Privacy Policy

Last updated: February 28, 2026

1. What AirCC Does

AirCC ("we", "us", "our") is a remote terminal tool. You install a lightweight agent on your laptop, server, or VPS, then control it from your phone or browser over a direct, encrypted peer-to-peer connection. We handle signaling and account management; we never touch the content of your terminal sessions.

2. Information We Collect

2.1 Account Data (via Google OAuth)

When you sign in with Google we receive:

  • Name and email address
  • Profile picture URL
  • Google account identifier

We use this solely to create and authenticate your AirCC account. We do not share your Google account data with any third party, use it for advertising, or access any other Google services on your behalf.

2.2 Device Metadata

For each device you register we store:

  • A device name you choose (e.g. "MacBook Pro")
  • A unique device key for pairing
  • Online/offline status and last-seen timestamp

2.3 WebRTC Signaling

To establish a peer-to-peer connection we exchange ICE candidates and SDP offers through our signaling server. These are ephemeral networking messages used only for connection setup and are not stored.

2.4 Push Notification Tokens

If you enable push notifications, we store your device push token so we can notify you when a long-running command completes. You can revoke this at any time through your device settings.

3. Information We Do NOT Collect

This is the most important part:

  • Terminal content — keystrokes, command output, file contents, environment variables, and any other data in your terminal sessions travel directly between your devices over WebRTC data channels encrypted with DTLS. Our servers never see this data.
  • Voice recordings — the speech-to-text feature uses your browser's built-in speech recognition API (Web Speech API). No audio is sent to AirCC servers. Note that your browser may use its own cloud services (e.g. Google's speech recognition in Chrome) to process speech — this is handled by your browser, not by us.
  • Browsing or app usage analytics — we do not embed third-party analytics SDKs or tracking pixels.

4. How We Use Your Information

  • Authenticate your identity and manage your account.
  • Register and pair your devices.
  • Relay signaling messages so your devices can establish P2P connections.
  • Deliver push notifications you opted into.
  • Debug and improve service reliability (using aggregated, non-personal metrics only).

5. Legal Basis for Processing

We process your data under the following legal bases (per GDPR):

  • Contract performance — account data and device metadata are necessary to provide the Service you signed up for.
  • Consent — push notification tokens are collected only when you explicitly opt in. You may withdraw consent at any time.
  • Legitimate interest — aggregated, non-personal metrics to maintain service reliability.

6. Third-Party Services

  • Google OAuth — authentication only. We request only basic profile information (name, email, profile picture). We do not request access to your Google Drive, Gmail, or any other Google service. Subject to Google's Privacy Policy.
  • Supabase — hosts our authentication, database, and real-time signaling infrastructure. Account data is stored in their managed Postgres instances. WebRTC signaling messages (ICE candidates, SDP offers) pass through Supabase Realtime channels but are not persisted.
  • STUN/TURN servers — used for NAT traversal during connection setup. STUN reveals your IP to facilitate the P2P connection. TURN relays are used as a fallback when direct connections fail; relayed data remains DTLS-encrypted and opaque to the relay.

7. Cookies & Tracking

We use only essential cookies required for authentication (session tokens set by Supabase Auth). We do not use advertising cookies, analytics cookies, or any third-party tracking technologies. Because these cookies are strictly necessary to provide the Service, they do not require separate consent under the ePrivacy Directive.

8. Data Sharing & Selling

We do not sell, rent, or trade your personal information to anyone. We do not share your data with third parties for their marketing purposes. The only parties that process your data are the third-party services listed in Section 6, solely to operate the Service. We may disclose information if required by law or to protect our legal rights.

9. International Data Transfers

Our infrastructure (Supabase) may store and process data in regions outside your country of residence. Where data is transferred outside the European Economic Area, we rely on the safeguards provided by our service providers, including Standard Contractual Clauses approved by the European Commission.

10. Data Security

  • Terminal traffic is encrypted end-to-end with DTLS via WebRTC — no plaintext leaves your device.
  • Account data is stored in a managed database with row-level security policies and encrypted at rest.
  • The AirCC agent binary runs under your OS user and has no elevated privileges beyond what your terminal session requires.
  • Device keys are protected by database row-level security so only you can access your own devices.

11. Data Retention

  • Account data is retained while your account is active.
  • Signaling messages are ephemeral and not persisted.
  • When you delete your account, all associated data (profile, devices, tokens) is permanently removed within 30 days.

12. Your Rights

Depending on your jurisdiction (including under GDPR, CCPA, and similar laws), you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate account information.
  • Erasure — delete your account and all associated data at any time.
  • Data portability — receive your data in a structured, machine-readable format.
  • Restrict processing — ask us to limit how we use your data.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — revoke consent for push notifications or other consent-based processing at any time, without affecting prior processing.
  • Unregister individual devices to remove their metadata.

To exercise any of these rights, contact us via the channels listed in Section 15. We will respond within 30 days. If you are in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.

13. Children

AirCC is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect information from children. If you believe a child has provided us with data, please contact us and we will delete it promptly.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the app. Continued use after changes constitutes acceptance. We encourage you to review this page periodically.

15. Contact

For privacy-related questions, data requests, or concerns, reach out via X (@brem_lau).