Privacy Policy
Preamble
Neoservice Sàrl ("Publisher" or "we"), as the controller of personal data, is committed to protecting the privacy of users of the TransHub AI service ("Service"). This Privacy Policy describes the nature of personal data collected through the Service, the purposes and legal bases for their processing, the conditions of their retention, and the rights available to users.
It complies with the General Data Protection Regulation (GDPR – EU 2016/679) and the new Swiss Federal Act on Data Protection (nFADP, in force since September 1, 2023).
Article 1 — Data Controller
The data controller is:
Neoservice Sàrl
Switzerland
Contact: hello@neoservice.ai
Website: https://app.transhubai.com
Article 2 — Data Collected and Purposes
2.1 Account data
When registering for the Service, we collect:
- Email address (via direct registration or GitHub/Google SSO)
- Full name (via direct registration or GitHub/Google SSO)
- Password (hashed and never stored in plaintext — managed by the Frappe framework)
- API keys generated for Service access (encrypted in the database)
Purpose: Account creation and management, authentication, security.
Legal basis (GDPR): Performance of a contract (Art. 6(1)(b) GDPR).
2.2 Device data
When associating a device with an Account, we collect:
- Unique device identifier (generated locally)
- Device name (set by the user)
- Connection status (online / offline)
- Tunnel JWT token (90-day lifespan, automatically renewed)
Purpose: Device management, remote access (tunnel relay), synchronization.
Legal basis (GDPR): Performance of a contract (Art. 6(1)(b) GDPR).
2.3 SSH server data
SSH/SFTP server configurations (server name, host, port, username) may be synchronized to the cloud if the user enables this feature. Sensitive elements of these configurations (SSH passwords, private keys) are encrypted locally via electron.safeStorage (AES-256) before any transfer and are never transmitted or stored in plaintext on our servers.
Purpose: Synchronization of configurations across devices.
Legal basis (GDPR): Performance of a contract (Art. 6(1)(b) GDPR) and consent (voluntary activation of synchronization, Art. 6(1)(a) GDPR).
2.4 Payment data
Payment data (card numbers, etc.) is managed exclusively by Stripe, Inc., our PCI DSS-certified payment service provider. We do not store any banking data on our servers. We retain only the billing information necessary for subscription management (amount, date, transaction reference, status).
Purpose: Subscription and billing management.
Legal basis (GDPR): Performance of a contract (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR).
2.5 Tunnel relay data (remote access)
When using the remote access feature, data transits via a WebSocket relay server hosted in Europe. This data is end-to-end encrypted and is not stored on the relay server. We maintain tunnel session logs for audit and security purposes, containing: device identifier, user identifier, connection and disconnection timestamps.
Purpose: Remote access feature delivery, security, audit.
Legal basis (GDPR): Performance of a contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR — Service security and integrity).
2.6 Integrated AI chat
Conversations conducted via the integrated AI chat are processed by third-party AI tools (Claude, Gemini, Codex) installed locally on the user's machine. These conversations do not transit through the Publisher's servers and are not stored on our servers. Everything remains local on the user's machine. Users are subject to the terms of use and privacy policies of the AI providers they use.
2.7 Browsing data (logs)
We may collect technical browsing data on the web dashboard for security and diagnostic purposes, including IP addresses, browser types, and access timestamps. This data is pseudonymized and does not directly identify the user without additional information.
Purpose: Security, technical diagnostics, fraud prevention.
Legal basis (GDPR): Legitimate interests (Art. 6(1)(f) GDPR).
Article 3 — Cookies and Tracking Technologies
The Service uses a minimal number of cookies, strictly necessary for its operation:
- Session cookie (authentication): required to maintain the user's connection to the web dashboard.
- CSRF cookie: required for form security.
We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies. These strictly necessary cookies do not require the user's prior consent under GDPR, as their use is essential to the operation of the Service. They are deleted upon session closure or after a limited period.
