I. Terms of service
chaos.social is run by chaos.social e.V.. The sole members of the board, as well as the administrators and moderators of chaos.social, are @leah and @rixx.
The instance rules serve as a basis for moderation. Moderators may freeze, suspend or remove accounts at their discretion.
Content on this instance must not be used for the purposes of machine learning or other “research” purposes without the explicit consent of the users involved.
Content on this instance must not be archived or indexed wholesale by automated means by any user or service. Active users may export their data through the export functionality or the API.
Data protection is regulated by the EU General Data Protection Regulation (GDPR). We have compiled all the relevant information for you on this page, so that you can find out what data we collect from you, how we process it, what we do to protect your data and who you can contact if you have any questions.
1. Order data processing, hosting and donations
For hosting, chaos.social uses the cloud services and servers of Hetzner Online GmbH, Industriestr. 25 91710 Gunzenhausen, Germany. For processing donations, we use the services of Liberapay, Stripe, Paypal and Skartbank Germany. These are each subject to their own data protection regulations.
2. Data processing when accessing the homepage, registration mask and general use
When accessing chaos.social in order to register or also during general use, a connection is established to our servers used to operate this instance. In order to be able to display the page to the browser of the end device used, certain data is processed in accordance with the HTTP and TCP/IP protocols. This includes:
- the connection’s IP address,
- the operating system of the PC, tablet or phone,
- the display resolution of the device,
- the browser and browser version in use, and</li>
- the time when the website was accessed.
This technical data is processed so that the website can be transmitted to the end device used and can be correctly processed and displayed by your browser. Some of this data is stored in our server’s logs each time you visit the site. We process this data for the purposes of server maintenance and security; IP addresses are deleted after 14 days at the latest.
The data processing is carried out in accordance with Art. 6 §1 b) GDPR to the extent necessary to enable the use of the homepage, the registration and general site access in the scope of the user relationship between us (the operator of the instance) and you (the operator of the Mastodon profile), as well as for the fulfilment of the obligation to take technical-organisational protective measures.
3. Data processing during registration
As part of the registration process we process basic account information: This includes your username, email address and password. You can enter additional profile information such as a display name or a biography and upload a profile picture or a header picture. The username, display name, biography, profile picture and header picture will then always be displayed publicly (possibly also to people who do not have their own Mastodon profile).
The data processing within the scope of the registration is carried out in accordance with Art. 6 §1 b) GDPR to the extent necessary to enable the login interface to be called up or the registration to be carried out within the scope of the user relationship.
4. Data processing during regular use of the Mastodon profile
Posts, followers and other public information: The list of people you follow is displayed publicly by default, the same applies to your followers. This can be deactivated in the settings. As soon as you send a message, the date and time is saved along with the information about which application you used to send your message. Messages can contain media content, such as images and videos. Public and unlisted posts are publicly available. Once you pin a post to your profile, it is also publicly available. Your posts are delivered to your followers, which in some cases means they are delivered to servers (other instances) and copies of them are stored there. Once you delete posts, this is also delivered to your followers, although we cannot guarantee that they will honour the deletion request. The act of sharing another post is always public by default.
Direct and “followers only” posts: All posts are stored and processed on the server. “Followers only” posts are delivered to your followers and to users you mention, direct messages (sometimes misleadingly called “private messages”) only to users mentioned in them. However, direct messages are not end-to-end encrypted and can therefore - theoretically - also be viewed by us and, if applicable, by those responsible for the instance of the Mastodon profiles mentioned in the database or in messages. We can only ensure that unauthorised persons do not have access to the contributions stored on our instance, but other servers/instances could fail in this. For this reason, it may be useful to check the instances to which your followers belong. There is an option in the settings to manually accept or reject new followers. As a general rule, please do not share sensitive information on Mastodon, not even via direct messages.
IP addresses and other metadata: When you log in, Mastodon retains both the IP address from which you logged in and the name of your browser. All logged-in sessions are available for your review and revocation in the settings. Mastodon stores the last IP address used for up to 2 days. Furthermore, this information is used to protect the instance by way of rate limiting.
The data processing within the scope of the use is carried out in accordance with Art. 6 §1 b) GDPR to the extent necessary to enable you to use your Mastodon account within the scope of the user relationship.
5. Messages from third parties
We process personal data when users of third-party services that support ActivityPub interact with accounts on this instance. To enrich public profile pages with profile data, the following data is processed according to the requirements of the ActivityPub protocol:
- IP address of the third-party service
- Name of the user’s software
- Display name, username und profile pictures
- Date and time of the interaction
- Profile data
The data processing is necessary to provide a federated Mastodon instance. It is therefore carried out in accordance with Article 6(1)(f) of the GDPR, with the exception of personal data that is not necessary, such as the display name and profile picture, the processing of which is based on Article 6(1)(a) of the GDPR. We store profile data from subscriptions to compatible third-party services until we receive a request to the contracy (unsubscribe, unlike, or unboost) via that service or directly from the user.
7. Data processing during email communication
If you contact the administration of the instance by email, your email, including the sender’s address and content, will be processed and stored in order to handle the communication with you. This information will be stored for as long as is necessary to respond to the content of your request. Unless the specific nature of our communication requires it, old emails are generally deleted two years after receipt of the last response from you and contact details are deleted after three years.
The storage and use of the data contained in the emails as well as your contact data is carried out to the extent necessary due to our legitimate interest in handling communication with you, insofar as your interests do not conflict with this (Art. 6 §1 f) GDPR).
8. Your rights
You have the right that we, upon request,
- provide you with information about the personal data concerning you that we process (Art. 15 GDPR).
- correct inaccurate data (Art. 16 GDPR).
delete your data if, for example, it is no longer necessary for the original purpose or if there is a dispute as to whether we are processing certain data lawfully (Art. 17 GDPR).
- restrict processing if the conditions of Art. 18 GDPR are met.
- provide the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format (Art. 20 GDPR).
In particular, you may object at any time, on grounds relating to a particular situation, to processing carried out on the basis of Article 6(1)(e) or (f) of the GDPR (Article 21 of the GDPR).
With regard to all of the above rights, a corresponding request sent by e-mail or in writing by post is sufficient to exercise your rights.
9. Responsible in the sense of the data protection law
chaos.social e.V. c/o Leah Oswald Fichtestr. 75 69469 Weinheim Germany Telefon: 06201/ E-Mail: contact ÄTT chaos.social (ersetze --ÄTT-- durch @!)
chaos.social e.V. is registered in Mannheim as VR 703596.
10. Supervisory authority
You have, in any case, the right to lodge a complaint with the data protection authority as a supervisory authority.
Landesbeauftragte für den Datenschutz und die Informationsfreiheit in Baden-Württemberg Address: Lautenschlagerstraße 20 70173 Stuttgart Germany poststelle--ÄTT--lfdi.bwl.de (ersetze --ÄTT-- durch @!) Postal address: Postfach 10 29 32 70025 Stuttgart Germany
According to German § 5 TMG:
chaos.social e.V. c/o Leah Oswald Fichtestr. 75 69469 Weinheim
chaos.social e.V. is registered in Mannheim as VR 703596.
If you have any question you can send us an email to: contact ÄTT chaos.social (replace –ÄTT– with @!).
Last edited: 23.12.2022
The privacy notice is based on the (German) privacy notice of legal.social and is licensed under a Creative Commons Attribution-Share Alike 3.0 Germany License.