Privacy Policy
Last Updated: 2026-06-08
Effective Date: 2026-06-08
1. Who we are (Data Controller)
Private Hub is a Tor proxy service for browsers, operated by:
- Legal entity: Musubi (trading as "Private Hub")
- Legal form: SASU
- Registration number (SIREN/SIRET): SIREN 999 130 420
- Registered address: 41 rue Jacquemars Gielée, 59800 Lille, France
- Country of establishment: France
We are established in France. Our lead supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL). This policy is governed by the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés, "LIL"), and the ePrivacy rules (Art. 82 LIL).
We are the data controller for the personal data described below. Purchases are processed through a third-party Merchant of Record, which acts as the seller of record and handles invoicing and applicable VAT/sales tax. We remain the data controller for your account data.
Contacts
- Privacy / data subject requests: raphael@musubi.dev
- Security reports: raphael@musubi.dev
- General support: raphael@musubi.dev
- Data Protection Officer (DPO): Not appointed (not mandatory — see note below)
DPO status: A DPO is not mandatory for Private Hub. By design we do not monitor browsing (no URL, DNS, traffic, or IP logging), so our core activity does not constitute "regular and systematic monitoring on a large scale" under Art. 37 GDPR. If a DPO is appointed, their contact will be published here and declared to the CNIL.
2. Our honest privacy commitment
We build privacy tools, and we are deliberately precise about what that means.
We do not claim "no logs". That claim would be both false and unverifiable for any service that holds accounts and payment records. Instead, we make a claim we can stand behind:
We show you everything we store. Log in to your transparency dashboard and you can see every record we hold about you, export it as JSON, and delete your account.
What this honesty means in practice:
- We do store: account details, session start/end times, quota usage, and payment records (see §4).
- We do not store: your browsing history, the URLs you visit, your DNS queries, your traffic content, your real IP address, or Tor exit-node IPs. Tor's architecture means we never see them (see §5).
- Our extension and backend are open source — you can verify what we collect.
3. How Private Hub works (and what that means for your data)
Private Hub offers anonymous use (no account) and two account types: a recovery-hash account and an email account. We only create a server-side record when you create an account.
3.1 Anonymous sessions (no account)
You can use Private Hub without creating an account. Anonymous sessions provide a short cumulative trial. For these sessions:
- A quota counter (a few numbers: seconds used, session count, cooldown, last-session time) is stored only in your browser via chrome.storage.local. It is never transmitted to us and is not personal data.
- Temporary, random proxy credentials are stored briefly in our cache (Redis) with a short time-to-live, then automatically deleted.
- We do not create a database record, and we do not store a device identifier or your IP for anonymous sessions.
3.2 Recovery-hash account (no personal information)
You can create an account using only a randomly generated 16-character recovery key. We store a one-way keyed hash of that key (HMAC-SHA256, keyed with a secret that never leaves our servers). We cannot reverse it, and we do not store the recovery key itself. If you lose it, we cannot recover it. This is by design.
3.3 Email account
You can optionally create an account with your email address. We store your email address and (optionally) a password hash. We use one-time passwords (OTP) sent to your email for verification and login.
3.4 Authentication
Authenticated sessions use JSON Web Tokens (JWT) plus a refresh token. These are stored in your browser (extension chrome.storage.local / website local storage). We store only hashed refresh tokens server-side, for rotation and revocation.
No device fingerprinting. Earlier versions of Private Hub used a browser/device fingerprint as the account identifier. That model has been removed. We do not generate, collect, or store hardware or browser fingerprints. Authentication is by recovery-hash or email, not by fingerprint.
4. What we collect, why, and our legal basis
The table below reflects what the service actually stores today. Each row names its lawful basis under Art. 6 GDPR; where a row lists two bases, each covers a distinct purpose in that row (for example, contract for providing the service and legal obligation for keeping accounting records).
