Data protection policy
Only the German text of the data protection declaration is legally binding!
For our english speaking user: this text is written to the best of our knowledge but is for informational purposes only!
Data protection policy
according to Art. 13 General Data Protection Regulation (GDPR)
Last updated: 2024-06-27
Privacy Policy Summary
We dedicate our fediverse instances to the Fediverse Foundation community. Our team based in Vienna, Austria provides the nonprofit service on a voluntary basis to offer privacy-friendly microblogging accounts that our users commonly use to network, socialize, and discuss ideas.
Fediverse Foundation processes profile data in the form of posts (toots), subscriptions (following), subscribers (followers), content ratings (likes) and promotions (boosts) for publication on profile and post pages. For registered users, we process your profile data to provide the service. For users of other instances, we store and display public profile data based on our legitimate interest, until you object and in any case if you delete your post or other data (unsubscribe, change, unboost).
If you contact Fediverse Foundation by e-mail or (private) post, we only use any personal data that your message may contain (e.g. your e-mail address or your name) to respond to your message answer. We archive your message for a maximum of 12 months. You are of course free to use a nickname and a pseudonymous e-mail address. We process messages from our registered users to provide the service and rely on the consent of users on other instances. We may also process messages to comply with our legal obligations.
The following information is provided in accordance with Articles 12, 13 and 14 of the GDPR.
Mastodon
To ensure secure interaction, the Mastodon website stores the "Mastodonsession" cookie with an identifier in the browser of registered and unregistered website visitors until they close their browser. For registered website visitors, the "sessionid" cookie saves their login status until they log out. Based on the user's consent, the website also saves push notification preferences in the browser. For security and debugging purposes, our server logs and stores visitors' IP addresses for a maximum of 62 days.
Lemmy
In logged-out state no cookies are used. For registered website visitors, the "jwt" cookie saves their login status until the log out. Based on the user's consent, the website also saves push notification preferences in the browser. For security and debugging purposes, our server logs and stores visitors' IP addresses for a maximum of 62 days.
Data protection policy
1. General information
The following information is intended to provide a simple overview of what happens to your personal data when you use Mastodon.
According to Art. 4 No. 1 GDPR, “personal data” is any information that relates to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features, expresses the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified.
- "User" means the natural person who interacts with or directly through the Website or indirectly through third party applications compatible with ActivityPub.
- "Registered User" means the users with an ActivityPub profile (Mastodon, Lemmy, etc.).
- "Profile Data" means your posts (toots), subscriptions (following), subscribers (followers), content ratings (likes) and promotions (boosts), bookmarks and profile settings.
- "Subscribers" are the accounts that follow a Registered User.
- "Subscriptions" means the accounts followed by a Registered User.
- Scope and purpose of processing: This data protection information applies to the processing of personal data for the provision of "Fediverse services", especially Mastodon and Lemmy. It provides information about what personal data is processed and how it is processed and what rights you have as a data subject.
- Responsible for processing: Fediverse Foundation is responsible for data processing in its capacity as provider of the service.
All detailed information on the subject of data collection and data protection can be found in the data protection declaration below.
2. Who we are
Fediverse Foundation (hereinafter "we", "us" or "the Service") is a non-profit service that provides "Fediverse" social media accounts for the Fediverse Foundation community ("you"). For the purpose of connecting and interacting with other Fediverse accounts, Fediverse Foundation processes personal data from its users and users of other entities with which they interact. This privacy notice describes what types of personal data we process and on what legal basis, how long we store it and why, and your rights in relation to your data.
3. Who is responsible for data processing?
Responsible for data processing:
Fediverse Foundation
Sillerplatz 8
1130 Vienna
support@fediversefoundation.at
4. On what legal basis and for what purpose are your data processed?
We dedicate our "Fediverse" instances to the Fediverse Foundation community. Our team based in Vienna, Austria provides the nonprofit service on a voluntary basis to offer privacy-friendly microblogging accounts that our users commonly use to network, socialize, and discuss ideas.
Personal data processed by Fediverse Foundation is accessible by its administration team and, if necessary, by moderators on a need-to-know basis in order to ensure its secure operation. User content is published or provided according to user preferences. Fediverse Foundation does not use any other data processors to provide the service.
The data is provided when registering and logging in to accounts and general use as well as when contacting us on the basis of Article 6 (1) lit. a, b, c GDPR. In addition, data is collected in accordance with Article 6 (1) (f) GDPR in order to ensure that "Fediverse" services (website, API) are provided correctly.
5. What data is collected?
On the one hand, your data is collected by providing personal data (e.g. name, e-mail address) yourself when you register with Feiverse Foundation services. Furthermore, the number of visits to the website by date, which subpage and from which website (domain) as well as performance data are recorded anonymously using statistical tools.
a) Cookies
Mastodon
To ensure secure interaction, the Fediverse Foundation websites stores the "Mastodonsession" cookie with an identifier in the browser of registered and unregistered website visitors until they close their browser. For registered website visitors, the "sessionid" cookie saves their login status until they log out. Based on the user's consent, the website also saves push notification preferences in the browser. For security and debugging purposes, our server logs and stores visitors' IP addresses for a maximum of 62 days. After this time, all IP addresses will be removed.
