matrix.org

Matrix.org Homeserver Privacy Notice




Matrix.org Homeserver Privacy Notice<p>Please read this document carefully before accessing or using this service!</p>1. Introduction1.1 English, Not Legalese<p>Most Privacy Policy documents are unreadable. They are written by lawyers and for lawyers, and in our opinion are not very effective.</p> <p>Data protection and privacy are important, and we want you to understand the issues involved. For that reason we decided to use plain English instead as much as possible, to make our terms as clear as possible.</p> <p>When you read 'the Matrix.org homeserver' or 'the Service' below, it refers to the services made available at <strong>https://matrix.org </strong>which store your account and personal conversation history, provide services such as bots and bridges, and communicate via the open Matrix decentralised communication protocol with the public Matrix Network.</p> <p>The public Matrix Network is a <em>decentralised</em> and <em>openly federated</em> communication network. This means that user messages are replicated on each participant's server and messages posted to a room are visible to all participants including in some cases any new joiners. This is further explained at 2.3.</p> <p>Where you read <em>The Matrix.org Foundation C.I.C.</em>, <em>The Matrix.org Foundation</em>, or <em>The Foundation</em>, it refers to the Community Interest Company incorporated on 29 October 2018 to be the neutral custodian of the Matrix protocol: The Matrix Foundation C.I.C., and their agents.</p> <p>Where you read <em>Element </em>(trading name of New Vector Ltd. 
and New Vector SARL), <em>Element.io,</em> or <em>we</em>, <em>our</em>, or <em>us</em> below, it refers to the company we created in July 2017 to hire the Matrix core team and support Matrix's development and so run the Matrix.org homeserver: New Vector Ltd., and its French subsidiary: New Vector SARL and their agents.</p> <p> <strong>The Matrix protocol is licensed by the Matrix Foundation which makes it available to third parties who set up their own homeserver. This privacy policy does not apply to such Matrix servers run by anyone else - Matrix is an open network like the Web and this agreement only applies to the server (Matrix.org) provided by Element.</strong> </p> <p>Matrix.org is the Data Controller for the Service. We can be contacted as per the details below:</p> <p>Email: dpo@matrix.org</p> <p>Postal address:</p> <p>The Matrix.org Foundation</p> <p>c/o New Vector Ltd</p> <p>10 Queen Street Place</p> <p>London</p> <p>United Kingdom</p> <p>EC4R 1AG</p> <p>Should you have other questions or concerns about this document, please send us an email at dpo@matrix.org.</p>1.2 This Is a Living Document<p>This is a living document. With your help, we want to make it the best in the industry.</p> <p>If you read something that rubs you the wrong way, or if you think of something that should be added, please get in touch! We're all ears! Email dpo@matrix.org and we'll chat.</p> <p>We don't amend this document for any specific users or use case, but if your proposed changes apply to all of our users, we'll be happy to update it for everyone. Scroll to the bottom to see the history so far.</p> <p>We will likely improve this document over time and we will take steps to inform our users about any updates. By continuing to use the Service, you will implicitly accept the changes we make. 
If updates to this document are ever associated with significant changes to the way we collect or process your data, we will promptly notify you.</p> <p>Your access and use of the Service is always subject to the most current version of this document.</p>2. Access to Your Data / Privacy Policy2.1 What is the legal basis for processing my data and how does this affect my rights under GDPR (General Data Protection Regulation)?2.1.1 Legal Basis for Processing<p>Element processes your data under a Legitimate Interest basis of processing, to provide our Service to you in an efficient and secure manner and to ensure the legal compliance and proper administration of our business. Essentially, this means that we process your data only as necessary to deliver the Service and for internal administration purposes, and in a manner that you understand and expect. We also carry out processing that is necessary to provide our Service to you under our Matrix.org Homeserver Terms and Conditions and processing that is necessary to comply with our legal obligations. Where consent is required by law in relation to certain processing, we will ask for your consent.</p> <p>We process your information for the purposes of providing our decentralised, openly-federated and end-to-end encrypted communication Service, getting in touch with you, responding to your requests, working with our suppliers to deliver the Service and enabling its features, ensuring the security of our Service, developing, fixing and improving our Service, administering our business and complying with the law.</p> <p>The nature of the Service and its implementation results in some caveats concerning this processing, particularly in terms of GDPR Article 17 <em>Right to Erasure (Right to be Forgotten)</em>. 
