Please read this document carefully before accessing or using this service!
Data privacy is important, and we want you to understand the issues involved. For that reason we decided to use plain English instead as much as possible, to make our terms as clear as possible. Some sections still have room for improvement - we plan to tackle these over time.
Where you read 'modular.im' or 'Modular', it refers to the service made available at https://modular.im for the purchase, provisioning, configuration, monitoring and management of hosted homeservers and associated services.
Where you read 'homeserver', 'homeservers' or 'the Homeserver', it refers to the services configured within Modular which store User account and personal conversation history, provide additional functionality such as bots and bridges, and (where enabled by the Customer) communicate via the open Matrix decentralised communication protocol with the public Matrix Network.
Where you read New Vector, New Vector Ltd. or we or us, it refers to New Vector Ltd., and its French subsidiary: New Vector SARL and their agents.
New Vector Ltd. is both the Data Controller and the Data Processor for Modular. We can be contacted as per the details below:
Email: [email protected]
10 Queen Street Place
Should you have other questions or concerns about this document, please send us an email at [email protected].
This document explains Data Privacy as it relates to Modular Customers. Modular Customers use Modular to provision and manage hosted homeservers. Apart from where otherwise noted, this document does not address Data Privacy issues relating to the messaging and file data submitted by Users to the hosted homeserver instances.
This document is designed to explain Data Privacy issues relating to a Modular Customer. Put simply, you're a Customer if you're paying (or otherwise compensating) New Vector Ltd to provide a dedicated hosted messaging service. If you have an account registered on a homeserver that you use to send and receive messages, you're a User.
It is possible to be both a Customer and a User, but we encourage you to consider these roles separately when thinking about Data Privacy concerns.
Over time we may make changes to this document. If we make a material change we will provide the Customer with reasonable notice prior to the change. We will set forth the date upon which the changes will become effective; any use of Modular by the Customer, or any use of a hosted homserver by a User will constitute the Customer's acceptance of these changes.
Your access and use of Modular is always subject to the most current version of this document.
New Vector processes your data under Performance of Contract. This means that we process your data only as necessary to meet our contractual obligations to you, or to engage with you to do something before entering into a contract (such as providing a quote).
The Customer can use Modular to provision and manage hosted Matrix.org homeservers. The Customer owns and controls all messages and files submitted to their homeserver by User accounts registered natively on their homeserver. This ownership does not extend to messages and files submitted over federation or bridging.
This means that, in addition to the usual data access controls defined by the Matrix protocol, all unencrypted messages and files can be accessed by the Customer, and that access is retained even if no User account within the system retains access to the data.
You can request that New Vector forget your personal data by closing your account. For assistance, please contact support on [email protected]
Under GDPR you have a right to request a copy of your data in a commonly-accepted format. If you would like a copy of your data, please send a request to [email protected].
You have rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances. Some of these rights are explored in more detail elsewhere in this document. For completeness, your rights under GDPR are:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
We collect information about you when you input it to Modular.im or otherwise provide it directly to us.
We collect information when you register for an account. This information is kept to a minimum on purpose, and is restricted to:
Authentication Identifier; one of:
Email address and password
Your authentication identifier is used to authenticate your access to Modular.im and to uniquely identify you.
Paying for hosted homeserver service via Modular is handled entirely by our payment processor, Stripe. The processor stores your credit card information as well as your billing contact information in order to process your monthly or annual automatic renewals, or to allow you to upgrade or downgrade your subscription without re-entering a credit card number.
We never have access to, nor store your full credit card information.
The payment processor code we use also sets a cookie in your browser, to remember your info for future purchases. You can delete or block that cookie if you wish; our website will continue to work.
We require you to enter your billing information. This data, as well as the last four digits of your credit card which is sent to us by our payment processor, is stored in our transaction database in order to maintain our financial records. This information appears on your invoice, which can be accessed by anyone who as been sent the url link to your invoice. We make the invoice links purposefully long and hard to guess for added security, and we prevent search engines from indexing them.
The history of changes to the billing contact information on the invoice made by you or our team are logged and stored in our transaction database.
The data we collect in our transaction database, including Personal Data, is not shared with third parties, except for the purposes of determining the validity of a payment. In this case we may share the name and email address associated with the purchase with the credit card holder, your company's accounting department, or with our payment processor when responding to a chargeback.
We log the IP addresses of everyone who accesses Modular.im. This data is used in order to mitigate abuse, debug operational issues, and monitor traffic patterns. Our logs are kept for not longer than 30 days.
We track fully anonymised usage data for Modular.im. This data helps us to understand how our users are using the application so that we can make improvements.
Our analytics are powered by the Free and Open Source analytics platform Matomo, hosted entirely within our network. We don't share any analytics data with third parties.
In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to
(a) comply with any applicable law, regulation, legal process or governmental request,
(b) protect the security or integrity of our products and services (e.g. for a security audit),
(c) protect New Vector Ltd. and our users from harm or illegal activities, or
(d) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the serious bodily harm of any person.
We never store password data in plain text; instead they are stored hashed (with at least 12 rounds of bcrypt, including both a salt and a server-side pepper secret). Passwords sent to the server are encrypted using SSL.
It is your sole responsibility to keep your user name, password and other sensitive information confidential. Actions taken using your credentials shall be deemed to be actions taken by you, with all consequences including service termination, civil and criminal penalties.
If you become aware of any unauthorized use of your account or any other breach of security, you must notify New Vector Ltd. immediately by sending an email to [email protected]. Users should manage good password hygiene (e.g. using a password manager) and change their password if they believe their account is compromised.
If you forget your password (and you have registered an email address) you can use the password reset facility to reset it.
You can manage your account by signing in to Modular at https://modular.im.
We will never change a password for you.
We never knowingly collect or maintain information in Modular.im from those we know are under 16, and no part of Modular.im is structured to attract anyone under 16. If you are under 16, please do not use the Service.
You can access all your personally identifiable information that we collect by using the account management interface at https://modular.im. You can download a copy of all your data as per section 2.1.4.
Data stored in Modular.im is accessible by the Customer's account and by New Vector Ltd engineers (employees and contractors) under the conditions outlined below.
We restrict who at New Vector Ltd. (employees and contractors) can access Modular.im data to roles which require access in order to maintain the health of Modular.
We never share what we see with other users or the general public.
Physical access to our offices and locations use typical physical access restrictions.
We use secure private keys when accessing servers via SSH, and protect our AWS console passwords locally with a password management tool.
In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.
If we or substantially all of our assets are acquired by a third party, personal data held by us about our users will be one of the transferred assets.
All of the Modular.im user data resides within the same dedicated cluster. We use software best practices to guarantee that only the Customer can access it. In other words, we segment User data via software. We do our best and are very confident we're doing a good job at it, but, like every other service that hosts User data on the same database, we cannot guarantee that it is immune to a sophisticated attack.
If you have discovered a security concern, please email us at [email protected]. We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. Data security is our highest priority, and work to address any issues that arise as quickly as possible.
Please act in good faith towards our users' privacy and data during your disclosure. White hat security researchers are always appreciated.
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention at [email protected] if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
If you want to make a complaint about the way we have processed your personal information to the supervisory authority, you can contact the ICO (the statutory body which oversees data protection law) at https://www.ico.org.uk/concerns.