Article 4 — Sub-processors and Data Recipients
The Publisher uses the following sub-processors and recipients:
| Sub-processor | Purpose | Location / Safeguards |
| --- | --- | --- |
| Frappe / application server | Backend hosting, account management, user data | Europe — GDPR compliant |
| WebSocket relay server | Remote access tunnel | Europe — GDPR compliant |
| Stripe, Inc. | Payment processing, subscription management | USA — PCI DSS certified, EU Standard Contractual Clauses (SCCs) |
| GitHub (SSO) | Authentication via GitHub OAuth (optional) | USA — EU SCCs / Privacy Framework |
| Google (SSO) | Authentication via Google OAuth (optional) | USA — EU SCCs / Privacy Framework |
Article 5 — International Data Transfers
Some sub-processors are established outside the European Union and Switzerland (notably Stripe, GitHub, and Google, established in the United States). These transfers are governed by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Adherence to the EU-US Data Privacy Framework for applicable providers;
- Equivalent mechanisms recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
In all circumstances, the Publisher ensures that these transfers provide an adequate level of protection in accordance with GDPR and nFADP.
Article 6 — Data Retention
| Data category | Retention period |
| --- | --- |
| Account data | Duration of subscription + 3 years after termination (legal accounting obligations) |
| Device data | Token validity (90 days) or until device removal |
| SSH server configurations | Duration of subscription or until deleted by the user |
| Payment / billing data | 10 years (Swiss legal accounting obligation — CO Art. 958f) |
| Tunnel session logs (audit) | Rolling 90 days |
| Browsing logs | Rolling 30 days |
| AI chat data | Not retained by the Publisher (local storage only) |
Article 7 — User Rights
In accordance with GDPR and nFADP, each user has the following rights regarding their personal data:
7.1 Right of access (Art. 15 GDPR / Art. 25 nFADP)
The user may obtain confirmation that data concerning them is being processed and receive a copy.
7.2 Right of rectification (Art. 16 GDPR / Art. 32 nFADP)
The user may request the correction of inaccurate or incomplete data.
7.3 Right to erasure (Art. 17 GDPR)
The user may request the deletion of their personal data, subject to legal retention obligations.
7.4 Right to restriction of processing (Art. 18 GDPR)
The user may request restriction of processing of their data in the cases provided for by GDPR.
7.5 Right to data portability (Art. 20 GDPR)
The user may receive their personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
7.6 Right to object (Art. 21 GDPR)
The user may object to the processing of their data where it is based on the Publisher's legitimate interests.
7.7 Right to withdraw consent
Where processing is based on consent, the user may withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
7.8 Exercising rights
To exercise any of these rights, the user may send a request by email to hello@neoservice.ai, stating their full name and the email address associated with their Account. The Publisher will respond promptly and no later than 30 days (or 3 months for complex requests, with prior notification).
7.9 Right to lodge a complaint
If the user believes their rights are not being respected, they may lodge a complaint with the competent data protection authority:
- In Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
- In the European Union: the data protection authority of their Member State of residence.
Article 8 — Data Security
The Publisher implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption of sensitive data (SSH passwords, private keys) via electron.safeStorage (AES-256) before any storage or transfer
- Hashing of user passwords (never stored in plaintext)
- Encryption of API keys in the database
- End-to-end encryption of data transiting through the WebSocket tunnel relay
- Servers hosted in Europe in datacenters compliant with applicable security standards
- Data access restricted to authorized personnel on a least-privilege basis
- Time-limited tunnel JWT tokens (90-day lifespan)
In the event of a data breach likely to result in a high risk to users' rights and freedoms, the Publisher commits to notifying the affected individuals and, where applicable, the competent authorities within the statutory deadlines.
Article 9 — Minors
The Service is intended for adults (18 years and older). The Publisher does not knowingly collect personal data from minors. If a minor has registered for the Service without the consent of their legal representative, the latter may contact the Publisher at hello@neoservice.ai to request deletion of the account and associated data.
Article 10 — Changes to This Privacy Policy
The Publisher reserves the right to modify this Privacy Policy at any time, in particular to adapt to new legal obligations or changes to the Service. In the event of material changes, the user will be informed by email or via a notification in the Service with reasonable notice. The effective date of the new version is indicated at the top of the document. Continued use of the Service constitutes acceptance of the changes.
Article 11 — Contact and Data Protection
For any questions about this Privacy Policy, the protection of your personal data, or to exercise your rights, please contact:
Data Protection Contact — Neoservice Sàrl
Email: hello@neoservice.ai
Website: https://app.transhubai.com
Neoservice Sàrl is based in Switzerland and is not legally required to designate a Data Protection Officer (DPO) under Art. 37 GDPR. However, the Publisher commits to handling all data protection requests diligently and within the statutory timeframes.