Privacy Policy

Introduction

HomeLab Everywhere ("HLE", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, including our website, relay server, and CLI application.

Important — your role as a data controller: HLE is a relay service. If you use HLE to expose a service that your own users access, you are the data controller for any personal data those users provide to your service. HLE does not access, process, or store the content of traffic flowing through your tunnels. You are responsible for providing your end users with appropriate privacy notices and complying with applicable data protection law (including GDPR where applicable).

Information We Collect

We collect information in the following ways:

  • Account Information: When you register, we collect your email address, username, and authentication credentials (or OAuth profile data from GitHub/Google).
  • API Keys: We generate and store API keys for tunnel authentication. Keys are stored as SHA-256 hashes for security.
  • Tunnel Data: When you expose a service via HLE, we log basic metadata: tunnel creation time, service labels, and usage statistics. We do not inspect or log the contents of traffic flowing through tunnels (no URLs, request/response bodies, headers, or form data are stored).
  • Usage Analytics: We collect aggregated statistics about tunnel usage (request counts, data transferred, latency) to monitor service health and enforce plan limits.
  • Access Rules: When you configure tunnel access rules (e.g., allowing specific email addresses), we store those configurations in our database.
  • Tunnel Access Logs: When visitors access your exposed services, we log their IP address, user agent, authentication method used, and whether access was allowed or denied. These logs help you monitor who accesses your tunnels and are subject to your plan's retention period (see Data Retention below). Business plan users may disable access logging entirely.
  • Audit Events: We log security events such as logins, failed login attempts, password changes, tunnel connections/disconnections, and access rule changes. Each event includes the actor's email, IP address, and timestamp.
  • Payment Information: If you use billing features, payment details are processed by Stripe. We never store full credit card numbers; Stripe provides tokenized payment information.
  • Server Logs: We maintain standard server logs including IP addresses, timestamps, request types, and response codes for security and debugging purposes.
  • Website Analytics: We use a privacy-focused, cookieless analytics tool (Umami) to collect anonymous, aggregated website usage data such as page views, referrers, and browser types. This data does not include personal identifiers, does not use cookies, and cannot be used to identify individual users.

How We Use Your Information

We use collected information to:

  • Authenticate users and authorize tunnel access
  • Operate and maintain the relay service
  • Process payments and manage billing (via Stripe)
  • Detect and prevent fraudulent activity and security threats
  • Monitor service performance and debug issues
  • Enforce tunnel limits and fair use policies
  • Communicate with you about service updates or policy changes
  • Comply with legal obligations

Legal Basis for Processing (GDPR)

Where GDPR or equivalent data protection law applies, we rely on the following legal bases:

  • Performance of contract (Art. 6(1)(b)): Processing your account data, API keys, and tunnel metadata is necessary to provide the HLE service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Server logs, usage analytics, fraud detection, and service performance monitoring are processed under our legitimate interest in operating a secure and reliable service. You may object to processing based on legitimate interest by contacting us.
  • Legal obligation (Art. 6(1)(c)): We may process data where required by law, such as tax record retention for payment data or responding to valid legal requests.
  • Consent (Art. 6(1)(a)): Where you connect a third-party account (GitHub, Google) via OAuth, we process the profile data received based on your explicit consent when authorising the connection. You may withdraw consent at any time by unlinking your account.

Third-Party Services

HLE integrates with the following third-party services:

Stripe (Payment Processing)

If you use paid features, payment processing is handled by Stripe. Stripe's privacy practices are governed by their Privacy Policy. We do not store credit card information; Stripe provides us with tokenized payment information and billing updates.

GitHub OAuth

You may optionally authenticate using your GitHub account via OAuth 2.0. When you authorize HLE to access GitHub, we receive your GitHub profile information (public username, email, avatar). This is governed by GitHub's Privacy Statement.

Google OAuth

You may optionally authenticate using your Google account via OAuth (OpenID Connect). When you authorize HLE, we receive your Google profile information (email address, name, profile picture). This is governed by Google's Privacy Policy.

Cookies

HLE uses HTTP-only cookies to store authentication tokens (JWT). These cookies:

  • Are set after successful login and contain your session token
  • Are secure (HTTPS only) and HTTP-only (not accessible to JavaScript)
  • Expire after the session ends or after an inactivity period
  • Are necessary for tunnel authentication and dashboard access

Your browser may also store cookies for tunnel authentication via the hle_tunnel_token cookie when accessing exposed services.

