Privacy Policy

Summary

Tunno is a developer tool. We try to collect as little about you as possible and to be clear about what we do collect. The short version:

• - We collect your email address so you can sign in, and the minimum account metadata needed to run your tunnels and your subscription.
• - Tunnel request and response bodies pass through our servers in memory only. We do not persist them, and we do not inspect them.
• - The Tunno website does not use analytics, advertising, or tracking cookies.
• - We do not sell or rent your personal information to anyone, ever.

Who We Are

Tunno is operated by Morco Labs LLC ("Morco Labs," "we," "us," or "our"), the data controller for personal information processed through the Tunno macOS application, the Tunno API, the tunnel network, and the tunno.io website (collectively, the "Service"). You can reach us at contact@tunno.io.

Information We Collect

Account information

When you create an account we collect your email address and, optionally, a display name. We authenticate you with a one-time passcode (OTP) sent to your email; we do not store passwords. We keep timestamps such as your account creation date and last sign-in, and we record which subscription tier your account is on.

Subscription and billing information

Payments are processed by Polar Software Inc. ("Polar"), which acts as our Merchant of Record. When you subscribe, Polar collects and processes your payment details under its own privacy policy. Morco Labs never receives or stores your card number, CVV, or bank details. We receive only a Polar customer identifier, subscription status, plan, billing period, and invoice metadata needed to grant you access and to respond to billing questions.

Tunnel metadata

To operate the tunnel network we process metadata about your tunnels: the subdomain or reserved port, the region, the protocol, the client IP address and Tunno client version at connection time, connection and last-seen timestamps, total bytes in and out, and aggregate request counts. This data is used to route traffic, enforce fair-use limits, secure the network, and give you accurate usage reporting inside the app.

Tunnel traffic content

When external callers reach your tunnel, their HTTP requests and your local server's responses flow through our tunnel server in memory and are forwarded over the encrypted HTTP/2 tunnel to your Mac. Morco Labs does not persist request or response bodies, headers, or URLs on the server, and we do not read them. The request inspector you see inside the Tunno app runs locally on your Mac against an in-memory buffer; that history stays on your machine and is not uploaded to us unless you explicitly share it (for example, when attaching an export to a support request).

Diagnostic and security logs

Our servers generate operational logs, traces, and metrics (via a self-hosted SigNoz instance) so we can debug failures, investigate abuse, and keep the network healthy. These logs can include IP addresses, request paths, HTTP status codes, timing information, and error messages, but not the bodies or headers of your tunnel traffic. Logs are retained for up to 30 days and then discarded.

Support communications

If you email us, we keep the content of that correspondence along with your email address so we can respond and follow up.

Website visits

The tunno.io marketing site does not use analytics tools, advertising pixels, session-replay, or tracking cookies. Our hosting provider may record standard request logs (IP address, user agent, requested path) for abuse prevention and security.

How We Use Your Information

• - To provide, operate, and maintain Tunno and the tunnel network.
• - To authenticate you and protect your account.
• - To process subscriptions, invoices, and tax obligations through our payment processor.
• - To send transactional email such as sign-in codes, welcome messages, and subscription receipts or cancellation confirmations. We do not send marketing email.
• - To detect and prevent fraud, abuse, and violations of our Terms of Service.
• - To comply with legal obligations and to enforce our agreements.

Legal Bases (EEA/UK Users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following legal bases under the GDPR: performance of the contract between you and us (to deliver the Service you asked for), our legitimate interests in operating, securing, and improving the Service, compliance with legal obligations, and, where required, your consent.

Service Providers and Subprocessors

We share personal information with a small set of vendors that help us run the Service. Each is bound by a data-processing agreement and may use the data only for the purpose listed.

• - Polar Software Inc. (United States) — payment processing and Merchant of Record for all subscription transactions.
• - Zoho Corporation (ZeptoMail) (United States / India) — delivery of transactional email (sign-in codes, receipts).
• - Amazon Web Services, Inc. (United States, us-east-1) — queueing and dispatching of outbound email via Amazon SQS and AWS Lambda.
• - DigitalOcean, LLC (United States and European Union) — compute infrastructure for our API, tunnel servers, and managed PostgreSQL database.

We may also disclose personal information (a) to comply with a valid legal process or lawful government request, (b) to protect the rights, property, or safety of Morco Labs, our users, or the public, or (c) in connection with a merger, acquisition, or sale of assets, in which case the acquirer will be bound by this Privacy Policy.

International Data Transfers

Morco Labs is based in the United States, and the Service is primarily operated from the United States and the European Union. If you access Tunno from outside these regions, your personal information will be transferred to and processed in jurisdictions whose data-protection laws may differ from your own. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers out of the EEA, UK, or Switzerland.

Data Security

All tunnel connections and API traffic use TLS. Sign-in tokens on your Mac are stored in the macOS Keychain. Server-side sessions and user data live in an access-controlled PostgreSQL database. Access to production systems is restricted to authorized personnel and gated by short-lived credentials. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Data Retention

We keep account information for as long as your account is active. When you delete your account, we remove your personal information from our production database within 30 days, except where we are required to retain it to comply with legal, tax, accounting, or abuse-prevention obligations. Tunnel connection metadata and usage counters are retained for up to 12 months for billing and capacity planning, then aggregated or deleted. Operational logs are retained for up to 30 days. Support correspondence is retained for up to 24 months.

Your Rights

Depending on where you live, you may have some or all of the following rights in relation to your personal information: the right to access it, to correct it, to delete it, to restrict or object to its processing, to data portability, and to withdraw consent. Residents of California have additional rights under the CCPA/CPRA, including the right to know what personal information we collect and the right to request deletion.

We do not sell or share personal information for cross-context behavioral advertising under the CCPA/CPRA or equivalent laws.

To exercise any of these rights, email contact@tunno.io from the address on your account. We will respond within the timeframes required by applicable law. You also have the right to lodge a complaint with your local data-protection authority.

Children's Privacy

Tunno is intended for software developers and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or through the Tunno app. The "Last updated" date above always reflects the current version.

Contact Us

Questions about this Privacy Policy or our data practices? Email contact@tunno.io.