Last updated: January 2026
1. Introduction
Virtuino Cloud ("we", "our", "the Service") is operated by the Virtuino team and provides a cloud-based IoT platform
for connecting hardware devices, storing sensor data, and building automation dashboards.
This Privacy Policy explains what personal and technical data we collect when you use
cloud.virtuino.com, how we use it, and what rights you have
regarding your data. By using the Service you agree to this policy.
2. Data We Collect
Account data — provided by you at registration:
- Email address and username
- Encrypted password (bcrypt — never stored in plain text)
- Account creation date and last activity
IoT & sensor data — sent by your devices:
- Field values published via MQTT or HTTP API
- Timestamps of each data point
- Device identifiers you define (not hardware MACs)
Billing data — handled by Paddle.com:
- Subscription plan and billing cycle
- Payment processing is managed entirely by Paddle — we never store card numbers
- Paddle customer and subscription IDs (for managing your plan)
Technical / usage data — collected automatically:
- IP address (for security and rate-limiting only)
- Browser/device type via User-Agent
- API request logs (retained for up to 30 days)
3. How We Use Your Data
- Providing and operating the IoT platform (storing, querying, and displaying your device data)
- Account authentication and session management via JWT tokens
- Sending transactional emails: account alerts, subscription expiry notices, plan change confirmations
- Enforcing plan quotas (variable limits, data-point limits) and detecting abuse
- Processing subscription payments through Paddle webhooks
- Improving platform performance and diagnosing technical issues
We do not sell, rent, or share your personal data with third parties
for marketing or advertising purposes.
4. Data Retention
Sensor data: 1 year
Account data: duration of account
API logs: 30 days
- Historical sensor records are automatically deleted after 365 days, regardless of your plan's data-point quota
- Your account data (email, username, settings, dashboards) is kept as long as your account is active
- Upon account deletion, all associated data — devices, fields, sensor history, dashboards — is permanently removed within 30 days
- Billing records required by law (invoices, transaction logs) may be retained for up to 7 years per Paddle's and local tax requirements
5. Security
- All communication is encrypted via TLS/HTTPS and TLS MQTT
- Passwords are hashed with bcrypt and never stored in plain text
- API access is controlled via short-lived JWT tokens
- The server infrastructure runs on Google Cloud Platform with firewall rules restricting direct database access
- Rate limiting is applied to all public API endpoints to prevent brute-force attacks
Despite these measures, no Internet-based service can guarantee 100% security.
If you suspect unauthorized access to your account, change your password immediately and contact us at
support@virtuino.com.
6. Third-Party Services
- Paddle — payment processing and subscription management. Paddle acts as the Merchant of Record. See Paddle's Privacy Policy.
- Resend — transactional email delivery (account notifications, expiry alerts). Emails are sent only for service-related events, never marketing.
- Google Cloud Platform — server hosting infrastructure. Data is stored in the EU region.
7. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data (email or username can be changed in account settings)
- Erasure — request deletion of your account and all associated data
- Portability — export your sensor data in CSV format (available in the console)
- Objection — object to any processing you believe is unlawful
To exercise any of these rights, contact us at support@virtuino.com.
We will respond within 30 days.
8. Cookies & Local Storage
- We use browser localStorage to store your authentication token and preferences — no third-party tracking cookies are set
- No advertising networks or analytics platforms (e.g. Google Analytics) are used on the platform
- Bootstrap CDN and Font Awesome CDN are loaded from external servers — these providers may log basic request metadata per their own policies
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top
and, for significant changes, notify active users by email. Continued use of the Service after a change constitutes
acceptance of the updated policy.
10. Contact
For any privacy-related questions or requests: