Privacy Policy

Your privacy is our priority. We believe in complete transparency about how we collect, use, and protect your personal information.

Data Minimization
End-to-End Encryption
GDPR Compliant
CCPA Ready
0
Data Sold
30 days
Deletion Time
AES-256
Encryption
4
Sub-processors

Your Data Rights

You own your data. We provide the tools and transparency to exercise your rights.

Right to Access

Request a complete copy of all personal data we hold about you. Includes account information, usage logs, and any automated decisions.

Request Access

Data Portability

Export all your data at any time in standard formats (JSON, CSV). Full data portability with no vendor lock-in.

Request Export

Right to Erasure

Request complete deletion of your account and all associated data. Processed within 30 days with a deletion certificate.

Request Deletion

Rectification

Correct any inaccurate personal data. Update your profile in the dashboard or contact us for data you cannot modify.

Request Correction

Right to Object

Object to processing based on legitimate interests. Control marketing, analytics, and optional data collection from settings.

Manage Preferences

Data Residency

Choose where your data is stored β€” US, EU, or Asia-Pacific. Enterprise customers can request dedicated infrastructure.

Learn More

What We Collect

Complete transparency about what data we collect and why. No hidden data collection.

Data Type Purpose Collection Retention Shared With
Session Recordings
SSH keystrokes, RDP screen captures, VNC screen captures, database queries, web app requests		 Audit trail, compliance, and session playback Required Based on plan (7-365 days) Not shared externally
Access Logs
Connection timestamps, source IPs, target resources, session duration		 Security auditing and access governance Required Based on plan (7-365 days) Not shared externally
Identity & Authentication Data
SSO tokens, MFA status, IdP attributes, role assignments		 Identity verification and RBAC enforcement Required Account lifetime + 30 days Not shared externally
Account Information
Email, name, company, billing details		 Account management & communication Required Account lifetime + 30 days Payment processor (billing only)
Usage Analytics
Feature usage, page views		 Product improvement Optional 26 months Google Analytics
Resource Credentials
SSH keys, database passwords, RDP credentials, VNC credentials		 Securely held by the gateway for credential injection β€” never exposed to end users Required Until resource is removed Never shared externally
User Passwords
Your PumaGate account password		 Not stored β€” hashed using bcrypt with salting Never Stored in Plaintext N/A N/A
File Contents
Documents, source code on your servers		 Not collected β€” PumaGate proxies access, it does not scan or index your files Never Collected N/A N/A

How We Use Your Data

We only use your data to provide and improve our Zero Trust Access Gateway.

What We Do

  • Proxy and record SSH, RDP, VNC, database, web app, and network access sessions for audit and compliance
  • Enforce identity-based access controls using your SSO provider and RBAC policies
  • Securely inject credentials into sessions so users never see target passwords or keys
  • Generate unified audit logs across all nine protocols for compliance reporting
  • Send service-related communications (access alerts, policy changes, support updates)

What We Never Do

  • Sell your data to third parties for advertising or marketing
  • Share your session recordings or access logs with other customers
  • Use your data to train AI models without explicit consent
  • Expose target resource credentials to end users or external parties
  • Retain session recordings or access logs beyond your plan's retention limits

Sub-processors & Third Parties

Complete list of third parties who may process your data on our behalf. All sub-processors are bound by strict data protection agreements.

Amazon Web Services (AWS)

Infrastructure hosting, data storage, and compute services

πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Ί πŸ‡¦πŸ‡Ί
Multi-region

Stripe

Payment processing and billing management

πŸ‡ΊπŸ‡Έ
United States

Brevo

Transactional email delivery (alerts, notifications) and customer support chat

πŸ‡ͺπŸ‡Ί
Europe

Google Analytics

Website analytics and usage tracking (optional, can be disabled)

πŸ‡ΊπŸ‡Έ
United States

Last updated: January 2026. We notify customers 30 days before adding new sub-processors.

Data Security

Comprehensive technical and organizational measures to protect your data.

Encryption & Protection

  • AES-256 encryption for all data at rest with customer-managed key options
  • TLS 1.3 encryption for all data in transit with perfect forward secrecy
  • Automated daily backups with geo-redundant storage
  • Data isolation between tenants with logical and physical separation

Access Control

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication required for all employee and admin access
  • Comprehensive audit logging of all access and administrative actions
  • Background checks for all employees with access to customer data

Privacy FAQ

Common questions about our privacy practices and data handling.

Absolutely not. We never sell, rent, or trade your data to third parties. Your data is only used to provide our services. We only share data with sub-processors necessary to operate our service (listed above), and never for advertising or marketing purposes.
Data deletion requests are processed within 30 days. Upon request, we delete all customer data from production systems and backups. A deletion certificate can be provided upon request for compliance documentation purposes.
Yes! You can select your preferred data region during account setup. We offer data residency in the US, EU, and Asia-Pacific regions. Enterprise customers with Private Cloud deployment get dedicated, isolated infrastructure in their chosen region.
PumaGate collects session recordings across all nine protocols β€” SSH keystrokes, RDP screen captures, database queries, web app requests, and network access connection metadata β€” along with access logs and connection metadata. Target resource credentials (SSH keys, database passwords) are securely held by the gateway for credential injection and never exposed to end users. PumaGate does not collect file contents on your servers, scan or index your infrastructure, or store your account password in plaintext. See our detailed data collection table above.
When you cancel your account, we retain your data for 30 days in case you change your mind. After 30 days, all data is permanently deleted using cryptographic erasure. You can request immediate deletion at any time. Before cancellation, you can export all your data using our data export feature.
Yes, we fully comply with the EU General Data Protection Regulation. We provide data processing agreements, support all data subject rights (access, rectification, erasure, portability, objection), and maintain transparent data practices. Contact us for a copy of our Data Processing Agreement (DPA) with Standard Contractual Clauses.
You can opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on or by adjusting your browser's privacy settings. Essential cookies required for authentication and security cannot be disabled.

Have Privacy Questions?

Our privacy team is available to discuss your specific requirements, provide compliance documentation, or answer any questions.

Contact Privacy Team Trust Center