Privacy Policy

What Obacht stores

• —Account: your email address and a salted password hash (authentication is handled by Supabase Auth)
• —Profile: username, display name, and optional first/last name
• —Sign-up record: the invite code you used, plus the Terms version and timestamp you accepted
• —Plan: your tier and — once billing goes live — a Stripe customer identifier
• —Device inventory: name, type (Raspberry Pi / ESP32 / Pico W), MAC address and serial number
• —Hardware & OS details reported by the agent: model, CPU architecture, kernel, OS name and version, hostname, agent version
• —Connection state: install tokens, first-connected and last-seen timestamps, online/offline status
• —Live health metrics: CPU load, RAM and disk usage, CPU temperature
• —Network traffic counters per device (bytes in/out) used for your traffic quota
• —The list of systemd services and installed templates per device, with install and reconcile events
• —Monitoring rules you define and the alerts they trigger
• —Device logs and events your device or templates choose to send to the dashboard
• —WireGuard public keys and the tunnel IP assigned to each device
• —Your SSH public keys and each device's SSH host-key fingerprint
• —Custom domains you bind to a device
• —Projects, their members and roles, and which devices belong to them
• —Notification preferences and the notifications we have sent you
• —Feedback and support messages you submit, and ESP32 firmware you upload (kept temporarily for over-the-air delivery)

What Obacht does not store — or cannot access

• —The data inside the apps you host — databases, uploads and user content live only on your device; obacht relays the connection but never stores it
• —Files or backups from your device — obacht never copies your filesystem
• —The contents of your terminal sessions or the commands you run — SSH is end-to-end encrypted to your device and never recorded
• —Your source code or application configuration
• —Your WireGuard private keys — they are generated on the device and never sent to us
• —Your SSH private keys — they stay encrypted in your browser; obacht only ever sees public keys
• —Your password in plain text — Supabase Auth stores only a salted hash
• —No advertising IDs, no third-party trackers, no behavioural profiling
• —We never sell your data and never share it with advertisers or data brokers

Infrastructure

Obacht runs on European infrastructure (Hetzner, Germany). Devices connect through outbound-only WireGuard tunnels, so your device is never exposed to inbound ports on the public internet. Terminal access uses SSH public-key authentication, and private keys stay encrypted in your browser — obacht never receives them. All connections are encrypted in transit.

Your data, your control

You can delete your account and everything tied to it at any time from the dashboard — this cascades to your devices, metrics, logs, keys, domains and projects. We share data only with the essential providers needed to run the service (hosting and authentication, plus payment processing once billing is live), never with advertisers or data brokers. Metrics and logs are retained only as long as they are useful for operating your devices.