# Sidecar Network — Privacy Policy

**Effective date:** 2026-05-19
**Last updated:** 2026-05-20
**Document hash (SHA-256):** _computed at deploy; logged with every click-through acceptance_

This Privacy Policy explains what data Sidecar Network LLC ("Sidecar," "we") collects, why, how we use it, and the rights you have under the EU GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable laws. This policy is incorporated by reference into our [Terms of Service](TERMS.md).

---

## 1. Data We Collect

| Category | Specific data | Source | Purpose | Retention |
|---|---|---|---|---|
| Account | Email address, hashed password (if applicable) | You, at signup | Authentication, billing notices | Life of account + 90 days |
| Click-through acceptance | Timestamp, IP address, user-agent, document SHA-256 hash, session identifier | Your browser at signup | Contract formation evidence, chargeback defense | 7 years |
| Billing | Last 4 digits and brand of payment method; PayPal payer ID; transaction IDs; charge amounts and dates | PayPal / processor | Subscription billing, chargeback defense, tax records | 7 years (IRS / tax) |
| WireGuard | Peer public keys, allocated IPs (IPv4 + IPv6), allowed-IPs config | You / `sidecar` CLI | Tunnel routing | Life of peer + 30 days |
| Connection metadata | Sampled handshake events (first handshake per peer per day), daily traffic aggregates, last-seen timestamp, bytes transferred (per peer, aggregated) | Relay nodes | Capacity planning, abuse handling, service-delivery proof, chargeback defense | 24 months |
| Monthly traffic record | Per-peer monthly aggregate bytes; used as service-delivery evidence in payment dispute defense | Relay nodes | Chargeback liability window coverage | 7 years |
| Abuse logs | Source IP of suspected AUP-violating traffic, destination summary, abuse-report content | Automated detection / third-party complaints | AUP enforcement, NCMEC/DMCA reporting | 1 year |
| Web analytics | Page paths, referrer, anonymized IP (last octet truncated) | Browser visits to sidecar.network | Product analytics | 13 months |
| Support correspondence | Email content you send to *@sidecar.network | You | Support, dispute records | 3 years |
| Email delivery telemetry | Sent / delivered / opened / clicked events for transactional emails | Sidecar's self-hosted mail server (`mail.sidecar.network`) | Chargeback defense (proof we notified you) | 3 years |

The categories of data retained for dispute defense are described in §6.4 of the Terms of Service.

---

## 2. Data We Do Not Collect

Sidecar **does not** and **cannot** access the contents of encrypted WireGuard tunnels. WireGuard provides end-to-end authenticated encryption between your container and its destination; the relay performs Layer-3 forwarding only. We do not log destination URLs, application-layer payloads, or any data inside the encrypted envelope. This is a property of the protocol, not a policy choice — we are technically incapable of inspecting tunnel contents.

**DNS queries** from containers are forwarded via **Oblivious DNS over HTTPS (ODoH, RFC 9230)**, an HPKE-encrypted protocol that prevents any single party from seeing both the container identity and the query content simultaneously. Each relay runs an ODoH proxy daemon: the daemon sees which customer IP is asking but cannot read the query (the DNS message is encrypted under the upstream ODoH target's published public key before it leaves the relay); the upstream resolver sees the query content but receives it from the relay over a single shared TLS connection and cannot link it back to a specific customer. We do not log DNS query content, only aggregate counters (queries per second, error rate, upstream latency). Proxy-target unlinkability is a property of the protocol, not a policy choice.


**Onion-mode routing** is an optional per-container setting (Docker label `sidecar.relay-mode: onion`) that wraps your traffic in two independent WireGuard tunnels keyed by cryptographically independent X-Wing-derived pre-shared keys and forwards it through two relays in different regions before reaching the public internet. Neither relay alone holds enough key material to read your traffic. This is a paid feature; the default mode is single-hop.

We do not sell personal data. We do not share personal data with advertisers. We do not use third-party tracking cookies on sidecar.network beyond what is strictly necessary for the cart and authenticated session.

---

## 3. Legal Bases (GDPR Art. 6)

- **Contract performance** — account, billing, WireGuard peer, connection metadata.
- **Legitimate interest** — abuse logs, security monitoring, product analytics, fraud and chargeback defense.
- **Legal obligation** — tax records, CSAM/NCMEC reporting, DMCA compliance, sanctions screening.
- **Consent** — optional marketing emails (separate opt-in; withdrawable any time).

---

## 4. Sub-Processors

| Sub-processor | Purpose | Location | Data category |
|---|---|---|---|
| Dedicated-server provider (named in writing on request) | Relay VPS hosting, public IP allocation | EU and North America datacenters | Connection metadata, peer IPs |
| **PayPal Holdings, Inc.** | Subscription payment processing and card processing (Hosted Card Fields) | USA / Luxembourg | Billing data; PayPal is an independent data controller for payment data |
| ODoH target resolver and DNS provider (named in writing on request) | Oblivious DNS over HTTPS target (HPKE-encrypted query content only; client IP is the shared relay, never the container) plus authoritative DNS for sidecar.network and edge delivery for the marketing site | USA / Global | Container DNS query content (no link to a specific container); anonymized web analytics |
| Self-hosted mail server (operated by Sidecar) | Transactional email (receipts, renewal reminders, password resets). Runs on a dedicated VPS at `mail.sidecar.network`. All mail signed with 2048-bit DKIM, SPF hard-fail (`-all`), DMARC `p=reject` with strict alignment, MTA-STS enforce mode, TLS-RPT reporting. No third-party email sub-processor. | USA datacenter | Email address, message content, delivery telemetry |
| **NCMEC** | Statutory CSAM reporting (18 U.S.C. § 2258A) | USA | Abuse logs containing CSAM reports |

The current sub-processor list — including all categories (infrastructure, payment, email, DNS / CDN / tunnel, bot mitigation, ML weights distribution, open-source feed CDN, off-host backup, reporting / safety, optional video safety) and the named entities for each role above — is maintained at **** and is provided in writing to enterprise and DPA customers on request.

