# Privacy Policy

**Last Updated:** March 27, 2026

**Effective Date:** March 27, 2026

This Privacy Policy describes how Seawise.io ("Seawise.io", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use the Seawise.io platform, including the website at seawise.io, the Seawise.io API, the Seawise.io Client software, and all related services (collectively, the "Service").

We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

***

## 1. Information We Collect

### 1.1 Account Information

When you create an account, we collect:

* **Email address** — Used for authentication, account recovery, and essential service communications.
* **Display name** — Optional. Used for display purposes in the dashboard.

We use magic link (passwordless) authentication. We do not collect or store passwords.

### 1.2 Server and App Configuration

When you connect servers and configure apps, we store:

* **Server name** — A label you assign to your server.
* **Server status** — Online/offline state and last seen timestamp.
* **App configuration** — Name, host, port, subdomain, and optional icon for each app you expose.
* **Whitelist entries** — Email addresses of users you authorize to access your apps.
* **FRP authentication token** — A cryptographically generated token used to authenticate your server's tunnel connection. This is not a personal credential.

### 1.3 Session and Access Data

When you or your authorized users access apps through Seawise.io, we collect:

* **Session tokens** — Cryptographically generated tokens to maintain authenticated sessions. Sessions expire after 8 hours.
* **IP addresses** — Collected during authentication and access for security and abuse prevention.
* **User agent strings** — Browser/client identifiers, collected for security logging.
* **Timestamps** — When sessions are created, last accessed, and expire.

### 1.4 Billing Information

If you subscribe to a paid plan, payment is processed by our third-party payment processor (currently Paddle), who acts as the Merchant of Record. We store:

* **Subscription status** — Plan type, billing period, renewal dates.
* **Customer and order identifiers** — References to your account with our payment processor (not payment card details).
* **Bandwidth usage** — Aggregate bytes transferred per day, used for plan enforcement.

We **do not** collect, store, or have access to your payment card numbers, bank account details, or other financial instruments. All payment processing, tax collection, and billing are handled by our payment processor.

### 1.5 Usage and Operational Data

We collect operational data to maintain and improve the Service:

* **Bandwidth usage** — Aggregate data transfer volumes per user per day. We do not log individual URLs, request contents, or traffic payloads.
* **Audit logs** — Records of security-relevant actions (login, account deletion, server pairing) including timestamps, IP addresses, and user agents. Retained for security purposes.
* **Error logs** — Application errors and performance data. These may include request metadata but never application traffic content.

### 1.6 Information We Do NOT Collect

* **Application traffic content** — We do not inspect, log, store, or analyze the contents of traffic flowing through your tunnels. Seawise.io acts as an encrypted conduit only.
* **Passwords** — We use passwordless (magic link) authentication.
* **Payment card details** — Handled entirely by our payment processor.
* **Location data** — We do not collect GPS or precise location data.
* **Device fingerprints** — We do not use browser fingerprinting.

***

## 2. How We Use Your Information

We use the information we collect for the following purposes:

| Purpose                                                                      | Legal Basis (PIPEDA)                          |
| ---------------------------------------------------------------------------- | --------------------------------------------- |
| Providing and operating the Service                                          | Necessary for the service you requested       |
| Authenticating your identity                                                 | Necessary for the service you requested       |
| Managing your subscription and billing                                       | Necessary for the service you requested       |
| Enforcing bandwidth limits and plan restrictions                             | Necessary for the service you requested       |
| Preventing abuse and ensuring security                                       | Legitimate interest in protecting the Service |
| Investigating violations of our Terms of Service                             | Legitimate interest in enforcing our Terms    |
| Sending essential service communications (outages, security alerts, billing) | Necessary for the service you requested       |
| Improving the Service                                                        | Legitimate interest in improving our product  |
| Complying with legal obligations                                             | Legal requirement                             |

We **do not** use your information for:

* Advertising or ad targeting.
* Selling or renting to third parties.
* Profiling or automated decision-making.
* Marketing emails (unless you explicitly opt in).

***

## 3. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

### 3.1 Service Providers

We use the following third-party service providers who process data on our behalf:

| Provider                 | Purpose                                                         | Data Shared                                                         |
| ------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------- |
| Supabase                 | Database and authentication                                     | Email, account data, session data                                   |
| Cloudflare               | CDN, DDoS protection, DNS                                       | IP addresses, request metadata (standard web traffic handling)      |
| Paddle                   | Payment processing, tax compliance (Merchant of Record)         | Email, subscription data                                            |
| Hetzner / Cloud Provider | Infrastructure hosting                                          | Encrypted data at rest                                              |
| Sentry                   | Error monitoring                                                | Error metadata, request context (never application traffic content) |
| Resend                   | Transactional email delivery                                    | Email address, email content                                        |
| Google / GitHub (OAuth)  | Authentication (if you choose to sign in with Google or GitHub) | Email address, display name, profile picture                        |

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

### 3.2 Dashboard Sharing

When you add an email address to a dashboard whitelist, the owner of that email address will be able to see the dashboard name and the apps within it (name, subdomain, and status). No other personal information is shared between users.

### 3.3 Legal Requirements

We may disclose your information if required to do so by law, legal process, or government request, or if we believe in good faith that disclosure is necessary to:

* Comply with applicable law or legal process.
* Protect the rights, property, or safety of Seawise.io, our users, or the public.
* Detect, prevent, or address fraud, security, or technical issues.

