Privacy

1. Philosophy

Privacy is not a feature we bolt on. It's a design constraint we start from. Every service on this platform is selected and configured with the assumption that the operator should be unable to build a meaningful profile of any user, even with full database access.

Data is shared with third parties only where technically unavoidable for service delivery — federated protocols like Usenet exchange some routing metadata with peer servers by design. Outside of that, data stays on our infrastructure. We have no business relationships with ad networks, data brokers, or intelligence contractors.

2. Data minimization in practice

Pages and services load assets exclusively from our own servers. There are no third-party scripts, fonts, or CDN resources that would expose your IP address to an outside party on page load.

Cookies are set only where strictly required for session state — services that work without them do not set them. Access logs are rotated on short cycles and stripped of client IPs before archival where the software permits it.

Registration on any service we control requires only a username and passphrase. Email addresses and real names are never asked for. User-agent strings are not stored or analyzed.

3. Service-specific notes

CryptPad

CryptPad is zero-knowledge. The server stores encrypted blobs. We have no ability to read document content, document names, or drive structure. Account metadata (username hash, storage quota usage) is stored but contains no identifying information.

Jitsi

Call rooms are ephemeral. No server-side recording is enabled. For calls with more than two participants, media is routed through our SFU server. IP addresses of call participants are visible to the server during the call and are not logged afterward.

YAMN Remailer

The YAMN remailer is a store-and-forward anonymous remailer. It cannot associate incoming messages with outgoing messages by design. We do not log message content or routing metadata. The remailer's public key and statistics are published to Echolot as required for participation in the mix network.

4. Technical implementation

All services are accessible only over TLS 1.3. No TLS 1.2 or earlier. HTTP Strict Transport Security is enabled with long max-age values. Content Security Policy headers restrict resource loading to our own domains.

Server software is kept up to date. Security patches are applied as soon as practical after disclosure. We do not use shared hosting or managed cloud platforms where provider staff could access user data at the infrastructure layer.

5. Legal

We are based in the European Union. EU data protection law (GDPR) applies. We do not process personal data in ways that require formal GDPR documentation because we do not process personal data at all beyond what is technically unavoidable.

In the event of a legally binding order compelling disclosure, we will disclose only what we have, which is minimal. We will notify affected users if legally permitted to do so.

6. Contact

Questions about data or requests for deletion can be sent to info (a) virebent.art. See the contact page for our PGP key.