Privacy Policy

Last updated: March 29, 2026

Tunels.io ("Tunels", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

1. Information We Collect

Account Information

When you create an account, we collect your email address, name, and password (stored as a secure hash). If you subscribe to a paid plan, we collect billing information through our payment processor (Stripe). We do not store credit card numbers on our servers.

Usage Data

We automatically collect information about how you use our services, including:

  • Tunnel connections (creation time, duration, protocol, bandwidth usage)
  • API requests (endpoints accessed, request counts, response times)
  • Login activity (timestamps, IP addresses, user agent)
  • Feature usage (pages visited, actions taken)
Device and Browser Information

We collect your IP address, browser type, operating system, and device information when you access our services. This information is used for security, analytics, and to improve your experience.

Tunnel Metadata

When you create and use tunnels, we collect and store metadata about your tunnel activity, including:

  • Your IP address at the time of tunnel creation
  • Tunnel URLs, protocols, and port configurations
  • Connection timestamps (start, end, duration)
  • Bandwidth usage (bytes transferred in and out)
  • Request counts and error rates

We do not inspect, monitor, or log the content of traffic passing through your tunnels. However, we retain tunnel metadata for security purposes, abuse investigation, plan enforcement, and compliance with legal obligations.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and manage your subscription
  • Send you transactional emails (account verification, password resets, billing notifications)
  • Enforce plan limits (bandwidth, tunnel count, requests per second)
  • Detect and prevent fraud, abuse, and security threats
  • Respond to your support requests and inquiries
  • Generate aggregated, anonymized analytics to improve our platform

3. Information Sharing

We do not sell your personal information. We may share your information with:

  • Payment processors: Stripe processes your payment information. Their privacy policy applies to payment data.
  • Email service providers: We use third-party email services to send transactional emails.
  • Law enforcement: We may disclose your account information and tunnel metadata if required by law, court order, or government request. We may also proactively report illegal activity, including child exploitation material, to the appropriate authorities. This includes sharing IP addresses, tunnel logs, account details, and any other relevant metadata.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred.

4. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will:

  • Provide a 30-day grace period during which you can recover your account
  • Permanently delete your personal data after the grace period
  • Retain anonymized usage data for analytics purposes
  • Keep audit logs for up to 2 years for security and legal compliance

5. Data Security

We implement industry-standard security measures to protect your data:

  • Passwords are hashed using bcrypt with a high cost factor
  • All connections are encrypted using TLS/HTTPS
  • API tokens are stored securely (hashed or encrypted)
  • Sessions are tracked and can be revoked at any time
  • Rate limiting protects against brute-force attacks
  • Account lockout after multiple failed login attempts

6. Your Rights

You have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update or correct inaccurate personal data
  • Deletion: Request deletion of your account and personal data
  • Export: Request an export of your data in a portable format (JSON, CSV, or ZIP)
  • Restriction: Request that we limit how we use your data
  • Objection: Object to the processing of your personal data

To exercise any of these rights, contact us at [email protected] or use the account settings in your dashboard.

7. Cookies and Tracking

We use the following cookies:

  • Session cookie (session_id): Required for authentication. HttpOnly, Secure, expires after 7 days.
  • Authentication cookie (auth_token): Stores your JWT access token. HttpOnly, Secure, expires after 30 minutes.
  • CSRF cookie (csrf_token): Protects against cross-site request forgery. HttpOnly, Secure, expires after 1 hour.

We do not use third-party tracking cookies or advertising cookies.

8. Third-Party Services

Our services integrate with the following third parties:

9. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will delete it promptly.

10. International Data Transfers

Our servers are located in North America. If you access our services from outside this region, your data may be transferred to and processed in Canada or the United States. By using our services, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, contact us at: