Mastodon Privacy Policy Generator

The Mastodon Privacy Policy Generator helps Mastodon admins adapt the pretty good privacy policy from https://eupolicy.social for the GDPR compliance of their instance. Give it a try!

This page does not offer legal advice. For legal advice, ask a lawyer. I am just an expert. :wink:

GDPR Applicability and Mastodon

Even if your Mastodon instance is hosted outside of the European Union (EU), you may need to comply with its General Data Protection Regulation (GDPR).

Take a quick test to see whether you need to comply with GDPR. If you do not have to comply with GDPR, I recommend that you comply anyway, because it helps you to be transparent about how you run your instance and to offer users control over their data.

You do not have to comply with GDPR if you can tick all boxes (GDPR Art. 2(2)(c)):

  • My instance hosts only my account and those of family and friends.
  • My instance does not contribute to a commercial activity.
  • My instance has “Allow unauthenticated access to public timeline” disabled in the admin settings.
  • My instance has “Enable profile directory” disabled in the admin settings.

You do need to comply with GDPR if you can tick one box (GDPR Art. 3):

  • My instance also welcomes accounts of natural persons residing in the EU.
  • My instance runs on a server hosted in the EU.
  • My instance federates with instances hosted in the EU. [1]

If you need to comply with GDPR, you need to carry out a number of tasks, some of them regularly. One simple step is to upload a comprehensive data protection notice that informs website visitors, users and other Fediverse participants about the data that your instance processes.

Generator

Most private-sector instances run the identical code of Mastodon and don’t encourage any specific use beyond the generic user-controlled micro-blogging. In that case, I recommend that you use this Mastodon data protection notice generator to create a first draft and add, if necessary, anything that is missing. Most likely, national obligations (such as German TMG law) apply on top. See below for how to help if you would like to contribute. Ask a lawyer if you are not sure.

Credits:

You are using the Mastodon Privacy Policy Generator in version {{generatorVersion}}.

Data Protection Notice

Last updated: {{lastUpdated}}

1. Who we are

{{instanceName}} (hereafter “we”, “us” or “the service”) is a non-profit donation-based service that provides Mastodon social media accounts to the {{instanceCommunity}} (“you”). For the purpose of connecting and interacting with other Mastodon or Fediverse accounts, {{instanceName}} processes personal data from its users and users of other instances with whom they interact. This data protection notice describes what kind of personal data we process and on what legal basis, how long we keep it and why, as well as your rights with respect to your data.

Please do not hesitate to contact us via email to for any question you might have with regard to this document or the processing of your personal data.

2. Data protection summary

We dedicate our Mastodon instance {{instanceName}} to the {{instanceCommunity}}. Our small team in {{instanceAdminsLocation}} provides the non-profit donation-based service on a voluntary basis to offer privacy-friendly micro-blogging accounts that our users typically employ for networking, socialising and discussing ideas {{instanceTopic}}.

For the purpose of ensuring a secure interaction, the website of {{instanceName}} stores the cookie ‘_mastodon_session’ with an identifier in the browser of registered and unregistered website visitors until they close their browser. For registered website visitors, the cookie ‘_session_id’ stores their login status until logout. Based on user consent, the website also stores push notification settings in the browser. For security and debugging purposes, our server logs and stores visitor IP addresses for a maximum of 14 days. After that time, all IP addresses are removed.

{{instanceName}} processes profile data in the form of posts (toots), subscriptions (following), subscribers (follower), content appreciations (likes) and promotions (boosts) for publication in the context of profile and post pages. For registered users we process your profile data to deliver the service. For users of other instances, we store and display public profile data and rely here on our legitimate interest until they object and in any case when they delete their post or other data (unsubscribe, unlike, unboost).

If you contact {{instanceName}} via email or a (private) post, we use any personal data that your message may contain (such as your email address or name) only to respond to your message. We archive your message for at most 12 months. You are of course free to use a nickname and a pseudonymous email address. We process messages from our registered users to deliver the service and rely for users of other instances on their consent. We may also process messages to comply with our legal obligations.

The following information is provided according to Articles 12, 13 and 14 of the GDPR.

3. Data protection notice

For the purposes of this notice:

“User” means the natural person who interacts with {{instanceName}} directly via the website or indirectly via third-party applications compatible with ActivityPub.

“Registered user” means the users with a Mastodon/ActivityPub profile.

“Profile data” means their posts (toots), subscriptions (following), subscribers (follower), content appreciations (likes) and promotions (boosts), bookmarks and profile settings.

“Subscribers” mean the accounts who follow a registered user.

“Subscriptions” mean the accounts followed by a registered user.

Scope and purpose of the processing

This data protection notice applies to the processing of personal data for the provision of the microblogging service {{instanceName}}. It offers information on what personal data is processed and how it is processed, and on your data subject rights.

Responsible for the processing

The data controller is {{instanceName}} in its capacity as the provider of the service.