We believe these caveats (discussed in the section below in detail) are in line with the broader societal interests served by providing the Service.</p> <p>In situations where the interests of the individual appear to be in conflict with the broader societal interests, we will seek to reconcile those differences guided by our policy.</p>2.1.2 Your Rights as Data Subject<p>You have rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances. Some of these rights are explored in more detail elsewhere in this document. For completeness, your rights under GDPR are:</p> <ol> <li>The right to be informed</li> <li>The right of access</li> <li>The right to rectification</li> <li>The right to erasure</li> <li>The right to restrict processing</li> <li>The right to data portability</li> <li>The right to object</li> <li>Rights in relation to automated decision making and profiling.</li> </ol> <p>We may ask for proof of identity before responding to your request. For more details about these rights, please see the guidance provided by the ICO. If you have any questions or are unsure how to exercise your rights, please contact us at dpo@matrix.org.</p>2.1.3 Right to Erasure<p>You can request that we forget your copy of messages and files by instructing us to deactivate your account (using a Matrix client such as the Element chat app) and selecting the option instructing us to forget your messages. What happens next depends on who else had access to the messages and files you had shared.</p> <p>Any messages or files that were only accessible by your account will be deleted from our servers within 30 days.</p> <p>Where you shared messages or files with another registered Matrix user, that user will still have access to their copy of those messages or files. 
Apart from state events (see 2.1.3.1 below), these messages and files will <em>not</em> be shared with any unregistered or new users who view the room after we have processed your request to be forgotten.</p> <p>State events are processed differently to non-state events. State events are used by the Service to record, amongst other things, your membership in a room, the configuration of room settings, your changing of another user's power level and your banning a user from a room. Were we to erase these state events from a room entirely, it would be very damaging to other users' experience of the room, causing banned users to become unbanned, revoking legitimate administrator privileges, etc. We therefore share state events sent by your account with all non-essential data removed ('redacted'), even after we have processed your request to be forgotten. This means that your username will continue to be publicly associated with rooms in which you have participated, even after we have processed your request to be forgotten. We are actively working on a solution to work around this restriction and allow you to be fully forgotten while maintaining a high quality experience for other users. If this is not acceptable to you, please do not use the Service.</p>2.1.3.1 Exceptional Erasure<p>As described above, erasing a state event may result in our needing to erase the entire conversation at the same time. 
Deciding whether to take this drastic step will require a balancing exercise to be carried out at the time of the request, and will depend on:</p> <ul> <li>the nature of the Personal Data that the user is requesting to be erased;</li> <li>how many other users would have their fundamental rights and freedoms put at risk if the Right to Erasure were to be exercised</li> <li>to what degree these other users would have their fundamental rights and freedoms put at risk if the Right to Erasure were to be exercised</li> </ul> <p>The Personal Data contained in a state event is usually limited to the username, the timestamp and the conversation in which the state event was issued. State events only represent that a user participated in a given conversation at a given time. It is rare that this data is sensitive enough to warrant its erasure given the drastic impact this will have on other users.</p> <p>Each case will be decided based on the factors listed above. In most situations we will not erase state events. In extreme situations, where not erasing state events will place people at material risk of harm, we may choose to erase state events or remove the entire conversation.</p>2.1.3 Data Portability<p>Under GDPR you have a right to request a copy of your data in a commonly-accepted format. If you would like a copy of your data, please send a request over Matrix to dpo@matrix.org. In the future we will provide a better interface for this!</p>2.2 What Information Do You Collect About Me and Why?<p> <strong>The information we collect is purely for the purpose of providing your communication service via Matrix. We do <em>not</em> profile users or their data on the Service.</strong> </p> <p>Be aware that while we do not profile users on the Service, third party Matrix clients may gather usage data. The Element app (the Matrix client provided by Element) optionally gathers opt-in anonymised usage data in order to improve the app. 
