LW.Org does offer its communication services free of charge to the general public.
— Short rules statement
You’re not entitled to use this service for malicious intents like:
- Hate seeding and xenophoby/racism promoting activities and discussions
- Promoting, discussing or sharing of illegal sexual material
- Illegal sharing of copyrighted material
- Phishing, Scamming and other ill intented activities
- Any Denial of Servicing
- Use this service as “carrier for” or “intermediate to” cheat bots, and/or other game cheating activities
Regarding the use of Disposable E-Mail Addresses to register to the service:
- Furthermore you’re NOT entitled to use a DEA to register to our services, your mail address won’t be stored more than the log rotation time in our mail server. Throw-away addresses are mainly used for malicious intents and most of these services simply let the messages being web harvested, which is UNACCEPTABLE. Periodically (within the week) we perform checks for registrations done through Throw-away E-Mail providers (which aren’t catched by Metronome’s DSA/Spam filtering system itself), if found, the accounts will be assumed, no matter what, as ToS breaching without the possibility of an appeal.
Failing to comply to every of the above will result in a breach of the terms of service and the immediate account termination.
— Regarding privacy
Logging, data retention:
- We do not monitor data content (e.g. message content) passing through our services, only stanza headers are logged and they will contain the jid of the source, the jid of the destination, and other attributes like id and type etc.
- Some public multi-user chatrooms which have the “room logging” configuration option explicitly enabled will have the sole groupchat activity logged and exposed via Message Archive Management (XEP-0313) or a web interface, and you will be warned appropriately as mandated by XEP-0045 when you join and able to leave said room or use a client supporting Message Processing Hints (XEP-0334) to prevent your messages from being logged. These logs will be completely deleted in case the logging gets disabled via room configuration.
- Users who have explicitly enabled Message Archive Management (XEP-0313) could have upto 100000 sent and received private messages (not MUC) historic recorded on the server, otherwise clients may signal our server to not store messages using Message Processing Hints (XEP-0334), messages are stored unlimitedly until the previously mentioned threshold is reached when that happens the oldest of the messages will get deleted. Metronome also offers a custom protocol to purge the personal archive should the need arise more details can be found here.
- When you connect to our xmpp service or use our mail services data like ip address, jabber id or username, mail from/rcpt and subjects are recorded in our logs and will be aggregated along other server data to help with debugging/troubleshooting and eventual abuse tracking/prevention.
- This service offers a HTTP Upload (XEP-0363) component that offers an out of band method to users to share content, files can be deleted via Adhoc commands either selectively or via a purge and will be expired as new content gets uploaded after two days have passed. They will also be removed on user deletion. Using the upload service implies you take full responsibility of the files shared by yourself through it.
- It also offers a STUN/TURN relay service to facilitate traversal of NATs for Audio / Video conferencing via Jingle or WebRTC, data that is relayed may be passed to 3rd parties which are beyond the bundaries of this service which means we’re unable to guarantee the safety or usage of the mentioned data when it transits away from our systems.
Server to server communication, meta data processing and disclosure:
- XMPP is decentralised in nature and offers a way for servers to communicate between ’emselves called federation, so any users on a federated service is able access the whole XMPP network.
- So, any time you communicate with an entity which JID or Host addressing doesn’t end with lightwitch.org or metronome.im you’re effectively transmitting your data outside of this service boundaries (you can check the service status page to see which services are actually hosted by us) via server to server (s2s) communication.
- Whenever you use s2s you may transmit one, but not limited to, of the following data/meta data: Your JID and/or your contacts’, Messages, Presence and Status, IQ request/response logic stanzas that include operations like file transfers or AV calls for example etc
- You must be perhaps aware of the privacy and also legal implications this has to you and us, LW.Org and its administrators won’t be able to neither control or assert the usage of your personal data or meta data once it gets transmitted to a third party via s2s, and can’t be held responsible for it’s usage after that.
- That you must take extreme care of what kind of data you share via this instant messaging service (or the internet in general) and that you’re therefore fully responsible for any consequences the sharing of that data may cause to yourself, expecially if it’s directed to a remote contact / entity.
- And finally that if you join even a local groupchat (via MUC), there’s the possibility users from remote services may join it as well and perhaps everything stated above will still apply.
Push Notifications data processing and disclosure:
- lightwitch.org supports push notifications as specified in XEP-0357, this means that you will be able to send notifications to devices via developers App Servers which then will communicate with cloud notifications services like Google’s GCM or Apple’s APN.
- Metronome’s implementation by default shares only the number of messages, no other info is shared and you’re able to disable the sharing of the last sender via an Adhoc Command (see XEP-0050 for client support).
Direct data disclosure:
- LW.Org will never willingly disclose any personal data pertaining to its users to any third party with the exception of E-Mail which is matched against the NameAPI database to verify that it isn’t a disposable address. Also we don’t require you to provide any information which would make it possible to identificate yourself (Name, Surname, Residence etc.) to register to it, with the exception of the mail address as mentioned above used to send you the verification token to complete the account registration process, which beside syslog/mail logs isn’t retained anywhere and is eventually garbage collected whit the said logs’ rotations (usually from a week to a few months depending on the service).
- The above statement would partially or not apply in case of abuse or ToS breach as every measure deemed necessary will be taken in order to settle the situation and pursue investigations including disclosure of data to middle parties, involved or to be involved parties and/or recognized authorities, etc.
Opt-out requesting and oblivion rights:
- You may delete your LW.Org account via protocol means along the data pertaining to it, or request us to delete it for you through our contact form.
- You may request the stored data about you by contacting us via the above mentioned form.
- You may request us to delete any public muc log data pertaining you by sending yet again an inquiry and we’ll do our best to oblige.
- Passwords are stored into the server in hashed format strengthened by a randomly generated key salt making it way harder for ’em to be decoded or cracked for both xmpp or mail.
- We do although encourage you to apply basic safety measures to create passwords of decent strength.
- LW.Org Administrators will never ask you for your password/s and or will be able to retrieve ’em on your behalf in case of loss.
Regarding SPIM Blocking challenges:
- The SPIM blocking module uses reCAPTCHA to protect its form from automated solving by bots.
- This means the following data will be handed out to Google Services: the requester origin IP address.
- To note that the requester origin ip address will be also logged by our systems to troubleshoot and prevent any possible abuse.
— Regarding Inactivity
We periodically perform checks for inactive entities may that be MUC Groupchats or User Accounts:
- Persistent Rooms on conference.lightwitch.org unused for more than 30 days, will be automatically deleted.
- User Accounts inactive and not logging in for more than a year may eventually be deleted from the server store, along with all their data.
— Final disclaimers
LW.Org provides its public services, AS IS, without guarantees of sort, we perhaps decline any liability in case of damage or loss derived from their usage. We also reserve the right to suspend either the services, and/or the access to them to any third party, without notice.
By registering and/or using an account, you agree to abide to the above service agreement and consent the eventual treatment of your data and meta data by us or a third party as described (implicitly or explicitly) in this document.