NATO Matrix Identity Server Privacy Notice

1. Introduction

1.1 English, Not Legalese

Privacy is important, and we want you to understand the issues involved. We have decided to use plain English as much as possible, to make our terms as clear as possible.
When you read ‘the Identity Server’, ‘the Identity Servers’, or ‘the Service’ below, it refers to the Identity Server made available at https://sydent.ilab.zone, which provides account discovery services for NI2CE Messenger users. Innovation Hub ACT is the Data Processor for the Service. We can be contacted as per the details below:
Email: info@innovationhub-act.org

2. What is a Matrix Identity Server?

Identity Servers support contact discovery on Matrix by letting people look up Third Party Identifiers to see if the owner has linked them with their Matrix ID.

2.1 What is a Third Party Identifier?

A Third Party Identifier is an identifier that uniquely identifies a person, but isn’t a Matrix ID.
Most commonly this is an email address or a telephone number.

2.2 How does it support contact discovery?

Identity Servers offer the following services:

Verified Association of Matrix ID with Third Party Identifier

You can ask the Identity Server to establish that you own your email address or phone number and associate it with your Matrix ID. The Identity Server will verify that you own that identifier by sending a link or code to your email address or phone. The association is not considered valid until your ownership of the Third Party Identifier has been confirmed.

Account Lookup by Third Party Identifier

You can look up a Matrix ID by searching for its associated Third Party Identifiers. You cannot look up Third Party Identifiers by searching for their associated Matrix ID. For example: if Alice has used the Identity Server to link her email, alice@example.com, with her Matrix ID, @alice:example.com, other users can look up her Matrix ID by querying the Identity Server with her email address, but they cannot discover her email address by querying the service with her Matrix ID.
The Identity Server supports both individual and bulk Third Party Identifier lookup:

Individual Third Party Identifier Lookup

Individual Third Party Identifier Lookup is usually used when inviting a user to a Matrix room by their Third Party Identifier.

Bulk Third Party Identifier Lookup

Bulk Third Party Identifier Lookup is usually used to check whether any of your existing contacts already have a Matrix ID.

3. Access to Your Data / Privacy Policy

3.1 What is the legal basis for processing my data?

3.1.1 Legal Basis for Processing

Your data is processed under Legitimate Interest. This means that we process your data only as necessary to deliver the Service, and in a manner that you understand and expect.
The Legitimate Interest of the Service is the discoverability of contacts across a Matrix ecosystem. The processing of user data we undertake is necessary to provide the Service.
This facility is an optional component of the services provided by NI2CE Messenger, designed to make contact discovery easier. Matrix works very well without an Identity Server.

3.1.2 Right to Erasure

You can remove your data from the Service at any time by using a Matrix client (such as NI2CE Messenger) to remove your Third Party Identifiers from the connected Identity Server. The data will be rendered inaccessible straight away, and will be deleted from the Identity Server database within 30 days.

3.1.3 Data Portability

You have a right to request a copy of your data in a commonly-accepted format. If you would like a copy of your data, please send a request to info@innovationhub-act.org.

3.1.4 Your Rights as Data Subject

You have rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances. Some of these rights are explored in more detail elsewhere in this document. For completeness, your rights are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

If you have any questions or are unsure how to exercise your rights, please contact us at info@innovationhub-act.org.

3.2 What Information Do You Collect About Me and Why?

The information we collect is purely for the purpose of letting people discover Matrix IDs that have been publicly linked with a Third Party Identifier (such as email or telephone number). We do not profile users or their data on the Service.

3.2.1 Information you provide to us:

We collect information about you when you input it into the Service or otherwise provide it directly to us.

  • Matrix ID
  • Third Party Identifiers (such as email or telephone number)

3.2.2 Information we collect automatically as you use the service:

Third Party Identifiers you look up

Third Party Identifiers that are looked up are logged in our application logs. These logs are kept for no longer than 7 days. HAProxy logs may be kept up to 60 days.

Connection Information

Currently, we log the IP address of the party who accesses the Service. Since this is usually the homeserver requesting data on behalf of its user(s), it is usually the IP address of the homeserver that is logged. This data is used in order to mitigate abuse, debug operational issues, and monitor traffic patterns. Our logs are kept for no longer than 180 days.

3.3 What Information is Shared With Third Parties and Why?

3.3.1 Sharing Data with Connected Services

The purpose of the Service is to share your associated Matrix ID with whomever looks up your linked Third Party Identifiers.

3.4 Sharing Data in Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights

In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to:

  • comply with any applicable law, regulation, legal process or governmental request,
  • protect the security or integrity of our products and services (e.g. for a security audit),
  • protect NATO HQ SACT Innovation Branch and our users from harm or illegal activities, or
  • respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the serious bodily harm of any person.

3.5 Our Commitment to Children’s Privacy

We never knowingly collect or maintain information in the Service from those we know are under 16, and no part of the Service is structured to attract anyone under 16. If you are under 16, please do not use the Service.

3.6 How Can I Access or Correct My Information?

You can view and modify your published Third Party Identifiers by using any compatible Matrix client (such as NI2CE Messenger) and managing your User Settings.

3.7 Who Can See My Matrix ID/Third Party Identifier Associations?

Anyone within the private NATO HQ SACT federation who knows your Third Party Identifier can query the Service to see if you have linked it with a Matrix ID. Queries only work in this direction. It is not possible for parties who only know your Matrix ID to query the service and discover your Third Party Identifiers.

The association between your Matrix ID and your Third Party Identifiers is stored in NATO HQ SACT Innovation Branch databases. This means that, unlike regular users, NATO HQ SACT Innovation Branch employees and contractors can look up your Third Party Identifiers from your Matrix ID (subject to the NATO HQ SACT Innovation Branch data access guidelines below).

3.8 What Are the Guidelines NATO HQ SACT Innovation Branch Follows When Accessing My Data?

  • We restrict who at NATO HQ SACT Innovation Branch (employees and contractors) can access user data to roles which require access in order to maintain the health of the Service.
  • We never share what we see with other users or the general public.

4. Making a Complaint

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention at info@innovationhub-act.org if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.