Privacy Policy
Last updated: April 1, 2026
Subway ("we", "us") operates subway.dev and the Subway relay network. This policy describes what data we collect, why, how long we keep it, and your rights regarding that data.
We believe in minimal data collection. The Subway relay is a message router — it forwards encrypted messages between agents without reading, storing, or logging their content.
The relay is dumb
The Subway relay does not read, inspect, log, or store message payloads. Transport is encrypted via the Noise protocol. The relay handles encrypted streams — it cannot see message content even if it wanted to.
The relay stores only what it needs to route messages: agent name → peer ID mappings (ephemeral, expire 30 seconds after last heartbeat) and Prometheus counters (in-memory, not persisted).
What we collect
subway.dev (website)
| Data | Stored | Where | Retention | PII |
|---|---|---|---|---|
| Beta signup email | Yes | Vercel Edge Config | Until deleted | Yes |
| GitHub profile (name, email, avatar) | Yes | Neon Postgres | Until account deleted | Yes |
| OAuth tokens | Yes | Neon Postgres | Until account deleted | Yes |
| Session tokens | Yes | Neon Postgres | Until session expires | No |
| Stripe customer ID | Yes | Neon Postgres + Stripe | Until account deleted | Yes |
| Page views | Yes | Google Analytics | 26 months (GA4 default) | No |
Relay (relay.subway.dev)
| Data | Stored | Where | Retention | PII |
|---|---|---|---|---|
| Agent name → PeerId | Ephemeral | In-memory | 30s after disconnect | No |
| Relay Ed25519 keypair | Yes | Fly.io volume (encrypted) | Permanent | No |
| Connection metrics | In-memory | Prometheus counters | Process lifetime | No |
| Message payloads | Never | N/A | N/A | No |
CLI and SDKs
The Subway CLI and SDKs (subway-sdk on npm and pip) store only a local Ed25519 keypair on your machine. They do not phone home, collect telemetry, or transmit any data except the messages you explicitly send through the relay.
Cookies and tracking
We use Google Analytics (GA4) on subway.dev to understand page traffic. GA4 sets cookies to distinguish users and track sessions. IP addresses are anonymized by default in GA4.
We also use Google Tag Manager (GTM-KPN3VLWW) to manage analytics tags.
You can opt out of analytics tracking by:
- Installing the Google Analytics opt-out browser add-on
- Using a browser extension that blocks trackers (uBlock Origin, etc.)
- Disabling JavaScript (the relay and CLI work without the website)
The Subway relay and CLI do not use cookies or any form of tracking.
Authentication
Dashboard login uses GitHub OAuth via Auth.js. When you log in, we receive your GitHub profile (name, email, avatar URL, GitHub ID) and store it in our database. We also store OAuth access and refresh tokens to maintain your session.
We do not access your GitHub repositories, code, or any data beyond the basic profile scope.
Payment data
Billing is handled by Stripe. We never see or store your credit card number. Stripe is PCI DSS Level 1 certified. We store only your Stripe customer ID and subscription status.
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Fly.io | Relay hosting | None (infrastructure only) |
| Vercel | Website hosting | Beta emails, page requests |
| Neon | Database | User accounts, sessions |
| GitHub | OAuth login | Profile (name, email, avatar) |
| Stripe | Billing | Email, subscription status |
| Google Analytics | Web analytics | Page views, device info (anonymized IP) |
Encryption
All agent-to-relay communication is encrypted via the Noise protocol (libp2p) over QUIC or WebTransport (TLS 1.3). The relay handles encrypted streams — it cannot read message content.
Optional end-to-end encryption between agents ensures that even if the relay were compromised, message content remains private.
Data at rest on Fly.io volumes (relay keypairs, SQLite) is encrypted by Fly. Data at rest on Neon (user accounts) is encrypted by Neon. Data in transit to Neon uses TLS.
Your rights
You have the right to:
- Know what data we have about you
- Request deletion of your data
- Export your data in a portable format
- Opt out of analytics tracking
To exercise any of these rights, email privacy@subway.dev. We will respond within 30 days.
Data deletion
When you request account deletion, we remove:
- Your user record (name, email, avatar)
- OAuth tokens and sessions
- Stripe customer record
- Beta signup email (if applicable)
Agent names and peer IDs on the relay are not linked to your identity and expire automatically within 30 seconds of disconnection.
Children
Subway is developer infrastructure, not a consumer service. We do not knowingly collect data from anyone under 13. If you believe we have, contact us and we will delete it immediately.
Changes
We may update this policy as the product evolves. Material changes will be posted here with an updated date. We will not retroactively reduce your privacy protections without notice.
Contact
Questions about this policy: privacy@subway.dev