We will notify subscribers via email at least thirty (30) days before adding a new sub-processor with access to personal data.

---

## 5. International Transfers

Sidecar is headquartered in Delaware, USA.
Relays operate in commercial datacenters in the United States, Canada, France, Germany, and the United Kingdom; specific provider and facility identifiers are available on request to enterprise and DPA customers.

Transfers from the EU/UK to the US are made under the EU Standard Contractual Clauses (2021/914) and the EU-US Data Privacy Framework where applicable. A copy of our SCCs is available on request to privacy@sidecar.network.

---

## 6. Your Rights

### 6.1 GDPR / UK GDPR (if you are in the EEA or UK)

- **Access** — request a copy of personal data we hold about you.
- **Rectification** — request correction of inaccurate data.
- **Erasure ("right to be forgotten")** — request deletion, subject to legal retention obligations (tax records held 7 years, chargeback-defense records held 7 years).
- **Restriction** — request that we limit processing.
- **Portability** — receive your data in a machine-readable format (JSON export of account + peer records).
- **Objection** — object to processing based on legitimate interest.
- **Withdraw consent** — for any consent-based processing.
- **Complain** — to your supervisory authority (e.g., CNIL, BfDI, ICO).

To exercise these rights email **privacy@sidecar.network**. We respond within thirty (30) days.

### 6.2 CCPA / CPRA (if you are a California resident)

- **Right to know** what categories of personal information we collect, the sources, purposes, and recipients.
- **Right to delete** personal information we hold, subject to legal exceptions.
- **Right to correct** inaccurate personal information.
- **Right to opt out** of "sale" or "sharing" of personal information — Sidecar does not sell or share personal information as defined under CPRA, so this right has no practical application, but we honor Global Privacy Control signals.
- **Right to limit use** of sensitive personal information — we do not use sensitive personal information for any purpose other than providing the Services.
- **Right to non-discrimination** for exercising any of the above.

To exercise these rights email **privacy@sidecar.network** with "CCPA Request" in the subject line.

---

## 7. Data Retention Summary

See the table in §1. In general:

- Account: life of account + 90 days for dispute and abuse handling.
- **Connection metadata (sampled handshakes + daily aggregates): 24 months** — required for service-delivery proof during the chargeback liability window.
- **Monthly traffic records + billing + click-through acceptance + email delivery telemetry: 7 years** — required for tax compliance and chargeback defense.
- Abuse logs: 1 year.
- Litestream WAL replicas: rotated on a 90-day cycle.

After the applicable retention period, data is deleted or irreversibly anonymized.

---

## 8. Security

Sidecar applies industry-standard safeguards including:

- **TLS 1.3** for all client-facing endpoints.
- **Post-quantum hybrid key encapsulation** for control-plane key establishment.
- **WireGuard Noise_IK** for tunnel authentication.
- **Full-disk encryption** on all relay VPS instances.
- **Control-plane database is held in memory** with local Litestream WAL replication. Sidecar holds all encryption keys.
- **Principle-of-least-privilege IAM** and quarterly access reviews.
- **Published vulnerability disclosure policy** at sidecar.network/.well-known/security.txt.
- **AI-assisted abuse triage (advisory only).** A locally-hosted small language model (fully offline, with no third-party API calls) centralised at https://sidecar.network/v1/abuse/triage extracts the reported peer IP, violation category, and severity score from inbound abuse emails and pre-stages an enforcement action for human-operator review. A dual-LLM (CaMeL-style) prompt-injection defense prevents the model that reads untrusted input from autonomously taking action. **No enforcement action is ever taken without explicit human confirmation.** See [Terms of Service §3](TERMS.md) and the [AUP](AUP.md).


No system is perfectly secure; in the event of a breach affecting your personal data we will notify you and the appropriate supervisory authority within 72 hours of confirmation, as required by GDPR Art. 33–34 and applicable US state breach laws.

---

## 9. Children's Privacy

Sidecar does not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact privacy@sidecar.network and we will delete the account and associated data.

---

## 10. Warrant Canary

Sidecar publishes a transparency canary at **https://sidecar.network/canary** affirming, as of each update, that we have not received certain categories of legal process. See [CANARY.md](CANARY.md) for the protocol and [WARRANT_CANARY.md](WARRANT_CANARY.md) for the current text.

---

## 11. Changes to This Policy

We will post material changes at least thirty (30) days before they take effect and email subscribers at their account-of-record address.

---

## 12. Contact

**Sidecar Network LLC** — Privacy Officer
privacy@sidecar.network
Delaware, USA

EU representative (if/when designated under GDPR Art. 27): to be published at sidecar.network/legal/eu-rep.