Back to home

Privacy Policy

Effective date: April 2025 · Compliant with GDPR (EU) 2016/679

Short version: We collect only what we need to run this service. No tracking. No ads. No cookies on this website. Your encrypted messages cannot be read by us — that's the whole point.

1. Data Controller

Hannes Thöne
Nordstraße 16, 34414 Warburg, Germany
Email: [email protected]

As quassel.io is operated from Germany, European data protection law (GDPR) applies in full. If you are located outside the EU/EEA, you benefit from the same high standards of data protection.

2. Scope of this Policy

This policy covers two separate services:

  • This website (quassel.io) — a static information page
  • The Matrix homeserver — the communication service you register for

3. This Website — No Tracking, No Cookies

The quassel.io website is a fully static site. It sets no cookies, uses no analytics tools, and does no cross-site tracking. All fonts are served locally from this server — no requests are made to Google Fonts or any other external font service.

4. Server Access Logs

When you visit this website or connect to the Matrix server, your web browser or client automatically transmits data that is recorded in server log files:

  • IP address (truncated after 7 days; fully deleted after 14 days)
  • Date and time of access
  • URL or API endpoint requested
  • HTTP status code and bytes transferred
  • Browser/client type (User-Agent string)

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in the secure and stable operation of the service. Logs are deleted automatically after 14 days. Log data is never sold, shared with third parties, or used for profiling.

5. Infrastructure & Sub-processors

quassel.io uses the following third-party providers to operate the service. All are located within the EU/EEA and are bound as data processors under data processing agreements (Art. 28 GDPR):

  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — dedicated server hosting. The server is physically located in Helsinki, Finland (EU). Privacy policy
  • Backblaze, Inc. — S3-compatible object storage (Backblaze B2, region EU Central) used to store user-uploaded media and files. Data is stored within the EU. Privacy policy

No data is processed outside the EU/EEA by these providers.

6. Matrix Homeserver — Account Data

6.1 Registration

When you create a Matrix account on quassel.io, the following data is collected:

  • Username (your Matrix localpart, e.g. @you:quassel.io)
  • Password — stored as a bcrypt hash; never in plaintext
  • Email address (required) — used for account verification, recovery, and service notices
  • Device information — name and ID of clients you use to log in

Legal basis: Art. 6(1)(b) GDPR — performance of a contract (providing the service you signed up for).

6.2 Messages and Media

Messages, images, files, and other content you send through the service are stored on the server. Messages sent in end-to-end encrypted (E2EE) rooms are stored in encrypted form — they are technically unreadable to the server operator.

Messages in unencrypted rooms are stored in plaintext on the server. We recommend using E2EE for sensitive conversations.

Content is stored as long as your account exists, or until you delete it. Legal basis: Art. 6(1)(b) GDPR.

6.3 Metadata

Operating the Matrix server generates metadata such as message timestamps, room membership records, and connection IP addresses. This data is used for abuse prevention and to operate the service securely.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in safe service operation. Pure connection logs are deleted after 14 days.

6.4 Federation — Data Shared with Other Servers

Matrix is a federated, decentralised protocol. If you join rooms hosted on other servers, or communicate with users on other homeservers, the following data is automatically transmitted to those servers as a technical necessity:

  • Your Matrix ID (@you:quassel.io)
  • Your display name and avatar (if set)
  • Messages you send in shared rooms
  • Room membership and state events

Legal basis: Art. 6(1)(b) GDPR — this is necessary to provide the service. The operator of quassel.io is not responsible for the data handling practices of other Matrix homeserver operators. Each operator is an independent data controller.

If you wish to limit data sharing with external servers, you can restrict your activity to private, local rooms on quassel.io.

6.5 Abuse Reports

If you submit an abuse report to [email protected], the information you provide (including any Matrix IDs or content you share) will be used solely to investigate and act on the report. We will not share this with third parties unless required by law.

Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR.

7. Email Contact

If you contact us by email, the data you provide (your email address, message content) is used solely to process your enquiry and is deleted once it is no longer needed. Legal basis: Art. 6(1)(f) GDPR.

8. International Data Transfers

Your data is stored in Germany and processed within the EU. Because Matrix is a federated protocol, messages may be transmitted to homeservers located outside the EU when you participate in federated rooms. This is an inherent property of the protocol and is necessary to provide the service you use.

When this occurs, we cannot guarantee that those servers provide the same level of data protection as required by the GDPR. We encourage you to use end-to-end encryption to protect your message content.

9. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights:

  • Access (Art. 15) — request a copy of the data we hold about you
  • Rectification (Art. 16) — correct inaccurate personal data
  • Erasure (Art. 17) — request deletion of your account and associated data
  • Restriction (Art. 18) — limit how we process your data
  • Objection (Art. 21) — object to processing based on legitimate interests
  • Data portability (Art. 20) — receive your data in a machine-readable format

To exercise any of these rights, contact us at [email protected]. You can also delete your account at any time directly in your Matrix client (e.g. Element → Settings → Account → Deactivate Account).

Note: Due to the federated nature of Matrix, deleting your account on quassel.io will remove data from our server but cannot remove copies of your messages already transmitted to other homeservers.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The authority responsible for the state of North Rhine-Westphalia (where quassel.io is operated from) is:

Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf, Germany
www.ldi.nrw.de

If you are based outside Germany, you may also contact the supervisory authority in your own country.

11. Changes to this Policy

We will update this policy if our practices change materially. The effective date at the top of this page will reflect the latest revision. Users who have provided an email address will be notified of significant changes.