Privacy Policy
Matrix Homeserver: matrix.ramforth.net
Last Updated: March 31, 2026
Data Controller: Joe (ramforth)
Contact: joe@ramforth.net | @ramforth:matrix.ramforth.net
1. Overview
This privacy policy explains what data is collected, stored, and processed when you use the Matrix homeserver at matrix.ramforth.net.
Short version: I collect the minimum data needed to run a Matrix server. You own your data. I don't sell it, share it, or use it for advertising. GDPR applies.
2. Legal Basis (GDPR)
Why I Process Your Data:
- Contractual necessity — Running the Matrix service you signed up for
- Legitimate interest — Server security, abuse prevention, uptime monitoring
- Legal obligation — Compliance with Norwegian law (minimal)
Your Rights (GDPR Articles 15-22):
- Access your data (Article 15)
- Correct inaccurate data (Article 16)
- Delete your data (Article 17 — "right to be forgotten")
- Export your data (Article 20 — data portability)
- Object to processing (Article 21)
- Lodge complaint with supervisory authority
To exercise rights: Contact @ramforth:matrix.ramforth.net
3. Data I Collect
3.1 Account Registration
| Data | Purpose | Retention |
| --- | --- | --- |
| Username (localpart) | Account identification | Until account deletion |
| Password (hashed) | Authentication | Until account deletion |
| Email address (optional) | Account recovery, notifications | Until removed or account deletion |
| Display name | User identification in chat | Until changed or account deletion |
| Avatar image (optional) | User identification | Until changed or account deletion |
| Registration timestamp | Account management | Until account deletion |
| Last login timestamp | Security, inactive account cleanup | Until account deletion |
Legal basis: Contractual necessity (running the service)
3.2 Communication Data
| Data | Purpose | Retention |
| --- | --- | --- |
| Messages you send | Core Matrix functionality | Until you delete them |
| Media you upload | Core Matrix functionality | Until you delete them |
| Rooms you join | Core Matrix functionality | Until you leave rooms |
| Read receipts | Core Matrix functionality | Session-based |
| Typing indicators | Core Matrix functionality | Real-time only (not stored) |
Legal basis: Contractual necessity
3.3 Technical/Log Data
| Data | Purpose | Retention |
| --- | --- | --- |
| IP address (temporary) | Rate limiting, abuse prevention | 24-72 hours |
| User agent string | Debugging, compatibility | 7 days |
| Device ID (if provided) | Session management | Until logout |
| Server performance logs | Uptime monitoring, debugging | 30 days |
| Error logs | Debugging, stability | 30 days |
Legal basis: Legitimate interest (security, stability)
3.4 Federation Data
When you communicate with users on other Matrix servers:
| Data | Where It's Stored |
| --- | --- |
| Your messages | Your server + recipient's server(s) |
| Your profile info | Cached on federated servers |
| Room membership | Visible to room participants |
Important: I can only control data on this server. Once data is federated, other servers' policies apply.
4. What I Do NOT Collect
- Message content for analysis or profiling
- Metadata for advertising purposes
- Browsing history outside Matrix
- Location data (unless you share it in messages)
- Biometric data
- Payment information (this service is free)
- Data from third-party trackers
I Also Do Not:
- Sell your data
- Share data with advertisers
- Use automated decision-making/profiling
- Transfer data outside EEA (except via Matrix federation)
5. Data Storage & Security
Where Data Is Stored:
- Primary: Proxmox server, Norway 🇳🇴
- Backups: Encrypted, stored in Norway/EU
- No intentional transfers outside EEA
Security Measures:
- TLS encryption for all connections (HTTPS/WSS)
- Passwords hashed (bcrypt/argon2)
- Regular security updates
- Firewall rules, rate limiting
- Encrypted backups
- Minimal data retention
Access Controls:
- Only I (Joe) have administrative access
- No third-party processors with data access
- Logs of admin actions maintained
6. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Active account data | Until you delete account |
| Deleted account data | Removed within 30 days |
| Message content | Until sender deletes |
| IP addresses | 24-72 hours |
| Technical logs | 30 days |
| Inactive accounts | Flagged after 12 months, deleted after notice |
Deleting Your Data:
- Self-service: Use Matrix client to delete messages/account
- Request deletion: Message @ramforth:matrix.ramforth.net
- Timeline: Within 30 days of request
7. Matrix Federation Implications
How Federation Works:
Matrix is designed for cross-server communication. When you:
- Message someone on another server → They receive and store a copy
- Join a public room → Other servers may cache room data
- Set a display name/avatar → Federated to servers you interact with
What This Means:
- I control data on this server only
- Other servers follow their own privacy policies
- You can limit federation in your privacy settings
- Some rooms are local-only (no federation)
Your Options:
- Disable incoming messages from unknown users
- Use local-only rooms for sensitive conversations
- Request room admins disable federation for specific rooms
8. Cookies & Tracking
This Server:
- No advertising cookies
- No third-party analytics
- No tracking pixels
Matrix Clients:
- Your Matrix client (Element, FluffyChat, etc.) may have its own cookies
- Check your client's privacy policy
- This server doesn't control client behavior
9. Children's Privacy
Age Requirements:
- General use: 16+ (GDPR Article 8)
- Under 16: Requires parental consent
If I Discover Under-16 Without Consent:
- Will contact parent/guardian if possible
- May suspend account pending verification
- Will delete data if consent not provided
10. Data Breaches
If A Breach Occurs:
- I will assess impact within 72 hours
- Notify affected users if risk to rights/freedoms
- Report to Datatilsynet (Norwegian DPA) if required
- Provide remediation steps
Contact for Breach Reports:
@ramforth:matrix.ramforth.net or joe@ramforth.net
11. Third-Party Services
Currently Used:
- coTURN Server (Hetzner Cloud, Finland)
  - Purpose: Relay service for voice/video calls when direct peer-to-peer connections fail
  - Data processed: IP addresses, connection metadata (temporary)
  - Retention: Minimal logs for abuse prevention (24-72 hours)
  - Location: Helsinki, Finland (EU/EEA)
  - Note: Call content is end-to-end encrypted and not visible to the TURN server
Potential Future Integrations:
- Uptime monitoring (e.g., Uptime Kuma) — server metrics only, no user data
- Backup storage — encrypted, EU-based providers only
- DNS/Domain (ramforth.net) — standard DNS queries, minimal logging
Any new integrations affecting privacy will be documented here with notice.
12. Changes to This Policy
How Changes Are Communicated:
- Posted in public announcement room (if created)
- Broadcast message to all users
- Email notification for significant changes
- At least 14 days' notice for material changes
Your Options:
- Review updated policy
- Continue using = acceptance
- Disagree = export data and leave before effective date
13. Supervisory Authority
Primary Regulator:
Datatilsynet (Norwegian Data Protection Authority)
Website: www.datatilsynet.no
Email: postkasse@datatilsynet.no
You have the right to lodge a complaint if you believe I'm violating GDPR.
14. Contact Information
Data Controller:
Joe (ramforth)
Matrix: @ramforth:matrix.ramforth.net
Email: joe@ramforth.net
Location: Norway 🇳🇴
For Privacy Requests:
- Access/correction/deletion: @ramforth:matrix.ramforth.net
- Response time: Within 30 days (GDPR requirement)
This policy complies with EU GDPR and Norwegian Personopplysningsloven.
Hosted in Norway 🇳🇴 — EU/EEA data protection standards apply.