Legal Notice and Privacy Policy for Durare
Hello,
We need to provide Legal Notice of Durare for us to be placed in at least B Category of https://providers.xmpp.net/. Building on previous thread for diasp.in service me and @pun have drafted a version. It is not perfect yet, and will go through further corrections and revisions. We should make a clear and simple notice in English, not legalese.
Durare Terms of Service (Version 0.1)
By using any of the services provided by Durare you agree to our terms of use. These conditions can be changed at any time without prior notice. However we highly evaluate transparency and will do our best to make sure users are notified as soon as possible about any major changes via our forum on Codema.
1. Resource Limitations - Resources are scarce. Use Durare service with responsibility, please try not to share large chunks of files or spam. We have set a total size limit of 1GB/day/user to make sure the services are available for everyone to use.
2. Account expiration - Accounts that are inactive for more than 1 year are deleted to manage the resource availability. Account owner will be notified, if contact details are shared with us, before the deletion.
3. Password - Password reset is only possible if you have shared your email when applying for account invite, otherwise, passwords cannot be recovered.
4. Legal responsibilities - As for anything else you do, be aware that Durare is not responsible for what you write, nor for the safeguard of your own privacy. We therefore invite you to make the most of all the existing tools to defend your rights. We remind you not to upload on the site copyright protected materials that could endanger the existence of our very servers (and all services connected to it).
The aim of Durare is to promote open source, free software and all kind of copyleft content. Embrace it and support artists and projects that release their work under those licenses. Please refer to our privacy policy to learn more about how your information is being stored and used.
5. Refraining from certain activities - You may not engage in the following activities through the services provided by Durare:
1. Misuse of services by distributing viruses or malware, engaging in a denial of service attack, or attempting to gain unauthorized access to any computer system, including Durare servers.
2. Contributing to the abuse of others by distributing material where the production process created violence or sexual assault against persons or animals.
6. Account Termination - Durare may terminate your service if the account has engaged in any of the banned activities listed above.
7. No Warranty - You understand and agree that Durare provides you primarily with internet-based services. Therefore, services are offered as is, subject to availability and without liability to you. As much as we wouldn't like letting any of our users down, we just cannot give any warranty as to the reliability, accessibility, or quality of our services. You agree that the use of our services is at your sole and exclusive risk.
Privacy Policy
1. We do not read, share or sell your data. We are hosting Durare because we care about privacy on the internet. We are funded by people like you via donation.
2. Our server is located in Finland and hosted with Hetzner based in Germany. Their Privacy Policy is at https://www.hetzner.com/legal/privacy-policy/.
3. We use disk encryption on all data to prevent data leak in cases where servers are stolen, confiscated, or in any way physically tampered with.
4. Applications like Gajim, Conversations support End to End Encryption (E2EE). If E2EE is enabled, no one other than sender and recipients will be able to read the messages. Not even the admins can read your messages. E2EE is not enabled by default in all applications. You may have to manually enable encryption for each conversation in some applications. We recommend E2EE for all conversations. (Remember to back up your encryption keys, we will not be able to retrieve your messages in case the keys are lost.)
5. We provide and require SSL/TLS encryption on all provided services.
6. Federation - XMPP service provided by Durare is based on Federation Protocols. This enables users signed up at different service providers to interact with each other. Because of the nature of the protocols (ability to send each other messages, likes, share files, chat) some of the data is naturally shared with other entities. However, sharing data with other service providers is the user's choice and is configured by the users in their settings per service including the decision of with whom and what to share.
7. You may be shown embedded videos and link previews from other websites while using services provided by Durare. This may expose you to web tracking by external services, such as (but not limited to) Facebook, Twitter, and Google.
What is Stored?
Email address, if provided during account creation
Date of registration and last login (to detect inactive users)
Username and password hash
Profile information and avatar
IP addresses for incorrect login attempts
Contacts and MUCs added to the account
Uploaded files (180 Days)
Message archive (MAM) (can be disabled on your client)
Offline messages
If you have any doubts on our terms of service, please contact us on diasp.in@autistici.org
Please feel free to comment something that you would like to add, remove or any other suggestion.
pun Fri 12 Dec 2025 10:23AM
Durare.org is now a B class provider on providers.xmpp.net as we have finished adding a legal notice at https://durare.org/notice.html.
As far as what is our data retention policy, I'm adding a table with details, please feel free to correct me.
| Data | Retained till |
| --- | --- |
| Messages stored on the server (if user has enabled MAM) | 180 days |
| Email collected via formbricks form. | Not known yet |
| Files uploaded to the server | 180 days |
| Roster (if user's client uploads it to the server for syncing purposes) | Till the user has an account on the server. |
| Last active date | Till the user has an account on the server |
| Failed login attempt IP addresses | Not known yet |
| MUC bookmarks (if the user's client uploads them onto the server) | Till the user has an account? |
| Voice and video communication data | Not stored (right?) |
| Last activity (if user chooses to put it on the server) -- this is time and not date | Till the setting is enabled, last activity will be stored on the server. |
Pirate Praveen · Mon 8 Dec 2025 11:35PM
Thanks for creating this, some comments.
Include a link to this codema sub group when referring to updates via codema.
I think account expiration can be skipped, diaspora did this, but we don't need it as mam already has limit and the disk usage doesn't grow with inactive accounts. Older messages are cleared by mam to save disk space.
Password recovery section should be updated for prosody. Prosody doesn't collect email so forgot password won't work, but check if clients allow for changing passwords.
I think we no longer use disk encryption.
Federation section is from diaspora, which may need slight tweaks to fit xmpp (it talks about likes and aspects, but this is not how we generally use xmpp).
I think embedded videos and link previews are controlled by clients.
What is stored needs to be updated. Email shared via formbricks is not available to prosody and it is a good idea to include the formbricks section to this - whatever we decided about retaining / cleaning the form data.
mam and offline messages are same. We may need to explain mam here. Especially since other messengers keep a long message history (do they even clear old messages at all?). Messages are stored on the server only for the time we configured for mam - we need to mention our configured mam limit. Older messages than this will be deleted. If they want to keep message history, they need to make backup from clients.
omemo section may additionally recommend verifying devices by scanning QR codes. Since clients mention omemo, we can also mention omemo in e2ee section.
I prefer if we mention Monocles Chat instead of Conversations as it is a much nicer experience.
I'd prefer to drop the term open source and only mention Free Software as I'm more aligned with idea of freedom of users than a development model to create better software.
We should also mention diasp.in and poddery.com XMPP also follow this policy, but new accounts are only created on durare.org. It may be better to mention Matrix service of poddery.com is maintained by FSCI and link to that privacy policy. We may also mention that even though we serve three domains, it is physically hosted on the same server so if the server goes down, all three domains would be down.
We should probably encourage users to donate and link to donate page as well.