What we collect

TucDesk collects the minimum data required to operate a managed remote-infrastructure service: your account email and authentication identity, usage metadata (agent IDs, labels, operating system, online state, session timing and duration, audit context, feature usage), and billing information for paid plans.

We do not collect terminal session content. Sessions are end-to-end encrypted between the operator and the agent, and the relay infrastructure carries ciphertext only — session content is never readable by TucDesk.

How we use it

Collected data is used for three purposes: service operation (authenticating operators, routing sessions, enforcing team policy, maintaining reliability, and preventing abuse), billing (administering paid plans and invoices), and support (responding to your requests and diagnosing issues you report).

We do not sell account data, and we never use any of your data for advertising.

What we never collect

TucDesk never collects plaintext terminal session content or command payloads. Every session is encrypted end-to-end with keys negotiated between the operator and the agent — the relay sees ciphertext only and never holds session keys.

We also never store agent private keys, operator private keys, or plaintext passwords. The platform is designed so that this data is never needed by the cloud service.

Data retention

Operational logs are retained for 30 days unless a team policy or enterprise agreement configures a different window. Account data is retained for as long as your account exists and is deleted when you delete your account.

Self-hosted deployments control their own retention entirely — TucDesk receives no runtime data from self-hosted infrastructure.

Third-party services

TucDesk Cloud relies on a small set of processors: Firebase for authentication, Cloudflare R2 for encrypted session recording storage (recordings are encrypted before upload and stored under tenant-prefixed paths), and Stripe for billing. Each processor receives only the data required for its function.

Self-hosted deployments use the processors selected by the operator; TucDesk does not introduce third parties into self-hosted runtimes.

Your rights

Under GDPR and similar regulations you may request access to, deletion of, correction of, or portability of your TucDesk Cloud account data. Email privacy@tucdesk.app and we will respond to verified requests within the statutory window.

If you use a self-hosted deployment, contact the organization operating that deployment — TucDesk does not control self-hosted runtime data.

Contact

Privacy questions, access requests, and deletion requests should be sent to privacy@tucdesk.app. Security reports should go to security@tucnow.com so they follow the coordinated disclosure process.