1. Who operates NightRoute
NightRoute is operated by NightRoute Labs OÜ, a private company registered in Tallinn, Estonia, at Maakri 19/2, 10145. Under the GDPR, we act as the data controller for everything described below. One person on our team holds the role of privacy lead, and you can reach that person by writing to support@zxcvbnm-pn-test-abc-93848.xyz with the word Privacy in the subject. We are a small team, so answers come from humans, not form letters. If you would rather contact a supervisory authority, the Estonian Data Protection Inspectorate accepts complaints in English at aki.ee, and nothing on this page restricts that right.
2. What we collect, and what we refuse to
We split collection into three buckets. Billing: the email address you hand to our payment processor, plus the opaque customer token the processor returns to us. Diagnostics: crash reports from the client app, tagged by operating system version and build number, never by IP. Support: whatever you type into a ticket, including attachments you attach yourself. What we do not collect is the whole point of NightRoute. The tunnel servers hold no connection logs, no browsing history, no DNS queries, no traffic metadata, and no source IPs. Servers run from ephemeral storage and pipe systemd-journal to /dev/null. If a subpoena arrives, there is nothing to hand over.
3. Why we are allowed to process this
Under Article 6 of the GDPR, every act of processing needs a lawful basis, and we try to name ours precisely. Your billing email and payment token are processed under Article 6(1)(b) — performance of a contract, because we cannot invoice you without them. Crash diagnostics fall under Article 6(1)(f) — legitimate interest in keeping the client stable and private on your device. Support tickets mix 6(1)(b) and 6(1)(a), since you provide the content voluntarily. Anti-abuse signals used to block credential stuffing and brute-force attempts also rely on 6(1)(f). We do not lean on consent for anything except optional marketing emails, which are strictly opt-in and easy to revoke.
4. How long each record survives
Billing records are retained for seven years from the invoice date because Estonian tax law forces us to. The customer token that maps your account to the payment processor is deleted within thirty days of account closure. Crash diagnostics rotate on a ninety-day window; beyond that, only aggregates without identifiers remain for internal dashboards. Support tickets age out after eighteen months from the last reply, unless you ask us to delete them sooner. Anti-abuse signals are purged after seventy-two hours. The tunnel servers themselves keep nothing — there is no retention clock for connection data, because no connection data is ever written in the first place.
5. The short list of third parties
Three outside vendors touch your data, and we keep that list short on purpose. Stripe, headquartered in Ireland, processes payments and is the only party that sees your card. They return us a token; we never see the primary account number. Sentry, under an EU-hosted deployment, receives crash reports from the client and stores them on our behalf. Castle, a fraud-prevention vendor, receives login fingerprints for anti-abuse scoring, scoped to the login event only. None of these vendors receive traffic from the tunnel, because the tunnel is not wired to them. The current subprocessor list lives at /subprocessors, and paying customers are emailed before we add to it.
6. Cookies and similar technology
This website uses two cookies and no trackers. A session cookie named nr_session keeps you signed in to the dashboard and expires when the browser closes. A preference cookie named nr_theme stores whether you picked dark or light and expires after one year. Neither carries an identifier that survives logout. We load no third-party analytics — no Google, no Meta pixel, no Hotjar, no Mixpanel. Aggregate traffic counts are computed from web server logs that strip IPs to country-level before the counter increments. If you block cookies entirely, the marketing site and the knowledge base still work; only the signed-in dashboard will ask you to re-authenticate per page.
7. Traffic that crosses borders
NightRoute is engineered in Estonia, but your data occasionally crosses borders, so we name the routes. Account records live on servers inside the EEA, in Frankfurt and Stockholm, hosted by Hetzner. Stripe's EU entity holds payment data, with onward transfers to the United States governed by the European Commission's 2023 adequacy decision and standard contractual clauses. Sentry runs an EU-hosted instance by contract. Castle transfers anti-abuse signals to the United States under standard contractual clauses plus supplementary measures, including encryption in transit and at rest. We do not transfer personal data to jurisdictions without an adequacy decision or comparable safeguards, and transfer impact assessments for each vendor are available on written request.
8. Your rights, and how to invoke them
Under Chapter III of the GDPR, you have the right to access a copy of what we hold, correct anything wrong, delete what you no longer want us to keep, restrict processing while a dispute is sorted, take your data with you in a machine-readable form, and object to any legitimate-interest processing. Email support@zxcvbnm-pn-test-abc-93848.xyz with the word Rights in the subject and tell us which of these you want exercised. We answer within thirty days, extendable by sixty more if the request is complex, and we tell you if we extend. We do not charge a fee unless the request is clearly excessive, in which case we say so first.
9. How we secure the stack, and how we change this page
The tunnel endpoints run hardened Linux, full-disk encrypted, booted from read-only images, with tmpfs for anything the daemon might try to write. Administrator access is gated by hardware keys — no password will get an engineer onto a production box. The control plane sits behind mutual TLS, and database backups are encrypted with keys rotated quarterly. We commission an external penetration test once a year and publish the redacted findings. This policy changes when the underlying processing changes, not to chase fashion. Material changes are announced by email to active customers thirty days before they take effect. Minor edits — typos, clarifications, a rewritten sentence — are logged at the bottom of this page.
Contact
Questions about this policy? Write to support@zxcvbnm-pn-test-abc-93848.xyz.