Lemmy
In logged-out state no cookies are used. For registered website visitors, the "jwt" cookie saves their login status until the log out. Based on the user's consent, the website also saves push notification preferences in the browser. For security and debugging purposes, our server logs and stores visitors' IP addresses for a maximum of 62 days.
b) Profile Data
Fediverse Foundation processes profile data in the form of posts (toots), subscriptions (following), subscribers (followers), content ratings (favourites) and promotions (boosts) for publication on profile and post pages. For registered users, we process your profile data to provide the service. For users of other instances, we store and display public profile data based on our legitimate interest, until you object and in any case if you delete your post or other data (unsubscribe, change, unboost).
c) Website visitor data
The Fediverse Foundation website and APIs process the IP addresses and other metadata (as specified below) of its visitors. When accessing the service, an encrypted connection to its web server is established. In order to correctly display the content on the visitor's computer or other end devices, the following data are processed according to the HTTP and TCP/IP protocol:
- IP address of the visitor's Internet connection
- Operating system and operating system version of the visitor terminal
- Web browser and browser version
- Date of access to the website#
- Mastodon
- Lemmy
This is necessary for querying, processing and displaying profile data and other content of the service. After each visit to the site, some of the data is stored in the account profile (if logged in) and server logs. These logs are used for server maintenance and security, and the personal data they contain are deleted after 62 days. In addition, the website uses the "sessionid" cookie to register the login status
to save the user until they log out or for up to one year after the last website visit. The website also saves the notification settings in the browser. This processing takes place on the basis of Art. 6 Para. 1 lit. b GDPR ("Processing is necessary to fulfill a contract"). This includes processing to comply with the necessary technical and organizational protective measures.
d) Contributors to Third Party Services
Fediverse Foundation processes personal data when users of third-party services with ActivityPub support interact with its accounts. In order to enrich public profile pages with profile data, the following data is processed according to the requirements of the ActivityPub protocol:
IP address of the third party service
Name of the end device software of the user
Display name, account name and profile picture
Current date and time
profile data
Private messages are not end-to-end encrypted and are therefore generally accessible to Fediverse Foundation administrators.
This processing is necessary to provide federated "Fediverse"-instances and is therefore based on Article 6 (1) (f) GDPR (“Processing is in our legitimate interests”), with the exception of personal data that is not required, such as: . B. Display name and profile picture, the processing of which is based on Article 6(1)(a) GDPR ("consent"). Fediverse Foundation stores profile data from subscriptions to compatible third-party services until it receives a request for deletion or objection (unsubscribe, different, unboost) via this service or directly from the user.
e) Registered Users
Fediverse Foundation restricts registrations to users who it believes are part of the EU Policy Zone. Fediverse Foundation reserves the right to refuse to provide the service to any particular user for any reason. The following data from registered users is processed to set up and later manage accounts:
- Display name, account name, profile picture and header picture
- Registration data consisting of an email address
- Account Description/Biography
- Content (Toots), promoted and valued content
- Private messages (sent and received)
- Subscriptions and their current content
- Logged-in sessions (end device software, time and date, IP address)
If registered users post profile data, the previous section applies accordingly. Note that updating subscribers and posting profile information (including profile mentions) requires disclosure of personal information to the recipients' service. Depending on the geographic location of their "Fediverse" server, the disclosure may potentially involve international data transfers that are beyond Fediverse Foundation control.
The Registered User's name and display name, profile picture and header, description, subscriptions, owned and promoted content, the content of their subscriptions, and the feedback they have provided will be published on their profile page.
This processing takes place on the basis of Art. 6 Para. 1 lit. b GDPR ("Processing is necessary to fulfill a contract"), with the exception of unnecessary personal data such as display name and profile picture, the processing on the basis of Art. 6 Para. 1 lit. a GDPR ("consent"). Profile data is stored until the account is deleted.
Registered users are responsible for the use of their accounts and their own GDPR compliance as separate controllers when posting other people's personal data.
f) Contact
If you contact Fediverse Foundation by e-mail or (private) post, we only use any personal data that your message may contain (e.g. your e-mail address or your name) to respond to your message answer. We archive your message for a maximum of 12 months. You are of course free to use a nickname and a pseudonymous e-mail address. We process messages from our registered users to provide the service and rely on the consent of users on other instances. We may also process messages to comply with our legal obligations.
g) Server log files
The provider of this site automatically collects and stores information in so-called server log files, which your browser automatically transmits. These are: Browser type and browser version, operating system used, referrer URL, host name of the accessing computer, time of server request, IP address. This data is not merged with other data sources. This data is also not assigned to any natural person. They only serve to improve the website. In the event of illegal use of the website, we reserve the right to subsequently check data
in. The data processing is based on the legitimate interest according to Art. 6 Para. 1 lit. f GDPR in the technically flawless presentation. The data will be deleted after the purpose has ceased to exist, i.e. within a few days, unless further storage is required for evidentiary purposes.
h) TLS encryption
You can recognize the SSL or TLS encryption in the address line of the browser, as this changes from "http://" to "https://" and a lock symbol is also visible at the end of your browser line. SSL or TLS encryption is used on this site for security reasons and to protect the transmission of confidential content, such as inquiries via the contact form. This type of encryption makes it impossible for third parties to participate in the transmission of the data.
6. What rights do you have in relation to your data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data at any time and free of charge. You also have the right to request the correction, data portability, restriction of use or deletion of this data. In this regard and also for all other questions on the subject of data protection, you are welcome to contact us at any time at the address given above.
You can revoke your consent at any time. To do this, send us an informal message by e-mail; you will find our contact details in the imprint. The legality of the data processing operations that took place up until the revocation remains unaffected by the revocation.
All the data you enter when contacting us will remain with us until you request us to correct it, restrict data processing or delete it, revoke your consent to the storage of your data or the purpose for storing the data no longer applies, such as after processing has been completed a request. Mandatory legal provisions - including retention periods - remain unaffected.
7. Complaint Rights & Competent Data Authority
In the event of violations of data protection law, the data subject has the right to lodge a complaint with the competent supervisory authority. In the case of data protection questions or complaints, the competent authority is the Austrian Data Protection Authority (DSB), Wickenburggasse 8-10, 1080 Vienna. https://www.dsb.gv.at/