Processing of personal data

Personal data processed by {{instanceName}} is accessible to its administration team and, where necessary, to moderators on a need-to-know basis to ensure a secure operation. User content is published or delivered according to the user settings. For the provision of the service, {{instanceName}} employs the data processors listed below that process personal data linked to the service solely on the written instruction from {{instanceName}}:

(a) Website Visitors

The {{instanceName}} website and APIs process the IP addresses and other metadata (as specified below) of its visitors. When accessing the service, an encrypted connection to its web server is established. To display the content correctly on the visitor’s computer or other terminal devices, the following data is processed in accordance with the HTTP and TCP/IP protocol:

  • IP address of the visitor’s internet connection
  • Operating system and operating system version of the visitor’s terminal
  • Web browser and browser version
  • Date of access to the website
  • HTTP cookie ‘_mastodon_session’ (for the duration of the website visit)

This is required for the request, processing, and display of profile data and other content on the service. After each page visit, some of the data are stored in the account profile (if logged in) and server logs. These logs serve the purpose of maintenance and security of the server, and personal data therein is deleted after 14 days. Furthermore, the website employs the cookie ‘_session_id’ to store the login status of registered users until logout or until a year after the last website visit. The website also stores the notification settings in the browser. This processing is based on Article 6 (1) (b) of the GDPR (‘processing is necessary for the performance of a contract’). This includes processing carried out in order to comply with the necessary technical and organisational protection measures.

(b) Contributors from third-party services

{{instanceName}} processes personal data when users of third-party services with ActivityPub support interact with its accounts. To enrich public profile pages with profile data, the following data is processed in accordance with the requirements of the ActivityPub protocol:

  • IP address of the third-party service
  • Name of the user’s terminal software
  • Display name, account name, and profile picture
  • Current date and time
  • Profile data

Private messages are not end-to-end encrypted and are therefore in principle accessible to the {{instanceName}} administrators.

This processing is necessary to provide a federated Mastodon instance and therefore based on Article 6 (1) (f) GDPR (‘processing is in our legitimate interest’) with the exception of personal data that is not required such as the display name and profile picture, the processing of which is based on Article 6 (1) (a) GDPR (‘consent’). {{instanceName}} stores profile data from subscriptions from compatible third-party services until it receives via that service or directly from the user a request for deletion or objection (unsubscribe, unlike, unboost).

(c) Registered users

{{instanceName}} limits registrations to users it assumes to be part of the {{instanceCommunity}}. {{instanceName}} reserves the right to refuse the provision of the service to any given user for any reason. To set up accounts and manage them subsequently, the following data from registered users is processed:

  • Display name, account name, profile picture and header image
  • Login credentials consisting of an email address
  • Account description/biography
  • Content (toots), promoted, and appreciated content
  • Private messages (sent and received)
  • Subscriptions and their recent content
  • Logged-in sessions (terminal software, time and date, IP address)

If registered users post profile data, the previous section applies accordingly. Note that updating subscribers and posting profile data (including profile mentions) requires disclosure of personal data to the service of the recipients. Depending on their Mastodon server’s geographic location, the disclosure can possibly involve international data transfers that are outside of {{instanceName}}’s control.

The registered user’s name and display name, profile picture and header, description, subscriptions, their own and promoted content, the content of their subscriptions, as well as their given feedback are published on their profile page.

This processing is based on Article 6 (1) (b) of the GDPR (‘processing is necessary for the performance of a contract’) with the exception of personal data that is not required such as the display name and profile picture, the processing of which is based on Article 6 (1) (a) GDPR (‘consent’). Profile data is retained until the account is deleted.

Registered users are responsible for the use of their accounts and their own compliance with the GDPR as separate controllers when they post personal data of other people.

(d) Donations via Liberapay

Users can make donations for the operation of {{instanceName}} via Liberapay, which processes personal data according to their own data protection notice.

(e) Contacting us by email

If you contact {{instanceName}} via email or a Mastodon private message, any personal data that your message may contain (such as your email address or name) will only be used to respond to your message and may be stored as part of an email archive. You are of course free to use a nickname and a pseudonymous email address. Such personal data will be deleted after 12 months.

Exercise your rights

You have the right to request from us access to and rectification or erasure of your personal data or restriction of processing concerning you or, where applicable, the right to object to processing or the right to data portability. Where applicable, you also have the right to withdraw your consent at any time. Please note that withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal.

Please find more information on your rights on the website of the European Commission.

You have, in any case, the right to lodge a complaint with the data protection authority as a supervisory authority.

Acknowledgments

These terms are based on the terms initially published by eupolicy.social and made more accessible by the Mastodon Privacy Policy Generator in its version {{generatorVersion}}. This text is free to be adapted and remixed under the terms of the CC-BY (Attribution 4.0 International) license.

Output

How to Help

If you want to offer help, such as proposing an amendment, please reach out using the following means (by priority):

  1. Use Mastodon and make sure to tag me @rriemann@chaos.social AND use the hashtags #mastoLegal #MastodonPrivacyPolicyGenerator
  2. Use the Matrix channel #mastodon_admin:matrix.org (we may have a specific room for legal support later)
  3. Write me an email at robert-mastolegal@riemann.cc

Find the Jekyll Markdown source code for this page at https://gist.github.com/rriemann/fca8598a61ec91f5e06ff41198f53431.

TODO

  • find out the minimum necessary information to identify the controller (tip)
  • do not include bullet points on processors (mails, donation service, etc.) if form fields are empty (tip)
  • update the template regularly :wink:

Changelog

  • 2022-11-22 v1.1 – change EDPS to Commission link (know your rights), replace “EU Policy Bubble” in the text by the respective form value
  • 2022-11-21 v1.0 – public release

[1] This is a tricky one. I assume that basically everyone would need to choose the cautious approach and tick this box and consequently be obliged to comply with GDPR. That’s the price of a network that connects people across the globe.