Skip to content

Privacy Policy

Localport is built on a simple promise: your traffic is yours. We collect the minimum information needed to run the service, we hold it for the shortest time we reasonably can, and we apply the GDPR, the UK GDPR, the CCPA, and the other data protection laws that apply where you live. While a tunnel is active, the traffic flowing through it does not leave the region you selected for that tunnel, and the account and operational data we store to run the service is held in the European Union (EU). This policy is the detail behind those promises.

Last updated: May 30, 2026

1. Who We Are

Localport is a product operated by Masteren Labs, a sole proprietary concern based in India ("Masteren Labs," "Localport," "we," "us"). When you use Localport, we act as the controller of the account, billing, and operational data described below. When you expose your own application through a tunnel, that application and its users remain your responsibility. We do not act as a controller for whatever you choose to route through us.

2. Scope

This policy covers https://localport.io, the Localport dashboard, our APIs, the Localport CLI, our edge network, tunnel domains, billing flows, and support channels. It does not cover third-party sites or services you connect to or link from Localport. Those are governed by their own notices.

3. What We Collect

Account

Your email, name, the login method you chose, and session state. If you verify your email, we record that.

Teams and members

Team names, member roles, invitations, ownership, administrative actions, and account status.

Tunnel configuration

The names, identifiers, kinds, regions, subdomains, reserved ports, custom domains, IP allowlists, mTLS settings, and access tokens you create. We store hashes of tokens. The raw value is shown to you once at creation and is not retained on our side.

Operational records

Connection counts, bytes transferred, request counts, session start and end times, edge region, client IP addresses, disconnect reasons, and other events needed to run the service, enforce plan limits, and respond to abuse. We do not record the contents of your requests or responses as part of normal operation.

mTLS

When you turn on mTLS for a tunnel, we store certificate metadata (issuer, subject, serial, expiry), certificate status, revocation entries, access decisions, source IPs, and timestamps. Private key material that Localport generates on your behalf is stored encrypted at rest.

Billing

Your plan, subscription status, renewal date, the customer and subscription identifiers given to us by the payment provider, invoice references, bandwidth and usage totals, and billing contact details. Card numbers and CVV codes never reach our servers. They go directly to the payment provider.

Website and product events

When you visit our website or dashboard, our servers see standard request metadata: URL, referrer, IP address, and user agent. Inside the product we record a small set of events (sign-up, checkout, tunnel created, plan changed) so we can tell whether something is broken. We do not run advertising trackers or profile you for ads.

Support

If you write to us, we keep your message, our reply, and anything you attached.

4. Tunnel Traffic

Tunnel traffic is what flows through Localport between the public internet and your client or service. We treat it as transit. We do not log payloads, build search indexes over them, sell them, hand them to advertisers, or use them to train models.

How much of a request our infrastructure ever sees depends on the tunnel mode you pick:

  • TCP and TLS passthrough. Bytes are forwarded. We do not have the keys and we do not inspect the payload.
  • HTTP. The edge reads the routing information needed to send the request to the right tunnel. The body is forwarded.
  • HTTPS termination and mTLS-protected HTTP. The edge holds the TLS certificate so it can provide HTTPS or check client certificates. Requests pass through in plaintext in memory only long enough to be forwarded.

We record only the operational metadata listed in Section 3: counts, sizes, timestamps, and addresses. This is the minimum we need to bill, to keep the platform up, and to push back on abuse.

Localport does not provide malware scanning, antivirus inspection, content filtering, web application firewall services, or moderation of what you send through your tunnel. We do not detect, classify, sanitize, or block hostile traffic aimed at your service. You are responsible for what runs behind your tunnel.

5. How We Use Data

  • Run the service. Sign you in, create tunnels, route traffic, charge subscriptions, and send service email.
  • Keep the platform healthy. Measure load, diagnose outages, investigate abuse, and defend the network.
  • Enforce plans. Count bandwidth and tunnels, apply limits, and handle overages.
  • Talk to you. Answer support requests and send security and billing notices.
  • Comply with law. Respond to lawful requests, defend ourselves in disputes, and preserve records we are required to keep.

We do not use your account data, your tunnel metadata, or your traffic for advertising. We do not sell personal data. We do not feed your traffic into machine learning systems.

6. Cookies

The marketing website does not set advertising cookies. The dashboard uses strictly necessary cookies to keep you signed in and to remember your interface preferences. That is all.

7. Who We Share With

We share personal data only where it is needed to run Localport or where the law requires it. The categories are short:

  • Infrastructure providers that host our servers, databases, and edge network.
  • Payment processors that handle checkout, subscriptions, tax, and invoices.
  • Email delivery for one-time codes, account, billing, security, and support email.
  • Identity providers if you sign in with a third party.
  • Professional advisers such as lawyers, auditors, accountants, and insurers, bound by confidentiality.
  • Law enforcement and authorities when required by valid legal process, or to protect rights, users, and the public.
  • An acquirer in the event of a merger, financing, restructuring, or sale of the business.

