Privacy Policy

1. What We Are

stunl is a localhost tunneling service ("stunl", "we", "us", "our"). Our website is stunl.com and the service is accessible via our CLI tool and web portal at portal.stunl.com.

2. Information We Collect

Account Information

When you create an account, we collect your email address and a password. Passwords are stored as bcrypt hashes and cannot be reversed. If you subscribe to a paid plan, payment is processed by Stripe and we store only your Stripe customer ID - we never see or store your full card number.

API Keys

API keys are stored as SHA-256 hashes. We cannot retrieve your API key after it is created - only you have the plaintext value.

Tunnel Metadata

When you create a tunnel, we log metadata necessary to operate the service: tunnel type, protocol, timestamps, assigned subdomain/port, session duration, and bandwidth usage. We do not inspect, log, or store the content of traffic passing through your tunnels.

Server Logs

Our servers record standard web access logs (IP address, user agent, request path, timestamps). These logs are used for security monitoring, abuse prevention, and debugging. Logs are retained for 30 days and then automatically deleted.

SMS/MMS Messages

If you contact our customer support via SMS, we collect your phone number and the content of your messages solely to provide support. We do not use your phone number for marketing. You can opt out of SMS at any time by replying STOP.

What We Do Not Collect

• Tunnel traffic content - we do not inspect, log, or store the data flowing through your tunnels
• Biometric data of any kind
• Location data beyond what your IP address implies
• Device fingerprints or tracking pixels
• Data from third-party advertising or analytics networks

3. How We Use Your Information

• Provide, maintain, and improve the stunl service
• Process payments and manage your subscription
• Enforce our Terms of Service and Acceptable Use Policy
• Send transactional emails (account verification, password resets, billing receipts, payment failure alerts)
• Respond to support requests (including via SMS)
• Monitor service health and security

We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. We have no ad trackers on our website.

4. Third-Party Services

We use the following third-party services to operate stunl:

• Stripe - payment processing. Stripe's privacy policy: stripe.com/privacy
• Amazon SES - transactional email delivery
• Twilio - SMS customer support. Twilio's privacy policy: twilio.com/legal/privacy

These services receive only the minimum information necessary to perform their function. We do not share tunnel traffic data with any third party.

5. Data Security

All connections to stunl use TLS 1.3 encryption. Passwords are hashed with bcrypt. API keys are stored as SHA-256 hashes. Payment data is handled entirely by Stripe (PCI DSS compliant) and never touches our servers. All API requests are signed with HMAC-SHA256 to prevent tampering.

For tunnels using our end-to-end encryption (E2E) feature, traffic is encrypted with your own TLS certificate. We route it using only the SNI header and cannot decrypt it even as it passes through our servers.

6. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion.
• Tunnel metadata: Retained for 90 days after tunnel closure for usage history, then deleted.
• Server logs: Retained for 30 days, then automatically purged.
• Billing records: Retained for 7 years as required by US tax law. Stored by Stripe.
• Tunnel traffic: Never stored.

7. Cookies

The stunl portal uses only essential cookies:

• Session cookie - keeps you logged in (expires on logout or after 7 days)
• CSRF token - prevents cross-site request forgery

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

8. Your Rights

Regardless of where you live, you can:

• Access your data in the portal dashboard, or request a copy by email
• Correct your data by updating your email or password in the portal
• Delete your account and all associated data by emailing legal@stunl.com
• Export your data in a machine-readable format by emailing legal@stunl.com

California Residents (CCPA/CPRA)

You have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, email legal@stunl.com.

EU/EEA Residents (GDPR)

Our lawful basis for processing your data is contract performance (providing the service you signed up for) and legitimate interest (preventing abuse). You have additional rights to data portability, restriction of processing, and the right to lodge a complaint with your local data protection authority. Contact legal@stunl.com for any GDPR requests.

9. Data Breach Notification

If we discover a security breach affecting your personal information, we will:

• Notify affected users by email without unreasonable delay
• Notify the Illinois Attorney General if 500 or more Illinois residents are affected
• Describe the nature of the breach, what data was involved, and the steps we are taking in response

10. Age Requirement

stunl is intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has created an account, contact us and we will delete it.

11. Changes to This Policy

We may update this privacy policy. If we make material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

12. Contact

For privacy questions, data requests, or complaints:

• Email: legal@stunl.com
• General support: support@stunl.com
• SMS: +1 (312) 779-6210
• Location: Chicago, IL