Overview
SSH Manager is a native, sandboxed macOS application for editing your SSH configuration, managing keys and known_hosts, and running SSH tunnels in-process. This policy explains how we handle personal data across two contexts: the app on your Mac, which is local-first and collects nothing about you, and our website and backend, which process a limited set of data when you buy, trial, or get support for the app.
We have written it to meet the EU General Data Protection Regulation (GDPR) and the equivalent Serbian Law on Personal Data Protection. Where this policy uses GDPR article references, the corresponding rights under Serbian law apply equally.
Who is responsible
The data controller is Dušan Malušev Preduzetnik Bela Crkva, a sole proprietorship (preduzetnik) registered in Serbia. Full registration and contact details are on our legal notice page. You can reach us about privacy at [email protected].
The macOS app
The app itself is designed to never need your data. It runs entirely on your Mac and does not require an account or an internet connection to function. Specifically, the app does not:
- Track your usage with analytics or telemetry
- Include advertising or third-party ad SDKs
- Read, upload, or sync the contents of your ~/.ssh directory to any server
- Transmit your private keys, passphrases, or known_hosts off your device
- Build a profile of you
Your SSH config is read and written via a user-granted, security-scoped bookmark; app data (tunnel presets, settings, favorites, version history) lives in a local SQLite database inside the app’s sandbox container; and private keys and passphrases are protected by the macOS Keychain. The only outbound connections the app makes are the SSH connections you initiate and occasional update checks, which carry no personal information beyond what is needed to deliver an update.
What we collect & why
When you interact with our website or backend, we process the following. We do not sell your data, and we do not use it for advertising or automated decision-making that produces legal effects.
- Purchases & licensing: When you buy a license, we store your email address, the purchase channel (Paddle or Apple App Store), the product, amount, currency, status, and the transaction record returned by the payment provider, together with the license key and the devices it is activated on. Payment-card details are handled by the provider and are never stored by us.
- Magic-link sign-in: To activate a license or trial, we email you a one-time link. We store your email and a cryptographic hash of the link token (never the token itself) until it is used or expires.
- Free trials: When you start a 30-day trial we store your email (and a normalised form of it) and a device identifier supplied by the app, solely to grant the trial and to prevent the same person claiming repeated trials.
- Support & contact form: If you email us or use the contact form, we keep your name, email, message, and — for the web form — your IP address and browser user-agent, to answer you and to limit spam and abuse.
- Bug & crash reports: If you choose to send a bug report or opt in to crash reporting, we receive the report text, app version/build, macOS version, your Mac’s hardware model, recent app logs, and crash diagnostics. An email is included only if your copy is licensed. We store a salted, irreversible hash of your IP (not the IP itself) to rate-limit abuse.
- Server logs: Our web server records standard access logs (IP address, request, user-agent, timestamp) for security and troubleshooting, retained for a limited period.
- Operator dashboard: Our internal admin dashboard is restricted to our own staff and uses GitHub sign-in or passkeys. It stores administrator profile data and session records (including IP and user-agent). It is not used for customer accounts.
Legal bases
We rely on the following legal bases under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)): Processing your email, purchase, license, and trial data so we can sell you the app, deliver and activate your license, and provide support.
- Legal obligation (Art. 6(1)(c)): Retaining invoices and transaction records to meet tax and accounting law.
- Legitimate interests (Art. 6(1)(f)): Keeping the service secure and preventing fraud and trial abuse, answering support requests, and maintaining basic server logs. We balance these against your rights and use the minimum data needed.
- Consent (Art. 6(1)(a)): Sending crash/diagnostic reports, which are entirely opt-in. You can withdraw consent at any time in the app’s settings.
Who we share with
We share data only with the service providers we need to run the business — for payments, email delivery, hosting, and abuse prevention. Each acts as our processor or, for the payment providers, as a merchant of record under their own terms. The full, current list of sub-processors — what they are, what they receive, and where — is on our sub-processors page. We may also disclose data where required by law or to protect our legal rights.
International transfers
We are based in Serbia, and some of our sub-processors are located outside the European Economic Area (for example in the United States). Where your data is transferred outside the EEA, the transfer is protected by appropriate safeguards — principally the European Commission’s Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. You can request a copy of the relevant safeguards by contacting us.
How long we keep it
We keep personal data only as long as necessary for the purpose it was collected, then delete or anonymise it:
- Purchase & invoice records: Retained for as long as required by applicable tax and accounting law (which can be several years), after which they are deleted.
- License & account data: Kept for the lifetime of your license so we can support and re-activate it; deleted on request once no longer needed.
- Trial records: Kept for a limited period to prevent repeat-trial abuse, then deleted.
- Support & contact messages: Kept while we handle your request and for a reasonable period afterwards, then deleted.
- Bug & crash reports: Kept only as long as useful for fixing the underlying issue.
- Server access logs: Kept for a short period for security and troubleshooting, then rotated and deleted.
Your rights
Wherever the GDPR or Serbian law applies to you, you have the right to:
- Access the personal data we hold about you, and receive a copy
- Rectify data that is inaccurate or incomplete
- Erase your data (“right to be forgotten”), subject to legal retention duties
- Restrict or object to certain processing, including processing based on our legitimate interests
- Receive your data in a portable, machine-readable format
- Withdraw consent at any time, without affecting prior processing
To exercise any of these, email us at [email protected]. We will respond within the time limits set by law (normally one month). You also have the right to lodge a complaint with a supervisory authority. In Serbia that is the Commissioner for Information of Public Importance and Personal Data Protection; if you are in the EU/EEA, you may instead contact the supervisory authority in your country of residence.
Security
We protect your data with encryption in transit (TLS), hashed rather than stored authentication tokens, salted hashing of IP addresses where used for abuse prevention, and access controls limiting who can reach production data. No method of transmission or storage is perfectly secure, but we take reasonable measures appropriate to the risk.
Children’s privacy
SSH Manager is a developer tool intended for general audiences and is not directed at children. We do not knowingly collect personal data from children under the age of digital consent in their country.
Changes
We may update this policy from time to time. When we do, we’ll revise the “Last updated” date at the top of this page, and we’ll note material changes in the app’s changelog.
Contact
Questions about this policy or your data? Email [email protected] and we’ll be happy to help.