Legal

Privacy policy.

The short version: your servers, your credentials and your terminal history never reach us. Last updated: July 2026.

The principle

Termal OS is self-hosted. The application runs on your machine and connects directly to your servers over SSH. There is no cloud backend in the middle: your infrastructure never talks to us. The only thing that reaches termalos.com is what is strictly needed to create your account and issue your license.

Data controller: TERMALOS(SE) — David Christian G., Perpignan (66000), France. Contact: hello@termalos.com.

What we collect

If you join the launch list: your email address, plus the IP address and browser used to submit it — the latter two only as evidence that the request came from you, and to stop abuse. You get one email, at launch. Ask at hello@termalos.com and the entry is deleted, no questions asked.

If you create an account: your email address, a hashed password (we never store it in clear text), and — if you buy a license — the billing details required for the invoice (name, address, country), plus your license key, plan and expiry date.

When the app validates a license: the license key, a device identifier and the app version, so that activations can be counted against your plan's limit.

When the app checks for updates: the current version and your platform, sent to our update server. Standard web-server logs (IP address, timestamp) are kept for security and troubleshooting.

If you email us: whatever you choose to write.

What we never see

The following stay on your machine and are never transmitted to us:

  • Your SSH credentials — passwords and private keys, encrypted locally with AES-256-GCM.
  • Your servers' hostnames, IP addresses, metrics, logs and files.
  • Your terminal history and the commands you run.
  • Your AI provider API key.

There is no telemetry, no analytics SDK and no usage tracking in the application.

Why we process it, and on what basis

Account and license data are processed to perform the contract between us (art. 6.1.b GDPR). Billing records are kept to comply with our legal obligations (art. 6.1.c). Server logs and license-activation counts rest on our legitimate interest (art. 6.1.f) in securing the service and enforcing plan limits. We do not sell, rent or share your data for advertising, and we run no profiling.

How long we keep it

Account data: for as long as the account exists, then deleted on request. Invoices and accounting records: ten (10) years, as required by French commercial law. Web-server logs: twelve (12) months maximum. Email correspondence: up to three (3) years after the last exchange.

Processors

  • Stripe Payments Europe Ltd (Ireland) — payments and invoicing. Card details are entered on Stripe's own servers; we never receive or store them.
  • Infomaniak Network SA (Switzerland) — hosting of the site, the license API and the update server. Switzerland benefits from a European Commission adequacy decision.

Both are bound by data-processing agreements. No data is transferred outside the EU/EEA beyond what is described here.

Cookies

We use a single cookie: the session cookie that keeps you signed in to your account. It is strictly necessary and therefore requires no consent banner. No advertising cookies, no third-party trackers, no analytics.

AI copilot

The copilot is bring-your-own-key: it uses your API key and talks directly from your machine to the provider you choose (Anthropic, OpenAI, Mistral, Groq or a compatible endpoint). We are not an intermediary and we see none of it.

Be aware that whatever you send to the copilot — the context of your servers, the output of a command — is transmitted to that provider, under their privacy policy, not ours. Review it before pasting anything sensitive.

Your rights

Under the GDPR you may request access to your data, its correction, its deletion, its portability, a restriction of processing, or object to processing based on legitimate interest. Write to hello@termalos.com — we answer within one month.

If you believe your rights are not respected, you may lodge a complaint with the French supervisory authority, the CNIL, or with the authority of your country of residence.