Privacy Policy
Foreword
This privacy policy is adapted from Disroot's.
1998 is an extremely small, independent passion project run by very few people. While we do not have the resources of larger organizations, we are committed to being transparent about how your personal information is collected, used, and protected. If you have any questions or concerns about your privacy, please feel free to reach out. Your trust is invaluable, and we are dedicated to providing a safe experience for every user.
Definitions used in this Privacy Statement
- GDPR: General Data Protection Regulation, EU 2016/679
- Data: According to the GDPR, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc.). In the specific context of the use of our platform, it is the information required for the proper operation of the services provided by 1998 as well as the information the user optionally submits on any of them.
- Services: the set of different software, protocols and standards used to exchange data between web applications.
- User or you: any person or third party that accesses and uses the services provided by 1998.
- 1998, we or us: 1998.ovh
- Platform: the set of services provided by 1998 and that are hosted on our servers.
- Federated services: services that operate on the basis of so-called federation protocols which enable users who signed up at different services providers to interact with each other. Examples of these services are Nextcloud, Email, Akkoma and XMPP.
- Brute-force attack: an attack that consists of submitting many passwords or passphrases, hoping to eventually find the right one.
The Data covered by this Privacy Statement
This Privacy Statement applies to all services hosted and officially announced by 1998. It does not extend to any external websites or services that can be accessed from our platform including, but not limited to, any federated services communicating outside 1998, or third-party and/or private websites hosted on the 1998.ovh domain. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement. It is important to note that sharing data with other service providers is a user choice and is configurable by users in their settings, including the decision of what to share and with whom.
1. What data do we collect?
The 1998 platform encompasses a diverse array of services, each functioning independently and consequently exhibiting very distinct levels of data collection. To provide clarity, this section is delineated into two segments: firstly, data automatically collected or processed by all services and front-end servers; secondly, supplementary data, inclusive of but not limited to usernames, passwords, or information specifically entered by the user.
If a user chooses to use any of the services provided by us, the following data will be collected by 1998:
- Access logs and other standard, automatically provided and collected necessary information related to the operation and functioning of the services, which may include, for example:
  - IP address
  - Browser user agent
  - Request information (domain, protocol, method, query string, etc.)
- Any supplementary information voluntarily provided by users during the usage of our services, including but not limited to chat interactions, posts, emails, files, documents, etc.
- For more detailed information, please refer to the "Detailed privacy notices per service" section below.
1.1. What do we do with your data?
We only peek into your data when it's justified and necessary. Your privacy really is a big deal to us, so we don't snoop unless there's a good reason. We use your data to:
- Provide the service,
- Ensure proper security by analyzing logs and finding anomalies,
- Diagnose software issues and monitor service health,
- Prevent and detect fraud and/or violations of our Terms and Conditions,
- Communicate with you about important information, updates, and notifications related to the services,
- Comply with legal obligations, like meeting regulatory requirements and responding to legal requests.
Owing to the jurisdiction of our primary server, the front-end web server's access logs may be retained for a duration of at least 12 months. Rest assured, we prioritize the confidentiality of these logs and will only disclose them in response to a valid legal request or similar. For certain services, primarily those that do not allow the user to contribute to the creation of content put online, the logging settings may still be adjusted in favor of your privacy. Please continue reading for further information.
1.2. How do we store and secure your data?
In safeguarding your data, we implement a range of industry-standard security protocols. Noteworthy among these measures are the following:
- If possible and practical, we use disk encryption on all servers to prevent data leaks in case the servers are stolen, confiscated or in any way physically tampered with.
- We provide and require TLS (HTTPS) encryption on all "user-to-server" and "server-to-server" communications on all provided services.
- We use end-to-end encryption wherever a service supports it, to provide maximum security for the users. End-to-end encryption is a robust security measure that ensures only the intended recipients can access and decipher the content of transmitted data, rendering it unreadable to potential hackers or eavesdroppers, even if the server's files can be read by an unauthorized third party.
- We strive to delete any extraneous user data from our servers, following the law and what we can manage.
1.3. How do we back up your data?
To facilitate recovery in the event of data loss disasters, we create backups to various cloud services, employing encryption methodologies that prevent access to the data by the services themselves. Backups are made on a regular basis.
