Vector.im and Matrix.org Identity Servers Privacy Notice

1. Introduction

1.1 English, Not Legalese

Data privacy is important, and we want you to understand the issues involved. We have decided to use plain English as much as possible, to make our terms as clear as possible.

When you read 'the Identity Server', 'the Identity Servers', or 'the Service' below, it refers to the Identity Servers made available at https://vector.im and https://matrix.org which provide account discovery services for Matrix users.

Where you read New Vector, New Vector Ltd., we or us below, it refers to the company created in July 2017 to hire the Matrix core team and support Matrix's development: New Vector Ltd., its French subsidiary: New Vector SARL, and their agents.

Where you read The Matrix.org Foundation, or The Foundation, it refers to the Community Interest Company incorporated on 29 October 2018 to be the neutral custodian of the Matrix protocol: The Matrix Foundation C.I.C., and their agents.

Should you have other questions or concerns about this document, please send us an email at [email protected].

1.2 Who Provides this Service?

This service is provided by New Vector Ltd. for The Matrix.org Foundation. New Vector Ltd. and The Matrix.org Foundation are Joint Data Controllers for the Service.

This agreement does not apply to Matrix Identity Servers run by anybody else. Matrix is an open network like the Web and this agreement only applies to the Identity Servers (matrix.org and vector.im) provided by New Vector Ltd.

If this agreement is not acceptable, please use an Identity Server provided by someone else (or none at all).

1.2.1 Contact Details

New Vector Ltd.

Email: [email protected]

Postal address:

10 Queen Street Place
London
United Kingdom
EC4R 1AG

The Matrix.org Foundation

Email: [email protected]

1.3 Using The Service Means Accepting These Terms

By accessing or using the Service in any way you agree to and are bound by the terms and conditions written in this document.

If you do not agree to all of the terms and conditions contained in this document, please do not use this service. You can use an Identity Server provided by somebody else, run your own, or not use an Identity Server at all.

1.4 This Is a Living Document

With your help, we want to make our policy documents the best in the industry.

If you read something that rubs you the wrong way, or if you think of something that should be added, please get in touch! We're all ears! Email [email protected] and we'll chat.

We don't amend this document for any specific users or use case, but if your proposed changes apply to all of our users, we'll be happy to update it for everyone. Scroll to the bottom to see the history so far.

We will likely improve this document over time. By continuing to use the Service, you will implicitly accept the changes we make.

Your access and use of the Service is always subject to the most current version of this document.

2. What is a Matrix Identity Server?

Identity Servers support contact discovery on Matrix by letting people look up Third Party Identifiers to see if the owner has publicly linked them with their Matrix ID.

2.1 What is a Third Party Identifier?

A Third Party Identifier is an identifier that uniquely identifies a person, but isn't a Matrix ID. Most commonly this is an email address or a telephone number.

2.2 How does it support contact discovery?

Identity Servers offer the following services:

Verified Association of Matrix ID with Third Party Identifier

You can ask the Identity Server to establish that you own your email address or phone number and associate it with your matrix ID. The Identity Server will verify that you own that identifier by sending a link or code to your email address or phone. The association is not considered valid until your ownership of the Third Party Identifier has been confirmed.

Account Lookup by Third Party Identifier

You can look up a Matrix ID by searching for its associated Third Party Identifiers. You cannot look up Third Party Identifiers by searching for their associated Matrix ID. For example: if Alice has used the Identity Server to link her email, [email protected] with her Matrix ID, @example:matrix.org, other users can look up her Matrix ID by querying the Identity Server with her email address, but they cannot discover her email address by querying the service with her Matrix ID.

The Identity Server supports both individual and bulk Third Party Identifier lookup:

Individual Third Party Identifier Lookup

Individual Third Party Identifier Lookup is usually used when inviting a user to a Matrix room by their Third Party Identifier.

Bulk Third Party Identifier Lookup

Bulk Third Party Identifier Lookup is usually used to check whether any of your existing contacts already have a Matrix ID.

Registration with Email or Phone Number

Some homeservers rely upon the Identity Server for part of new user registration, using the Identity Server to perform the verification of ownership of the email address or phone number.

We will be removing support for user registration from the New Vector Identity Servers. In the near future homeservers will be able to complete registration by email address without delegating ownership verification to an Identity Server. This document will be updated when this behaviour has changed.

Password Reset

Some homeservers rely upon the Identity Server for password reset by email, using the Identity Server to send a unique link to the user to complete password reset securely.

We will be removing support for password reset from the New Vector Identity Servers. Homeservers can already complete password reset by email without delegating to an Identity Server. Homeserver administrators should not rely on New Vector Ltd. Identity Servers for password reset.

Binding on Registration

When your client is configured to use either the vector.im or the matrix.org Identity Server and you register on a homeserver with your email address and/or phone number:

This behaviour is also being phased out. In the near future, choosing to publicly link your Third Party Identifiers with your Matrix ID via an Identity Server will be a wholly separate step, fully divorced from registration. This document will be updated when this behaviour has changed.

2.3 Closed Federation Between vector.im and matrix.org Identity Servers

Data is shared between the vector.im and matrix.org Identity Servers in a closed federation.

This means that when you ask the Identity Server at vector.im to link your Matrix ID with your email address or phone number, this data is replicated on the matrix.org Identity Server. Likewise if you ask the Identity Server at matrix.org to link your Matrix ID with your email address or phone number, this data is replicated onto the vector.im Identity Server.

3. Access to Your Data / Privacy Policy

3.1 What is the legal basis for processing my data and how does this affect my rights under GDPR (General Data Protection Regulation)?

3.1.1 Legal Basis for Processing

Your data is processed under Legitimate Interest. This means that we process your data only as necessary to deliver the Service, and in a manner that you understand and expect.

The Legitimate Interest of the Service is the discoverability of contacts across the wider Matrix ecosystem. The processing of user data we undertake is necessary to provide the Service. This facility is an optional component of the services provided by New Vector, designed to make contact discovery easier. Matrix works very well without an Identity Server.

3.1.2 Right to Erasure

You can remove your data from the Service at any time by using a Matrix client (such as https://riot.im/app) to remove your Third Party Identifiers from the connected Identity Server. The data will be rendered inaccessible across the matrix.org and vector.im Identity Servers straight away, and will be deleted from the matrix.org and vector.im databases within 30 days.

If your homeserver is spec-compliant (i.e. if it faithfully implements the Matrix protocol specification detailed at https://matrix.org/spec), your Third Party Identifiers will be deleted if your account is deactivated.

3.1.3 Data Portability

Under GDPR you have a right to request a copy of your data in a commonly-accepted format. If you would like a copy of your data, please send a request over Matrix to @gdpr:matrix.org.

3.1.4 Your Rights as Data Subject

You have rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances. Some of these rights are explored in more detail elsewhere in this document. For completeness, your rights under GDPR are:

  1. The right to be informed

  2. The right of access

  3. The right to rectification

  4. The right to erasure

  5. The right to restrict processing

  6. The right to data portability

  7. The right to object

  8. Rights in relation to automated decision making and profiling

For more details about these rights, please see the guidance provided by the ICO. If you have any questions or are unsure how to exercise your rights, please contact us at [email protected].

3.2 What Information Do You Collect About Me and Why?

The information we collect is purely for the purpose of letting people discover Matrix IDs that have been publicly linked with a Third Party Identifier (such as email or telephone number). We do not profile users or their data on the Service.

3.2.1 Information you provide to us:

We collect information about you when you input it into the Service or otherwise provide it directly to us.

3.2.2 Information we collect automatically as you use the service:

Third Party Identifiers you look up

Third Party Identifiers that are looked up are logged in our application logs. These logs are kept for not longer than 180 days. This will change soon - once https://github.com/matrix-org/sydent/issues/189 lands we will no longer include looked-up Third Party Identifiers in the application logs.

Connection Information

Currently, we log the IP address of the party who accesses the Service. Since this is usually the homeserver requesting data on behalf of its user(s), it is usually the IP address of the homeserver that is logged. This data is used in order to mitigate abuse, debug operational issues, and monitor traffic patterns. Our logs are kept for not longer than 180 days.

3.3 What Information is Shared With Third Parties and Why?

3.3.1 Sharing Data with Connected Services

The purpose of the Service is to share your associated Matrix ID with whomever looks up your linked Third Party Identifiers. As a reminder, use of this service is optional - if you do not want your Matrix ID to be discoverable from your Third Party Identifiers, please do not use the service.

3.4 Sharing Data in Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights

In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to

(a) comply with any applicable law, regulation, legal process or governmental request,

(b) protect the security or integrity of our products and services (e.g. for a security audit),

(c) protect New Vector Ltd., The Matrix.org Foundation, and our users from harm or illegal activities, or

(d) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the serious bodily harm of any person.

3.5 Our Commitment to Children's Privacy

We never knowingly collect or maintain information in the Service from those we know are under 16, and no part of the Service is structured to attract anyone under 16. If you are under 16, please do not use the Service.

3.6 How Can I Access or Correct My Information?

You can view and modify your published Third Party Identifiers by using any compatible Matrix client (such as https://riot.im/app) and managing your User Settings.

3.7 Who Can See My Matrix ID/Third Party Identifier associations?

Anyone who knows your Third Party Identifier can query the Service to see if you have publicly linked it with a Matrix ID. Queries only work in this direction. It is not possible for parties who only know your Matrix ID to query the Service and discover your Third Party Identifiers.

The association between your Matrix ID and your Third Party Identifiers is stored in New Vector Ltd. databases. This means that, unlike regular users, New Vector employees and contractors can look up your Third Party Identifiers from your Matrix ID (subject to the New Vector data access guidelines below).

Employees or agents of The Matrix.org Foundation do not have access to the database (except in cases that they are also employees or agents of New Vector Ltd.).

3.8 What Are the Guidelines New Vector Follows When Accessing My Data?

3.9 Who Else Has Access to My Data?

We host the majority of the Service in UpCloud data centres. Here's UpCloud's privacy policy. UpCloud controls physical access to their locations.

We use Cloudflare to mitigate the risk of DDoS attacks. Here's Cloudflare's privacy policy.

Our offices and locations use typical physical access restrictions.

We use secure private keys when accessing servers via SSH, and protect our AWS console passwords locally with a password management tool.

We log application data (caller IP and user agent). We keep logs for no longer than 180 days.

3.10 What happens if New Vector is sold?

In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

If we or substantially all of our assets are acquired by a third party, personal data held by us about our users will be one of the transferred assets.

3.11 How Is My Data Protected from Another User's Data?

All of our users' data for the Service currently resides in the same database cluster. We use software best practices to guarantee that only people who know your linked Third Party Identifiers can use them to look up your Matrix ID. In other words, we segment our user data via software. We do our best and are very confident we're doing a good job at it, but, like every other service that hosts its user data in the same database, we cannot guarantee that it is immune to a sophisticated attack.

3.12 What Should I Do If I Find a Security Vulnerability in the Service?

If you have discovered a security concern, please follow the Matrix.org Security Disclosure Policy.

4. Making a Complaint

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention at [email protected] if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you want to make a complaint about the way we have processed your personal information to the supervisory authority, you can contact the ICO (the statutory body which oversees data protection law) at https://www.ico.org.uk/concerns.

5. Document History

A note to other startups: this document was heavily inspired by Balsamiq's plain English ToS document. We were impressed by their championing of plain English, and wanted to reproduce that as much as possible in our own legal documentation. Feel free to draw similar inspiration from this document, though be sure to get any documents you produce checked over by a lawyer. Good luck!