LRO Privacy Policy
1. General
1.1. This Privacy Policy (the «Policy») describes how personal data of Users of the LRO (Link for Remote Operations) service (the «Service»), available at https://lro.link and https://app.lro.link, is collected, used, stored, and shared by Sole Proprietor LINKRO (the «Operator», «we»).
1.2. The Policy forms an integral part of the Terms of Service and applies together with them. Terms that are not defined here have the meanings given in the Terms of Service.
1.3. By using the Service, the User confirms that they have read this Policy and agree to the conditions for processing their personal data set out in it.
1.4. If the User is located in the EEA, the United Kingdom, or Switzerland, the Operator processes personal data in accordance with the General Data Protection Regulation (GDPR).
2. Principles of processing
The Operator processes personal data in accordance with the following principles:
- Lawfulness, fairness and transparency — processing is carried out on lawful grounds and in a way that is understandable to the User.
- Purpose limitation — data is collected only for the purposes set out in the Policy and is not used in ways incompatible with them.
- Data minimisation — we only ask for data that is necessary to provide the Service.
- Accuracy — the User has the right to correct their data at any time.
- Storage limitation — data is kept no longer than is required for the processing purposes.
- Integrity and confidentiality — technical and organisational measures are applied to protect data against unauthorised access.
3. What data we collect
3.1. Account data
- email address;
- password hash (the password itself is never stored in plain text);
- display name (optional);
- interface language;
- organisation membership and role within it;
- email verification status, global administrator flag.
3.2. Agent and connection data
- Agent name (set by the User);
- Agent identifier and public key (cryptographic);
- IP addresses from which the Agent connected;
- Agent connect and disconnect times;
- traffic volume per Agent (in bytes);
- tunnel configuration: names, endpoint identifiers, allowed IP addresses.
3.3. Tunnel metadata
- tunnel open and close times;
- identifiers of the tunnel's two ends;
- traffic volume that passed through the tunnel.
3.4. Payment data
- transaction history: type, amount in coin/USD, date, link to subscription/package;
- payment identifiers in the Paddle system.
3.5. Technical data
- IP address and user-agent at web panel sign-in;
- log data from the web server and server-side components for diagnostics and security purposes.
3.6. Browser local storage
The web panel and the landing page use the browser's localStorage to:
- store the JWT session token;
- remember the chosen interface language.
No tracking cookies or third-party analytics scripts are used.
4. Purposes of processing and legal bases
| Purpose | Data | Legal basis (GDPR art. 6) |
|---|---|---|
| Registration, authentication, and account management | 3.1 | Performance of contract (b) |
| Provision of Service features (tunnels, agents) | 3.2, 3.3 | Performance of contract (b) |
| Billing, traffic accounting, invoicing | 3.2, 3.4 | Performance of contract (b) |
| Sending transactional emails (email verification, password reset, subscription notifications) | 3.1 | Performance of contract (b) |
| Protection of the Service and prevention of abuse | 3.2, 3.3, 3.5 | Legitimate interest (f) |
| Compliance with statutory requirements (tax, accounting) | 3.4 | Legal obligation (c) |
| Handling disputes and claims | all | Legitimate interest (f) |
Marketing communications based on User consent are currently not sent. If they are introduced, the Operator will request a separate consent that can be withdrawn at any time.
5. Retention periods
| Category | Period |
|---|---|
| Account data | Until the User deletes the account, plus 90 days of technical retention for dispute resolution |
| Agent and connection metadata | Up to 12 months after the Agent is disconnected |
| Tunnel metadata (open/close/volumes) | Up to 12 months |
| Payment history | In accordance with tax-law requirements of the applicable jurisdiction (typically 5 years) |
| Web server and server-side component logs | Up to 30 days |
| Tunnel content | Not stored |
After the period expires, data is deleted or anonymised. Backups are retained for up to 90 days and then destroyed under the standard rotation schedule.
6. Sharing data with third parties
The Operator engages the following sub-processors:
| Processor | Role | Jurisdiction | Data transferred |
|---|---|---|---|
| Paddle.com Market Ltd | Payment processing, Merchant of Record | United Kingdom / EU | email, name, country, card details (directly to Paddle), transaction amount |
| Cloud infrastructure provider | Hosting of the Service's server-side components | EU | all data processed by the Service |
| Transactional email provider | Delivery of system and service emails | USA | recipient email, email content |
| Functional Software, Inc. (Sentry) | Crash and error diagnostics for the mobile apps | EU data region (provider USA) | stack traces (incl. native crashes), device model, OS and app version — no IP, no identifiers (see Annex A.4) |
A current list of sub-processors with their legal names is provided on request at info@lro.link.
