May 13, 2018, 11:37 a.m. by mati

As some of you are most certainly aware, the General Data Protection Regulation (GDPR) will come into force on May 25th, 2018. It is a major step forward for users of any service that handles privacy related data. Obviously, this services is affected by the GDPR too, so we'd like to take some time to give you an overview of your rights and what they mean in context of jabber.at.

In general, please be aware that

  • jabber.at is run by private individuals in their free time.
  • As such, jabber.at is a "best effort" service in all respects.
  • None of us are lawyers or anything close to it.
  • We have zero income from this service: jabber.at is free for all users. We have no ads and take no private donations.
  • We have zero expenses - except lots of our free time - from this service: Necessary infrastructure (server, bandwidth) is provided by the Students Union of Computer Science Students of the Vienna University of Technology. Thanks!

Your privacy, with or without the GDPR, always has been and always will be of the upmost importance to us. We are committed to upholding the highest standards possible to us. We also want to answer all your questions (contact) should anything remain unclear.

For example the unofficial information portal eugdpr.org lists the key rights ("Data Subject Rights") you get from the GDPR. We'd like to comment on each of them and what they mean to you with regards to jabber.at.

Breach Notification

Notifying you of any breach in our services (e.g. if we accidentally publish data or our services are hacked) is common sense. We have practiced this in the past and will continue to notify you of any breach we become aware of.

Right to Access

Your personal data is used and processed exclusively for providing you with a Jabber/XMPP service. Our servers and all data on them are located in Vienna, Austria.

Regarding a "copy of your personal data in electronic format":

  1. The only data that cannot be retrieved directly from your client are webserver logs and connection information in short term storage for SPAM-fighting purposes. This data is not necessary for transferring your account to another service and will be removed automatically after a short period of time (see privacy policy).
  2. There currently is no open format (that we are aware of) that provides XMPP account data in a transferable format. When such a format becomes available and our software supports generating such files, we will provide you with that feature.
  3. This currently means that retrieving data via your client is your best option to get such a copy.

Right to be Forgotten

If you want to remove parts of your data (e.g. data you published as a vCard), you can do so directly in the client.

If you want to remove all data from our servers, you can do so here. This will immediately delete all data except webserver logs (which are not directly related to your account) and any short-term connection information that is used to fight SPAM. Both data sets will be removed automatically after a short period of time.

Data Portability

The idea that users can freely choose services provides is at the very core of the Jabber/XMPP protocol.

Since there currently is no standardized exchange format to transfer your data to other XMPP services, we cannot really provide "machine readable" data beyond what is available via the XMPP protocol  that is useful to you. Once there is such a file format, we will provide download/upload functionality to you.

Note that some data cannot be transferred automatically by definition, for example your contact roster and who you are able to see as online, since this data is also stored on the roster of the other user and hence not on our server. You will always have to manually renew subscriptions.

Privacy By Design

We only provide a small part of the Jabber/XMPP ecosystem. For those parts that we are responsible for, we strive to minimize the data we store as possible.

Data Protection Officers

We currently believe that this requirement is not applicable to us. In short, "... whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences" as listed on the eugdpr.org homepage does not describe us as a service.