Privacy Policy

Last updated: June 13, 2026

Broch is software you deploy on your own infrastructure. What Broch, LLC collects depends on how you interact with us. Jump to: Website & AccountSelf-Hosted BrochBroch-Hosted Trial.

Website & Account

This applies to anyone who visits broch.io, regardless of how — or whether — you run Broch.

  • Analytics: When you visit broch.io, Google Analytics collects your IP address, browser type, pages visited, and time on site.
  • Cookies: We use cookies and similar technologies to remember preferences and improve the site experience.

Self-Hosted Broch

When you run Broch on your own servers, your operational data stays there. Broch, LLC never sees your tunnels, your team's activity, or traffic routed through your deployment.

Beyond the website data above, what your self-hosted server sends us is limited to what's necessary to validate your license. Payment is separate: when you purchase, you provide your payment details directly to Stripe (described under Payment below), not through your server.

License Validation

Your self-hosted Broch server contacts Broch's licensing service to activate and periodically validate your license. What it sends depends on the exchange:

  • Activation: your license key, your deployment ID (the wildcard hostname you configured for tunnel URLs), the server's machine name, and the Broch server version.
  • Refresh (automatic, daily by default): your license key, the current signed token, and a usage report — active seat count, all-time seat high-water mark, and server version. Integers, not identities.

When an admin buys a license or accepts the subscription agreement in the app, that exchange also sends the seat quantities, the agreement version, the billing email, and the signing admin's name and IdP-verified email — these bind the purchase and the agreement to an authorized signer.

That is the extent of data your Broch server transmits to Broch, LLC. It does not include tunnel names, traffic content, user activity, your end-user list, or any other operational data. The Security documentation enumerates every licensing exchange field by field.

Payment

When you purchase a license, Stripe (at payment.broch.io) processes your payment details. We receive only a transaction confirmation — card numbers are never stored by Broch, LLC.

What Stays on Your Infrastructure

Everything else remains on your servers and under your control:

  • Tunnel names and configurations
  • Traffic routed through your tunnels — Broch, LLC never sees this
  • Audit logs of user actions within your deployment
  • Team member activity and access events
  • Error logs and diagnostic data from your Broch server

You are responsible for the privacy practices, compliance, and security of your self-hosted deployment.

Broch-Hosted Trial

The Broch-hosted trial runs on a shared Broch server we operate at trial.broch.io — 60 days, no credit card, no deployment. (The self-hosted trial, where you run Broch on your own infrastructure, is 15 days; see Self-Hosted Broch above.) Because we run the infrastructure for the hosted trial, we process operational data from your trial usage:

  • Tunnel information: Tunnel names, connection times, and connection status
  • Traffic metadata: HTTP request methods, paths, and response codes for traffic through your tunnels. We do not inspect, store, or log the content of your traffic.
  • Access logs: Actions performed within your trial — creating, modifying, or deleting tunnels and configurations — with timestamps and success/failure status
  • Technical data: IP addresses, operating system, device type, and CLI version
  • Account authentication: Auth0 (at sso.broch.io) processes your email address when you sign in to the trial.
  • Authentication events: Login and logout events, authentication method used
  • Error and diagnostic data: Error messages and system state when the service encounters issues

Because the hosted trial is a shared, evaluation-only environment, do not route production or sensitive traffic through it. Data you create during the trial is commingled with other trial users' data on the shared server — we do not isolate or separately delete an individual user's trial data.

Information Sharing

We do not sell or trade your personal information. We share it only with:

  • Service providers operating broch.io and processing transactions: Auth0 for authentication, Stripe for payment, Google for analytics
  • Law enforcement, when required by law or to protect safety
  • Business successors in connection with a merger, acquisition, or asset transfer

Data Security

We implement appropriate technical and organizational measures to protect your personal information. For self-hosted deployments, your operational data never leaves your infrastructure. For the hosted trial, we apply the same security posture to your data as we do to our own.

No method of internet transmission is 100% secure.

Your Rights

Depending on your location, you may have the right to access, correct, delete, or port your personal information, or to object to or restrict its processing. To exercise these rights, contact us at [email protected].

One limitation: data you create in the shared Broch-Hosted Trial is commingled with other trial users' data and cannot be isolated or deleted on an individual basis. Avoid putting personal or sensitive information into the trial.

Data Retention

  • Account information: Retained while your account is active and for a period required by applicable legal obligations
  • Payment records: Per Stripe's retention policies
  • License validation logs: Up to 90 days
  • Hosted trial operational data: Retained on the shared trial server; not separated or deleted per user
  • Website analytics: Per Google Analytics defaults

To request deletion of your data, contact us at [email protected], subject to legal retention obligations. Data created in the shared Broch-Hosted Trial is an exception — it cannot be isolated or deleted per user.

International Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place.

Children's Privacy

Our services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16.

Changes to This Policy

We will notify you of material changes by posting an updated policy on this page and updating the date at the top.

Contact

[email protected]