Privacy & Security

Updated 2026-05-22.

The short version (BYOH model)

CloudHostAI is Bring Your Own Hetzner. You give us an API token to your own Hetzner Cloud account. We orchestrate servers inside your account on your behalf. You pay Hetzner directly. We never provision in our own account on your behalf.

What we store

  • Account: your email + a salted password hash. We do not store your plaintext password.
  • Hetzner API token: stored encrypted with Fernet (AES-128-CBC + HMAC-SHA256) keyed off the server SECRET_KEY. Plaintext is decrypted only in-memory at the moment of a Hetzner API call. We never echo it in logs, error messages, or telemetry.
  • CloudHostAI SSH keypair: a per-user ed25519 keypair generated by us. The public key is uploaded to your Hetzner project (so we can SSH for log fetching and remote redeploy). The private key is stored encrypted alongside your token.
  • Project metadata: name, repo URL, branch, Hetzner server id, IP, status, deploy history.

The temporary SSH key — full disclosure

When CloudHostAI provisions a server, we tell Hetzner to install the public half of your CloudHostAI-managed keypair as the server's root SSH key. This lets us:

  • Run docker logs --tail=200 when you click "Logs" on the dashboard.
  • Run git pull && docker compose up -d --build when you click "Re-deploy".

The private half stays encrypted in our database. We never share it. If you want to lock us out, rotate or remove the key in console.hetzner.cloud → your project → Security → SSH Keys (look for cloudhostai-user-<id>).

What we do not store

  • Your Hetzner billing details.
  • The actual code/data running on your servers.
  • Your environment secrets (you set those directly on your server / in your Dockerfile).

How to revoke us

  1. Settings → Disconnect in CloudHostAI removes the stored encrypted token + the in-DB keypair.
  2. In console.hetzner.cloud, Security → API Tokens → revoke the token. Do this too — disconnecting in our UI removes our copy but only Hetzner can invalidate the token itself.
  3. Optional: delete the cloudhostai-user-<id> SSH key from Hetzner.
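
To confirm the revocation steps above on the server side, this added example (not CloudHostAI's own code) scans a copy of root's authorized_keys for the entry whose fingerprint matches the cloudhostai-user-<id> key. The function names and the sample keys are constructed for illustration, and it assumes you supply the fingerprint yourself, in either MD5 colon-hex or SHA256 form.

```python
import base64
import hashlib
import struct


def fingerprints(blob: bytes) -> tuple:
    """Return (MD5 colon-hex, 'SHA256:'+base64) fingerprints of a raw key blob."""
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5_colon = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_colon, "SHA256:" + sha


def find_key_lines(authorized_keys: str, fingerprint: str) -> list:
    """Return (line_number, line) for every entry whose key matches fingerprint."""
    wanted = fingerprint.strip()
    if wanted.upper().startswith("MD5:"):
        wanted = wanted[4:].lower()
    hits = []
    for number, line in enumerate(authorized_keys.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (e.g. no-pty) may precede the key type, so search for it.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:  # not base64: malformed entry, skip it
                    break
                if wanted in fingerprints(blob):
                    hits.append((number, line))
                break
    return hits


def constructed_key_line(seed: int, comment: str) -> str:
    """Constructed sample: an ed25519-shaped entry built from fixed bytes, not a real key."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    managed = constructed_key_line(1, "cloudhostai-user-<id>")
    sample = "\n".join([constructed_key_line(7, "admin@laptop"), managed])
    md5_fp, _ = fingerprints(base64.b64decode(managed.split()[1]))
    for number, line in find_key_lines(sample, md5_fp):
        print(f"line {number} is still authorized: {line}")
```

Run find_key_lines over the authorized_keys content of each server that was provisioned with the key; an empty result means the key is no longer listed for root on that machine.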

Data residency

CloudHostAI's orchestrator and database are hosted in the EU on OCI. Your application servers are in Hetzner's fsn1 (Falkenstein, Germany) datacenter by default. Multi-region support is coming soon.

Disclaimer

BYOH — Bring Your Own Hetzner. You connect your own Hetzner Cloud account; CloudHostAI orchestrates servers IN your account. You pay Hetzner directly for compute (from €3.99/mo per server). CloudHostAI charges only for the orchestration platform. We store your Hetzner API token encrypted; you can revoke it in Hetzner at any time. SSL via Let's Encrypt on a best-effort basis. This is an MVP — flagged 'coming soon' features (auto-scaling, managed DBs, preview environments, GitHub OAuth) are not yet implemented.