We collect account and operational data needed to run the service.

What we collect

• Account data such as email address, customer ID, authentication identifiers, subscription status, and support identifiers.
• Endpoint metadata such as region, provider, endpoint ID, lifecycle state, DNS name, node instance ID, configuration version metadata, and provisioning job history.
• Operational telemetry such as service health, WireGuard handshake age, interface counters, NAT state, probe snapshots, lifecycle events, and error states.
• Billing records from payment processing surfaces needed to maintain subscription status and support billing questions.
• Abuse-control events such as blocked SMTP port 25 attempt counts, endpoint ID, customer ID, timestamp bucket, enforcement layer, and region.

What we do not collect by default

• We do not collect packet contents by default.
• We do not collect email message bodies, SMTP commands, recipient lists, or destination email addresses for blocked SMTP attempts.
• We do not collect full packet captures by default.
• We do not claim the service makes you anonymous from tvpn, payment processors, infrastructure providers, or lawful process.

Why operational metadata exists

Operational metadata lets us provision endpoints, show customer status, troubleshoot connectivity, detect endpoint failure, prevent abuse, support billing, and protect infrastructure reputation.

We aim to store facts needed to operate the service, not traffic content. Future public launch work must include tighter retention periods and customer-facing account controls.

Email posture

During staging and private beta, account verification and password-reset email use Cognito's default sender. We are not using SES production sending until opt-in, support, abuse, privacy, unsubscribe, bounce, and complaint handling surfaces are ready.

Authentication and security emails are transactional. We do not use Cognito authentication email for marketing.