Privacy Policy
Last updated: May 9, 2026
This Privacy Policy describes how Corterm ("we", "us", or "our") collects, uses, and discloses your information when you use our mobile application and associated services (collectively, the "Service").
Corterm is an open-source remote terminal application. The Service consists of a self-hosted Gateway server and Worker agent, with companion mobile and web apps. Because the Gateway is self-hosted, you have full control over your data when running your own infrastructure. This policy covers data handled by the official managed Gateway service at gateway.ct.rwecho.top and the mobile apps distributed through app stores.
1. Information We Collect
Account Information
- Phone Number: If you choose SMS authentication, we collect your phone number for verification purposes.
- OAuth Identity: If you sign in via Apple, Google, or GitHub, we collect the email address and unique identifier provided by the OAuth provider.
- Guest Access: Guest users are assigned a temporary identifier; no personal information is collected.
Service Data
- Session Metadata: We store session start/end times, session titles, and working directory paths to enable session persistence and reattachment.
- Terminal Sessions: Terminal session output is streamed in real time and is not persistently logged on the Gateway. We do not record keystrokes or terminal content.
- Device Information: Device model, operating system version, and app version are collected to optimize the mobile experience.
Communication Data
- SignalR Connection: Real-time terminal sessions use SignalR over WebSockets. Connection metadata (IP address, connection duration) is temporarily held in memory.
2. How We Use Your Information
- To authenticate your identity and authorize access to the Service
- To establish and maintain real-time terminal sessions between your browser and remote Workers
- To enable session persistence (detach/re-attach)
- To improve the Service, fix bugs, and enhance security
- To communicate with you about service updates (only if you have opted in)
3. Data Storage and Retention
- Authentication tokens (JWT): Stored in your browser/device local storage. Tokens expire and are refreshed automatically.
- User accounts and sessions: Stored in the Gateway's PostgreSQL database. When self-hosting, you manage this database entirely.
- Retention: Session metadata is retained until you delete the session. Account data is retained until account deletion is requested.
- Data Deletion: You can request deletion of your account and associated data by opening an issue on our GitHub repository or contacting us through the project page.
4. Third-Party Services
- Apple, Google, GitHub: Used for OAuth authentication. We receive only the information you authorize (email, name, identifier).
- SMS Provider: Used for phone number verification (if SMS login is enabled). Phone numbers are shared only for the purpose of sending verification codes.
- Google Play Services: The Android app is distributed through Google Play and uses Google Play Services for core device functionality.
- Apple App Store / TestFlight: The iOS app is distributed through Apple's App Store and TestFlight.
5. Open Source and Self-Hosting
Corterm is open source under the MIT License. You are encouraged to self-host the Gateway and Workers on your own infrastructure. When self-hosting:
- No data is sent to Corterm-operated servers
- All data remains within your own network and database
- You are responsible for the security and privacy of your self-hosted deployment
- The source code is available at github.com/monster-echo/CortexTerminal2
6. Data Security
We implement appropriate technical and organizational measures to protect your information:
- All communications are encrypted via TLS/HTTPS
- JWT tokens are signed and have configurable expiration
- Password-equivalent secrets are never stored in plaintext
- Real-time terminal traffic uses WebSocket with MessagePack binary encoding over TLS
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction or deletion of your personal data
- Restrict or object to processing of your personal data
- Data portability
- Withdraw consent at any time (where processing is based on consent)
To exercise these rights, please contact us through the channels listed below.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we may provide additional notice through the app or our GitHub repository.
9. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: