but personally identifiable fields (IP address and SSH fingerprint) are removed.
8. Your Rights
You have the right to:
- Access — view the personal data we hold about you through your dashboard
- Correction — update your name and profile information from your account settings
- Deletion — delete your account from the dashboard settings page. This will cancel any active subscription, revoke all API tokens, release all reserved domains, terminate active tunnels, and anonymize your personal information.
- Data export — contact us at [email protected] to request a copy of your data
9. International Data Transfers
Our servers are hosted by Hetzner in data centers located in Germany and Finland (European Union). If you access xpos from outside the EU, your data will be transferred to and processed in these locations. By using the Service, you consent to this transfer.
10. Children's Privacy
xpos is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the “Effective Date” at the top of this page. For material changes, we may notify you via email or a prominent notice on our website. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Company: Codes Easy, Kochi, Kerala, India