Privacy Policy

Last updated: 25 May 2026

nilidesk was designed so that the operator cannot see the contents of your remote session, even if compelled to. This policy explains what we do collect, why, and how to delete it.

1. What we do NOT collect

• Your screen. Video flows peer-to-peer over a WebRTC channel encrypted with DTLS-SRTP. The keys are negotiated between the agent and the viewer; our servers never see the plaintext or the keys.
• Your password. The session password is generated on the agent and compared on the agent. The server forwards a single auth attempt for validation and then discards it.
• Your clipboard, files, or browser history. nilidesk V1 does not transfer clipboard contents or files between machines.
• Your IP address from before you connected. We see the IP that opens the WebSocket. We don't fingerprint your browser or buy data about you from third parties.

2. What we DO collect

• Agent ID and hostname — needed so the rendezvous server can route a viewer to the right agent.
• IP address + timestamp + outcome of every connection attempt — recorded in our audit log. This protects you (and us) from brute-force and abuse.
• Server logs — request method, path, status code, response time. Standard infrastructure logs, kept for 30 days.

3. Why we collect it

The legal basis under GDPR is legitimate interest (Article 6(1)(f)): the operator needs to detect abuse and provide a reliable service; you need to know who's connecting to your computer. Under Israeli law, the basis is contractual necessity per the Terms of Service you accepted.

4. How long we keep it

• Audit log: 90 days, then deleted automatically.
• Server access logs: 30 days.
• Agent ID records (so the same machine keeps its ID across reinstalls): indefinite, until you delete the agent and use the endpoint described in section 6 below.

5. Who we share it with

Nobody, except (a) our infrastructure providers under data-processing agreements, and (b) when compelled by a lawful warrant — and even then, we cannot produce what we don't have (your session content).

We have never received a National Security Letter or gag order. This statement is reviewed and updated at every major release; its absence in a future version of this policy may be informative.

6. Your rights

Under GDPR Articles 15–22 (and Israeli Privacy Law § 13), you can:

• Access your audit-log records — email privacy@niliwebpro.com from the address associated with the request and include the agent ID. We respond within 30 days.
• Delete your agent ID — uninstall the agent and email us with the ID. We will remove it from the database and confirm.
• Object to processing — same email address. We will explain our balancing test and accommodate where possible.
• Lodge a complaint with the Israeli Privacy Protection Authority or your local EU Data Protection Authority.

7. Cookies and similar

nilidesk uses localStorage to remember your chosen UI language. That's the only thing. We do not use tracking cookies, pixels, or third-party analytics.

8. Children

nilidesk is not directed at children under 13. If a child has registered an agent ID, a parent or guardian may email us to have it removed.

9. Changes to this policy

Material changes will be announced via the website at least 14 days before they take effect. The "last updated" date at the top reflects the most recent revision.

10. Contact

Privacy questions: privacy@niliwebpro.com.