# Trust Surface

## Privacy Policy

This page describes what data is required to operate build sessions and how long operational records are retained.

### What the server keeps long-term

Account / session identifier (email + auth token, used for login); quota / billing records (who ran how many builds — count only, never the contents). Those two, nothing else.

### Lives only inside the build sandbox — destroyed at build end

Build job metadata (target chip, IDF version, build_type, parameters), compile logs (streamed to your browser over WebRTC), firmware artifacts (.bin / .elf, pushed to your browser over WebRTC), failure diagnostics (stderr, stack traces) — all live inside an ephemeral sandbox. **The sandbox is destroyed the moment the build finishes; the server retains no copy of build logs, firmware, or source.** You download the .bin, close the browser, and nothing remains on our side.

### Stays only in your browser — the server never sees it

The /ops/* surfaces' localStorage (maker-stats snapshots, plugin registry, local preferences); the analytics endpoint setting (default off + empty; you point it at your own sink); wizard drafts; WebRTC SDP/ICE negotiation state; everything pushed via `window.aegis.*`; whatever build logs and .bin files you keep in the browser after the build. Switching browsers, clearing the cache, or moving to a new device does not sync any of this to the server.

### Things we never collect

No third-party analytics (Google / Baidu / Hotjar etc. have all been removed); no fingerprinting; no sharing with advertisers; no persistent device telemetry. **Most importantly: your maker-asset triples (`~/maker-assets/`) never leave your disk** — they are signed locally by `espctl deposit`, and the server has no copy, no backup, no mirror.

### Retention windows (short)

Account sessions: until logout, or auto-expire after 30 days of inactivity. Billing records: minimum legally required (currently 36 months). Build logs / firmware artifacts / failure diagnostics: **not retained** — the sandbox is destroyed and the data is gone. Expired account data is physically deleted on a cron — not moved to cold archive.

### Third parties

Infrastructure: Caddy reverse proxy (no PII forwarded), self-hosted STUN/TURN relay (only used if direct P2P fails; traffic is end-to-end DTLS-SRTP encrypted, so the relay forwards ciphertext it cannot read). **No CDN fingerprinting, no analytics vendors.** Any new third-party dependency will be listed here explicitly with advance notice.

### What you control

Export: `espctl deposit export --json` packages all your local triples (your asset has always been yours). Inspect cache: any server-side artifact can be reviewed via the `artifacts.*` MCP tools. Delete account: file a request through the Contact page. Stop using: just stop — no lock-in, no contract. Your maker data lives on your disk from day one.

### How to reach us

Security / vulnerabilities → `security@esphome.cloud`, 24-hour response (every day, not just weekdays), coordinated disclosure. Privacy / data access / deletion / private matters → `hello@esphome.cloud`, office hours: Tuesday 14:00–16:00 UTC+8. General feedback / bugs / features → [`github.com/esphome-cloud/community`](https://github.com/esphome-cloud/community) (Issues + Discussions); if GitHub is unreachable from your network, use the [Gitee read-only mirror](https://gitee.com/esphome-cloud/community) or `feedback@esphome.cloud` (same Tuesday office-hours response). Single maintainer; 80–90% of inbound is AI-triaged, but every email is ultimately read by a human.