Your Privacy (Last Updated: May 19th 2014)

We are completely committed to your privacy at all times when using Finch; both on the website ( and most especially when using the forwarding service itself (* The site and service are very different, hence this privacy policy is split into two separate sections clarifying how we handle your privacy on each of them:

  1. The Website (
  2. The Service (*

If you believe this privacy policy is incomplete, inaccurate, or could simply be clarified in any way please don’t hesitate to get in touch with us at

The Website (

Request information we log

Like many websites we log basic information for every request the website receives (regardless of whether it was made by a web crawler or a human being). This information includes:

  • The IP address of the request
  • The approximate Latitude and Longitude of the request, as determined by the MaxMind GeoIP API
  • The user agent which made the request
  • The referer of the request (if present)
  • The time at which the request is made

This data does not include any personal information whatsoever and is only consulted to diagnose any request issues and to aggregate statistics.

Personal information we collect

None, apart from that which you explicitly provide us with should you choose to register for an account (i.e. name, email etc).

Personal information we disclose to third parties

None. Should we ever be required to by law, this policy will be updated accordingly.

Cookies we set on your computer

We currently issue two cookies on most pages:

  1. A ‘session’ cookie. This simply allows us to tie each request to a visitor to provide a consistent experience while navigating around the site; without this we could not provide a coherent logged-in experience.
  2. A Google Analytics tracking cookie. Almost every website will issue a cookie like this; the data it collects is anonymised and simply provides us with statistical information.

You may configure your browser to reject cookies from this site if you wish.


All requests between your computer and the Finch Website are made over an encrypted connection using HTTPS. This means that these requests cannot be decrypted or read by anyone else. You may well have heard about the Heartbleed bug; our servers are not vulnerable to this and we keep our servers patched with all relevant security releases.

Passwords are stored using an industry standard one-way encryption mechanism; this is why we cannot (and would not) send you your password in an email if you have forgotten it (but you can reset it instead).

The Service (*

We fully appreciate the level of trust users put in a service like Finch; by its very nature all requests and responses must pass through our infrastructure which puts the service in a position of significantly elevated privilege. We want to be open about what data is stored when using the main forwarding service.

It is important to note that any information you send or receive on a subdomain of the service (i.e. * is not owned by, endorsed by or representative of Finch. If you are suspicious about a URL you have been sent which ends with * please do report it to us immediately at

Request information we inspect

We keep request inspection to the absolute minimum we need in order to route requests properly through the forwarding service. This is limited to a handful of request headers, all of which are sent by your browser as part of each request. Absolutely no part of the request body (if present) is inspected or stored, ever.

Request information we manipulate

We alter a few request headers in a similar way to other reverse proxies. Likewise, we add a few headers often present when requests are routed via reverse proxies (such as x-forwarded-for, x-forwarded-proto etc). No other data is ever manipulated.

Response information we inspect

We only ever inspect basic response headers and only then if you have selected the relevant modification options on a connection by connection basis. Again, no part of the response body is stored or inspected. If you have opted-in for automatic link rewriting, an automatic process blindly replaces links matching a certain pattern in the body of each response. However, the body is not stored, logged or otherwise examined.

Response information we manipulate

If your connection settings specify that HTTP redirects should be adjusted or HTML links should be rewritten, these parts of the response will be manipulated accordingly.

Request information we log

We log exactly the same information as per the website. However, some metrics are more relevant in the context of The Service:

  • The hostname of the request (e.g.
  • The response code (e.g. 200 OK, 404 Not Found)
  • The size of the response body, in bytes

Again, this data is only consulted to diagnose any request issues and to aggregate statistics. It contains no personal information.

Personal information we collect

None. All requests made through the service are forwarded on to the local site they represent at that time. What data that site collects is in no way related to Finch nor is it under our control.

Personal information we disclose to third parties

None. Should we ever be required to by law, this policy will be updated accordingly.

Cookies we set on your computer

None. The local site a URL represents may set its own cookies but these will never be issued by Finch.


The Service exposes sites both over HTTPS and HTTP. We would dearly love to enforce HTTPS only to ensure maximum privacy but unfortunately some configurations may need to use the HTTP version of the URL. However, we only ever link to and recommend the HTTPS version of forwarded sites and strongly encourage you to use these at all times.

Additionally, a connection is created between the computer running the Finch app and our forwarding servers when exposing one or more local development sites. This connection is always, unequivocally, encrypted.