Privacy Policy
Last updated: 2026-05-25. DRAFT — under legal review.
What we collect
- From Google OAuth: email address, display name, profile picture, Google account ID.
- Phone: the number you verify (we don't buy or scrape numbers).
- Payment metadata: from Paystack — card brand, last 4 digits, bank, country, expiry. We never see full card numbers.
- Session metadata: what OS/size you launched, when, how long, what region.
- Usage events: page visits within the dashboard, button clicks for audit purposes.
- Technical: IP address, user-agent, language preference (from request headers).
- Communication: emails you send us, content of bug reports and contact forms.
What we don't collect
- The contents of your sessions (files, browser history, what you do inside the VM)
- Full payment card numbers or CVVs
- Your Google account password
- Anything outside what you put into our app or what Paystack/AWS surface back to us
Why we collect it
- To provide the Service — provision instances, charge you correctly, route emails.
- To prevent fraud — card fingerprints help us stop multi-account farming of the welcome credit.
- To support you — audit logs let us answer "what happened when" if you contact us.
- To comply with law — payment records, etc.
Who we share data with
- Amazon Web Services — provisions and runs the EC2 instances; processes session metadata; stores encrypted disks. AWS privacy.
- Paystack — processes payments and stores card details. Paystack privacy.
- Zoho — sends transactional emails on our behalf.
- Google — handles your sign-in.
- Law enforcement — only with valid legal process. We'll notify you if permitted.
We don't sell your data. We don't use it for advertising. We don't train AI models on your session content.
How long we keep data
- Account data: while your account is active, plus 90 days after closure.
- Payment records: 7 years (legal/tax requirements).
- Session disks: deleted immediately on Terminate; preserved while stopped until you Terminate or close the account.
- Audit logs: 2 years.
- Backups: rotating, max 30 days.
Your rights
You can request:
- Access — download a copy of your data from /dashboard/settings/export.
- Correction — fix anything wrong via the dashboard or by email.
- Deletion — close your account; we'll delete what we can, retain what we must (payment records for tax).
- Portability — the export is JSON, machine-readable.
- Objection — email privacy@deskboot.store.
Cookies
We use strictly necessary cookies for sign-in sessions (Auth.js). No tracking cookies. No third-party analytics that follow you across the web.
Security
See /security for the technical details. In short: HTTPS everywhere, KMS encryption for secrets, encrypted database, audit logging.
Transfers
Your data is processed in the AWS regions we operate in (currently us-east-1). If we add regions, we'll keep your session metadata close to where your sessions run.
Children
The Service is not for anyone under 18.
Changes
We'll announce material changes by email and a dashboard notice. The last-updated date is at the top of this page.
Contact
Privacy questions: privacy@deskboot.store. General: /contact.