This data is retained for not longer than 13 months. For more details on how your data is processed by Element, please review its privacy policy.</p>2.2.1 Information you provide to us:<p>We collect information about you when you input it into the Service or otherwise provide it directly to us.</p>2.2.1.1 Account and Profile Information<p>We collect information about you when you register for an account. This information is kept to a minimum on purpose, and is restricted to:</p> <ul> <li>Username</li> <li>Password</li> <li>Display Name (if you choose to provide one)</li> <li>Your email address (which we may mandate to mitigate abuse)</li> <li>Your verified telephone number (if you choose to provide it)</li> </ul> <p>Your username and password are used to authenticate your access to the Service and to uniquely identify you within the Service.</p> <p>Your password is stored until you change it or your account is deactivated (see 2.5 for details on how passwords are handled securely). Your username is stored indefinitely to avoid account recycling.</p> <p>Your email address is used for account verification purposes. You can delete your email from your account after you have registered and verified, if you so wish. Alternatively, your email address may be used for the purposes described below:</p> <ul> <li>We will also use your email address to let you reset your password if you forget it, and to optionally send you notifications about missed messages from users trying to contact you on Matrix;</li> <li>We may also send you infrequent urgent messages about platform updates.</li> </ul>2.2.1.2 Content you provide through using the Service<p>We store and distribute the messages and files you share using the Service (and across the wider Matrix ecosystem via federation) as described by the Matrix protocol and according to the access rules configured within the system. 
<strong>Storing and sharing this content is the reason the Service exists.</strong> </p> <p>This content includes any information about yourself that you choose to share.</p>2.2.1.3 Information you provide through purchases in the Matrix Foundation Shop<p>The Matrix.org Shop is an online store at which you can purchase Matrix.org-branded merchandise, such as stickers or tee-shirts. All proceeds go to The Matrix.org Foundation. Data you provide for this purpose is processed under Performance of Contract. This means that we process your data for the purposes of fulfilling orders you make from us, getting in touch with you, responding to your requests, working with our suppliers to deliver the Service and enabling its features, ensuring the security of our Service, developing, fixing and improving our Service, administering our business and complying with the law.</p> <p>The information we collect is purely for the purpose of taking payments for merchandise and shipping your purchases to you. We do <strong>not</strong> profile users or their data on the Service.</p> <p>We may need your personal information to establish, bring or defend legal claims. For this purpose, we will retain your personal information for the statutory recommended 7 years after the date it is no longer needed by us for any of the purposes listed under How we use your information above.</p>2.2.1.3.1 Information you provide to us:<p>We collect information about you when you input it into the Service or otherwise provide it directly to us.</p> <ul> <li>Name and contact details</li> <li>Delivery address</li> <li>Purchase information</li> <li>Payment details (handled by a third party provider, not visible to Matrix.org Foundation employees)</li> </ul>2.2.1.3.2 Information we collect automatically as you use the service:<p>Your IP address is logged when you access the Service. This data is used in order to mitigate abuse and debug operational issues. 
Our logs are kept for not longer than 180 days.</p> <p> <strong>2.2.1.3.3 Third-parties</strong> </p>BigCartel<p>We have selected BigCartel to provide our shopfront. By purchasing from our shop, the following details will be shared with BigCartel:</p> <ul> <li>Your purchase details</li> <li>Your name and contact details</li> <li>Your delivery address</li> </ul> <p>Here is BigCartel's Privacy Policy</p>Stripe<p>We use Stripe to handle payment processing. By purchasing from our shop, the following details will be shared with Stripe:</p> <ul> <li>Your payment details</li> <li>Your purchase value</li> </ul> <p>Stripe takes care of all payment processing, so The Matrix.org Foundation and its employees will never see your payment details.</p> <p>Here is Stripe's Privacy Policy</p>Royal Mail<p>We use Royal Mail Click &amp; Drop to generate shipping labels. By purchasing from our shop, the following details will be shared with Royal Mail Click &amp; Drop:</p> <ul> <li>Your name and address</li> </ul> <p>Here is Royal Mail's Privacy Policy</p>2.2.2 Information we collect automatically as you use the Service:Device and Connection Information<p>Each device you use to access the Service is allocated a (user-configurable) identifier. When you access the Service, we record the device identifier, the IP address it used to connect, user agent, and the time at which it last connected to the service.</p> <p>This information is gathered to help you to manage your devices - you can view and manage the list of devices by connecting to the Service with a Matrix client such as the Element app.</p> <p>Currently, we log the IP addresses of everyone who accesses the Service. This data is used in order to mitigate abuse, debug operational issues, and monitor traffic patterns. Our logs are kept for not longer than 180 days. 
