Privacy Policy
Tailgator is an experimental, spare-time project that operates a managed Tailscale-powered reverse proxy platform. We currently focus on webhook delivery, with future plans to support broader HTTPS reverse proxy use cases. This Privacy Policy describes how we handle personal data for visitors and users in the United States, the European Union, and other regions. Tailgator is operated by an individual developer; for any privacy questions, reach out to contact@tailgator.app.
Personal Data We Process
- Account and identity details from Tailscale: tailnet identifiers, device names, node IDs, peer metadata, owner identity strings, login URLs, verification codes, and adoption HMAC secrets that you or your tailnet provide when authorizing a tunnel.
- Configuration data: endpoint names, aliases, slugs, destination URLs, TLS preferences, status flags, success and failure counters, and timestamps that you save for your tunnels.
- Session data: identifiers stored in the `tsproxy_session` cookie, session state, and short-lived verification codes that enable secure configuration flows.
- Operational telemetry: auth status snapshots, Tailscale netcheck reports, peer rosters, and error messages needed to operate the service and guard against abuse.
- Request content: webhook or HTTPS payloads that traverse Tailgator. We proxy these requests but do not intentionally store their bodies beyond the time required to forward them.
- Platform analytics: Cloudflare’s edge analytics and access logs, which may include IP addresses, user-agent strings, and basic timing metrics.
How We Use Personal Data
We process personal data for the following purposes:
- Providing, configuring, and operating reverse proxy tunnels and webhook delivery features.
- Authenticating access to tunnels and protecting the platform against abuse or unauthorized use.
- Monitoring service health, debugging issues, and improving reliability.
- Complying with applicable laws and responding to lawful requests.
- Preparing for future product development and potential commercialization.
Legal Bases for EU Users
- Contract necessity: operating the service, delivering webhooks, maintaining tunnels, and providing support.
- Legitimate interests: securing the platform, preventing misuse, and improving stability, so long as these interests are not overridden by your rights.
- Legal obligation: retaining data or responding to lawful disclosure requests when required.
- Consent: storing the `tsproxy_session` cookie and processing data you voluntarily submit when configuring endpoints or authenticating devices.
Cookies and Tracking
We use a single, essential cookie (`tsproxy_session`) to maintain authenticated sessions. It is secured with HttpOnly, Secure, and SameSite=Lax attributes and expires automatically within 24 hours. We do not currently use marketing pixels or third-party trackers. Cloudflare edge analytics operate as part of our hosting provider and rely on server-side logging rather than browser-based trackers.
Third Parties and International Transfers
We rely on two primary subprocessors: Cloudflare, Inc. (Workers, Durable Objects, KV storage, and analytics) and Tailscale Inc. (Tailscale IPN stack, DERP relay network, authentication APIs). These providers may process data in the United States, the European Union, or other jurisdictions. Where required, we rely on the standard contractual clauses or the EU-U.S. Data Privacy Framework embedded in their customer agreements to safeguard international transfers.
Data Retention
- Tunnel configurations, adoption secrets, and session metadata remain until you deprovision the tunnel, expire its key, or delete the related configuration.
- Durable Object and KV logs are typically retained for up to 30 days.
- Cloudflare’s high-level analytics may persist longer in aggregated form to support capacity planning and help measure abuse trends.
- We will delete or anonymize data sooner if you exercise your rights or when storage is no longer needed.
Security
We use encrypted transport (HTTPS and Tailscale tunnels) and encryption at rest provided by Cloudflare and Tailscale. Each tunnel runs in its own Durable Object instance to isolate credentials and state. However, the service does not offer end-to-end encryption, and proxy operators may access metadata necessary to triage issues. You are responsible for configuring Tailscale ACLs and endpoint security appropriate to your risk level.
Your Rights
Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port your personal data, and California residents may request disclosures about personal information we collect. You can submit requests by emailing contact@tailgator.app. We will respond as promptly as the spare-time nature of this project allows and in accordance with applicable law. Because we operate in a limited capacity, we may need to verify your identity and may not be able to fulfill requests that conflict with security, legal obligations, or technical feasibility.
Children
Tailgator is intended for technically proficient adults and is not directed to anyone under 18. We do not knowingly collect personal data from minors. If you believe a child has provided data, contact us so we can delete it.
Changes to This Policy
We may update this Privacy Policy as the product evolves into a broader HTTPS reverse proxy or if we launch commercial offerings. Material changes will be posted on this page with an updated revision date. Continued use of Tailgator after an update signifies acceptance of the revised policy.
Contact
For any questions or requests about this Privacy Policy, email contact@tailgator.app.