How does moonzean use data?

Stored data about individuals:

- Profile information
  - first and last name
  - description / status
  - preferred language
  - timezone
  - mail address
  - date of account creation
  - latest date of being online
  - account preferences
- Authentication
  - IP address of each login
  - user agent of each login
  - date of each login
  - a cookie is created that stores login session data only. Every login session has a unique random key, associated with the data stored during login and navigating
- Push notification tokens
  - device operating system (Google, Apple)
  - device push key
- Contact information
  - pending contact requests (awaiting acceptance / refusal)
  - contact connection (between two users)
- Conversations and messages
  - members of conversations
  - encryption key of conversations
  - latest activity of conversation
  - latest time at which each user has viewed a conversation / latest message each user has read
  - messages stored in encrypted format in the database (text messages get decrypted on the server before being sent)
  - date of creation of message
  - user who created the message
  - messages can contain images or voice messages, stored on the same server
  - messages are deleted after 6 weeks, including assets (voice messages, images)
- Feedback
  - date and message of the feedback message
  - OPTIONAL: mail and username
- Groups
  - title
  - description
  - date of creation
  - latest activity
  - visibility and personalization preferences
  - users including date of joining
- Notes
  - note content stored in encrypted format in the database (notes get decrypted on the server before being sent)
  - encryption key for notes
  - latest date of modification
- Posts, comments
  - content
  - date of publish
  - associated group
  - votes from users
  - images
- Tags
  - users, groups may have tags linked
- Widgets
  - widget activation date
  - widget information (name, description, developer, published date)
  - preferences

Why is certain data collected?
I'm going to talk about the two most sensitive things here: how/why messages are encrypted / decrypted, as well as how/why login sessions get logged.

- How and why are messages encrypted?
  When creating a message, the client side never encrypts the message. It is sent in plaintext, but over a TLS connection, meaning the message can't be read during transmission. The server uses the encryption key to encrypt the message before storing it in the database, and decrypts it when the message is requested, before sending it back in plaintext over a TLS connection. Client-side encryption is not available because the user can use multiple devices for login, meaning that there is no way to have the decryption key available without having it stored on the server. Server-side encryption is used so that messages are not immediately apparent to administrators when debugging problems.
- How and why do login sessions get logged?
  The data stored when logging in is the IP address and the user agent, together with the date. Additionally, a random key is generated and sent to the user. While the user navigates through moonzean and makes requests, the latest-activity date is updated every time. In case the user agent changes, it gets updated as well. In case the IP address changes, it gets updated, too. When logging off, the session is marked as closed, invalidating the key for further use as authentication. The data is collected in order to be able to prevent malicious activity, for example someone stealing the authentication key and using it without notice. This is the reason why manual logoff is highly recommended instead of just closing the browser window when browsing at a public computer.

All data is collected for the purpose of enhancing the user experience. Collected data is analyzed in an anonymous fashion.
For example, the number and content length of posts as well as the number of users are used to judge how popular / active a group is. It is not planned to share data with other third parties. Data is stored in Germany (Europe). Except for messages, data is stored until manually deleted.

"I want all the data moonzean collected about me"

In case you want a copy of all your data on moonzean, send a mail to anthimos@moonzean.com. I will try to provide you with the data collected about you as quickly as I can if I have the available time. Please note that moonzean is not a commercial project, and requesting your data for no particular reason is a frustrating activity in terms of the time I have to spend on it. As such, I will require you to send me a copy of your passport / legal authentication document, matching your first name and last name, in order to proceed.

Account deletion / Deletion of personal data

In case you want to get your account deleted (which includes the deletion of all personal data), message me at anthimos@moonzean.com. I will try to delete your account as quickly as possible. Please make sure you use the same mail address as your account uses when doing so, or I will need you to provide me with a different way of authentication.

Also, maybe you are interested in this page: https://www.moonzean.com/legal/
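
The login-session handling described under "How and why do login sessions get logged?", as an added Python example that is not moonzean's code. `SessionStore`, its method names and the `needs_review` heuristic are assumptions; unlike the description above, it also keeps the previous IP address / user agent in a change list so that use of a stolen key leaves a trace.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Session:
    ip: str
    user_agent: str
    last_seen: datetime
    closed: bool = False
    changes: list = field(default_factory=list)  # audit trail: an assumption, not on the page


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, ip, user_agent):
        key = secrets.token_urlsafe(32)  # unique random key, delivered as the session cookie
        self._sessions[key] = Session(ip, user_agent, datetime.now(timezone.utc))
        return key

    def touch(self, key, ip, user_agent):
        """Authenticate one request; None means the key is unknown or closed."""
        s = self._sessions.get(key)
        if s is None or s.closed:
            return None
        now = datetime.now(timezone.utc)
        changed = {}
        if s.ip != ip:
            changed["ip"] = (s.ip, ip)
        if s.user_agent != user_agent:
            changed["user_agent"] = (s.user_agent, user_agent)
        if changed:
            s.changes.append((now, changed))  # keep the old value instead of overwriting silently
        s.ip, s.user_agent, s.last_seen = ip, user_agent, now
        return s

    def logout(self, key):
        s = self._sessions.get(key)
        if s is not None:
            s.closed = True  # the key can no longer authenticate

    def needs_review(self, key):
        """Hypothetical heuristic: IP and user agent changed on the same request."""
        s = self._sessions.get(key)
        return s is not None and any(len(c) == 2 for _, c in s.changes)
```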