Privacy Policy
Last updated: June 2026
1. Data Controller
Metro Remote is the trading name of Metro Stack Limited, a private company registered in England & Wales.
- Data controller: Metro Stack Limited (Companies House no. 17195789)
- Contact email: support@metroremote.dev
- Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
- Website: metroremote.dev
- ICO registration: We are exempt from the ICO data protection fee under the exemption for processing only for core business purposes (accounts and records, staff administration) with no large-scale processing of special categories of data. If our processing activities change, we will register and publish our registration number here.
We do not currently appoint a Data Protection Officer (DPO) as we do not process personal data at a scale that requires one under UK GDPR Article 37. If this changes, we will update this policy with DPO contact details. We have conducted a Data Protection Impact Assessment (DPIA) for our automated abuse-detection processing (see Section 14). A copy is available on request by emailing support@metroremote.dev.
2. Overview
Metro Remote ("we", "us", "our") operates the metroremote.dev website and the Metro Remote cloud relay service. This Privacy Policy explains what information we collect, how we use it, the legal basis for processing, and your rights regarding that information.
This policy applies to users worldwide, including users in the United Kingdom, European Economic Area (EEA), and the United States (including California).
We collect the minimum amount of data necessary to provide the service. We do not sell, rent, or share your personal information with third parties for their marketing purposes.
3. Information We Collect
Account Information
- Email address (used for account creation and communication)
- Authentication method (GitHub OAuth)
- Plan and subscription status
- Account creation and last-updated timestamps
GitHub OAuth Data
- GitHub user ID (stored to link your GitHub account)
- GitHub username (read during login for identification but not stored in our database)
- GitHub email address (including your primary verified email, which may be private on GitHub; used as your Metro Remote account email)
- We do not access your GitHub repositories, code, or any other GitHub data
Payment Information
- Payment processing is handled entirely by Stripe. Your email address is shared with Stripe when creating your customer account.
- We store only a Stripe customer ID and subscription ID to link your account to your subscription
- We never store credit card numbers, CVVs, or other payment card details on our servers
- Stripe may set its own cookies during the checkout process - see Stripe's Privacy Policy
Technical Data
- Tunnel encryption credentials. Our API issues your private keys during setup, delivers them to your Mac over HTTPS, and never retains them. After delivery they live only on your Mac; only the matching public key is registered on our servers.
- Device names and tunnel IP addresses
- Relay server assignment and connection status
- API keys (separate keys for CLI and web dashboard sessions, securely hashed before storage)
- Bandwidth usage per device (transfer bytes received and sent, fetched live from the relay and not stored in our database)
OTA Deploy Data
- When you use OTA deploy, your compiled app binary (IPA file) is temporarily uploaded to our server
- IPA files are stored for up to 30 minutes to allow installation, then automatically deleted. The most recent successful deploy per app is retained for up to 2 hours to support rollback, then automatically deleted
- We record the app bundle ID, version, display name, file size, upload notes (if provided), download byte count, and file integrity hash for the deploy session
- Install progress status (whether the install page was opened, manifest fetched, and download completed) is tracked for the duration of the deploy session, then deleted
- We do not inspect the contents of your IPA files
- IPA files are served over HTTPS using a unique, time-limited token URL
MDM Enrollment Data (if you use OTA deploy)
- Device UDID (unique device identifier, used to target app installations)
- Device name (as set on your iOS device, e.g., "John's iPhone")
- Apple Push Notification Service (APNS) push token, push magic, and topic identifier (used to trigger and route app installations on your device)
- Device unlock token (if provided by iOS during enrollment, used for device management operations)
- Enrollment status and last check-in timestamp
- MDM data is retained while your device is enrolled and deleted when you unenrol or delete your account
- Push tokens are sent to Apple's APNS servers to deliver install notifications to your device (see Section 11)
Device Registration Data (if you use the invite command)
- When a tester scans an invite link, we collect their device UDID, device name, device product type (e.g., "iPhone14,2"), and iOS version
- This data is used to register the device with your Apple Developer account for provisioning
- Invite tokens expire after 30 minutes. Collected device data is retained while needed for provisioning, then cleaned up automatically
Waitlist & Email Data
- If you join the waitlist (Solo, Pro, or Team) or become a Founding Member, we collect: your email address, the plan you're interested in, an optional first name (used only to personalize the email greeting), and the page you signed up from
- Lawful basis: consent (UK GDPR Art 6(1)(a)). You can withdraw consent any time via the one-click unsubscribe link in every email or by emailing unsubscribe@metroremote.dev.
- Storage: waitlist entries and email send/bounce metadata are stored in our Postgres database (DigitalOcean, London). Retention: up to 2 years from signup, then deleted.
- Email delivery processor: we use Resend (EU/Dublin region) to send transactional emails. Data shared with Resend: recipient email address, subject, send timestamp, and bounce/complaint metadata. No tracking pixels are enabled.
- Bounced or unsubscribed addresses are added to a deny-list and never receive further emails. You can request full erasure at any time by emailing us.
Data Stored Locally by the CLI
- The CLI stores configuration data on your Mac at ~/.metro-remote/ including your API key, email address, relay IP, and tunnel configuration
- Your tunnel credentials are stored locally on your Mac
- This data stays on your machine and is not sent to us (we already have it server-side). You can delete it at any time by running metro-remote uninstall
Feedback Form Data
- If you submit feedback via the website, we collect: your name (optional), email (optional), feature category, and feedback text
- This data is stored in a Google Sheet via a Netlify Function and is used only to improve the product
- No feedback data is stored in our API database
Usage and Security Data
- Basic server logs (IP addresses, request timestamps) for security and debugging
- Login attempt counts and lockout status (for brute-force protection)
- We do not log, inspect, or store the content of hot reload traffic that passes through the encrypted tunnel
API Usage & Security Data
- API request metadata: timestamps, tool/template names, request frequency
- IP addresses associated with API requests (for multi-account detection)
- Machine identifier hashes (one-way SHA-256, stored for re-entry prevention - not reversible to original identifier)
- Payment card fingerprints (tokenised identifiers from Stripe, stored for re-entry prevention - not full card numbers, PCI-DSS compliant)
- Request timing patterns (interval regularity, burst detection within 60-second windows)
- Duplicate request detection (same tool + parameters within a short dedup window)
4. Legal Basis for Processing (UK GDPR / EU GDPR)
Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing your account information, technical data, and payment data is necessary to provide the Metro Remote service you have subscribed to.
- Legitimate interests (Article 6(1)(f)): Server logs, login attempt tracking, and security monitoring are processed for our legitimate interest in maintaining the security and integrity of the service. We have assessed that this does not override your rights and freedoms.
- Legal obligation (Article 6(1)(c)): We may retain certain billing records as required by UK tax law (HMRC requirements) and applicable financial regulations.
- Contract performance (Article 6(1)(b)): Processing your GitHub profile data (user ID, username, email) is necessary to authenticate you and provide the service. You can revoke GitHub access at any time in your GitHub settings under Applications.
5. Is Providing Your Data Required?
Providing your email address and creating an account is a contractual requirement to use the Service. Without this information, we cannot provision your encrypted tunnel or manage your subscription. You are not obliged to provide this data, but if you choose not to, you will be unable to use Metro Remote.
Signing in via GitHub is required to use the service.
6. How We Use Your Information
- To provide and maintain the Metro Remote service (tunnel provisioning, relay assignment, device management)
- To process payments and manage your subscription via Stripe
- To authenticate you via GitHub OAuth
- To send transactional emails (account verification, billing receipts)
- To diagnose technical issues and improve the service
- To respond to support requests
- To protect against fraud, abuse, and unauthorised access
- Abuse detection and prevention: automated monitoring of API usage patterns to protect service quality and prevent unauthorised access
- Progressive rate limiting: temporary request delays (2 seconds) or blocks (1 hour) when unusual patterns are detected
- Account suspension: automatic suspension when persistent abuse patterns are confirmed, with right to human review (see Section 14)
- Re-entry prevention: machine ID and payment fingerprint checks to prevent suspended users from creating new accounts
We do not use your data for targeted advertising. We do not send marketing emails unless you explicitly opt in. For details on automated decision-making that may affect your account access, see Section 14.
7. Cookies and Local Storage
We use minimal browser storage:
- metro-remote-token (localStorage) - authentication token for the web dashboard (7-day session)
- mr_auth_token / mr_auth_expiry (localStorage) - authentication for beta access gate (7-day session)
- metro-oauth-state / metro-oauth-return (sessionStorage, with localStorage fallback for new-window OAuth flows) - CSRF protection and return URL during GitHub OAuth login. SessionStorage entries cleared when tab closes; localStorage fallback entries include a 10-minute expiry and are cleaned up after use
- metro-cli-pending (sessionStorage) - temporary nonce for CLI authentication flow (cleared after use or when tab closes)
- We do not set any HTTP cookies from our servers. Authentication is handled via Bearer tokens in API request headers.
- We do not use third-party tracking cookies, analytics scripts, or advertising cookies
- Stripe may set its own cookies during checkout - see Stripe Cookie Policy
Because we only use strictly necessary cookies/storage (required for the service to function), we do not require a cookie consent banner under UK PECR or EU ePrivacy Directive.
8. Data Retention
- Account data (email, credentials, plan status): retained while your account is active and deleted within 30 days of account deletion
- Tunnel and device data (tunnel keys, IPs, device names): deleted immediately when you delete your tunnel or account
- OTA deploy files (IPA binaries): automatically deleted within 30 minutes of upload; the most recent build per app retained up to 2 hours for rollback
- Server logs (IP addresses, request timestamps): retained for up to 30 days
- Billing records (Stripe customer ID, subscription ID, plan history): retained for up to 7 years as required by UK tax law (HMRC)
- GitHub OAuth data (GitHub user ID, username): deleted when you disconnect GitHub or delete your account
- Deleted tunnel/device records: soft-deleted records are permanently removed after 30 days
- Login attempt data: login attempt counters reset after a successful login; lockout status expires automatically after the lockout period
- Stripe webhook events: processed event IDs retained for 7 days to prevent duplicate processing, then deleted
- MDM enrollment data (device UDID, APNS tokens, unlock token): marked as unenrolled when the device is unenrolled, then permanently deleted within 30 days or when you delete your account. In-memory MDM command queue data (used during app installations) is automatically cleared after 24 hours
- Subscription grace period: if a payment fails, a 48-hour grace period timestamp is stored and cleared once payment resumes or the subscription is cancelled
- API usage logs: retained for 30 days, then automatically pruned by daily cron job
- Abuse detection metrics (in-memory): session-scoped, cleared on server restart; idle trackers cleaned every 10 minutes (2+ hours idle)
- Escalation state (abuse trigger count, suspension status): persisted in database until manually reviewed and cleared by admin
- Machine ID hashes: retained for 12 months from ban date, then automatically deleted. Earlier removal on successful appeal
- Card fingerprints: retained for 12 months from ban date, then automatically deleted. Earlier removal on successful appeal
- IP-to-keys reverse map: in-memory only, pruned every 10 minutes (entries idle 2+ hours deleted), cleared on server restart
9. Data Security
- All tunnel traffic is encrypted in transit using an industry-standard encrypted tunnel protocol
- Authentication via GitHub OAuth with CSRF state tokens
- API keys are securely hashed and compared
- All web traffic and API communication uses HTTPS/TLS
- GitHub OAuth uses CSRF state tokens to prevent cross-site request forgery
- Relay servers are hardened with restricted access controls, firewalls, and automatic security updates
10. International Data Transfers
Our relay servers are hosted on secure cloud infrastructure and may be located outside the United Kingdom and EEA (currently in the UK, but additional regions may be added).
Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:
- Transfers to Stripe (US) are covered by Stripe's Data Processing Agreement and Standard Contractual Clauses (SCCs)
- Transfers to GitHub (US) are covered by GitHub's Data Protection Agreement and Standard Contractual Clauses
- Transfers to DigitalOcean (US) are covered by DigitalOcean's Data Processing Agreement and the UK International Data Transfer Agreement (IDTA) / EU Standard Contractual Clauses
- Transfers to Apple (US) via APNS for OTA deploy push notifications are covered by Apple's standard terms. Apple acts as an independent controller for APNS delivery data under their own privacy policy
11. Third-Party Services and Data Processors
- Stripe (data processor for payment processing) - We share your email address and an internal account identifier with Stripe to create your customer account. Stripe processes your payment card details directly. We have a Data Processing Agreement (DPA) with Stripe in accordance with UK GDPR Article 28. Stripe Privacy Policy
- GitHub (data processor for OAuth authentication) - We receive your GitHub user ID, username, and email when you sign in. We do not access your repositories or code. GitHub's processing is governed by their Data Protection Agreement. GitHub Privacy Statement
- DigitalOcean (data processor for cloud infrastructure) - Hosts our relay servers. DigitalOcean's processing is governed by their Data Processing Agreement. DigitalOcean Privacy Policy
- Apple Inc. (APNS for OTA deploy) - When you use OTA deploy, we send push notification tokens to Apple's Push Notification Service (APNS) to trigger app installations on your enrolled devices. Apple Privacy Policy
- Google (data processor for feedback only) - Feedback form submissions are stored in Google Sheets via Google's API. Google processes this data under their Cloud Data Processing Addendum. Google Privacy Policy
- Resend (data processor for transactional email) - We use Resend (EU/Dublin region) to send waitlist confirmations and founding-member welcome emails. Data shared: recipient email, optional first name, subject, send timestamp, bounce/complaint metadata. No tracking pixels. Resend Privacy Policy
- Netlify (data processor for website hosting and serverless functions) - Hosts our website and runs serverless functions for feedback and waitlist processing. Netlify's processing is governed by their Data Processing Agreement. Netlify Privacy Policy
We have appropriate data processing agreements in place with all third-party processors in accordance with UK GDPR Article 28. We do not share your personal data with any other third parties. We do not use analytics, advertising, or tracking services.
12. Your Rights
UK and EEA Residents (UK GDPR / EU GDPR)
Under the UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you (Subject Access Request)
- Rectification - request correction of inaccurate data
- Erasure - request deletion of your personal data ("right to be forgotten")
- Restrict processing - request that we limit how we use your data
- Data portability - receive your data in a structured, commonly used, machine-readable format (JSON)
- Object - object to processing based on legitimate interests
- Withdraw consent - where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing. Note: GitHub OAuth is processed under contract performance, not consent; you can disconnect GitHub in your GitHub settings at any time
- Not be subject to automated decision-making (Article 22) - see Section 14 for details on how we handle automated processing
- Explanation of automated decisions - right to a detailed explanation of which metrics triggered any automated suspension decision (GDPR Article 22(3))
- Human review of automated decisions - right to request human review of any automated decision affecting your account
- Deletion of ban data - right to request deletion of machine ID hashes and card fingerprints from ban lists
- Be informed - right to be told the specific metrics that triggered any automated action against your account
To exercise any of these rights, email us at support@metroremote.dev. We will respond within one calendar month as required by UK GDPR Article 12(3). A Legitimate Interest Assessment is available on request for any processing we carry out under legitimate interests. To request account deletion, email us and we will cancel your subscription, delete your tunnels, devices, and MDM enrolments, and remove your account data within 30 days (billing records retained as required by law).
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, Tel: 0303 123 1113. In the EU, contact your local data protection authority.
California Residents (CCPA / CPRA)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have additional rights:
- Right to Know - request the categories and specific pieces of personal information we have collected
- Right to Delete - request deletion of your personal information
- Right to Correct - request correction of inaccurate personal information
- Right to Non-Discrimination - we will not discriminate against you for exercising your rights
We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use your data for cross-context behavioural advertising. There is no need to opt out because we do not engage in these practices.
To exercise your rights, email us at support@metroremote.dev. We will verify your identity and respond within 45 days.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the ICO within 72 hours of becoming aware of the breach (as required by UK GDPR Article 33)
- Notify affected individuals without undue delay (as required by UK GDPR Article 34)
- Provide details of the breach, its likely consequences, and the measures taken to address it
14. Automated Decision-Making
Legal basis: We process abuse-detection data under GDPR Article 6(1)(f) - legitimate interests. Our legitimate interest is protecting the service from abuse, ensuring fair access for all users, and preventing unauthorised extraction of proprietary algorithms. We have assessed that this interest is not overridden by your rights, given the proportionate nature of the measures (progressive escalation, grace periods, right to appeal).
We use automated systems to monitor API usage patterns and protect service quality. These systems may make decisions that affect your access to the Service:
Automated decisions that may be applied
- Request delays: 2-second delay for 15 minutes (warning tier)
- Rate limiting: HTTP 429 block for 1 hour (rate-limit tier)
- Account suspension: HTTP 403 suspension until human review (suspend tier)
Metrics monitored
These decisions are based on monitoring of:
- Request volume (hourly and daily)
- Duplicate request patterns
- IP address diversity
- Request burst frequency
- Multiple API keys from the same source
- Request timing regularity
Specific thresholds are calibrated to distinguish normal usage from abuse. You may request the specific thresholds applicable to your account by emailing support@metroremote.dev.
Grace period and escalation
New accounts receive doubled thresholds for the first 24 hours after signup. Escalation is progressive and time-based: a first trigger starts a 15-minute delay window; a second trigger within 24 hours starts a 1-hour block window; a third trigger within 24 hours results in suspension. Each escalation tier has its own timer - when a timer expires without further triggers, the escalation level for that tier resets. Suspension persists until human review.
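The progressive escalation described above (warning, rate-limit, suspend tiers with a doubled-threshold grace period for new accounts), as an added example that is not Metro Remote's own code; the hourly request threshold, the use of a 24-hour trigger memory as the per-tier reset mechanism, and the in-memory state layout are assumptions.

```python
from dataclasses import dataclass, field

WARNING_WINDOW = 15 * 60            # 2-second delay applied for 15 minutes
RATE_LIMIT_WINDOW = 60 * 60         # HTTP 429 block for 1 hour
TRIGGER_MEMORY = 24 * 60 * 60       # triggers escalate only within 24 hours
NEW_ACCOUNT_GRACE = 24 * 60 * 60    # doubled thresholds for the first 24 hours
HOURLY_LIMIT = 1000                 # assumed baseline requests-per-hour limit

@dataclass
class AccountState:
    """Per-account escalation state (assumed layout, kept in memory)."""
    signup_at: float
    triggers: list = field(default_factory=list)   # timestamps of past triggers
    warning_until: float = 0.0
    blocked_until: float = 0.0
    suspended: bool = False          # persists until an admin clears it

def effective_limit(state: AccountState, now: float) -> int:
    """New accounts get doubled thresholds during their 24-hour grace period."""
    if now - state.signup_at < NEW_ACCOUNT_GRACE:
        return HOURLY_LIMIT * 2
    return HOURLY_LIMIT

def record_trigger(state: AccountState, now: float) -> str:
    """Escalate one tier per trigger seen within the 24-hour memory window;
    older triggers are forgotten, which is how an expired tier resets."""
    state.triggers = [t for t in state.triggers if now - t < TRIGGER_MEMORY]
    state.triggers.append(now)
    if len(state.triggers) == 1:
        state.warning_until = now + WARNING_WINDOW
        return "warning"
    if len(state.triggers) == 2:
        state.blocked_until = now + RATE_LIMIT_WINDOW
        return "rate-limit"
    state.suspended = True
    return "suspend"

def decide(state: AccountState, hourly_requests: int, now: float):
    """Return (http_status, delay_seconds, tier) for one request at time `now`."""
    if state.suspended:
        return (403, 0.0, "suspend")
    if now < state.blocked_until:
        return (429, 0.0, "rate-limit")
    if hourly_requests > effective_limit(state, now):
        tier = record_trigger(state, now)
        if tier == "suspend":
            return (403, 0.0, tier)
        if tier == "rate-limit":
            return (429, 0.0, tier)
    if now < state.warning_until:
        return (200, 2.0, "warning")
    return (200, 0.0, "ok")

def clear_suspension(state: AccountState) -> None:
    """Human review found a false positive: reinstate and reset escalation."""
    state.suspended = False
    state.triggers.clear()
    state.blocked_until = state.warning_until = 0.0

def simulate() -> list:
    """Constructed event sequence: (seconds since signup, requests in last hour)."""
    state = AccountState(signup_at=0.0)
    t0 = 2 * 24 * 3600                        # well past the new-account grace
    events = [
        (3600, 1500),          # day 1: over 1000 but under the doubled limit
        (t0, 1500),            # first trigger -> warning tier
        (t0 + 60, 500),        # inside 15-minute warning window -> still delayed
        (t0 + 3600, 500),      # warning window expired -> normal
        (t0 + 7200, 1500),     # second trigger within 24h -> rate-limit tier
        (t0 + 7800, 500),      # inside 1-hour block -> 429
        (t0 + 11000, 1500),    # third trigger within 24h -> suspend
        (t0 + 20000, 10),      # suspended until human review
    ]
    return [decide(state, n, float(t)) for t, n in events]
```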
Your rights under GDPR Article 22
- Right not to be subject to solely automated decisions: Suspensions are applied immediately to protect service integrity against active abuse (GDPR Article 22(2)(b) - necessary for contract performance). However, you may request immediate human review, and we will respond within 24 hours. If the suspension is found to be a false positive, your account will be reinstated immediately.
- Right to human review: Contact support@metroremote.dev to request human review of any automated decision. A human will review your usage patterns and the specific metrics that triggered the decision.
- Right to contest: You may dispute any automated suspension and provide your perspective on why your usage was legitimate.
- Right to explanation: You may request a detailed explanation of which metrics triggered the decision and what thresholds were exceeded.
- Right to object: Under GDPR Article 21, you may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Response time: We aim to respond to all appeals within 24 hours. In the event of bulk appeals (e.g., false positive incident), we will acknowledge receipt within 24 hours and provide a transparent timeline for full review.
Billing-related automated decisions
Our billing system also automatically adjusts service access based on subscription status (e.g., if a payment fails, device access may be paused after a 48-hour grace period). This is a standard service management process. You can contact us at any time to query or dispute any billing-related service changes.
15. Children
Metro Remote is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us and we will delete it promptly.
16. Complaints Procedure
If you have a complaint about how we handle your personal data or provide the Service:
- Step 1: Contact us at support@metroremote.dev. We aim to resolve complaints within 14 days.
- Step 2: If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on the website at least 14 days before the changes take effect. Your continued use of the service after changes constitutes acceptance of the updated policy. Previous versions of this policy are available on request.
18. Contact
If you have questions about this Privacy Policy, your data, or wish to exercise any of your rights, contact us at support@metroremote.dev.