Privacy Policy for WarpGate

Last updated: March 14, 2026

Introduction

WarpGate is a cross-platform SSH client developed by RH-DEV. Your privacy and the security of your credentials are paramount. This policy explains what data the app handles and how.

Data We Store

WarpGate stores the following data to provide its functionality:

• SSH credentials (usernames, passwords, private keys)
• Host configurations (hostname, port, authentication method, notes)
• Credential profiles (reusable authentication sets)
• Snippets (saved command templates)
• Command history (per-host)
• Session logs (terminal I/O recordings, if enabled)
• Port forwarding rules
• App settings (themes, terminal preferences)

All sensitive data is encrypted locally before it leaves your device.

Encryption

Your data is protected with AES-256-GCM authenticated encryption:

• Master password derived via PBKDF2 with SHA-256 and 600,000 iterations (OWASP 2023 standard)
• 256-bit random salt per vault
• 12-byte random IV per encryption operation
• Encryption keys stored in platform-native secure storage (Keychain on macOS/iOS, Credential Manager on Windows)

Your master password is never transmitted or stored in plaintext. We cannot recover it if lost.

Cloud Sync

Sync is optional and uses your own infrastructure:

• Desktop (Linux/Windows): Direct sync with your self-hosted Minio S3 instance
• Apple (iOS/macOS): Sync via the WarpGate backend API, which stores encrypted files on S3

All data is encrypted before upload. The server only sees encrypted blobs — never plaintext credentials, keys, or host configurations.

The app works fully offline. Local data is the primary source; sync happens when a connection is available.

Authentication

WarpGate supports sign-in via OIDC/SSO through a self-hosted Authentik instance. When you sign in, the following data is received from your identity provider:

• Username
• Email address
• Display name
• Group memberships (for admin status)

Authentication is required for backend sync and organization features. The app can be used in local-only mode without any account.

Organizations & Shared Data

When you join or create an organization:

• Shared host configurations, credentials, and snippets are accessible to organization members
• Access is controlled by roles (owner, admin, member)
• Shared data is encrypted with an organization key, distributed via X25519 key wrapping
• Your personal vault remains separate and is never shared with the organization

Crash Reporting

The app uses GlitchTip (a self-hosted, Sentry-compatible service) to collect anonymous crash reports. Crash reports may include:

• Device type and OS version
• App version and platform
• Stack traces and error messages
• Diagnostic breadcrumbs (connection events, sync events)

Crash reports do not contain your SSH credentials, private keys, passwords, host configurations, or session content.

Permissions

The app does not access your contacts, location, photos, or microphone.

Third-Party Services

All services used by WarpGate are self-hosted and controlled by RH-DEV:

• Authentik — OIDC authentication (self-hosted)
• Minio S3 — Encrypted data sync storage (self-hosted)
• GlitchTip — Crash reporting (self-hosted)

No data is sent to third-party cloud providers, advertisers, or analytics services.

Data Deletion

You can delete your data at any time:

• Factory Reset clears all local data, Keychain entries, and authentication tokens
• Logout clears tokens and locks the vault
• Organization owners can remove members, revoking their access to shared data
• iCloud sync data (if enabled) must be deleted separately from iCloud settings

Children’s Privacy

The app is not directed at children under 13.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected in the “Last updated” date above.

Contact

If you have questions about this privacy policy, contact us at:

Email: app-support@rh-dev.io