Last updated: March 21, 2026
MekongTunnel ("we", "us", "our") is operated by Ing Muyleang / KhmerStack. This Privacy Policy explains how we collect, use, and protect information when you use the MekongTunnel website and tunneling Service.
1. Information We Collect
Account Information
When you register, we collect:
- Name — used to personalize your dashboard
- Email address — used for authentication, notifications, and support
- Password — stored as a bcrypt hash; we never store plaintext passwords
- OAuth provider data — if you sign in with GitHub or Google, we receive your public profile (name, email, avatar)
Usage Metadata
When you run tunnels, we log:
- Tunnel subdomain, local port, and start/end timestamps
- Total request count and bytes transferred per tunnel
- Source IP address of the machine running the CLI
- CLI version and operating system type
We do not log or inspect the content of HTTP requests or responses passing through your tunnels.
Technical Data
- Browser type and version (for the web dashboard)
- Approximate geographic region (derived from IP, for abuse prevention only)
- Error logs for debugging purposes
2. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Provide the tunneling service | Account info, tunnel metadata |
| Authenticate you | Email, password hash, OAuth tokens |
| Send product updates (if subscribed) | |
| Enforce rate limits and abuse prevention | Source IP, request counts |
| Improve the service | Aggregated, anonymized usage stats |
| Respond to support requests | Email, account info |
We do not sell your personal data to third parties. Ever.
3. Data Sharing
We share data only with:
- Stripe — payment processing for paid plans. Stripe's Privacy Policy governs their use of your payment data. We do not store full card numbers.
- Cloudflare — DNS, DDoS protection, and TLS termination. Traffic passes through Cloudflare's network.
- DigitalOcean — our server infrastructure provider. Your data is stored on servers in Singapore/US East regions.
- GitHub / Google — only if you use OAuth login; they provide your public profile data.
We may disclose data if required by law or to protect the safety of users and the Service.
4. Data Retention
| Data type | Retention period |
|---|---|
| Account information | Until account deletion |
| Tunnel logs (metadata only) | 90 days rolling |
| Billing records | 7 years (legal requirement) |
| Error logs | 30 days |
After account deletion, your personal data is purged within 30 days except where retention is legally required.
5. Your Rights
You have the right to:
- Access — request a copy of your personal data
- Correction — update inaccurate information via your dashboard Settings page
- Deletion — delete your account and associated data from Settings → Delete Account
- Export — request a JSON export of your account data by emailing us
- Opt out — unsubscribe from product emails at any time via the unsubscribe link or dashboard notification settings
To exercise these rights, email ing@mekongtunnel.dev with subject line "Privacy Request".
6. Security
- All data in transit is encrypted with TLS 1.2+
- API tokens are shown once at creation and stored only as hashed prefixes
- Passwords are hashed with bcrypt (cost factor 12)
- We conduct regular dependency audits and security reviews
- See our Security Policy for vulnerability disclosure
7. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us immediately.
8. Cookies
See our Cookie Policy for details on how we use cookies and local storage.
9. Changes to This Policy
We may update this policy from time to time. We will notify registered users by email for material changes. The "Last updated" date at the top reflects the most recent revision.
10. Contact
Privacy questions or requests: ing@mekongtunnel.dev
Ing Muyleang / KhmerStack, Phnom Penh, Cambodia