Masto.host is a service provided by WAP – Web Access Platforms, Unipessoal, LDA.
WAP is a one-person company 100% owned and administrated by Hugo Gameiro. Masto.host aims to make running a Mastodon instance easily accessible. Besides me, Hugo Gameiro, there are no other company employees. I will single-handedly conduct the provision of this service.
I only request and store essential information to offer the services in Masto.host.
The only information requested is:
- email address
- domain/subdomain for installations
- plan for the subscription
Besides the referred data, I will also store the IP used to sign up, the payment history, and, temporarily, the IPs used to sign in to the web interface on my.masto.host. I also store other encrypted data, such as the password, “remember me” series and tokens, time-based one-time password/two-factor authentication (TOTP/2FA) secret, backup code for TOTP/2FA and other security tokens.
That information is only processed by me and stored on the Masto.host database (with remote temporary backups) and local copies on my work devices.
I use that information to keep track of Masto.host active and cancelled services. You may request that I delete/anonymise your information from my records at any time.
The payment processing providers for Masto.host are FastSpring and PayPal. They can require extra information to process your subscription, but Masto.host does not store that information.
Your personal information is private and never shared with anyone or used for any other purpose than to provide you with the service you subscribed to.
Masto.host has no newsletter, and you will only be contacted by Masto.host if something important about your service is needed. I don’t do email marketing, period.
As GDPR requires that a DPO (Data Protection Officer) be named, obviously, the DPO for Masto.host is me (Hugo Gameiro).
I also control the data sent to the firstname.lastname@example.org email address. For example, whenever you request support, the only copies of your request and my reply are stored there. Also, the notifications from FastSpring and PayPal about subscriptions and payments, which may include personal information, are redirected to that email account.
The email address email@example.com is hosted by Fastmail and secured behind a large unique password and two-step authentication.
The Masto.host website doesn’t use tracking cookies but requires authentication cookies to access my.masto.host. The server that runs the Masto.host website is maintained by me and kept up to date using cPanel and CloudLinux.
This is all the personal information I store and use to run Masto.host.
Privacy of the Hosting Service
When it comes to the hosting service of Mastodon servers, I am solely a Data Processor. This means that I process the data that the server owners (who are the Data Controllers) request of me and permit me to process.
As a data processor, I employ the best security to keep the data private, namely keeping the servers and software up to date and only remotely accessible using private keys.
Also, you can be sure that I don’t go through the data stored in server databases, logs or any form of media (images/videos). I will only do so when explicitly asked by the owner, when necessary due to a technical issue, or if I suspect some illegal activity or some abuse of the system is happening.
Although it has never happened, you should also know that I will give access to server data to authorities if a legal warrant is presented to me that requires that I provide access to that data. Again, this has never happened, and I will disclose it if a case like that ever happens.
Besides the already mentioned Fastmail, I currently rely on four sub-processors: MailGun, Bunny, ClouDNS and OVH.
MailGun handles all notification emails sent by the Mastodon servers hosted on Masto.host, unless requested otherwise by the server owner.
Bunny provides CDN (Content Delivery Network) for media files. The CDN caches media files remotely and aims to improve load times on media files, especially for users outside Europe.
ClouDNS provides DNS hosting for Masto.host services.
OVH is the server rental and data center infrastructure provider. OVH data centers in France are where the hosted data is stored.
As a Data Controller (server owner) or a user of a server hosted on Masto.host, you should know that Mastodon was not built to communicate private information and that the data stored by Mastodon is currently not encrypted (except user passwords). You should not store private information on any Mastodon instance. Remember that if a data breach occurs, you should expect all stored information to be fully accessible.
In case of a data breach, I will report it without “undue delay” to all owners of the servers involved.
All servers hosted by Masto.host use Mastodon software that provides users access to their personal information, where they can download an archive or change/delete it.
The only data stored in Masto.host servers, not generated by the Mastodon software, and that could contain a form of personally identifiable information (IP addresses) is an access log containing the IP address of the requests made to the servers. These logs are auto-deleted in less than 90 days.
At any time, any server owner can download a backup to migrate their server to a different hosting solution and request the deletion of all data related to that server.
Each server owner is responsible for informing and getting consent from the users to store and process their information.
Rights of the data subject
Although server owners use my services as a Data Controller, by using the service, they also have rights as a data subject (regarding these, WAP is the Data Controller). As such, server owners are entitled to exercise the following rights:
Right to access (article 15 GDPR)
This right allows you to know if your data is being processed or not. When it is being processed, you can inquire about the purpose of the processing, the categories of data being processed, who is accessing your data and the retention period.
Right to rectification (article 16 GDPR)
By exercising this right, you can ask that your data be rectified/corrected when the personal data is inaccurate.
Right to erasure (‘right to be forgotten’) (article 17 GDPR)
You can ask to be forgotten in the following conditions:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you want to withdraw consent on which the processing is based, and there is no other legal ground for the processing;
- you object to the processing according to your right to object, and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
Right to restriction of processing (article 18 GDPR)
You can ask that I restrict the processing of your data if:
- you contest the accuracy of your personal data, and you can ask for the restriction of processing while I verify the accuracy of the personal data;
- the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but you require the data for the establishment, exercise or defence of legal claims;
- you objected to the processing (article 21(1)), and verification is pending on whether our legitimate grounds override those of the data subject.
Right to data portability (article 20 GDPR)
This right allows you to ask for your data to be transferred to you or a service of your choosing.
You can only exercise this right when the data is processed with a legal basis on your consent or a contract and when the processing is carried out by automated means. I will provide the data in a structured, commonly used, machine-readable format.
Right to object (article 21 GDPR)
You can object to the processing of data.
Right to withdraw your consent
At any given time, you also have the right to withdraw your consent.