Privacy Policy
Effective date: May 13, 2026
1. Overview
DevNet (“we”, “us”, or “our”) operates the devnet.sh website and tunneling service. This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information. By using DevNet, you agree to the practices described here.
2. Information We Collect
Account information
When you create an account we collect your email address and, if you choose to set one, a display name. Passwords are hashed and managed by Supabase Auth — we never store plain-text passwords.
Tunnel activity
We store metadata about tunnels you create: the subdomain, local port, TTL, creation time, and expiry time. We also maintain an audit log of connection events (requests, approvals, denials) associated with your account. Raw request bodies are never stored.
Usage and bandwidth
We track the total bytes transferred through your tunnels each billing period to enforce plan limits. This counter resets monthly and is not broken down by request.
Billing information
Payments are processed by Stripe. We store only your Stripe Customer ID and current subscription plan. Full payment card details are held exclusively by Stripe and never touch our servers.
Connection metadata
When a visitor connects through your tunnel, we log their IP address, browser/OS (derived from the User-Agent string), HTTP method, and path. This information is shown to you for approval purposes and stored in your audit log.
Email invites
If you use the --invite flag, we send a one-time tunnel link to the email address you specify via Mailjet. We do not store recipient email addresses after the message is sent.
3. How We Use Your Information
- To provide and operate the tunneling service
- To authenticate your account and secure access to your tunnels
- To enforce plan limits (tunnel count, bandwidth, TTL)
- To process payments and manage your subscription via Stripe
- To send transactional emails (tunnel invites, password resets) via Mailjet
- To investigate abuse, security incidents, or violations of our Terms of Service
- To comply with applicable laws and legal obligations
We do not sell your personal data to third parties. We do not use your data for advertising.
4. Third-Party Services
We use the following third-party services to operate DevNet:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Database, authentication, and row-level security | supabase.com/privacy |
| Stripe | Payment processing and subscription management | stripe.com/privacy |
| Cloudflare | DNS, proxying, and DDoS protection | cloudflare.com/privacypolicy |
| Mailjet | Transactional email delivery | mailjet.com/privacy-policy |
| AWS EC2 | Relay server infrastructure | aws.amazon.com/privacy |
5. Data Retention
We retain your account information and audit logs for as long as your account is active. If you delete your account, your personal data and associated records are permanently deleted within 30 days, except where we are required to retain them for legal or financial compliance purposes (e.g. billing records, which may be retained for up to 7 years).
Bandwidth counters reset automatically at the start of each billing period. Expired tunnel records are retained in your history but contain no personally identifiable information beyond what was captured at creation time.
6. Cookies
We use strictly necessary cookies only. Specifically:
- Authentication cookies — set by Supabase to maintain your login session on the dashboard.
- Tunnel access cookies — set by the relay server to remember device approval status for active tunnels (e.g.
devnet_token,devnet_auth).
We do not use analytics, advertising, or tracking cookies.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request that inaccurate data be corrected
- Deletion — request that your data be deleted (“right to be forgotten”)
- Portability — request your data in a machine-readable format
- Objection — object to certain processing of your data
To exercise any of these rights, email us at support@devnet.sh. We will respond within 30 days.
8. Data Security
All data in transit is encrypted via TLS. Data at rest is encrypted by Supabase and AWS. Access to production systems is restricted to authorized personnel and protected by SSH key authentication. We do not store plain-text passwords, payment card details, or the content of tunneled requests.
9. Children's Privacy
DevNet is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify you via email or a prominent notice on the dashboard. Your continued use of DevNet after changes take effect constitutes acceptance of the updated policy.
11. Contact
If you have any questions about this Privacy Policy, please contact us at: support@devnet.sh