We built HopToDesk to be trusted with production systems, which means being clear about what we process, why, where, and the rights you have over it. This page describes our data-protection practices in plain terms. EU and UK business customers can also request a Data Processing Agreement. It should be read together with our Privacy Policy.

What we process

  • Account information you give us, such as your email address and name.
  • Connection metadata we need to route and secure a session, such as device identifiers, timestamps, and network information. This is not the contents of your session.
  • Billing information for paid plans, handled by our payment processor.
  • We do not have access to the content of your remote sessions. Connections are end-to-end encrypted between your devices, so we cannot read what happens inside a session.
  • We do not knowingly collect personal information from children under 13.

Why we process it

We process personal data to provide the service you asked for (performance of a contract), to keep the service secure and working well (our legitimate interests), and, where the law requires it, with your consent. You can withdraw consent or object at any time.

Your rights

If you are in the EU, the UK, or a region with similar law, you have the following rights over your personal data:

  • Access. Get a copy of the personal data we hold about you.
  • Rectification. Correct data that is inaccurate or incomplete.
  • Erasure. Ask us to delete your personal data.
  • Portability. Receive your data in a portable format.
  • Objection. Object to processing based on legitimate interests.
  • Restriction. Ask us to limit how we use your data.

To exercise any of these rights, contact us through our contact form and we will respond.

Where your data is processed

Your data may be processed in the United States and the European Union through the providers we use to run the service. For transfers out of the EU or UK, we rely on Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework.

Our sub-processors

We use a small set of trusted providers to run the service, in these categories: cloud hosting and infrastructure, transactional email, payment processing, and, only when you enable the optional AI Agent, an AI provider. A complete list of our sub-processors, naming each provider with its location and transfer safeguards, is available to customers on request and forms part of our Data Processing Agreement.

We give customers at least 30 days' notice before adding or replacing a sub-processor, and honour reasonable objections.

How long we keep it

We keep personal data only as long as we need it to provide the service and meet our legal obligations. When you close your account or ask us to delete your data, we remove it from our active systems promptly and fully purge it, including from short-term point-in-time backups, within 30 days.

Data Processing Agreement

For EU and UK business customers: if you need a signed Data Processing Agreement (GDPR Article 28) covering these processing terms, the Standard Contractual Clauses, and our sub-processors, request one through our contact form and we will provide it.

Contact

For any data-protection question, or to exercise a right, use our contact form. For the full picture of how the platform is secured, see our Trust and Security page.