We do not share data with advertising networks. We do not enrich your profile from third-party data brokers.

8. Retention

  • Account and team data is kept while your account is open.
  • Tunnel configuration is kept while it is in use and removed shortly after deletion, subject to backup rotation.
  • Operational records (connections, bandwidth, session events) are kept up to twelve months unless a longer period is needed for investigation, billing, or legal reasons.
  • mTLS certificate and access records are kept while the feature is enabled and for a reasonable period after, for security and audit purposes.
  • Billing and tax records are kept for as long as tax law requires, typically up to seven years.
  • Support correspondence is kept while it is useful and then removed on normal business retention.
  • Backups are overwritten on their normal rotation.

When data is no longer needed, we delete it, aggregate it, or strip identifiers.

If your account or team is suspended for suspected abuse, fraud, security risk, or breach of the Terms, we will hold the account, its data, and related records under the retention periods above while we investigate, while a dispute or chargeback is open, and for as long as we may need them to defend ourselves, cooperate with law enforcement, or respond to a regulator. Suspension does not, on its own, trigger deletion.

9. Security

We use encryption in transit, hashed or encrypted credentials at rest, scoped access for engineers, isolated tenancy at the network layer, and monitoring across the platform. Production access is limited and audited. Where applicable law requires us to notify affected users of a security incident, we will do so on the timeline that law sets.

No service over the internet is perfect, and the controls described in this section are not a representation that the service or any data within it cannot be compromised. You are responsible for the security of anything you choose to expose, including patching, authentication, monitoring, and incident response. If you believe you have found a vulnerability in Localport itself, write to [email protected] and give us a fair opportunity to respond before disclosing it elsewhere.

10. Data Residency and International Transfers

While a tunnel is active, its traffic stays in the region you selected. Each tunnel is anchored to an edge in the region chosen at creation, the client establishes its session with that edge, and the bytes that flow between the public internet and your service pass through that edge only. We do not relay an active tunnel's traffic through another region, we do not mirror it to another region, and we do not copy it into the systems that run the dashboard, billing, analytics, or backups.

The personal data we hold to run Localport is stored in the European Union. This includes your account, your teams, your billing records, your tunnel configuration, and the operational records described in Section 3, including the records relating to tunnels you choose to run in any region. Where we store this data does not change with the region a tunnel uses. While a tunnel is active, its traffic remains in the region you selected for it, and the records we keep about that tunnel are held on our systems in the European Union.

A limited number of the service providers we rely on, such as our payment processor, our email provider, and any identity provider you use to sign in, may process the data they need outside the European Union. Localport is operated from India, and our personnel may access data held in the European Union in order to operate and support the service. Where personal data is transferred across a border, we rely on the legal mechanisms recognised under applicable law, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where they apply. We do not transfer personal data to a jurisdiction that lacks an adequate level of protection unless one of those mechanisms is in place or the transfer is otherwise lawful under the law that protects you.

11. Your Rights Under Privacy Law

We honour the rights given to you by the data protection law that applies where you live. If your processing falls under the GDPR or the UK GDPR, that includes the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where consent is the legal basis. Our lawful bases include contract performance, legitimate interests in operating and securing the service, compliance with legal obligations, and your consent where consent is required.

If you are a California resident covered by the CCPA, you have the rights to know, delete, correct, and limit the use of sensitive personal information, and the right to non discrimination for exercising those rights. Localport does not sell personal information, does not share it for cross context behavioural advertising, and does not process sensitive personal information for inferring characteristics about you.

To exercise any of these rights, email [email protected] from the address on your account. We may ask you to verify your identity before we act. We will respond within the timelines that the applicable law requires. You also have the right to complain to the data protection authority in your country, although we would prefer that you write to us first so we can put the issue right.

We are required to keep some records, including those related to billing, fraud, security, and legal matters. Those will remain on file for the periods set out in Section 8, even after the rest of your data is removed.

12. Children

Localport is not intended for anyone under 18, and we do not knowingly collect data from minors. If you believe a child has signed up, write to [email protected] and we will remove the account.

13. Account Deletion

You can schedule account deletion from the dashboard. There is a short grace period during which you can change your mind and cancel the deletion. After that, the account, its teams (where you are the sole owner), tunnels, and tokens are removed.

  • Cancel any active paid subscription before deleting. Deletion does not refund a paid period that is already running.
  • Billing, tax, fraud, security, audit, legal, and backup records may be retained as described in Section 8.
  • Deletion is final once the grace period closes.

14. Changes

We will update this policy when the service or the law changes. Material changes will be announced by email, by dashboard notice, or on this page. The "Last updated" date at the top is the authoritative version.

15. Contact

Masteren Labs (sole proprietary concern, India)
Privacy: [email protected]
Security: [email protected]
Grievance: [email protected]
Support: [email protected]
Website: https://localport.io