Who We Are and What This Policy Covers
Hi there! We're the Secure Mobile Networking Lab (SEEMOO) at TU Darmstadt, Germany. We're a research group, led by Prof. Matthias Hollick, and operate PrivacyMail.info and related services. Max Maass leads our work on the PrivacyMail project and is the person to talk to for any questions related to this platform.
Creative Commons Sharealike License
Information We Collect
If at all possible, we try to avoid collecting information about you at all. As you may have already noticed, there is no need to provide your name, eMail address, or other identifying information anywhere on the website. However, in this day and age, it is literally impossible to not collect any data, so read on for details on what we do collect.
Information You Provide to Us
It goes without saying that data that you provide to us is collected and used by us. For this website, this mostly refers to the newsletters that you sign up with us, and any additional information (what we call metadata) that you provide about these services (e.g., telling us which country a service is from, or which sector the company belongs to). (You may have noticed that this data is actually not related to you as a person, but is data about other companies, so this shouldn't be a problem, right?).
If you send us an eMail (hi there!), it should be obvious that we will receive and read it, and that it will probably be retained in our inboxes, because who deletes eMails these days?!
Information We Collect Automatically
Like any good programmer, we make use of logging to check if our service is operating normally. Part of this logging is the use of Sentry, an excellent service that makes it easier to find and fix problems with our service. Note that we run our own instance of Sentry, and do not use the commercial, "hosted" version of sentry. No data is sent to the people behind Sentry, it all stays right here with us.
Anyway, if errors occur, Sentry will automatically collect some information about them. This includes the IP address, type of browser, and some other details about the user that encountered the error. We will only use this information to help us in debugging what is going on.
We also use some additional logging to detect if people try to break into our service. This includes logging abnormal requests, and actions that look nefarious to us. In these cases, the IP address of the offending user is logged as well to allow us to prevent them from attacking our service in the future. If you do not want your information to be logged in this way, simply don't attack our service :).
Finally, our web server will automatically create logs of who is accessing the service, and when they are doing it. These logs are retained for two weeks and then automatically deleted. We usually only look at this logs if we think that bad things are happening to our service. We may occasionally analyze them to find out how many people are using our service, as providing big, impressive numbers in reports will make the people happy that pay our bills, and we'd like to be able to keep doing what we are doing. However, we will not share any details with others.
Information We Collect from Other Sources
This part is easy: We do not collect data about you from any other sources.
How and Why We Use Information
Purposes for Using Information
We already mentioned a couple of reasons further up, but just to re-iterate:
- To provide our service - it is technically impossible to run a website without using your IP address, because we need it to send you data!
- To defend ourselves against attacks - not from you (hopefully!), but from the big bad internet out there.
- To improve our service - this sounds fancy, but basically just means that we collect information about errors you encounter so we can fix them.
- To communicate with you - for example, if you send us an eMail.
- To fulfil our legal obligations - we may be required by law to retain specific information for a certain time.
Just to make sure we're on the same page, we will never use your information for the purpose of profiling or advertising - that is literally the opposite of what we are trying to do here.
Legal Bases for Collecting and Using Information
A note here for those in the European Union about our legal grounds for processing information about you under EU data protection laws, which is that our use of your information is based on the grounds that: (1) The use is necessary in order to enable access to our website on your device; or (2) The use is necessary for compliance with a legal obligation; or (3) The use is necessary in order to protect your vital interests or those of another person; or (4) We have a legitimate interest in using your information--for example, to provide and update our Services, to improve our Services, to safeguard our Services, to communicate with you, or to monitor and prevent any problems with our Services.
Phew. That was some serious legalese, but you asked.
How We Share Information
As you know by now, we do not collect a lot of information about you. The little that we do collect, we will never sell to others, and only share it under the limited circumstances spelled out below:
- Members of the team: Members of the PrivacyMail team may access your information while they are trying to fix a problem with the service or prevent abuse.
- Legal and Regulatory Requirements: We may disclose information about you in response to a subpoena, court order, or other governmental request. We have no idea why they would ever want to do this, but it is a possibility we can't totally rule out.
- Aggregated or De-Identified Information: We may publish aggregate statistics about the use of our Services, e.g. by boasting about the thousands of people using our service to impress the people that pay our bills.
Information Shared Publicly
For the sake of avoiding misunderstandings: All of the above applies to information related to you, the user. Information about the companies whose newsletters we analyze on this platform may be shared much more widely (starting with the fact that we publish it on our website for everyone to see). However, we figure that this should be fine with you, as it does not impact you personally.
How Long We Keep Information
We generally discard information about you when we no longer need the information for the purposes for which we collect and use it--which are described in the section above on How and Why We Use Information--and we are not legally required to continue to keep it. For example, we keep the web server logs that record information about a visitor to our website, such as the visitor’s IP address, browser type, and operating system, for approximately 14 days. We retain the logs for this period of time in order to, among other things, investigate issues if something goes wrong on one of our websites, or occasionaly analyze traffic to find out how many people are using our service.
We take reasonable steps to protect the information in our custody. However, in the end, it's the internet we're talking about - the only 100% secure way to own a server is to never connect it to a power outlet, let alone the internet, and that would help no one.
To be honest, your choices here are pretty limited - you can choose not to use our service, but since we don't collect a lot of information, and what we do collect is collected automatically, we cannot change these things for individual users, sorry.
If you are located in certain countries, including those that fall under the scope of the European General Data Protection Regulation (AKA the “GDPR”), data protection laws give you rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:
- Request access to your personal data;
- Request correction or deletion of your personal data;
- Object to our use and processing of your personal data;
- Request that we limit our use and processing of your personal data; and
- Request portability of your personal data.
The only personal identifier we will ever have about you is your IP address. If you want to know what we have saved about you, please contact us, stating your public IP address and the time you used the website, and we'll check what we have on file.
Controllers and Responsible Parties
This website is operated by the Secure Mobile Networking Lab, Technische Universität Darmstadt, Mornewegstr. 32, 64293 Darmstadt, Germany.
How to Reach Us
If you have any questions or want to say hi, feel free to reach out. For the moment, it's probably best if you contact Max Maass directly at mmaass [at] seemoo.tu-darmstadt.de.