Hosted Snikket Instances Privacy Policy

Here you will find our privacy policy for our hosting service.

This is where we host your Snikket instance for you. It covers your account on our hosting dashboard, as well as the data associated with instances you launch.

The data controller for this processing is Snikket Community Interest Company c/o Hand & Co. Manor House Offices, Malvern Rd, WR2 4BS England.

If you have any questions, feel free to contact us by email at hosting@snikket.org.

If you are a user of a Snikket service (whether hosted by us or not), please confirm with your Snikket service operator what privacy policy is applicable to their service. They control that, not us. We have set out below the kind of information they might process, just for your awareness.

General principles

  • You don’t have to provide us with any personal data but, if you don’t, you might not be able to buy the service from us, or make use of the service.

  • Data that we store is used only for providing our service to you. We do not use “data mining” techniques, nor do we attempt to “profile” you (e.g. for advertising). We consider your data to be yours, and we handle it with sensitivity.

  • We use some third-party services as part of our hosting infrastructure, although we try to keep these to a minimum. Relevant services include:

    • Mailgun: used for sending some emails (e.g. notifications, password resets, etc.) from our service via their EU-based server. Your registered email address and the contents of those emails sent by our systems are therefore necessarily sent to Mailgun’s servers for delivery.
    • Paddle: used for payment processing. We do not share any personal data with Paddle beyond the data you provide during the checkout process when purchasing an instance subscription. Paddle determines the appropriate currency to display based on your IP address.
  • Our own services run on a mix of virtual and physical servers managed by hosting providers such as Hetzner, OVH and Digital Ocean.

  • If you no longer require our service, please notify us of this. Your personal data will then be removed from our servers within 30 days. For your security, we may preserve some non-personal information indefinitely such as previously registered domain names, to prevent their re-registration by other users of the service.

We expect you to comply with the law when using our service.

Likewise, we will comply with law enforcement when legally required to do so. We will notify you of requests relating to your personal data, unless legally required not to.

Your Snikket Hosting account

To provide access to our system, we store the information you would expect, such as the email address you registered with, and a hash of your credentials. This is necessary for us to perform our contract with you. If multi-factor authentication is enabled, we will store the necessary secret keys needed to authenticate you.

When you access your Snikket hosting account through our dashboard, one or more small pieces of data known as “cookies” may be stored in your web browser. These essential cookies allow us to securely identify your browser as you move between different pages in the dashboard, and therefore protect your account. The cookies are not shared with third parties or used for tracking, advertising or any such purposes.

Snikket instances

Our hosting service allows you to create one or more Snikket instances. An instance is identified by its public domain name. Within each instance, you may invite selected people to join that instance by sharing an invitation link with them.

All data associated with your hosted instances is yours. You may request a copy of your data at any time by sending an email to hosting@snikket.org. This is the same data you would be able to access when self-hosting Snikket, with the exception of security-sensitive data such as certificates and their associated keys (if you have your own domain, you can obtain your own certificates if you wish to self-host).

We store your instance data on encrypted disk partitions, protecting it from certain kinds of potential exposure.

Locations

Our primary service is located in Germany, although other locations may be offered to you when you create an instance. Your instance will not change location without your request or prior notice.

There are regular encrypted off-site backups to a server located in Switzerland.

Apps may route encrypted audio/video call data via our servers when both parties are behind restrictive firewalls and unable to make a direct connection. We offer these relay servers in multiple locations, and you can choose between them in the instance configuration.

Operational data

In order to provide you with a safe and reliable service (i.e. a legitimate interest of ours and yours), we gather various monitoring data from our systems and running instances. The purposes we collect this data for include:

  • Performance monitoring and capacity planning
  • Billing
  • Quota enforcement (ensuring our resources are divided fairly between customers)
  • Detecting and preventing abuse (e.g. violations of our terms of service)
  • Error detection

Some examples of the types of data we collect include:

  • CPU and RAM usage
  • Disk usage, count and size of uploaded files
  • Number of instances launched
  • Number of active users
  • Time taken to perform automated routine tasks, such as deletion of expired data

We do not share sensitive operational data with third parties.

We may produce and share aggregated data privately and publicly. For example, we may from time to time publish such aggregated data publicly in blog posts - e.g. we might share publicly how many instances we are hosting in total, or what the average RAM usage of a Snikket instance is.