| Data we hold | Where | Personal data? | Purpose | Legal basis (Art. 6) | Retention |
|---|---|---|---|---|---|
| Anonymous quota counters (seconds used, session count, cooldown, last-session time) | Your browser (chrome.storage.local) | No | Enforce free-trial quota & prevent abuse | Strictly necessary (ePrivacy / Art. 82 LIL) — no consent banner needed | Until you clear extension data |
| JWT + refresh token, connection state, cached account data | Your browser | Yes (tied to account) | Keep you signed in; run the service you requested | Contract (Art. 6(1)(b)) | Until sign-out / token expiry |
| Account record: email (email accounts only), username (optional), recovery-key hash / password hash, tier, quota counters, timezone, signup source, payment-provider customer & subscription references | Our database (PocketBase) | Yes | Provide and manage your account & quota | Contract (Art. 6(1)(b)); legitimate interest for abuse handling (Art. 6(1)(f)) | Life of account + legal retention; deleted on account closure (subject to accounting law below) |
| Session records: start time, end time, status, seconds consumed | Our database | Yes (connection metadata) | Quota tracking, service reliability | Contract (Art. 6(1)(b)) | Up to 90 days, then deleted |
| Payment records: amount, currency, tier, status, date, payment-provider transaction reference, billing email | Our database | Yes | Process purchases; keep accounting records | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) | 10 years (French Code de commerce L123-22, accounting records) |
| Email verification / OTP / recovery tokens | Our database | Yes | Verify email, log you in, recover account | Contract (Art. 6(1)(b)) | Short-lived; auto-deleted after use or after 8 days |
| Hashed refresh tokens | Our database | Pseudonymous | Maintain & revoke sessions | Contract (Art. 6(1)(b)) | Until rotation / revocation |
| Temporary proxy credentials | Cache (Redis) | No / pseudonymous | Authenticate your proxy connection | Strictly necessary / Contract | Anonymous: ≤ 5 min. Account: ≤ 1 hour |
| Debug/diagnostic logs (error message, stack trace, browser name/version, OS, extension version, session reference) | Our database (client_logs) | Yes (device/browser info) | Debug technical issues, improve reliability | Legitimate interest (Art. 6(1)(f)) | Auto-deleted after 7 days; you can disable log collection in extension settings |
| Hashed IP for rate limiting (SHA-256 + daily-rotating salt) | Server memory only | Pseudonymous | Prevent abuse, brute-force, DDoS | Legitimate interest (Art. 6(1)(f), Recital 49) | ≤ 1 hour; lost on restart; never persisted |
| Product analytics events (popup opens, session start/end, quota events, payment completion, email verification, feature usage) keyed to a persistent per-account identifier | PostHog (EU instance), extension only | Pseudonymous → personal | Understand product usage, improve features | Consent (Art. 6(1)(a)) + Art. 82 LIL; off by default until you opt in | 12 months (PostHog retention setting) |
4.1 Whether providing data is mandatory
- Anonymous use requires no personal data at all.
- Email is optional. Without an email you can still use a recovery-hash account; some recovery and notification features require an email.
- Payment data is necessary to purchase a paid tier; without it we cannot complete a sale.
4.2 No automated decisions with legal effect (Art. 22)
Quota enforcement and abuse rate-limiting are automated, but they produce no legal or similarly significant effect on you. We do not carry out Art. 22 automated decision-making or profiling.
4.3 Source of some data (Art. 14)
Some payment metadata (e.g. billing country, card brand, partial card details, billing name) is received from our payment provider / Merchant of Record, not collected directly from you.
5. What we do NOT collect
This is the core of the product. We do not collect, store, or have access to:
- Your browsing history
- The URLs you visit
- Your DNS queries
- Your traffic content
- Your real IP address (we don't log it; the rate limiter only ever holds a salted, rotating, in-memory hash)
- Tor exit-node IPs
- Your search queries
- Your file downloads
- Device hardware information or fingerprints
- Cross-site tracking cookies
You can verify this. Log in to your transparency dashboard. If a data category is not listed there, we do not have it.
6. Local storage, cookies, and analytics consent
The ePrivacy rules (Art. 82 LIL / Art. 5(3) ePrivacy) cover any storage or reading of information on your device, whether or not it is an HTTP cookie.
6.1 Strictly necessary storage — no consent required
The following are exempt as "strictly necessary for a service you explicitly requested":
- Anonymous quota counters in chrome.storage.local (a few numbers, device-local, never transmitted, used only to run the free trial and prevent abuse).
- Authentication tokens and connection state (JWT/refresh token), which are required to keep you signed in.
6.2 Product analytics (PostHog) — consent required, OFF by default
The Private Hub extension can send pseudonymous product-analytics events to PostHog (EU instance, eu.i.posthog.com). Because these events use a persistent per-account identifier and include conversion/feature events, they do not qualify for the CNIL audience-measurement exemption. Therefore:
- Analytics are disabled by default.
- We collect analytics events only after you opt in, and you can withdraw consent at any time in the extension settings (analytics on/off).
- Withdrawing consent is as easy as giving it.
6.3 Website
The Private Hub website uses no third-party analytics, no tracking pixels, and no advertising cookies on authentication and account pages. Marketing pages may use a simple first-party page-view counter for traffic estimation. PostHog is not loaded on the website.
7. Sub-processors and recipients
We share data only with the processors needed to run the service. We do not sell, rent, or trade your personal data. We maintain the list below; material changes are reflected in this policy's version history.