Once Matrix is out of beta we will consider implementing log minimisation.</p>2.3 What Information is Shared With Third Parties and Why?2.3.1 Sharing Data with Connected Services<p>We may share your information when working with our suppliers in order to provide the Service.</p> <p>In addition, the Matrix.org homeserver is a <em>decentralised</em> and <em>open</em> service. This means that, to support communication between users on different homeservers or different messaging platforms, your username, display name and messages and files are sometimes shared with other services that are connected with the Matrix.org homeserver.</p>2.3.1.1 Federation<p>Matrix homeservers share user data with the wider ecosystem over federation.</p> <ul> <li>When you send messages or files in a room, a copy of the data is sent to all participants in the room, including (depending on room settings) participants who join the room in future. If these participants are on remote homeservers, your username, display name, messages and files may be replicated across each participating homeserver.</li> <li>We will forget your copy of your data upon your request. We will also forward your request to be forgotten onto federated homeservers. However - these homeservers are outside our span of control, so we cannot guarantee they will forget your data.</li> <li>Federated homeservers can be located anywhere in the world, and are subject to local laws and regulations.</li> </ul> <p>Access control settings are shared between homeservers, as well as any requests to remove messages by "redactions", or remove personal data under GDPR Article 17 <em>Right to Erasure (Right to be Forgotten)</em>. Federated homeservers and Matrix clients which respect the Matrix protocol are expected to honour these controls and redaction/erasure requests, but other federated homeservers are outside of the span of control of Element, and we cannot guarantee how this data will be processed. 
Federated homeservers can also be located in any territory, and will be subject to the local regulations of that territory.</p> <p> <strong>2.3.1.2 Bridging</strong> </p> <p>Some Matrix rooms are bridged to third-party services, such as IRC networks, Twitter or email. When a room has been bridged, your username, display name, messages and file transfers may be duplicated on the bridged service where supported.</p> <ul> <li>It may not be technically possible to support your management of your data once it has been copied onto a bridged service.</li> <li>Bridged services can be located anywhere in the world, and are subject to local laws and regulations.</li> </ul> <p>Access control settings, requests to remove messages by "redactions" or remove personal data under GDPR Article 17 <em>Right to Erasure (Right to be Forgotten)</em> are shared to bridging services, which are expected to honour them to the best of their ability. Be aware that not all bridged networks or bridges support the necessary technical capabilities to limit, remove or erase messages. If this is not acceptable to you, please do not use bridged rooms.</p>Integration Services (Bots and Widgets)<p>The Matrix.org homeserver provides a range of integrations in the form of Widgets (miniature web applications accessed as part of a Matrix Client) and Bots (automated participants in rooms). Bots and Widgets currently have access to all the messages and files in any room in which they participate, although we are adding a more sophisticated access control system.</p>Transfers of your Data<p>If you use our Service your data will be transferred outside of the EU to other homeservers and services connected with matrix.org as this is necessary to provide the Service to you. 
By the very nature of our Service, such transfers will occur regularly and we have no control over the safeguards adopted by third party recipients.</p> <p>Where we engage suppliers to process your data outside the EU we will ensure that appropriate safeguards such as the standard contractual clauses are in place.</p>2.4 Sharing Data in Compliance with Enforcement Requests and Applicable Laws. Enforcement of Our Rights<p>In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to</p> <p>(a) comply with any applicable law, regulation, legal process or governmental request,</p> <p>(b) protect the security or integrity of our products and services (e.g. for a security audit),</p> <p>(c) protect Element and our users from harm or illegal activities, or</p> <p>(d) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the serious bodily harm of any person.</p>2.5 How Do You Handle Passwords?<p>We never store password data in plain text. Instead, passwords are stored hashed (with at least 4096 rounds of bcrypt, including both a salt and a server-side pepper secret). Passwords sent to the server are encrypted using SSL.</p> <p>It is your sole responsibility to keep your user name, password and other sensitive information confidential. Actions taken using your credentials shall be deemed to be actions taken by you, with all consequences including service termination, civil and criminal penalties.</p> <p>If you become aware of any unauthorised use of your account or any other breach of security, you must notify Element immediately by sending an email to security@matrix.org. Suspicious devices can be deleted using the User Settings management tools in a Matrix client such as https://riot.im/app, and users should manage good password hygiene (e.g. 