2. What do we NOT do with your data?
- We do not, in any way, process or analyze your behavior or personal characteristics to create profiles about you or your usage of the services. We have no business relationships with advertisers.
- We do not sell your data to any third party.
- We do not share your data with any third party unless it's needed for the functioning of the service (e.g. hosting providers, CAPTCHAs, federated services).
- We use Cloudflare to protect our services from certain attacks. The Internet traffic going to our services may be routed through Cloudflare's servers. Cloudflare may collect some information about you. For more information, please refer to Cloudflare's Privacy Policy as well as their Transparency Report.
- We do not require any additional information that is not crucial for the operation of the service, such as your home address or phone number.
3. Where is the data stored?
The data collected by the services is stored on servers located in Europe (primarily Germany and Poland) and the United States. The data is stored on servers that are secured with industry-leading security measures.
4. Detailed privacy notices per service
4.1 - CryptPad / 1998 Office (https://office.1998.ovh)
- This service supports login, but it is not required.
- All documents created or uploaded to the server are end-to-end encrypted which means no one with access to the server can decrypt/read the data without a valid user-controlled key.
- Documents expire after a time between 1 and 90 days (depending on server load) and are then removed from the server, except if an account was created, in which case documents uploaded to the server are wiped based on the retention period set by the user upon upload/creation.
- This service is hosted on an on-premises server located in Poland.
4.2 - 1998 Status Page
- This service does not support login.
- This service is run by UptimeRobot. Please refer to their Privacy Policy and Terms of Service for information on how they handle your data.
4.3 - 1998 Key/Value Database
- This service does not support login.
- This is a back-end service used by some 1998 services. It is not normally visible to users.
- Some services utilizing this back-end service use end-to-end encryption, safeguarding data with user-controlled keys before it is uploaded.
- The data stored in this service is automatically deleted after a period of no activity or access.
- IP addresses may be associated with the sync keys/identifiers for compliance reasons.
- This service is hosted on a cloud server in the United States. We are working to ensure all data sent to this service is end-to-end encrypted for better security.
4.4 - 1998 DateButton (https://datebutton.1998.ovh)
- This service does not support login.
- The captured dates are stored in a local, browser-backed database by default. The data is uploaded to the 1998 key/value database service when the user chooses to enable synchronization.
- This service is hosted on Cloudflare infrastructure located around the world. For more information, please refer to Cloudflare. However, since the key/value database is hosted in the US, synced data is stored there.
5. Your rights
Under the GDPR you have a number of rights with regard to your personal data:
- Right to access - The right to request (I) copies of your personal Data or (II) access to the information you submitted and we hold at any time.
- Right to correct - The right to have your Data rectified if it is inaccurate or incomplete.
- Right to erase - The right to request that we delete or remove your Data from our servers.
- Right to restrict the use of your Data - The right to restrict processing or limit the way we use your Data.
- Right to Data portability - The right to move, copy or transfer your Data.
- Right to object - The right to object to our use of your Data.
You may exercise your rights directly through our services' account/data management panels, or by contacting us via email to [enable JS to view]. Kindly note that our ability to assist may be limited if the services utilized are anonymous, preventing us from verifying identities or sending copies of only the data associated with you. Furthermore, in instances of end-to-end encryption, we are unable to read your data. In such cases, we recommend exercising your rights through the respective service itself.
5.1. Access to your information
All your data stored on the services that are bound to an account (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible service. Contact us at [enable JS to view] if you have any problems or questions regarding data access.
6. Changes to this Privacy Statement
Any and all changes to this Privacy Statement will be publicly available and communicated to all users via the main page. We recommend that you regularly check for any changes to this Statement.
Last updates of this Privacy Statement:
- May 13 2024: Updated information about server locations.
- February 4 2024: Clarified the location of the data stored by the DateButton service.
- January 20 2024: Updated information about the status page.
- January 1st 2024: Updated information about server locations.
- 29 December 2023: Removed references to another service that's no longer available.
- 25 December 2023: Added information about DateButton and clarified what data is collected by the key/value database. Removed references to a service that is no longer available.
- 24 December 2023 (Christmas): Added information on Cloudflare.
- December 2023: Initial revision.