Privacy Policy
Last updated: April 4, 2026
1. Who we are
This Privacy Policy describes how Jetty ("Jetty", "we", "us", "our") collects, uses, and shares personal information when you use our websites, command-line tools, APIs, and related services (collectively, the "Service").
Jetty is operated by Shafer LLC. If you have questions about this policy or your personal data, contact us at privacy@usejetty.online.
2. Information we collect
Account information
When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). If you sign in with GitHub or Google, we receive your name, email, and profile photo from the OAuth provider. We store your organization and team memberships, role assignments, notification preferences, and settings you configure.
Tunnel and connection data
To operate tunnels, we process tunnel identifiers (subdomain labels, IDs), the local host and port you expose, connection timestamps, agent metadata (CLI version, operating system), and heartbeat counters (request count, bytes transferred). We do not inspect or store the content of HTTP requests and responses that pass through your tunnels unless you enable traffic inspection.
Traffic inspection samples
If traffic inspection is enabled on your plan, the CLI may send request metadata (method, path, status code, byte counts, and optionally HTTP headers) to our API for display in the dashboard. Sensitive headers (Authorization, Cookie, API keys) are redacted or masked before storage based on your organization's redaction tier (standard, strict, or none). Request and response bodies are not stored by default.
Billing information
When you subscribe to a paid plan, our payment processor Stripe collects your payment method, billing address, and tax identifiers. We receive from Stripe a limited record: the last four digits of your card, card brand, subscription status, and invoice history. We never see or store your full card number.
API tokens
Personal access tokens you create for CLI authentication are stored as SHA-256 hashes. We record the token name, creation date, last-used timestamp, and associated organization. The plaintext token is shown once at creation and never stored.
Logs and diagnostics
We collect server access logs (IP address, user agent, timestamps), error reports, and edge server metrics (request latency, status codes, rate limit events). The CLI may send anonymous telemetry about WebSocket connection failures to help us improve reliability. You can disable CLI telemetry via the JETTY_SHARE_NO_TELEMETRY environment variable.
Cookies
We use session cookies to authenticate you in the dashboard and CSRF tokens to protect forms. We do not use third-party advertising or tracking cookies. If you use the CLI, no cookies are involved; authentication uses Bearer tokens.
3. How we use your information
- Provide, maintain, and improve the Service, including tunnel routing, team management, billing, and support.
- Authenticate your identity and authorize access to tunnels, teams, and API endpoints.
- Process payments and manage subscriptions through Stripe.
- Enforce rate limits, IP filtering, and security controls to protect the Service and other users.
- Send transactional emails (account verification, password resets, team invitations, billing receipts) and optional notifications (tunnel status alerts via email, Telegram, or webhook).
- Monitor system health, detect abuse, and investigate security incidents.
- Generate aggregated, non-identifying analytics to understand usage patterns and guide product development.
- Comply with legal obligations and respond to lawful requests.
4. Legal bases for processing (EEA/UK)
Where the GDPR applies, we rely on:
- Contract -- processing necessary to provide the Service you signed up for (tunnel routing, team management, billing).
- Legitimate interests -- security monitoring, fraud prevention, service improvement, and abuse detection, balanced against your rights and freedoms.
- Consent -- where required, such as optional marketing emails or traffic inspection with sensitive header logging.
- Legal obligation -- tax records, law enforcement requests, and regulatory compliance.
5. How we share your information
Service providers
We share data with vendors who process it on our behalf under contractual safeguards: Stripe (payments), DigitalOcean (hosting), Sentry (error reporting), and email delivery services. These providers only access data necessary for their function.
Within your organization
Organization owners and admins can view team memberships, tunnel activity, audit logs, and billing information for their organization. Team members can see tunnels and request samples within their team, subject to role-based permissions (Owner, Manager, Developer, Viewer).
Legal and safety
We may disclose information if required by law, subpoena, or court order, or if we believe in good faith that disclosure is necessary to protect rights, safety, or property, investigate fraud, or respond to a government request.
Business transfers
If Jetty is acquired, merges, or sells assets, your information may transfer to the successor entity. We will notify you via email or prominent notice before your information becomes subject to a different privacy policy.
We do not sell your personal information. We do not share it with advertisers or data brokers.
6. Data retention
- Account data -- retained while your account is active and for 30 days after deletion to allow recovery.
- Tunnel metadata -- retained while the tunnel exists. Deleted tunnels are purged within 7 days.
- Traffic inspection samples -- retained for up to 50 samples per tunnel (configurable per organization). Older samples are automatically pruned.
- Audit logs -- retained for 90 days.
- Server logs -- retained for 30 days, then deleted.
- Billing records -- retained as required by tax and accounting law (typically 7 years).
7. Security
We protect your data with:
- TLS encryption for all data in transit (HTTPS, WSS).
- Bcrypt password hashing and SHA-256 token hashing.
- Role-based access controls at the organization and team level.
- Per-tunnel IP allowlists/blocklists and rate limiting.
- Webhook signature verification (Stripe, GitHub, Shopify, HMAC-SHA256).
- Two-factor authentication (TOTP) for account access.
- Configurable header redaction tiers and compliance presets (GDPR, HIPAA, SOC 2).
- Audit logging of administrative actions.
No system is perfectly secure. If you discover a vulnerability, please report it to security@usejetty.online.
8. Your rights
Depending on your location, you may have the right to:
- Access -- request a copy of the personal data we hold about you.
- Correction -- update inaccurate or incomplete data via your Profile settings.
- Deletion -- delete your account and associated data from Profile > Account.
- Export -- download a machine-readable JSON export of your data from Profile > Download your data.
- Object -- object to processing based on legitimate interests.
- Restrict -- request that we limit processing of your data in certain circumstances.
- Withdraw consent -- where processing is based on consent, you may withdraw it at any time.
To exercise these rights, email privacy@usejetty.online or use the self-service options in your dashboard. We will respond within 30 days (or as required by law). You may also lodge a complaint with your local data protection authority.
9. California residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion, and opt out of the sale of personal information. We do not sell personal information. To submit a request, contact privacy@usejetty.online.
10. International transfers
Jetty is based in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US or other countries where our service providers operate. Where required, we use Standard Contractual Clauses or other approved transfer mechanisms to protect your data.
11. Children
The Service is not intended for anyone under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy with an updated "Last updated" date. For material changes, we will notify you by email or via a notice in the dashboard at least 14 days before the changes take effect.
13. Contact us
For privacy questions, data requests, or concerns:
- Email: privacy@usejetty.online
- Support: support@usejetty.online
- Security issues: security@usejetty.online