Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address -- used for authentication (login codes), account recovery, and transactional notifications
• Display name -- optional, used for identification within the dashboard and team features

1.2 Usage Data

While you use the Service, we automatically collect:

• Tunnels created -- the number and configuration of tunnels (subdomain, port, protocol), but not the traffic flowing through them
• Domains registered -- custom domains you configure with the Service
• Login timestamps -- when you sign in to the dashboard or authenticate via the CLI
• IP addresses -- the IP address from which you connect, used for security monitoring and abuse prevention

1.3 Payment Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full card details on our servers. We receive and store only:

• A Stripe customer ID that links your devenv.tools account to your Stripe payment profile
• The last four digits of your card (for display purposes in the dashboard)
• Billing history (invoice amounts, dates, and payment status)

1.4 Technical Data

To diagnose issues and improve the Service, we may collect:

• Browser type and version -- when you use the web dashboard
• Operating system -- reported by the CLI client for compatibility purposes
• CLI version -- to ensure you are running a supported version
• Error logs -- stack traces and error messages generated by the Service when something goes wrong (these are sanitized to remove personal data where possible)

1.5 What We Do NOT Collect

To be clear about boundaries:

• We do not inspect, log, or store the content of traffic flowing through your tunnels
• We do not use third-party analytics or tracking services
• We do not collect data from your local development environment beyond what the CLI explicitly sends

2. How We Use Your Information

We use the information we collect for the following purposes:

We do not use your information for advertising, profiling, or any purpose unrelated to providing and improving the Service.

3. Information Sharing

We share your information only in the following limited circumstances:

3.1 Service Providers

• Stripe -- processes payments on our behalf. Stripe receives your payment details directly and is governed by Stripe's Privacy Policy.
• Email provider -- we use a transactional email service to deliver login codes, billing notifications, and account alerts. The provider receives your email address and the content of the message.

3.2 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties. Period. This is not a revenue model we will ever pursue.

3.3 Legal Requirements

We may disclose your information if we are required to do so by law, court order, or government request. If legally permitted, we will notify you before making such a disclosure so you have the opportunity to contest it. We will resist overbroad or vague requests and will only disclose the minimum information necessary to comply.

3.4 Business Transfers

If devenv.tools is acquired, merged, or substantially all of its assets are transferred, your information may be part of that transaction. In such an event, we will notify you by email and give you the opportunity to delete your account before the transfer takes effect.

4. Data Storage and Security

4.1 Encryption in Transit

All connections to the Service -- including the web dashboard, CLI, and tunnel traffic -- are encrypted using TLS (Transport Layer Security). We enforce HTTPS on all endpoints and do not support unencrypted connections.

4.2 Encryption at Rest

Our databases are encrypted at rest using industry-standard encryption (AES-256). Database backups are similarly encrypted.

4.3 Access Controls

Access to production systems and user data is restricted to authorized personnel only. We use role-based access controls, audit logging, and multi-factor authentication for all infrastructure access.

4.4 Infrastructure

Our edge servers and data storage are hosted in professionally managed data centers with physical security controls. We select providers with strong security track records and compliance certifications.

4.5 Incident Response

In the event of a data breach that affects your personal information, we will notify you by email within 72 hours of confirming the breach, in accordance with applicable data protection laws. The notification will describe the nature of the breach, the data affected, and the steps we are taking to address it.

5. Data Retention

5.1 Active Accounts

We retain your account data for as long as your account is active. If your account has been inactive (no logins or tunnel activity) for 12 months, we may send you a notification and, after an additional 30-day grace period, close the account and delete the associated data.

5.2 Account Deletion

When you delete your account, all associated personal data -- including your profile, tunnel configurations, domain registrations, and usage history -- will be permanently deleted within 30 days. Some data may persist in encrypted backups for up to 90 days before those backups are rotated.

5.3 Logs

Server access logs and error logs that may contain IP addresses or request metadata are retained for 90 days, after which they are automatically purged. This retention period allows us to investigate security incidents and debug issues reported by users.

5.4 Billing Records

We retain billing records (invoice history, payment amounts, subscription changes) for up to 7 years after your last payment, as required for tax and accounting compliance. These records do not include full payment card details.

6. Your Rights

Regardless of where you are located, we provide all users with the following rights over their personal data. These rights are aligned with GDPR and similar data protection frameworks:

6.1 Access Your Data

You can view your account information, tunnel history, and domain configurations at any time through the dashboard. Programmatically, your data is available via GET /account on our API.

6.2 Correct Your Data

You can update your email address, display name, and other account information through the dashboard or via PATCH /account on our API.

6.3 Delete Your Data

You can delete your account and all associated data through the dashboard settings or via DELETE /account on our API. Deletion is permanent and cannot be undone after the 30-day processing period.

6.4 Export Your Data

You can request a complete export of your personal data by emailing privacy@devenv.tools. We will provide the export in a machine-readable format (JSON) within 30 days of your request.

6.5 Object to Processing

If you believe we are processing your data in a way that is not covered by this Privacy Policy or not justified by a legitimate interest, you can object by contacting privacy@devenv.tools. We will review your objection and respond within 30 days.

6.6 Withdraw Consent

Where we process your data based on consent (rather than contractual necessity or legitimate interest), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.

7. Cookies and Local Storage

7.1 What We Use

The devenv.tools dashboard uses localStorage in your browser to store a JWT (JSON Web Token) for authentication. This token keeps you signed in between visits and is required for the dashboard to function.

7.2 What We Do NOT Use

• No tracking cookies -- we do not use cookies to track your behavior across sessions or across websites
• No analytics cookies -- we do not use Google Analytics, Mixpanel, or any other third-party analytics service that sets cookies
• No advertising cookies -- we do not serve ads and do not use any advertising-related cookies or tracking pixels
• No third-party cookies -- the only client-side storage we use is the JWT in localStorage for authentication

7.3 Clearing Your Data

You can sign out from the dashboard at any time, which removes the JWT from localStorage. You can also clear your browser's localStorage manually to remove all devenv.tools client-side data.

8. Children

The Service is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a user is under 16, we will take steps to delete their account and associated data promptly.

If you are a parent or guardian and believe your child has created an account on devenv.tools, please contact us at privacy@devenv.tools and we will delete the account.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:

• Minor changes (clarifications, formatting) will be made directly and the effective date will be updated
• Material changes (new data collection, new sharing partners, changes to your rights) will be communicated via email to all registered users at least 14 days before they take effect

We encourage you to review this page periodically. The "Effective date" at the top of the page indicates when the policy was last updated.

10. Contact

If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, contact us:

• Privacy inquiries: privacy@devenv.tools
• General support: support@devenv.tools

We aim to respond to all privacy-related inquiries within 14 days. If you are in the EU and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority.