Privacy Notice Link to heading

Fediverse Instance Link to heading

This privacy notice explains what information is processed when using the instance and what rights users have in relation to the operators of the instance. All statements and rights explained here are in accordance with the European General Data Protection Regulation (GDPR), applicable since 25 May 2018.

1. Data Processing When Accessing the Homepage, Before Registration, and During Use Link to heading

As soon as the homepage of the instance is accessed—whether to register or during general use—a connection is established to the web server hosting the instance. In order to display content to the browser or app on the user’s device, certain data is processed according to the protocols used (http, TCP/IP, etc.). This may include:

  • the IP address of the internet connection
  • the operating system version of the PC, tablet, or smartphone
  • the device’s screen resolution
  • the (approximate) location of the device
  • the browser or app used
  • the time of access

These technical data are processed so the content can be delivered from the server and correctly rendered in the browser or app. Some of these data are logged by the web host after each visit for maintenance and security purposes but IP addresses are usually deleted after 14 days, often sooner.

The server is operated by a professional hosting provider located in the European Union, and the servers themselves are also in Europe. The hosting provider is contractually obligated to follow technical and organizational security measures as instructed by the instance operators.

Legal basis: Art. 6(1)(f) and Art. 6(1)(b) GDPR.

2. Data Processing During Registration Link to heading

During registration, basic account information is processed, including:

  • Username
  • Email address
  • Password

Optional profile information may include:

  • Display name
  • Biography
  • Profile picture
  • Header image

Note: Username, display name, biography, and images are publicly visible and federated to other instances. Technically, all this information is also accessible to the instance operators.

Legal basis: Art. 6(1)(b) GDPR.

3. Data Processing While Using the Instance Account Link to heading

Posts, Followers, and Other Public Information Link to heading

  • Public visibility of followers and followed accounts
  • Posts may include media (images, videos)
  • Metadata such as date, time, and app used
  • Federated content may be copied or stored on other servers
  • Post deletion is requested across the Fediverse but not enforceable

“Followers Only” and “Mentioned Only” Posts Link to heading

  • Stored on the instance server
  • Delivered to intended recipients
  • Not end-to-end encrypted
  • Instance operators (local or remote) may access content
  • Poll responses follow similar behavior

Users should evaluate the trustworthiness of other instances and manually approve followers when concerned about privacy.

Polls Link to heading

  • Up to four answer options
  • Votes stored via user tokens
  • Selected option shown when revisiting poll

IP Addresses and Other Metadata Link to heading

  • IP and browser details logged during login
  • Last IP normally stored up to 12 months
  • This instance deletes IPs immediately after processing

Sensitive Data (Art. 9 GDPR) Link to heading

  • Users may post sensitive personal data (e.g., health, political views)
  • The instance federates with others globally
  • Use caution: such content is public or may be accessed

Legal basis:

  • Art. 6(1)(b) GDPR – For general use
  • Art. 9(2)(e) GDPR – If made public
  • Art. 9(2)(a) GDPR – With explicit consent

4. Use of Cookies Link to heading

  • Session cookies used to store:
    • Login status
    • Session ID
    • Last visited page

Cookies are technically necessary and stored in the browser.

5. Data Processing in Email Communication Link to heading

When users contact the instance via email:

  • Email address and message content are stored
  • Retention:
    • Emails deleted after 1 year of inactivity
    • Contact info after 2 years

Legal basis: Art. 6(1)(f) GDPR – Legitimate interest.

6. Data Processing When Embedding Third-Party Content Link to heading

Examples: YouTube, PeerTube videos embedded via iFrames.

  • Only a preview is loaded initially
  • Clicking the video connects to external servers
  • Data like IP address may be shared with those providers

Instance operators have no control over third-party data handling.

7. User Rights Link to heading

Under the GDPR, users have the right to:

  • Access personal data (Art. 15)
  • Rectify incorrect data (Art. 16)
  • Erase data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Lodge a complaint with data protection authorities

Contact details for exercising these rights are in the legal notice (imprint).

General Notice: Overview of Processing Activities Link to heading

Types of Data Processed Link to heading

  • Inventory data
  • Employment data
  • Location data
  • Contact data
  • Content data
  • Usage data
  • Meta, communication, and procedural data
  • Log data

Categories of Data Subjects Link to heading

  • Employees
  • Communication partners
  • Users
  • Third parties
  • Whistleblowers

Purposes of Processing Link to heading

  • Communication
  • Security measures
  • Reach measurement
  • Tracking
  • Audience targeting
  • Organizational and administrative procedures
  • Feedback
  • Marketing
  • Profiling
  • User-friendliness
  • Infrastructure
  • Public relations
  • Whistleblower protection

Under the GDPR:

  • Consent – Art. 6(1)(a)
  • Contractual necessity – Art. 6(1)(b)
  • Legal obligation – Art. 6(1)(c)
  • Legitimate interest – Art. 6(1)(f)

Under German law (BDSG): Additional national data protection rules apply.

Swiss DPA: This notice also complies with the Swiss DPA where applicable.

Security Measures Link to heading

Implemented in accordance with risk and legal requirements:

  • Data confidentiality, integrity, availability
  • Secure access, encryption (HTTPS), data separation
  • Deletion protocols
  • Data protection by design and default

TLS/SSL Encryption (HTTPS) Link to heading

  • All data in transit is protected via HTTPS/TLS
  • Confirmed via the browser’s lock icon or address bar

Data Transfers Link to heading

Internal Sharing Link to heading

  • Data may be shared between departments for operational reasons.

Third Parties Link to heading

  • Includes hosting, IT, and content service providers
  • Contracts ensure data protection compliance

International Transfers Link to heading

  • For the USA: Data Privacy Framework (DPF) used
  • SCCs (Standard Contractual Clauses) are fallback protections
  • More Info

Data Retention and Deletion Link to heading

Data is deleted when:

  • Consent is withdrawn
  • Purpose is fulfilled
  • No legal basis remains

Typical Retention Periods (Germany) Link to heading

  • 10 years – accounting, tax
  • 8 years – receipts, invoices
  • 6 years – correspondence
  • 3 years – legal claims/statute of limitations

Data Subject Rights (GDPR) Link to heading

  • Object (Art. 21)
  • Withdraw consent (Art. 7)
  • Access (Art. 15)
  • Correct (Art. 16)
  • Delete (Art. 17)
  • Restrict (Art. 18)
  • Portability (Art. 20)
  • Complain to authorities

Provision of Online Services & Hosting Link to heading

Data processed: IPs, logs, metadata

  • Subjects: users
  • Purpose: functionality, infrastructure, security
  • Legal basis: Art. 6(1)(f) GDPR

Hosting Link to heading

  • Providers: e.g. Hetzner, Instart CDN
  • May also use own servers

Blogs and Publications Link to heading

When users leave comments or content:

  • Data: name, contact info, IP, message
  • Purpose: communication, feedback, public display
  • Legal basis: Art. 6(1)(f) GDPR
  • Retention: until objection raised

Contact & Inquiry Management Link to heading

User contact via form, email, social media:

  • Purpose: response, organization, feedback
  • Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR

Social Media Presence Link to heading

Fediverse instance presence on:

  • Bluesky
  • X (formerly Twitter)
  • YouTube

Note: Data may be processed outside the EU. Platform privacy policies apply.

Embedded Third-Party Content Link to heading

Includes: YouTube, Google Fonts, Google Maps, X plugins

  • Data: IP, browser, usage
  • Purpose: content display, measurement
  • Legal basis: Art. 6(1)(a) or Art. 6(1)(f)
  • Retention: cookies up to 2 years

Whistleblower Data Protection Link to heading

Handled confidentially.

Legal bases:

  • Legal obligation – Art. 6(1)(c)
  • Special category data – Art. 9(2)(g), § 22 BDSG
  • Internal investigations – Art. 6(1)(f)
  • Consent – Art. 6(1)(a)

Changes and Updates Link to heading

Please check this privacy notice regularly. Significant updates may require renewed user consent.

Data Controller Link to heading

To exercise rights, contact:

EzuVista
admin@explorers.gay
c/o MDC Management#2131
Welserstraße 3
87463 Dietmannsried

Please contact: admin@explorers.gay with your request to ensure quick reactions and action!