Data Retention

We retain your information as follows:

  • Account Data: Retained while your account is active. Upon account deletion, account data is removed within 30 days.
  • API Keys: Retained until explicitly revoked. Revoked keys are deleted immediately.
  • Tunnel Records: Tunnel metadata and bandwidth statistics are retained for 90 days for debugging and auditing.
  • Tunnel Access Logs: Visitor access logs (IP addresses, user agents, auth method, outcome) are retained based on your subscription plan:
    • Free: 7 days
    • Pro: 30 days (with the option to disable access logging entirely)
    • Business: 90 days (with the option to disable access logging entirely)
    After the retention period, access logs are permanently deleted. IP addresses in expired logs are not retained in any form.
  • Audit Events: Security audit events (logins, tunnel events, billing events) are retained for 90 days, then automatically purged.
  • Payment Records: Retained per Stripe's retention policies and legal/tax requirements.

IP Address Processing

IP addresses are classified as personal data under GDPR. We collect IP addresses in the following contexts:

  • Rate limiting and brute-force protection: IP addresses are held in memory during active rate-limit windows (up to 5 minutes) and not persisted to disk.
  • Audit logs: IP addresses are recorded with login attempts, tunnel connections, and other security events. Retained for 90 days.
  • Tunnel access logs: Visitor IP addresses are logged when they access your exposed services. Retained per your plan's retention period (7, 30, or 90 days).

Legal basis: We process IP addresses under legitimate interest (Art. 6(1)(f) GDPR) for the purposes of service security, abuse prevention, and providing you with access monitoring. You may object to this processing by contacting privacy@hle.world.

Logging controls: Business plan users can disable tunnel access logging entirely from their dashboard settings. When disabled, visitor IP addresses are not recorded for your tunnels. Rate limiting and audit events (your own logins and tunnel connections) continue to function as they are necessary for service security.

Security

We implement industry-standard security measures to protect your data:

  • API keys are hashed using SHA-256 before storage; raw keys are never retained
  • Passwords are hashed using PBKDF2-SHA256 with 600,000 iterations and random 32-byte salts
  • All communication between clients and the relay is encrypted via WebSocket over HTTPS (WSS)
  • Sessions use JWT tokens stored in HTTP-only, secure cookies with 24-hour expiry
  • Login rate limiting (10 attempts/5 min per IP) and progressive account lockout protect against brute-force attacks
  • Every commit is scanned by 10+ automated security tools (Semgrep, Bandit, TruffleHog, Trivy, ZAP, and more)
  • The HLE relay terminates TLS to provide SSO authentication. Traffic passes through the relay in memory for routing and auth enforcement, but request/response bodies, URLs, headers, and form data are never logged, stored, or sent to any third party

The HLE client is fully open source (MIT license) — you can verify exactly what data leaves your machine. For full technical details, see our Security documentation.

No system is completely secure. We encourage you to use strong passwords and protect your API keys. To report a security vulnerability, contact security@hle.world.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, in accordance with GDPR Article 34.

Data Sharing

We do not sell or rent your personal information. We may share data only in the following circumstances:

  • Service Providers: With third-party services (Stripe, GitHub, Google) that help us operate HLE, only to the extent necessary to provide the service
  • Legal Compliance: When required by law, regulation, court order, or valid government request
  • Security: To investigate, prevent, or address fraud, security issues, or technical problems

GDPR Roles

For users in the European Economic Area (EEA) or where GDPR or equivalent law applies:

  • HLE as data controller: HLE is the data controller for information you provide directly to us — your account email, authentication credentials, API keys, billing details, and connection metadata (IP addresses, timestamps, bandwidth). We process this data to operate the service as described in this policy.
  • HLE as data processor: Where applicable law requires a Data Processing Agreement (DPA) for the connection metadata we process on your behalf, please contact us at privacy@hle.world.
  • You as data controller: You are independently the data controller for any personal data of your own end users that is transmitted through your tunnels. HLE does not access that data, cannot respond to data subject requests about it, and has no visibility into it. You must comply independently with all applicable data protection obligations towards your users.

Your Rights

Depending on your jurisdiction (including under GDPR), you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete information
  • Erasure: Request deletion of your data (right to be forgotten)
  • Data portability: Receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another service
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
  • Supervisory authority: Lodge a complaint with a data protection supervisory authority in your country of residence. For users in the Netherlands, this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens - AP)

To exercise any of these rights, please contact us at privacy@hle.world. We will respond within 30 days (or within the timeframe required by applicable law).

International Data Transfers

HLE operates servers that may store your data in different jurisdictions. By using HLE, you consent to the processing and transfer of your information across borders and to jurisdictions that may have different data protection laws than your home country.

Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by updating the "Last Updated" date and, if required, by email. Your continued use of HLE after changes constitutes your acceptance of the updated policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: privacy@hle.world

Service: HomeLab Everywhere (HLE)

Domain: hle.world

Last Updated: March 2026