Privacy Policy
This is a privacy policy notice for anyone who happens to use any of the services I use.
For all services
My server is a VPS with full disk encryption. This means that, if the disk is seized, e.g. by law enforcement, your data will be unreadable to them. However, if the VPS host wishes to, they can dump the decryption keys from RAM and read my disk. For most user services I host, there will be additional encryption at rest, including schemes where data is never decrypted server-side.
The server is hosted in Romania.
I make local backups of server data which I physically possess. These backups are always on LUKS-encrypted drives (i.e. same disclaimer as above about being unreadable should they be seized) stored in Britain. I reserve the right to keep my backups for as long as I like, so any data you have deleted on my server may still exist in backups. If you have accidentally uploaded sensitive data to my server which you want scrubbed, contact me and I will do my best to remove it from backups. Please don’t rely on this to delete data though, and just don’t upload anything to my server that absolutely can’t persist.
My server uses fail2ban with a ban length of 1 day, so your IP address may be stored for a day if fail2ban bans you.
Sharing data
If I am not forced to by law, I will never share the data of anyone who uses my hosted services with any third party. Try not to use my server for anything that could get the cops on me, but in the event that I am approached by law enforcement with a legally valid data access request/warrant/etc, I will do everything I safely can to avoid handing over data, up to and including shutting down the service in question. This is no guarantee that I wouldn’t comply if my own safety/liberty/etc were at risk, though; therefore, you should not take it as a given that data stored on this server cannot be shared if law enforcement is interested.
I will not go out of my way to read anyone’s private data (e.g. email addresses on accounts), but if it is unencrypted, I may stumble across it while doing server maintenance, reading logs, etc. If you have public data on my server, I may access it from the public web as a member of the public.
Web services
My web server is nginx. I log web requests without any identifying information. I log:
- Timestamps
- The type of request
- The resource accessed
- The status of the request
My logging config is:
    log_format main '[$time_local] "$request" '
                    '$status $body_bytes_sent ';
Logs are rotated with logrotate with the following logrotate config:
    /var/log/nginx/*.log {
        missingok
        sharedscripts
        postrotate
            /etc/init.d/nginx --quiet --ifstarted reopen
        endscript
    }
I also log errors. My error logs contain IP addresses, but no other identifying information.
My static website (revsuine.xyz)
My static website does not collect data about you beyond nginx logging. It uses JavaScript for prism.js syntax highlighting, and for the drop-down menu on mobile. To see the JavaScript usage, look at the GitHub repo for the theme. The site works completely fine without JavaScript.
This website does not use cookies, tracking pixels, or anything of the sort.
Nextcloud (cloud.revsuine.xyz)
Server-side encryption is enabled, meaning I can view an index of your files, but not read their content. End-to-end encryption is also enabled.
I log errors, which may contain client IP addresses.
Forgejo (git.revsuine.xyz)
There is no additional encryption at rest for anything hosted on Forgejo, so you shouldn’t upload anything to my Forgejo instance you don’t want me to see. I can say I won’t look at your private repos, but you’d have to take my word for it, and I am able to look at them if I want to.
Changes
This privacy policy was first written in 2024 and will be kept up-to-date. I reserve the right to update this privacy policy whenever I like.