UnboundBytes Digital freedom with a safety net
🚀 Join Beta Waitlist

Privacy Policy

Last Updated: November 11, 2025

UnboundBytes exists to help you escape the surveillance economy. This policy explains how we handle your data—because privacy isn't just our product, it's our principle.

The Short Version

  • Your self-hosted apps run on your infrastructure. We never see, access, or store the data in your apps.
  • We collect minimal account data (email, name) to provide the service.
  • We use Auth0 for authentication and Cloudflare for infrastructure.
  • We don't sell your data. We don't track you across the web. We don't use your data to train AI models.
  • You can export or delete your data anytime.

Who We Are

UnboundBytes is operated by [Legal Entity Name] ("UnboundBytes", "we", "us", or "our"). You can reach us at [email protected].

What Data We Collect

Account Information

When you create an account, we collect:

  • Email address (for login and critical notifications)
  • Name (optional, for personalizing the portal)
  • Password hash (stored securely by Auth0, we never see your password)

Service Metadata

To operate the platform, we collect:

  • Deployment configurations (which apps you're running, their settings)
  • Device metadata (server IP, agent version, operating system)
  • Command logs (which commands were sent to your agent, their status)
  • Health check data (app status, resource usage, backup success/failure)
  • Backup metadata (backup timestamps, sizes, locations—not backup contents)

Application Data (The Important Part)

We do not collect, access, or store the data inside your self-hosted applications. Your photos in Immich, files in Seafile, passwords in Vaultwarden—that all stays on your infrastructure. We never have access to it.

Backups are encrypted on your device before being uploaded to your chosen storage (whether that's your own S3, Cloudflare R2, or local storage). We can't decrypt your backups.

Usage Analytics

We collect minimal analytics to improve the service:

  • Feature usage (which parts of the portal you use)
  • Error logs (when something breaks, so we can fix it)
  • Performance metrics (how fast the portal loads)

We do not use third-party analytics tools that track you across websites. All analytics stay in our infrastructure.

Payment Information

Payment processing is handled by Stripe. We never see or store your credit card details. Stripe shares with us:

  • Subscription status (active, canceled, past due)
  • Last 4 digits of card (for display purposes)
  • Billing email (if different from account email)

How We Use Your Data

We use your data to:

  • Provide the service (deploy apps, manage backups, send commands to your agent)
  • Communicate with you (critical alerts, billing updates, service announcements)
  • Improve the platform (fix bugs, add features people actually want)
  • Ensure security (detect abuse, prevent unauthorized access)
  • Comply with legal obligations (if we're legally required to)

We do not:

  • Sell your data to third parties
  • Use your data to train AI models
  • Share your data with advertisers
  • Track you across other websites

Third-Party Services

We use carefully selected third-party services:

Auth0 (Authentication)

Auth0 handles user authentication. They process your email, password hash, and login activity. Read their privacy policy at auth0.com/privacy.

Cloudflare (Infrastructure)

Cloudflare provides our infrastructure (Workers, Durable Objects, R2 storage, tunnels). They may process IP addresses and request metadata for DDoS protection and performance. Read their privacy policy at cloudflare.com/privacypolicy.

Stripe (Payments)

Stripe processes payments. They handle your payment information according to their privacy policy at stripe.com/privacy.

Data Security

We protect your data with:

  • Encryption in transit (TLS 1.3 for all connections)
  • Encryption at rest (using Cloudflare's encrypted storage)
  • HMAC authentication (for agent-orchestrator communication)
  • Secrets management (using HashiCorp Vault)
  • Access controls (tenant isolation via Durable Objects)
  • Regular security audits (dependency scanning, container scanning)

No security is perfect. If we discover a breach, we'll notify affected users within 72 hours and explain what happened and what we're doing about it.

Data Retention

  • Account data: Retained while your account is active, deleted within 30 days of account deletion
  • Deployment configs: Deleted within 7 days of deployment removal
  • Command logs: Retained for 90 days, then deleted
  • Backup metadata: Retained while backups exist, deleted when backups are deleted
  • Payment records: Retained for 7 years for tax compliance

Your Rights

You have the right to:

Access Your Data

Export your deployment configurations, command history, and backup metadata from the portal. Email [email protected] for a complete data export.

Correct Your Data

Update your account information anytime in the portal settings.

Delete Your Data

Delete your account from portal settings. We'll delete your data within 30 days, except for payment records (retained for 7 years for legal compliance).

Object to Processing

If you object to how we're processing your data, email [email protected] and we'll work it out.

Withdraw Consent

You can withdraw consent anytime by deleting your account.

International Users

UnboundBytes operates globally using Cloudflare's distributed infrastructure. Your data may be processed in multiple regions for performance and reliability.

For EU/EEA Users (GDPR)

We comply with GDPR. Your legal basis for processing is:

  • Contract (we need your data to provide the service)
  • Legitimate interest (improving the platform, ensuring security)
  • Legal obligation (tax records, anti-fraud)

You have additional rights under GDPR, including data portability and the right to lodge a complaint with your supervisory authority.

For California Users (CCPA)

We comply with CCPA. We do not sell your personal information. You have the right to request deletion and opt out of "sales" (though we don't sell data anyway).

Children's Privacy

UnboundBytes is not intended for children under 13. We don't knowingly collect data from children. If you're a parent and believe your child has provided us data, email [email protected].

Changes to This Policy

We'll update this policy as needed. Material changes will be announced via email 30 days before taking effect. Continued use after changes means you accept the updated policy.

Previous versions are available in our public repository.

Contact Us

Questions about privacy? Email [email protected] or use the contact form.

This policy was written by humans who care about privacy, not lawyers trying to cover their asses with legalese. If something's unclear, let us know and we'll fix it.