Put simply, Remotely doesn't use any cookies for tracking or gathering personal data. It's built using only standard ASP.NET Core libraries from Microsoft. The only cookies used are part of Microsoft's Identity framework and are necessary for providing secure login functionality.

The web server logs access information, including IP addresses, of people who access the site. This logging behavior is typical of web servers, and the information they contain is only used for diagnostic purposes when needed. No personally identifiable information is gathered.

The Remotely server uses Microsoft's Identity system for handling authentication. User accounts and passwords are handled by Microsoft's code libraries that are built into ASP.NET Core.

Identity does not save passwords on the server. They are obscured in a way that cannot be reversed, but can only be used to determine if subsequent login attempts are the same as the original password used to create the account. The password itself cannot be retrieved, though.

You can learn more about Identity on Microsoft Docs.

Data pertaining to computers using the Remotely service is only kept for three months, then it is permanently deleted. No information about the computers, commands sent, or results are kept permanently.