Privacy Policy

Last Updated: April 3, 2026

1. Introduction

Rabtly (“we”, “us”, or “our”) operates the Rabtly Cloud mesh VPN service and dashboard at rabtly.cloud (the “Service”). This Privacy Policy explains what data we collect, why we collect it, and how we protect it. By using the Service you agree to this policy.

If you are self-hosting the open-source control plane on your own infrastructure, Rabtly does not collect any data from your deployment — this policy applies only to rabtly.cloud-hosted accounts.

2. Information We Collect

Account & Identity

  • Email address (required for login and notifications)
  • Name or display name (optional; sourced from your OAuth provider if used)
  • OAuth provider identifier (Google or GitHub) when you sign in via OAuth
  • Password hash (bcrypt) when you use email/password sign-in — your plain-text password is never stored

Network & Node Data

  • WireGuard public keys for each registered node
  • Device name, assigned mesh IP address, and public endpoint IP/port
  • Advertised subnet routes (if subnet routing is enabled)
  • Node heartbeat timestamps and online/offline status

Traffic Analytics

  • Aggregate bytes transferred (received and sent) per node, sampled each heartbeat (~10 s)
  • Active peer count per node
  • We do not inspect, log, or store the content of your VPN traffic

Billing

  • Subscription plan and status, sourced from Stripe
  • Payment event history (succeeded/failed charges, amounts, dates) — card numbers are never stored by us
  • Stripe customer ID and subscription ID

Audit & Security Logs

  • Login events (success and failure), IP address, timestamp
  • ACL policy changes, node registrations and deletions, member invite actions
  • Retained in a rolling buffer of the last 2,000 events per workspace

3. Third-Party Services

We use the following third-party processors. Each has its own privacy policy.

  • Stripe — payment processing and subscription management. Stripe stores your payment method; we only receive a customer ID and payment status.
  • Google OAuth 2.0 — optional sign-in. We receive your email and Google account ID; we do not access Google Drive, Gmail, or any other Google data.
  • GitHub OAuth — optional sign-in. We receive your primary verified email and GitHub ID; we do not access your repositories or any other GitHub data.
  • Resend — transactional email (e.g., workspace invite notifications). Only your email address and invite details are transmitted.

4. How We Use Your Information

  • Authenticate users and devices connecting to your workspace
  • Route mesh VPN peer information so devices can connect to each other
  • Enforce plan limits (node count, member count) based on your subscription
  • Display traffic analytics in your dashboard
  • Send transactional emails (invites, payment receipts) — no marketing without consent
  • Detect and prevent abuse, unauthorized access, and service disruptions

5. Data Retention

Data TypeFree PlanStarter / ProTeam
Traffic analytics7 days30 days90 days
Billing event historyIndefinitely (legal requirement)
Account & node dataUntil account deletion
Audit logsLast 2,000 events (rolling)

6. Data Security

  • All data is transmitted over TLS 1.2+ (HTTPS and WireGuard)
  • Passwords are hashed with bcrypt before storage
  • WireGuard private keys are generated on your device and never transmitted to our servers
  • Database access is restricted to internal infrastructure; no public database ports
  • We do not have access to the traffic flowing through your mesh VPN

7. Information Sharing

We do not sell, rent, or trade your personal information. We may share data only in these circumstances:

  • Service providers: Stripe, Resend, and cloud infrastructure providers under data processing agreements
  • Legal obligation: If required by law, court order, or regulatory authority
  • Business transfer: In connection with a merger or acquisition, with advance notice to users

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and associated data (except data we are legally required to retain)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests

To exercise these rights, email us at privacy@rabtly.cloud. We will respond within 30 days.

9. Cookies

The dashboard uses a single session cookie (set by NextAuth.js) to maintain your authenticated session. We do not use advertising cookies, cross-site tracking, or analytics cookies.

10. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the “Last Updated” date and, for material changes, notify you by email or a notice on the dashboard. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact

For privacy questions or data requests, contact us at privacy@rabtly.cloud.