using a password manager) and change their password if they believe their account is compromised.</p> <p>If you forget your password (and you have registered an email address) you can use the password reset facility to reset it.</p> <p>You can manage your account by using a Matrix client such as https://element.io/app</p> <p>We will never change a password for you.</p>2.6 Our Commitment to Children's Privacy<p>We never knowingly collect or maintain information in the Service from those we know are under 16, and no part of the Service is structured to attract anyone under 16. If you are under 16, please do not use the Service.</p>2.7 How Can I Access or Correct My Information?<p>You can access all that we collect about you by using any compatible Matrix client (such as https://element.io/app) and managing your User Settings. You can download a copy of all your data as per section 2.1.3.</p>2.8 Who Can See My Messages and Files?<p>In unencrypted and encrypted rooms, users connecting to the Matrix.org homeserver (directly or over federation) will be able to see messages and files according to the access permissions configuration of the relevant room. This data is stored in the format it was received on our servers, and can be viewed by New Vector engineers (employees and contractors) under the conditions outlined below.</p> <p>In encrypted rooms, the data is stored in our databases but the encryption keys are stored only on your devices or by yourself. Users can optionally backup an encrypted copy of their keys on the Service to aid recovery if they lose all their keys and devices. This key backup is encrypted by a recovery key that only the user has access to. This means that nobody, even Element engineers (employees and contractors) can see your message content in our database, and if you lose access to your encryption keys you lose access to your messages forever.</p> <p>We use HTTPS to transfer all data. 
End-to-end encrypted messaging data is stored encrypted using AES-256, using message keys generated using the Olm and Megolm cryptographic ratchets.</p>2.9 What Are the Guidelines Element Follows When Accessing My Data?<ul> <li>We restrict who at Element (employees and contractors) can access user data to roles which require access in order to maintain the health of the Service;</li> <li>We have technical procedures in place to prevent unauthorised access to user data;</li> <li>We never share what we see with other users or the general public.</li> </ul>2.10 Who Else Has Access to My Data?<p>We host the majority of the Service in UpCloud data centres. Here's UpCloud's privacy policy. UpCloud controls physical access to their locations.</p> <p>We host some Services in Mythic Beasts data centres. Here's Mythic Beasts' privacy policy.</p> <p>We store some files shared through the Service on Amazon Web Services (AWS). Amazon employees have access to this data. Here's Amazon's privacy policy. Amazon controls physical access to their locations.</p> <p>We use Cloudflare to mitigate the risk of DDoS attacks. Here's Cloudflare's privacy policy.</p> <p>Physical access to our offices and locations uses typical physical access restrictions.</p> <p>We use secure private keys when accessing servers via SSH, and protect our AWS console passwords locally with a password management tool.</p> <p>We log application data (username, user IP and user agent). 
We keep logs for no longer than 180 days.</p>2.11 What happens if Element is sold?<p>In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.</p> <p>If we or substantially all of our assets are acquired by a third party, personal data held by us about our users will be one of the transferred assets.</p>2.12 How Is My Data Protected from Another User's Data?<p>All of our users' data for the Service currently resides in the same database cluster which is due to the nature of our Service. We use software best practices to guarantee that only people who you designate as viewers of your data can access it. In other words, we segment our user data via software. We do our best and are very confident we're doing a good job at it, but, like every other service that hosts their user data on the same database, we cannot guarantee that it is immune to a sophisticated attack.</p>2.13 What Should I Do If I Find a Security Vulnerability in the Service?<p>If you have discovered a security concern, please email us at security@matrix.org. We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. We consider correspondence sent to security@matrix.org our highest priority, and work to address any issues that arise as quickly as possible.</p> <p>Please act in good faith towards our users' privacy and data during your disclosure. White hat security researchers are always appreciated.</p>3. Making a Complaint<p>We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention at dpo@matrix.org if they think that our collection or use of information is unfair, misleading or inappropriate. 
We would also welcome any suggestions for improving our procedures.</p> <p>If you want to make a complaint about the way we have processed your personal information to the supervisory authority, you can contact the ICO (the statutory body which oversees data protection law) at https://www.ico.org.uk/concerns.</p>4. Document History<ul> <li>2018, March 28: created.</li> <li>2019, August 22: revised.</li> <li>2020, August 10: revised</li> </ul> <p> <strong>A note to other startups:</strong> this document was heavily inspired by Balsamiq's plain English ToS document. We were impressed by their championing of plain English, and wanted to reproduce that as much as possible in our own legal documentation. Feel free to draw similar inspiration from this document, though be sure to get any documents you produce checked over by a lawyer. Good luck!</p>