| Sub-processor | Role / data shared | Location & transfer safeguard |
|---|---|---|
| Payment provider (Merchant of Record) | Payment processing and sale of record. Collects your card data, billing address, name, country, and email; we receive a transaction reference, status, amount, currency, and partial metadata. The specific provider will be named here before launch. | To be confirmed at launch; transfers outside the EEA covered by SCCs / EU-US Data Privacy Framework as applicable, under the provider's DPA. |
| Resend | Transactional email delivery (OTP, verification, recovery) — recipient email + token. Email accounts only. | US-headquartered; SCCs / DPF; Resend DPA in force. Privacy: https://resend.com/legal/privacy-policy |
| PostHog | Product analytics (extension, consent-gated) — pseudonymous user ID + usage/conversion events. | EU instance (eu.i.posthog.com) keeps data in the EU; PostHog Inc. is US-headquartered; PostHog DPA in force. Privacy: https://posthog.com/privacy |
| Cloudflare | Website hosting / CDN (Cloudflare Workers). Edge briefly processes visitor IP, user agent, and request path. Cloudflare Web Analytics is disabled. | US org; SCCs / DPF. Backend/API and auth traffic do not route through Cloudflare. |
| Rahona Hosting (hosting provider) | Hosts our backend (Express API, PocketBase, Redis) and Tor proxy infrastructure. | Region: France (EEA); no international transfer. |
| Tor network | Onion routing of your traffic. | Decentralized infrastructure, not a sub-processor; no personal data is shared with it by design. Operated by The Tor Project, Inc., not affiliated with Private Hub. |
8. International data transfers
Some sub-processors are US-headquartered. Where personal data is transferred outside the European Economic Area, we rely on:
- the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) for our payment provider, Resend, PostHog, and Cloudflare; and
- for our hosting provider (Rahona Hosting), no transfer safeguard is needed, because the data stays in France (EEA).
PostHog data is stored on its EU instance.
9. Data retention
| Data | Retention |
|---|---|
| Anonymous quota counters (browser) | Until you clear extension data |
| Authentication tokens (browser) | Until sign-out / expiry |
| Account record | Life of account; deleted on account closure (subject to accounting law below) |
| Session records | Up to 90 days, then deleted |
| Payment records | 10 years (French accounting law, Code de commerce L123-22) |
| Verification / OTP / recovery tokens | Short-lived; ≤ 8 days, auto-deleted |
| Debug logs (client_logs) | 7 days, auto-deleted |
| Hashed IP (rate limiting) | ≤ 1 hour, in-memory only |
| Temporary proxy credentials | ≤ 5 min (anonymous) / ≤ 1 hour (account) |
| Analytics events | 12 months (PostHog retention setting) |
When you delete your account, we delete your personal data except records we are legally required to keep (notably payment/accounting records, retained for 10 years and then deleted). Such retained records are minimised to what the law requires.
10. Your rights
Under the GDPR and the French Data Protection Act, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erasure ("right to be forgotten"), subject to legal-retention exceptions;
- Restrict processing;
- Data portability (receive your data in a machine-readable format);
- Object to processing based on legitimate interest;
- Withdraw consent at any time (e.g. for analytics), without affecting prior lawful processing.
How to exercise: Many rights are self-service in your transparency dashboard — view all stored data, export JSON, and delete your account. You can also email raphael@musubi.dev.
Response time: We respond within one month of receiving your request (Art. 12(3) GDPR), extendable by two further months for complex requests, in which case we will tell you.
Right to lodge a complaint with the CNIL
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with our supervisory authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
https://www.cnil.fr
You may also contact the supervisory authority in your EU country of residence.
11. Children's privacy
Private Hub is not intended for children. In France, the digital age of consent is 15. We do not knowingly collect personal data from anyone under 15. If you believe a child under 15 has provided us with personal data, contact raphael@musubi.dev and we will delete it.
12. Data security
- All traffic to our servers is encrypted in transit (HTTPS/TLS).
- Recovery keys and passwords are stored only as one-way hashes (recovery keys: HMAC-SHA256 with a server-side key; passwords: bcrypt).
- Temporary proxy credentials are short-lived and held only in cache with strict TTLs (see §4).
- Access to systems follows least-privilege principles.
Data breach notification
In the event of a personal data breach likely to result in a risk to your rights, we will notify the CNIL within 72 hours where required (Art. 33 GDPR) and inform affected users without undue delay where the breach is likely to result in a high risk (Art. 34). Security contact: raphael@musubi.dev.
13. Chrome Web Store — Limited Use disclosure
Private Hub's use of information received from Google APIs and any data collected through the extension adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. We do not collect or transmit your web-browsing activity. Data we collect is used only for the user-facing features described in this policy and is never sold or used for unrelated purposes.
14. Business transfers
If Private Hub is acquired, merged, or sold, your data may be transferred to the successor entity, which will remain bound by this policy. We will notify you, and you may delete your account before any such transfer.
15. Third-party websites
Private Hub routes your traffic through Tor but does not control the websites you visit, their privacy practices, or the cookies and data they collect. Please review the privacy policies of the sites you use.
16. Changes to this policy
We may update this policy to reflect changes in our service or the law.
- Material changes: email notice to accounts with an email on file, plus a 30-day notice period where required.
- Minor changes: updated "Last Updated" date.
- All versions are published at https://privatehub.org/privacy.
17. Contact
- Privacy / data requests: raphael@musubi.dev
- Security: raphael@musubi.dev
- Support: raphael@musubi.dev
- Postal: Musubi, 41 rue Jacquemars Gielée, 59800 Lille, France
Your business is your business. We're just here to keep it private.