Privacy Policy

Last updated: November 24, 2025

This Privacy Policy explains how OpenMQTT (“we”, “us”, “our”) collects, uses, stores and protects personal data in connection with the OpenMQTT cloud MQTT service (“the Service”). We are committed to processing personal data in compliance with the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller is OpenMQTT. Email: privacy@openmqtt.com

If you are using OpenMQTT as a business customer and request a Data Processing Agreement (DPA), we may act as a data processor for MQTT payloads and device data.

2. Data We Collect

We collect the minimum information necessary to operate a secure, reliable MQTT service.

2.1 Account Information

  • Email address
  • Password (hashed and salted)
  • Name
  • Country/region
  • Subscription plan / billing details

2.2 Billing Information (via Stripe)

When subscribing to a paid plan, billing information is processed by our payment processor: Stripe Payments Europe, Ltd. (Stripe Privacy Policy). We do not store full credit card numbers on our servers.

2.3 MQTT Metadata

To operate your broker, we process:

  • connection timestamps
  • client IDs
  • IP addresses
  • TLS fingerprint
  • QoS
  • topic names
  • online/offline events
  • retained flag
  • error codes

2.4 Message Payloads

By default, we do not store the contents of MQTT messages. Payloads may be stored only if you explicitly enable:

  • Debug/Inspector
  • Dashboard logging
  • Historical data retention
  • Flow recording

2.5 Log Data / Device Telemetry

We may process device IP, reconnect attempts, authentication success/failure, and usage statistics (traffic, sessions, quotas). This helps ensure stability, performance, and abuse prevention.

2.6 Cookies & Analytics

We use cookies for login sessions, user preferences, and website analytics (anonymised). We may use tools such as Plausible Analytics, Google Analytics (optional, consent-based), and Cloudflare.

3. How We Use Personal Data

We process data exclusively for:

  • operating your MQTT brokers
  • securing and stabilising the Service
  • account authentication
  • billing and subscription management
  • detecting abuse, spam or attacks
  • providing support
  • improving the Service
  • analytics (aggregate, non-identifiable)

We do not sell or share data with advertisers.

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

4.1 Contractual necessity (Art. 6(1)(b))

To provide the Service: account creation, MQTT broker operation, dashboards, logs, flows, billing

4.2 Legitimate interest (Art. 6(1)(f))

Security monitoring, abuse prevention, analytics for product improvement

4.3 Consent (Art. 6(1)(a))

Optional analytics, optional logging of MQTT payloads, optional newsletters

4.4 Legal obligation (Art. 6(1)(c))

Bookkeeping, anti-fraud safeguards, tax/VAT documentation

5. Sharing of Data

We only share data with trusted subprocessors necessary to operate the Service:

  • Stripe (payments)
  • Cloudflare (security/CDN)
  • Hosting provider (Hetzner, AWS, or equivalent EU-based computing)
  • Email provider (Mailgun, Postmark, or equivalent)
  • Analytics provider (Plausible, optional)

We ensure all subprocessors sign GDPR-compliant DPAs and operate under European data protection standards. We never sell personal data.

6. International Transfers

If data is transferred outside the EU/EEA, we ensure Standard Contractual Clauses (SCCs), supplemental safeguards, and GDPR-compatible protection levels. Most user data is stored within the EU (depending on region/plan).

7. Data Retention

We retain data only as long as necessary:

Data TypeRetention
Account dataUntil deletion
Billing data7–10 years (legal requirement)
Connection logs7–30 days (depending on plan)
Aggregated usage statistics (no payload, only size in kb)14 days for free accounts, 60 days for premium
Debug logs24–72 hours
Support ticketsUntil resolved + 12 months

You may request deletion at any time (see Section 9).

8. Security

We implement industry-standard security measures:

  • TLS encryption for all MQTT traffic
  • Password hashing (bcrypt/argon2)
  • Firewall and rate-limiting
  • Brute-force protection
  • Network isolation per broker
  • Monitoring for suspicious activity
  • Two-factor authentication (optional)

However, no service is 100% secure. You are responsible for securing your IoT devices and client code.

9. Your Rights (GDPR)

You have the right to:

  • access personal data we store
  • request correction
  • request deletion (“right to be forgotten”)
  • object to certain processing
  • request data portability
  • withdraw consent
  • file complaints with your local supervisory authority (IMY in Sweden)

To exercise rights: privacy@openmqtt.com

10. Children

The Service is not intended for children under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy. If changes are significant, we will notify you via email or in-app message.

12. Contact

For privacy inquiries: privacy@openmqtt.com