Privacy Policy
Data controller: Flutterando Desenvolvimento de Programas de Computador LTDA (CNPJ 33.637.582/0001-70). Data Protection Officer (DPO): Jacob Moura — [email protected].
1. Who We Are (Data Controller)
Remote Pi is operated by Flutterando Desenvolvimento de Programas de Computador LTDA, a company incorporated in Brazil (CNPJ 33.637.582/0001-70), with offices at Rua Clara Nunes, 198, Maringá/PR, CEP 87.045-650.
For any matter related to this Policy or to the processing of your personal data, you may contact our Data Protection Officer, Jacob Moura, at [email protected].
2. Data We Collect
2.1 Data you provide directly
Remote Pi is designed so that you provide essentially nothing to us on the relay path. There is no account, no email registration, no profile, and no payment information. The pairing flow generates cryptographic keys locally on your devices.
On the device itself, the mobile app stores a list of paired peers (their public keys, a friendly name you choose, and the relay URL) in the platform's secure storage (iOS Keychain / Android Keystore). This information never leaves your device unless you explicitly send it.
2.2 Data processed automatically by the public relay
When you connect to the public relay operated by Flutterando, the relay processes three categories of data:
- Connection metadata — source IP address, connection timestamps, public-key identifier of the connecting peer, room identifiers, and basic transport statistics (bytes in/out, message timing and sizes). This is logged for at most 30 days and used for abuse mitigation and reliable operation of the relay.
- Message payloads forwarded between paired peers. In the current MVP, payloads travel base64-encoded over TLS and are not end-to-end encrypted at the application layer. The relay operator could in principle access plaintext message contents in memory while forwarding. We do not log, persist, or inspect those payloads — we forward them and discard them. See §9 for the full trust model.
- Signed mesh-membership blobs. When you pair a new machine, your Owner key signs a small JSON blob listing which Pi devices belong to that Owner's mesh, and your app uploads it to the relay via POST /mesh/<owner_pk_hash>. The relay verifies the Ed25519 signature and persists the blob (a few KB per Owner) so that new devices restoring the same Owner key can recover their peer list. The blob contains: Owner public key, a version number, the list of Pi public keys you have paired, and a timestamp. It is not encrypted — anyone with access to the relay database can read it. Pairing on your own self-hosted relay keeps this data on your infrastructure.
If you require cryptographic confidentiality from the relay operator, self-host the relay (the code is open source and documented). When you self-host, the data described in §2.2 is processed by your own infrastructure, not by Flutterando.
2.3 Data we do NOT collect
- Precise device location.
- Contacts, photos, microphone, or camera content.
- The text of your prompts or the responses produced by your Pi-side agent.
- Advertising identifiers (IDFA, AAID).
- Behavioral analytics or tracking telemetry.
3. How We Use Your Data
The limited connection metadata described in §2.2 is used to:
- Operate, maintain, and route traffic on the relay service.
- Detect and mitigate abuse, such as denial-of-service attacks or patterns of unauthorized access attempts.
- Investigate incidents and protect the security of the Service and its users.
We do not use any data for advertising, profiling, or behavioral analytics.
4. Legal Bases (LGPD Article 7)
Under the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, Law 13.709/2018, "LGPD"), we process the limited data described above on the following legal bases:
- Performance of a contract (Article 7, V) — to provide the relay service you connect to.
- Legitimate interest (Article 7, IX) — to ensure the security and integrity of the relay infrastructure.
6. International Transfer
The public relay operated by Flutterando may be hosted in data centers located outside Brazil. Where this is the case, transfers occur under conditions equivalent to those required by Article 33 of the LGPD, including contractual safeguards with infrastructure providers. You can avoid international transfer entirely by running your own relay on infrastructure under your control.
7. Data Retention
Relay connection logs are retained for a maximum of 30 days, after which they are deleted or anonymized. Aggregated, non-identifying statistics (e.g. daily active connection counts) may be retained longer for capacity planning.
Paired peers stored on your device persist until you revoke the pairing or uninstall the app. We do not have access to that storage.
8. Your Rights (LGPD Article 18)
Subject to the LGPD, you have the right to request, with respect to personal data we hold about you:
- Confirmation that we process your data.
- Access to that data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD.
- Information about public and private entities with which we have shared your data.
- Information about the possibility of not providing consent, and the consequences of refusal.
- Revocation of consent, where consent was the legal basis.
To exercise any of these rights, contact our DPO at [email protected]. We may need to verify your identity (for example, by asking you to prove control of a paired device's public key) before fulfilling the request.
9. Security and trust model
We use the following safeguards:
- TLS 1.3 on every connection between clients and the relay.
- Ed25519 challenge-response at pairing time, so paired devices verify each other's identity cryptographically and identity squatting is prevented.
- Private keys generated on-device and stored in the platform secure storage (iOS Keychain / Android Keystore). Private keys never leave your devices.
- Operational separation between transport metadata and any other system, with strict access controls on relay logs.
Important — read this if confidentiality matters to you. Application-layer end-to-end encryption of message payloads is not active in the current MVP. Payloads travel base64-encoded over TLS to the relay and from the relay to the paired device. The public relay operator (Flutterando) could in principle access plaintext message contents in memory while forwarding, but we do not log, persist, or inspect payloads. Per-message end-to-end encryption was removed for MVP stability and is on the roadmap for a future release.
If you require cryptographic confidentiality from the relay operator, run your own relay. The relay is open source and the documentation covers Docker deployment and VPN gating (Tailscale, WireGuard) so that only your devices can reach the relay's WebSocket port at all.
No system is perfectly secure. If you believe your account or device has been compromised, revoke the affected pairing immediately and report the incident to [email protected].
10. Children and Minors
The Service is not directed at, and is not intended for use by, individuals under the age of 13. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor under 13, we will delete that data promptly.
12. Policy Updates
We may update this Policy from time to time. The current version is always published on this site, with the "Last updated" date at the top. Material changes will additionally be announced in the project README.
13. Contact
For questions, requests under the LGPD, or any other privacy matter, contact our DPO, Jacob Moura, at [email protected].
You also have the right to lodge a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados — ANPD).