SSH BridgeSSH Bridge

Privacy Policy

Effective May 4, 2026

1. Overview

SSH Bridge (the "Service") is operated by Themewizz ("we", "us"). This policy explains what information the Service collects, how we use it, who we share it with, and the choices you have. By creating an account or using the Service you agree to the practices described here.

2. Information we collect

Account information. When you register we store your name, email address, hashed password, and (if you sign in with Google) your Google account ID and profile picture URL.

Connection data. SSH host metadata you save (label, hostname, port, username, group, color), SSH keys (private keys are stored encrypted at rest), snippets, and port-forwarding rules. The actual credentials and keys are encrypted and only used to establish SSH sessions on your behalf.

Device information. Each device you sign in from is registered with a device ID, platform, OS version, and last-login IP address. We use this to enforce single-device sessions and let you revoke access from a lost device.

Usage logs.Authentication events, session creation, plan changes, and admin actions are logged with timestamps. Logs are retained according to your plan's retention policy.

Payment information. If you subscribe to a paid plan, payment is processed by Stripe. We do not store card numbers on our servers — Stripe stores the actual payment instrument. We retain the Stripe customer ID, subscription ID, plan tier, billing cycle, and a ledger of paid/failed invoice records (date, amount, currency, description, status).

Network telemetry. If you opt into the SSH Bridge Network mesh, your device registers with our coordination server and is assigned a private mesh IP. We see node hostnames, online/offline status, and last-seen timestamps. Traffic between devices is encrypted end-to-end and we do not have access to its contents.

3. How we use information

We use the information we collect to operate the Service: authenticating you, syncing your hosts and keys across your devices, enforcing plan limits, processing payments, sending transactional email (welcome messages, password resets, payment receipts), and providing customer support.

We do not sell your information, run behavioral advertising, or use your SSH session contents for analytics. SSH session traffic flows directly between your client and your server (or via the SSH Bridge Network mesh which is end-to-end encrypted) — we do not have visibility into it.

4. Third-party services

We rely on a small set of vendors to deliver the Service:

  • Stripe — payment processing, customer portal, invoice history. Subject to Stripe's privacy policy.
  • Resend — transactional email delivery. Subject to Resend's privacy policy.
  • Google— optional "Sign in with Google" identity provider. Subject to Google's privacy policy.
  • Cloudflare / Supabase Storage — content delivery and release-artifact hosting.

5. Data storage and security

Account data, hosts, keys, and logs are stored in a managed PostgreSQL database. Sensitive credentials are encrypted at rest. Connections to our backend use TLS. Passwords are stored as bcrypt hashes — never in plaintext. We follow industry-standard practices for access control, but no system is perfectly secure; if you discover a vulnerability, please email us at [email protected].

6. Data retention

Account data is retained for as long as your account is active. Audit logs are retained according to your plan's log-retention policy (visible on the pricing page). When you delete your account, we remove your personal data within 30 days, except for records we must retain to comply with legal or financial obligations (e.g. invoice records for tax purposes).

7. Your rights

You have the right to access, correct, export, or delete your personal information. You can manage most of this directly in the app (Settings → Account, Settings → Billing), or contact us at [email protected] for assistance. If you are an EU/UK resident you also have the right to lodge a complaint with your local data-protection authority.

8. Cookies

The marketing site uses essential cookies only — there is no third-party tracking, no advertising, and no analytics that profile individual visitors. The desktop and mobile apps store an authentication token in platform-secure storage (macOS Keychain, Windows Credential Manager, iOS Keychain, Android Keystore) instead of cookies.

9. Children

The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us and we will delete it.

10. International transfers

We are based in the United States and our infrastructure providers may process data in the US, the EU, and other jurisdictions. By using the Service you consent to your information being transferred to and processed in countries outside your own.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email and/or a notice in the app at least 14 days before they take effect. The "Effective" date at the top of this page indicates the version currently in force.

12. Contact us

Questions about privacy? Email [email protected].