Privacy Policy

Last updated: January 2026

1. Introduction

EpochProxy ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure remote access platform, including our website, API, CLI tools, agent software, and related services (collectively, the "Service").

EpochProxy is operated by KrakenTheStack. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address - Required for account creation and communication
  • Name - Optional, used for personalization
  • Organization name - Optional, used for team features
  • Authentication credentials - Securely hashed passwords or OAuth tokens
  • AWS IAM principals - If you use AWS IAM authentication

2.2 Payment Information

When you subscribe to a paid plan, we collect payment information through our payment processor, Stripe:

  • Credit card details (processed and stored by Stripe, not by us)
  • Billing address
  • Subscription and invoice history

We do not store your complete credit card number. Stripe handles all payment processing in compliance with PCI DSS standards.

2.3 Usage Data

We automatically collect information about your use of the Service:

  • Connection logs - Timestamps, source IP addresses (IPv4/IPv6), connection duration
  • Session metadata - Session type (terminal, exec, tunnel), status, start and end times
  • Agent registration information - Agent identifiers, labels, registration timestamps
  • Data transfer metrics - Volume of data transferred for billing purposes
  • API usage - API calls made, endpoints accessed, rate limit information
  • Error logs - Error messages and diagnostic information for debugging
  • Audit logs - Actions performed, user agent strings, timestamps

2.4 Technical Data

We collect technical information when you access our website or use our Service:

  • Browser type and version
  • Operating system
  • Device type and identifiers
  • IP address
  • Referring website
  • Pages visited and time spent

2.5 Self-Hosted Deployments

For self-hosted deployments, all operational data remains on your infrastructure. We do not have access to your usage data, connection logs, session content, or any information processed by your self-hosted EpochProxy installation.

For self-hosted deployments, we may only collect:

  • License validation information (if applicable)
  • Support request data (when you contact us)
  • Optional telemetry (if you choose to enable it)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Provision

  • Provide, operate, and maintain the Service
  • Authenticate users and authorize access
  • Process and route connections between clients and agents
  • Generate audit logs for compliance purposes

3.2 Billing and Payments

  • Process subscription payments and invoices
  • Calculate usage-based charges
  • Manage subscription status and plan changes

3.3 Communication

  • Send important service updates and security notices
  • Respond to support requests and inquiries
  • Send marketing communications (with your consent)

3.4 Security and Fraud Prevention

  • Monitor for suspicious activity and unauthorized access
  • Investigate security incidents
  • Enforce our Terms of Service and Acceptable Use Policy

3.5 Service Improvement

  • Analyze usage patterns to improve the Service
  • Develop new features and functionality
  • Conduct research and analytics

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing necessary to provide the Service you have requested (account management, service provision, billing)
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as security monitoring, fraud prevention, service improvement, and analytics, where these interests are not overridden by your rights
  • Consent: Where you have given explicit consent for specific processing activities, such as marketing communications or optional analytics
  • Legal Obligation: Processing necessary to comply with legal requirements, such as tax record retention or responding to lawful government requests

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of our website.

5.1 Types of Cookies We Use

  • Essential Cookies: Required for the website to function, including authentication and session management
  • Analytics Cookies: Help us understand how visitors interact with our website (Google Analytics)
  • Functional Cookies: Remember your preferences and settings

5.2 Google Analytics

We use Google Analytics to analyze website traffic and usage patterns. Google Analytics collects information such as how often users visit our site, what pages they visit, and what other sites they used prior to coming to our site. We use this information to improve our website and Service.

Google Analytics uses cookies to collect this information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

5.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or delete certain cookies. However, if you disable cookies, some features of our Service may not function properly.

6. Third-Party Services

We share your information with the following third-party service providers who help us operate and improve our Service:

6.1 Payment Processing

Stripe - We use Stripe for payment processing. When you make a payment, your payment information is sent directly to Stripe. Stripe's use of your information is governed by their Privacy Policy.

6.2 Analytics

Google Analytics - We use Google Analytics to analyze website usage. Google's use of your information is governed by their Privacy Policy.

6.3 Infrastructure

Amazon Web Services (AWS) - We use AWS to host and operate our Service. AWS processes data in accordance with their Privacy Notice and the AWS Data Processing Addendum.

6.4 Authentication

Google OAuth - If you choose to sign in with Google, we receive basic profile information from Google. Google's use of your information is governed by their Privacy Policy.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers: With third-party vendors who help us provide the Service (as described in Section 6)
  • Legal Requirements: When required by law, subpoena, or other legal process
  • Safety and Rights: To protect the safety, rights, or property of EpochProxy, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity
  • With Consent: When you have given us explicit consent to share your information

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located.

For transfers from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses for data transfers
  • EU-US Data Privacy Framework: Where applicable, we rely on service providers certified under the EU-US Data Privacy Framework

You may request a copy of the safeguards we use by contacting us at privacy@epochproxy.cloud.

9. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected:

  • Account data: Retained while your account is active and for 30 days after account deletion
  • Connection and session logs: Retained for 90 days
  • Audit logs: Retained for 1 year
  • Billing and payment records: Retained for 7 years as required by tax and accounting regulations
  • Support correspondence: Retained for 3 years after resolution

We may retain anonymized or aggregated data that cannot identify you for longer periods for analytics and service improvement purposes.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit: All data transmitted to and from our Service is encrypted using TLS 1.3
  • Encryption at rest: Sensitive data is encrypted at rest using industry-standard encryption
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis
  • Security monitoring: We continuously monitor our systems for security threats and vulnerabilities
  • Regular audits: We conduct regular security assessments and penetration testing

Our security practices are designed to support SOC 2 Type II compliance. For customers with HIPAA requirements, we offer Business Associate Agreements (BAAs) and HIPAA-eligible configurations.

11. Your Privacy Rights

11.1 Rights for All Users

Regardless of your location, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (subject to legal retention requirements)
  • Export your data in a portable format
  • Opt out of marketing communications

11.2 GDPR Rights (EEA, UK, and Switzerland Residents)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with a supervisory authority in your country of residence

11.3 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Categories of Personal Information Collected: Identifiers (email, IP address), commercial information (purchase history), internet activity (usage logs), professional information (organization), and inferences (usage patterns).

Do Not Sell or Share: EpochProxy does not sell your personal information and does not share it for cross-context behavioral advertising purposes.

11.4 How to Exercise Your Rights

To exercise any of your privacy rights, you may:

  • Email us at privacy@epochproxy.cloud
  • Use the account settings in your dashboard to access, export, or delete your data

We will respond to your request within 30 days (or 45 days for CCPA requests). We may need to verify your identity before processing your request.

12. Children's Privacy

Our Service is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@epochproxy.cloud, and we will delete such information.

13. Security Incident Notification

In the event of a security incident affecting your personal data, we will notify you in accordance with applicable law:

  • GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay if the breach is likely to result in high risk
  • CCPA: We will notify affected California residents as required by California Civil Code Section 1798.82
  • General: We will notify affected customers via email and, where appropriate, through our Service

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last updated" date
  • Sending an email notification to registered users for significant changes

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

For GDPR-related inquiries, you may also contact our data protection team at the email address above.

This Privacy Policy is provided for informational purposes and does not constitute legal advice. We recommend consulting with a qualified legal professional for specific legal questions.