Web analytics

We utilize very basic privacy-conscious analytics on our website and hosting dashboard. We do this for our legitimate interest of organising the site more efficiently (making sure people find what they are looking for as easily as possible) and detecting issues (such as broken links).

This data is not shared or correlated with third parties (we host it ourselves using open-source software) and does not employ cookies or cross-site tracking. More information can be found in the snikket.org general privacy policy.

Information stored by Snikket instances

If you are a user of a Snikket service, please confirm with your Snikket service operator what privacy policy is applicable to your use of their service. We are providing this information so that you are aware of the different types of information you might share when you use a hosted Snikket service.

Basic account information

When you create an account on a Snikket instance, your username will be stored, along with a hashed version of your password.

You may additionally provide a profile picture (avatar) and display name. These will be shared with other users on the network so they may identify you. You can control visibility of this information in the profile section of the web portal (accessed by visiting your Snikket domain in a web browser).

Contacts that you add within the app will be stored in your contact list on the Snikket server. This is so that the server can identify who you have (and have not) permitted to view your online status, profile and other information, and to synchronize your Snikket contacts if you have multiple apps or devices.

The server will also maintain a list of apps that you have authorized to connect to your account. The server will assign a random identifier to each authorized app, as well as generic information that can help you identify the app, such as its name.

Messages

When you send or receive a message on Snikket, this message is stored temporarily in your personal “message archive” on the Snikket server. The purpose of your message archive is to enable an app you use with your account to “catch up” on recent conversations. This allows Snikket to:

  • ensure delivery of messages even if you are temporarily offline or experiencing connectivity issues, and
  • allow synchronization of messages across multiple devices and apps that you may use.

The data stored for each entry in the message archive is:

  • A unique identifier for the message
  • The time and date that the message was sent/received
  • The sender and recipient of the message
  • The message contents (encrypted according to your app’s settings)

Entries in the message archive are stored for a minimum of 7 days. The server will routinely erase all delivered entries after they have been in the archive for this amount of time.

We encourage the use of encryption of your message contents, as is the default within the Snikket app.

Uploaded files

You may also use the server to upload files (including images and videos) within your conversations. These files will remain on the server for a minimum of 7 days. This allows your contacts time to retrieve the file, even if they are offline. Similarly to message archives, the server will routinely erase files beyond this age.

Uploaded files are assigned a long random identifier which is included in the link to the file. This ensures your files can only be viewed by people you share the link with.

The server will store the following information for every shared file:

  • A unique identifier
  • The time and date that the file was uploaded
  • The file name
  • The file size
  • The file type (as reported by the app)
  • The file contents (encrypted according to your app’s settings)

The Snikket app will automatically encrypt file contents when sharing a file within an encrypted conversation.

Once you share a file with a contact, understand that the contact may store a copy of the file on their device that is beyond our control and may remain even after the file is removed from the Snikket server.

Access and network information

The Snikket server may record the time and general location from which you connect to your account or perform certain security-related actions such as changing your password.

This is to identify unauthorized access to your account, and detect when your account becomes inactive for administrative purposes (for example, so that it may be erased when no longer needed).

Push notifications

If necessary, apps connected to your account may register to receive “push notifications” for incoming messages. The data provided to the server in this registration varies depending on the app you are using. For more information about push notifications in the Snikket apps, refer to the privacy policy of the Snikket apps.

Cookies

When you access your account through the web portal on your Snikket domain, one or more small pieces of data known as “cookies” may be stored in your web browser. These essential cookies allow us to securely identify your browser as you move between different pages in the web portal, and therefore protect your account. The cookies are not shared with third parties or used for tracking, advertising or any such purposes.

Remote services

Snikket supports communication between users on different Snikket (or XMPP-compatible) services. Similar to something like email, if you send data (such as messages, media and files) to someone on a different service, we no longer have control over the data that you have sent to them. Our policy does not apply to services beyond our control. You may consult the privacy policy of the remote service, if available, for more information on how they handle their data.

Your rights

You have various rights in respect of the personal data we process about you. This includes the right:

  • to request access to your personal data (i.e. to get a copy of it)
  • to rectify inaccurate personal data
  • to require the erasure of your personal data in some situations
  • to require that we restrict our processing of your personal data, and to object to our processing, in some situations
  • to data portability, in some situations

If you have any questions, feel free to contact us by email at hosting@snikket.org.

If you have a complaint about the way in which we are processing your personal data and we have not been able to resolve it with you, you can complain to a supervisory authority (in the UK, this is the Information Commissioner’s Office).