Privacy Policy
Last updated: April 18, 2026
HostAnywhere is a mesh networking product operated by the HostAnywhere team. This policy describes what information our web dashboard, desktop apps (Windows / macOS / Linux), and mobile apps (iOS / Android) collect, how we use it, and the choices you have. It applies to the HostAnywhere service at hostanywhere.io and all our apps.
What we collect
Account information
- Email address you signed in with (via Google, Apple, Microsoft, GitHub, or magic link)
- The display name your OAuth provider returns (optional, used only in team UIs)
- An authentication token (JWT) stored locally on your device so you stay signed in
Device information
- Device name (hostname on desktop, model name or user-set name on mobile)
- Platform identifier (e.g. "macos", "ios", "android", "linux", "windows")
- A WireGuard public key generated locally on the device (the matching private key never leaves the device)
- Last-seen timestamp — a heartbeat sent every 30 seconds while the agent is running, so the dashboard can show "Live" / "Off" status
- Public IP address as observed by our relay server at connection time — used for direct-peer endpoint discovery (NAT hole-punching)
Mesh and tunnel metadata
- The mesh IP (100.64.0.x) assigned to each device on your network
- Subdomains you configure for your internet-exposed services (e.g.
my-app.hostanywhere.io) and the local address on your device they forward to (e.g.localhost:3000) - Device-to-device connection events (direct vs. relayed) for routing metrics
What we do not collect
- The contents of your traffic. Data sent through your mesh tunnel is end-to-end encrypted with WireGuard using keys that only your devices hold. We cannot decrypt or inspect packets — even on our relay servers where encrypted packets pass through.
- The content of your files, messages, or any application-layer data
- Advertising identifiers, cross-site trackers, or analytics fingerprinting
- Location data beyond the public IP your device connects from
- Any biometric data
Why we collect it
| Data | Purpose |
|---|---|
| Account identity, password-less sign-in, service notifications | |
| Device name + platform | Labels in the dashboard so you can tell which device is which |
| WireGuard public key | Distributing your peer identity to your other devices so they can encrypt for you |
| Heartbeat / last-seen | Dashboard status ("Live" / "Off" / "Last seen 2h ago") |
| Public IP + port | NAT-hole-punching so your devices connect directly when possible instead of relayed |
| Subdomain + local address | Routing incoming public requests to the correct device and port |
VPN and network traffic (mobile apps)
The iOS and Android apps use the platform's VPN APIs
(NEPacketTunnelProvider on iOS, VpnService on
Android) to route mesh-bound traffic through a local WireGuard tunnel.
The tunnel only handles traffic destined for the 100.64.0.0/10
mesh address range. All other traffic from your phone goes out via your
normal internet connection without entering the tunnel. We never log,
inspect, sell, or share the content of any traffic passing through the
tunnel.
Who we share with
We do not sell, rent, or trade personal information. We share limited data only with the following categories of service providers, solely to operate the product:
- Cloud infrastructure (e.g. Cloudflare, Oracle Cloud, Microsoft Azure): hosts our relay servers, control plane, and DNS. Encrypted tunnel packets pass through these providers but are not readable by them.
- Payment processing (Stripe): used only if you purchase a paid plan on hostanywhere.io. We never see or store full card numbers.
- Email delivery: transactional emails (magic-link sign-in, team invitations) are sent via a third-party email provider.
- OAuth providers (Google, Apple, Microsoft, GitHub): only during sign-in; we receive your email address and the OAuth provider's stable user ID.
Data retention
- Account data persists while your account is active
- You can delete your account and all associated data at any time: on the web dashboard (Settings → Delete Account) or inside the mobile apps (Settings → Delete Account)
- After deletion, your account email, devices, mesh peer records, tunnels, and team memberships are removed within 24 hours. Server logs may retain anonymized IP addresses for up to 30 days for security and abuse detection
Children
HostAnywhere is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, email us and we will delete it.
Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data. You can exercise access, export, or deletion directly in the dashboard or apps (Settings → Delete Account). For other requests — or if the self-service tools don't cover your case — email [email protected].
Security
All traffic between your devices and our servers is encrypted in transit via TLS 1.2+. Mesh traffic between your devices uses end-to-end WireGuard encryption — the private key never leaves the device that generated it. Session tokens are stored in your platform's secure store (Keychain on Apple, Android Keystore-backed EncryptedSharedPreferences, OS credential store on desktops).
Changes to this policy
We will update this page when we change how HostAnywhere handles data. Material changes — anything that expands what we collect or how we share it — will be announced in-app or by email at least 14 days before taking effect.
Contact
Questions, deletion requests, or any other privacy concern:
[email protected]
This policy applies to the HostAnywhere web dashboard, Windows / macOS / Linux agents, and the HostAnywhere iOS and Android apps.