← Back

Privacy Policy

Last updated: March 2026

1. Overview

The Other Dude is self-hosted software. All data is stored on infrastructure you own and control. The authors do not collect, transmit, or have access to any of your data. This privacy policy describes what data the Software stores locally on your deployment.

2. Data We Store

When deployed, The Other Dude stores the following data in your local database:

User accounts: Email addresses, names, and authentication data. Passwords are never stored — The Other Dude uses SRP-6a zero-knowledge authentication, meaning the server only stores a cryptographic verifier derived from your password, never the password itself.
Encryption key material: Per-user encrypted key sets for zero-knowledge encryption. Your Secret Key is stored only in your browser (IndexedDB) and is never transmitted to or stored on the server.
Device credentials: RouterOS usernames and passwords for managed devices, encrypted at rest with AES-256-GCM via per-tenant envelope encryption.
Device data: Hostnames, IP addresses, firmware versions, hardware models, and configuration backups retrieved from your MikroTik devices.
Metrics: Time-series performance data (CPU, memory, bandwidth, wireless stats) collected from your devices by the polling service.
Audit logs: Records of user actions within the portal (logins, configuration changes, device management operations). Encrypted at rest with zero-knowledge encryption.
Certificates: TLS certificates and encrypted private keys generated by the internal certificate authority for device API connections.

3. No External Transmission

The Other Dude does not send any data to external servers, analytics services, or third parties. All communication occurs between the portal and your MikroTik devices over your local or private network. The only outbound connections are:

Firmware checks: Queries the MikroTik download server to check for RouterOS updates (no device data is sent).
Email notifications: If configured, alert emails are sent via your SMTP server. Only alert data you configure is included.
Webhook notifications: If configured, alert data is sent to webhook URLs you specify.

4. Multi-Tenancy

The Other Dude supports multiple tenants (organizations). Data isolation between tenants is enforced at the database level using PostgreSQL Row-Level Security (RLS). Each tenant can only access their own devices, users, and data. The super_admin role has cross-tenant visibility for platform administration.

5. Security Measures

SRP-6a zero-knowledge authentication (server never sees your password)
Zero-knowledge encryption for config backups and audit logs
Per-tenant envelope encryption via KMS
Device credentials encrypted with AES-256-GCM
JWT tokens with short expiry (15 minutes) in httpOnly cookies
Rate limiting on authentication endpoints
RBAC with four permission levels
Security headers (CSP, X-Frame-Options, HSTS)
Subresource Integrity (SRI) hashes on JavaScript bundles

6. Your Rights

As a user of this deployment, you have the following rights regarding your personal data:

Right of Access (Art. 15): You can view your account information on the Settings page at any time.
Right to Data Portability (Art. 20): You can export all your personal data in JSON format from Settings > Export My Data.
Right to Erasure (Art. 17): You can permanently delete your account and all associated personal data from Settings > Delete Account. This action:
- Hard-deletes your user account, encrypted key sets, and API keys
- Anonymizes your entries in the audit log (removes email/name, retains action records)
- Creates a deletion receipt for compliance verification
- Is irreversible — there is no recovery after deletion
Right to Rectification (Art. 16): Contact your administrator to update your account information.

These rights can be exercised through the Settings page when logged in, or by contacting your deployment administrator.

7. Data Retention

The Other Dude applies the following data retention periods:

Data Type	Retention Period	Notes
User accounts	Until deleted	Users can self-delete from Settings
Device metrics	90 days	Automatically purged by TimescaleDB retention policy
Configuration backups	Indefinite	Stored in git repositories on your server
Audit logs	Indefinite	Anonymized on account deletion; action records retained
API keys	Until revoked or user deleted	Cascade-deleted with user account
Encrypted key material	Until user deleted	Cascade-deleted with user account
Session data (Redis)	15 min (access) / 7 days (refresh)	Auto-expiring tokens
Password reset tokens	Until used or 30 minutes	Auto-expire, cascade-deleted with user

After account deletion, all personally identifiable information is permanently erased. Anonymized audit log entries (with no PII) are retained for security compliance.

After tenant deactivation, all tenant data (devices, metrics, configurations, user accounts) is retained until the super admin explicitly deletes the tenant, at which point all data is cascade-deleted.

You control all retention through your database and can adjust these periods in your deployment configuration.

8. Cookies

The Other Dude uses a single httpOnly session cookie for authentication. No tracking cookies, analytics cookies, or third-party cookies are used. The application also uses localStorage for user preferences (theme, sidebar state, configuration mode).

9. Your Responsibilities

As the operator of a self-hosted deployment, you are the data controller. You are responsible for compliance with applicable data protection laws (GDPR, CCPA, etc.) in your jurisdiction, including data subject access requests and breach notification.

10. Contact

For questions about this privacy policy or the data practices of The Other Dude, please open an issue in the project repository.