The Operator does not sell or transfer personal data to third parties for purposes unrelated to providing the Service, except in the following cases:
- receipt of a binding request from competent state authorities;
- protection of the Operator's rights and interests in court;
- existence of the User's written consent.
7. International data transfers
7.1. The Service's primary infrastructure is located in the EU.
7.2. When transferring data to sub-processors outside the EEA (for example, to the transactional email provider in the USA), the Operator relies on Standard Contractual Clauses (SCC) approved by the European Commission and on additional safeguards where applicable.
8. Data subject rights
The User has the following rights regarding their personal data:
- Access — obtain a copy of the data processed about them.
- Rectification — correct inaccurate or incomplete data through the web panel or by request to support.
- Erasure («right to be forgotten») — delete the account and associated data, subject to mandatory retention periods (section 5).
- Restriction of processing — pause processing in case of a dispute about accuracy or lawfulness.
- Portability — receive their data in a machine-readable format (JSON).
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — withdraw previously given consent at any time (where processing is based on consent).
- Lodging a complaint — file a complaint with the data-protection supervisory authority in their country.
Requests are accepted at info@lro.link. A response is provided within 30 days of receipt of the request; for complex requests the period may be extended to 60 days with notice to the User.
9. Security
The Operator applies technical and organisational measures to protect personal data, including:
- HTTPS (TLS) on all public endpoints;
- password hashing using bcrypt;
- cryptographic authentication of Agents (Noise XK);
- end-to-end encryption of tunnel traffic between Agents;
- role-based access control within organisations;
- a limited set of staff with access to server-side infrastructure;
- regular backups;
- audit logging of actions related to permission changes and billing.
Notwithstanding these measures, no transmission of data over the internet is completely secure. In the event of a data breach likely to result in significant risk to Users, the Operator will notify affected Users and, where applicable, the supervisory authority within 72 hours of becoming aware of it.
10. Children
10.1. The Service is not intended for use by persons under the age of 16.
10.2. The Operator does not knowingly collect personal data of children under 16. If we become aware that such data has been collected, it will be deleted.
11. Changes to the Policy
11.1. The Operator may amend the Policy. The current version is published at https://lro.link/privacy/en with the date of update.
11.2. Material changes (affecting categories of processed data, purposes, retention periods, or the list of sub-processors) take effect no earlier than 14 days after publication. The User is notified by email.
11.3. Continued use of the Service after changes take effect constitutes the User's acceptance of the new version.
12. Contacts
Questions about personal data processing, requests to exercise data subject rights, and incident reports:
- Operator: Sole Proprietor LINKRO
- Registered address: 050000, Republic of Kazakhstan, Almaty, Baiseitova str. 11/13 — 4
- Tax ID (IIN): 780508302277
- Email: info@lro.link
Annex A — Mobile applications
This Annex describes data practices specific to the LRO Android applications — LRO Agent (link.lro.agent) and LRO Terminal (link.lro.terminal). The main Policy applies in full; this Annex adds the app-specific detail required for the Google Play listing.
A.1. Permissions requested
- Internet / network state — to maintain the Agent's outbound connection and to carry SSH and tunnel traffic.
- Foreground service (data sync) — keeps the connection alive while the app is in the background; shown to the User as a persistent notification.
- Notifications (Android 13+) — to display that foreground-service notification.
The apps contain no advertising, analytics, or tracking SDKs and do not use Google Mobile Services or Firebase.
A.2. Data stored on the device only
LRO Terminal stores the following locally on the device, encrypted at rest (Android Keystore-backed encryption, optionally gated by biometric authentication):
- SSH connection profiles (host, port, username);
- SSH passwords and private keys you enter;
- known-host fingerprints (trust-on-first-use).
This data is never transmitted to the Operator. SSH credentials and keys are used solely to connect to the servers you specify; we do not receive, transmit, or store them.
A.3. Device backup
LRO Terminal participates in Android's system backup. Only a passphrase-encrypted profiles file (profiles_backup.bin) is included in cloud backup and device-to-device transfer; the device-bound keystore-encrypted preferences and the session token are excluded. The encrypted file is held in your own Google account backup under Google's terms — the Operator has no access to it.
A.4. Crash diagnostics
To detect and fix crashes, the apps send crash and error reports to Sentry (error-tracking; processor: Functional Software, Inc., EU data region). A report contains the stack trace (including native crashes in the Rust core), device model, operating-system version, and app version. IP addresses and personal identifiers are not attached (the sendDefaultPii option is disabled), and no performance or usage tracking is carried out.
A.5. Account data (LRO Agent)
LRO Agent signs in to the same LRO account as the web panel and processes the account, Agent, and tunnel data described in sections 3.1–3.3, under the same terms.