Privacy Policy — tnls.lt
This Privacy Policy explains how personal data is processed when you use tnls.lt (the “Service”). It should be read together with the Terms of Service. Capitalised terms (Operator, Tunnel User, Visitor) have the meaning given in the Terms.
1. Who is responsible for your data
The data controller for the Service is Ievgen Sliusarenko, a natural person operating tnls.lt. You can reach the controller at [email protected] for any question about this Policy or your personal data.
The Service is operated from outside the European Union by a controller resident in Ukraine, while being offered to users in the EU. The Operator aims to process personal data in accordance with the EU General Data Protection Regulation (GDPR).
2. A note on our approach
The Service is a free, non-commercial tunneling tool intended for individual development and testing use. The Operator deliberately collects as little personal data as reasonably possible. The Operator does not sell personal data, does not use it for advertising or marketing, and does not build profiles of users beyond what is strictly necessary to keep the Service secure and free of abuse.
3. What data is processed, and why
The Service processes two distinct categories of data, corresponding to two distinct groups of people.
3.1. Tunnel Users (people who open a tunnel)
When you run a client and open a tunnel, the Operator collects and stores:
- your source IP address;
- the subdomain assigned to your tunnel;
- timestamps of connection and disconnection;
- your user-agent string;
- traffic volume (bytes transferred);
- metadata about requests passing through your tunnel — request methods, response status codes, content types, and request rate (but not the full contents of request or response bodies in the ordinary course of operation).
Purpose: to provide the Service you requested, to keep it secure, to detect and prevent abuse, and to be able to respond to abuse reports and legal requests.
Lawful basis: performance of the service you request (Art. 6(1)(b) GDPR) and the Operator’s legitimate interest in the security and integrity of the Service and the prevention of abuse (Art. 6(1)(f) GDPR).
Retention: Tunnel User logs are retained for 30 days, then deleted — unless a specific record must be kept longer to investigate an ongoing incident or to comply with a legal obligation.
3.2. Visitors (people who open a tunnel’s public link)
When someone accesses the public subdomain of a tunnel (*.tnls.lt), the Operator
processes limited technical data solely to detect and prevent abuse (such as
phishing, malicious redirects, or malware distribution served through a tunnel):
- the Visitor’s IP address is never stored in raw form. It is converted into a salted hash and held only transiently, for a short time window;
- the salt is rotated periodically, so hashes cannot be reversed to recover the IP address, nor used to track a Visitor across different time windows;
- the hash is used only to tell apart unique Visitors from repeat Visitors within a window — for example, to notice when an unusually large number of distinct Visitors reach a single tunnel, which is a common sign of abuse.
Purpose: security and abuse detection only.
Lawful basis: the legitimate interest of the Operator and of third parties in the security of the Service and in preventing its use for unlawful purposes (Art. 6(1)(f) GDPR; see Recital 49, which expressly recognises network and information security as a legitimate interest). Because Visitors do not enter into any agreement with the Operator, this processing is kept to the strict minimum necessary for security.
Retention: transient only. Hashed Visitor data is not written to persistent logs in the ordinary course of operation. If abuse is detected or reasonably suspected, relevant data may be retained temporarily for as long as necessary to investigate, stop the abuse, protect affected parties, and meet legal obligations.
4. Sharing data with third parties
The Operator does not sell or rent personal data. Data is shared only in the limited circumstances below.
4.1. IP-reputation checks (AbuseIPDB)
To assess whether a connecting Tunnel User poses a security risk, the Operator may submit the Tunnel User’s IP address to third-party IP-reputation services, in particular AbuseIPDB (operated by Marathon Studios Inc., United States). These services process the submitted IP address under their own privacy policies.
Because AbuseIPDB is located in the United States, this involves a transfer of personal data outside the European Economic Area. Such transfers rely on appropriate safeguards and/or applicable derogations under Chapter V of the GDPR (for example, the necessity of the transfer for the security purposes described above). You may contact the Operator for more information about this transfer.
Lawful basis: the Operator’s legitimate interest in security and abuse-prevention (Art. 6(1)(f) GDPR).
4.2. Hosting and infrastructure
The Service runs on infrastructure controlled by the Operator. Underlying connectivity and hosting providers may process technical data (such as IP addresses) as part of routing network traffic, acting as processors or independent controllers for the purpose of operating their networks.
4.3. Legal disclosures
The Operator may disclose personal data to law enforcement or other competent authorities where required by law, or where the Operator believes in good faith that disclosure is necessary to investigate, prevent, or act regarding illegal activity, abuse of the Service, or violations of the Terms.
5. International transfers
As described in section 4.1, some processing (IP-reputation checks) may involve transferring an IP address to a provider in the United States. Aside from such specific, security-related transfers, the Operator does not intentionally transfer personal data outside the EEA beyond what is inherent in operating an internet-facing service. Where transfers occur, the Operator relies on appropriate safeguards or applicable GDPR derogations.
6. Your rights under the GDPR
If your personal data is processed by the Service, you have the right to:
- access the personal data held about you;
- request rectification of inaccurate data;
- request erasure (“right to be forgotten”), subject to the Operator’s need to retain certain data for security or legal reasons;
- request restriction of processing;
- object to processing carried out on the basis of legitimate interest;
- data portability, where applicable.
To exercise any of these rights, contact [email protected]. The Operator will respond within the timeframe required by the GDPR (generally one month).
Please note an inherent limitation: because the Operator does not require registration and stores Visitor data only as short-lived salted hashes, it is often technically unable to link a request to a specific individual. In such cases the Operator may be unable to identify your data among its records, and may ask you for additional information to locate it, or may be unable to act on the request (Art. 11 GDPR).
You also have the right to lodge a complaint with a supervisory authority. In Lithuania this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI). You may also contact the supervisory authority in your own EU country of residence.
7. Cookies and tracking
The Service is a network tunneling tool, not a content website, and does not use cookies or similar tracking technologies for analytics, advertising, or profiling. Any cookies set by content served through a tunnel are the responsibility of the Tunnel User operating that tunnel, not of the Operator.
8. Data security
The Operator takes reasonable technical and organisational measures to protect personal data, including data minimisation (such as hashing Visitor IPs), limited retention, and restricted access. However, no internet-based service can be guaranteed to be perfectly secure, and the Operator cannot warrant absolute security.
9. Children
The Service is not directed at children and is intended for software developers. The Operator does not knowingly process the personal data of children.
10. Changes to this Policy
The Operator may update this Policy from time to time. The current version is published at /en/privacy with a revised “Last updated” date. Continued use of the Service after changes take effect constitutes awareness of the updated Policy.
11. Contact
For any question about this Privacy Policy or about your personal data:
Ievgen Sliusarenko
Email: [email protected]
Abuse: [email protected]