No payload visibility
Relays carry ciphertext and do not need session keys.
Cloud metadata scoped
Account, team, billing, and audit data stay tenant-bound.
Self-hosted boundary
Runtime database, storage, SMTP, and relay are operator-controlled.
Operator rights
Access, deletion, correction, portability, and restriction requests are supported.
Our privacy commitments
Information we collect
TucDesk collects only the data necessary to provide and improve the service. Self-hosted runtime data remains controlled by the operator.
| Category | Data collected | Purpose |
|---|---|---|
| Account | Name, email, team membership, roles, billing state, invite history. | Authentication, access control, billing, support, and abuse prevention. |
| Agent metadata | Agent ID, label, operating system, version, online state, tags, last-seen timestamp. | Fleet inventory, routing, security posture, and operator visibility. |
| Session metadata | Session ID, participants, timing, duration, recording pointer, audit context. | Audit history, troubleshooting, retention, and security review. |
| Usage | Product events, feature usage, support communications, and operational metrics. | Reliability, diagnostics, abuse prevention, and product improvement. |
| Billing | Plan and invoice metadata handled through payment processors. | Paid plan administration. |
| Not collected | Plaintext terminal payloads, agent private keys, operator private keys, plaintext passwords. | TucDesk is designed so this data is not needed by the cloud service. |
How data is handled
Overview
TucDesk operates in two deployment modes. In TucDesk Cloud, TucDesk runs the dashboard, API, rendezvous, relay, database, and recording storage for customer teams. In self-hosted deployments, the operator runs those services on their own infrastructure and TucDesk does not receive runtime data from that deployment.
Cloud: what TucDesk collects
For cloud accounts, TucDesk collects account identity, operator email, team membership, role assignments, billing status, plan limits, invite history, support communications, agent metadata, pairing events, session metadata, audit entries, and operational metrics required to run the managed service. Agent metadata can include agent ID, label, operating system, version, online state, last-seen timestamp, tags, and policy status.
Cloud: what TucDesk does not collect
TucDesk does not collect plaintext terminal session payloads from encrypted sessions. Session traffic uses end-to-end encryption, and relay infrastructure receives ciphertext only. TucDesk does not store agent private keys, operator private keys, plaintext passwords, or self-hosted runtime databases.
Self-hosted runtime privacy
For self-hosted deployments, TucDesk collects nothing at runtime. Your API, database, rendezvous, relay, object storage, SMTP provider, and dashboard run under your control. Mobile apps and agents save the selected server profile locally and connect directly to your configured endpoints.
Data retention
Cloud retention defaults to 90 days for operational logs and session records unless a plan, team policy, or enterprise agreement configures a different window. Audit logs may be retained longer where required for security, abuse prevention, billing, or legal compliance. Self-hosted retention is entirely controlled by the operator through database, object storage, and backup policies.
How we use your information
We use collected cloud data to authenticate operators, route sessions, enforce team policy, provide support, prevent abuse, process billing, maintain service reliability, send service notices, and meet legal obligations. We do not sell account data or use terminal payloads for advertising.
Session recordings
Cloud session recordings are stored in tenant-prefixed object paths and encrypted at rest. Access is mediated by the API and scoped to the authenticated team. Self-hosted recordings are stored in the operator-configured MinIO/S3-compatible storage and follow the operator's retention and access-control policy.
Cookies and local storage
The dashboard uses authentication cookies for operator sessions and small state cookies for onboarding decisions. Public pages may use local storage to remember the public dark/light theme choice. TucDesk does not require third-party advertising cookies for core service operation. Mobile apps store server profiles in Keychain or EncryptedSharedPreferences.
Third-party processors
Cloud operations may use Cloudflare for edge/network protection, Stripe for payments, AWS SES or another SMTP provider for transactional email, and managed Postgres/object-storage providers for durable data. Self-hosted deployments use the processors selected by the operator.
Rights
You may request access, deletion, correction, restriction, or portability for TucDesk Cloud account data by contacting privacy@tucdesk.app. If you use a self-hosted deployment, contact the organization that operates that deployment because TucDesk does not control that runtime data.
Security safeguards
TucDesk uses cryptographic agent identity, short-lived operator tokens, team_id isolation, signed audit entries, encrypted session transport, and least-privilege service credentials. Administrative lifecycle endpoints require a dedicated admin token and are not accessible through normal operator JWTs.
Security practices
TucDesk uses least-privilege service credentials, tenant-scoped storage paths, short-lived tokens, signed audit entries, and encrypted session transport. Production operators should still configure SSO, MFA, network controls, backup policy, and monitoring according to their own risk requirements.
International transfers
TucDesk Cloud data may be processed in regions where TucDesk or its providers operate. Enterprise customers may request region-specific deployment terms where available. Self-hosted operators choose their own processing regions and providers.
Contact
Privacy questions, access requests, and deletion requests for TucDesk Cloud should be sent to privacy@tucdesk.app. Security reports should be sent to security@tucdesk.app so they follow the coordinated disclosure process.
Effective date
May 7, 2026