### 3.4 Business Transfers

If Seawise.io is acquired, merged, or sells substantially all of its assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.

***

## 4. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

| Data Type                                 | Retention Period                                                          |
| ----------------------------------------- | ------------------------------------------------------------------------- |
| Account information (email, display name) | Until you delete your account                                             |
| Server and app configuration              | Until you delete the server/app or your account                           |
| Session tokens                            | Automatically expire after 8 hours; deleted records purged within 30 days |
| Auth codes                                | Expire after 30 seconds; purged within 24 hours                           |
| Bandwidth usage logs                      | 90 days                                                                   |
| Audit logs                                | 1 year                                                                    |
| Billing records                           | As required by Canadian tax law (typically 7 years for financial records) |

When you delete your account:

* Your profile, servers, apps, sessions, and whitelist entries are deleted immediately.
* Your authentication account is deleted from Supabase.
* Billing records may be retained as required by law.
* Audit logs referencing your account are retained for the standard retention period for security purposes.

***

## 5. Data Security

We implement appropriate technical and organizational measures to protect your information:

* **Encryption in transit** — All connections use TLS encryption. Tunnel connections between the Seawise.io Client and our infrastructure are encrypted.
* **Encryption at rest** — Database and storage systems use encryption at rest.
* **Access control** — Row-level security (RLS) policies ensure users can only access their own data. Internal systems use role-based access with least-privilege principles.
* **Authentication security** — Timing-safe token comparison, cryptographically secure random token generation, and automatic session expiration.
* **Infrastructure security** — Kubernetes network policies, Web Application Firewall (WAF), rate limiting, and DDoS protection.
* **Audit logging** — Security-relevant events are logged for incident investigation.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

***

## 6. Your Rights

Under PIPEDA and applicable provincial privacy laws, you have the right to:

* **Access** — Request a copy of the personal information we hold about you.
* **Correction** — Request correction of inaccurate or incomplete personal information.
* **Deletion** — Request deletion of your personal information (subject to legal retention requirements). You can delete your account at any time through the dashboard.
* **Withdraw consent** — Withdraw consent for processing where consent is the basis. Note that withdrawing consent may affect your ability to use the Service.
* **Complaint** — File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

To exercise your rights, contact us at <support@seawise.io>. We will respond within 30 days.

### 6.1 European Users (GDPR)

If you are located in the European Economic Area, you also have the right to:

* Data portability — Receive your data in a structured, machine-readable format.
* Restriction — Request restriction of processing in certain circumstances.
* Object — Object to processing based on legitimate interests.

### 6.2 California Users (CCPA)

If you are a California resident, you have the right to:

* Know what personal information is collected and how it is used.
* Request deletion of your personal information.
* Non-discrimination for exercising your privacy rights.

We do not sell personal information as defined by the CCPA.

***

## 7. Cookies and Similar Technologies

### 7.1 Essential Cookies

We use the following cookies, all of which are essential for the Service to function:

| Cookie Name                   | Purpose                                              | Duration |
| ----------------------------- | ---------------------------------------------------- | -------- |
| `seawise_session_[subdomain]` | Authenticates your access to a specific tunneled app | 8 hours  |

We do not use cookies for analytics, advertising, or tracking.

### 7.2 Third-Party Cookies

Cloudflare may set security cookies (e.g., `__cf_bm`) as part of its DDoS protection and bot management. These are essential security cookies. See Cloudflare's privacy policy for details.

***

## 8. International Data Transfers

Our infrastructure is hosted in North America (Ashburn, Virginia, United States). If you access the Service from outside this region, your data will be transferred to and processed in the region where our servers are located.

For transfers of personal data from the EEA, we rely on Standard Contractual Clauses (SCCs) with our service providers as the legal mechanism for cross-border data transfers, in accordance with GDPR Article 46.

***

## 9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete that information.

***

## 10. Consent

We obtain your consent for the collection and use of your personal information as follows:

* **Express consent** — When you create an account and accept the Terms of Service, you provide express consent for the collection and use of your information as described in this Privacy Policy.
* **Implied consent** — When you use the Service, consent for essential operational data collection (such as session tokens and IP addresses for security) is implied as part of the service you requested.
* **Third-party authentication** — If you choose to sign in with Google or GitHub, you consent to sharing your authentication information with those providers as part of the sign-in process. You can review their privacy policies before choosing this option.

You may withdraw consent at any time by deleting your account through the dashboard. Withdrawal of consent may affect your ability to use the Service.

***

## 11. Data Breach Notification

In the event of a security breach that poses a real risk of significant harm to affected individuals, we will:

* Notify affected users by email as soon as feasible, and no later than 72 hours after becoming aware of the breach.
* Report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA.
* Keep a record of all breaches, whether or not they meet the threshold for notification.

Notification will include the nature of the breach, the types of information involved, steps we are taking to address the breach, and steps you can take to protect yourself.

***

## 12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

***

## 13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

* **Email:** <support@seawise.io>
* **Website:** <https://seawise.io>

**Privacy Officer:** SEAWISE.IO

For complaints, you may also contact the Office of the Privacy Commissioner of Canada at <https://www.priv.gc.ca>.
