Privacy Policy
This policy explains what personal data Axion processes, why we process it, and what rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). It applies to the messaging service operated at axionchat.chat, the federated Matrix homeserver matrix.axionchat.chat, the Jitsi instance at meet.axionchat.chat, and the Axion mobile and desktop clients (“the Service”).
1. Who we are
Axion is operated as an independent privacy project by Adil Mustafayev, currently residing in Azerbaijan. The operator intends to migrate the Service to an Estonian e-Residency company in the near future; this policy will be updated and republished when the controller changes, and you will be notified by in-app banner and email (where you have provided one).
For the purpose of GDPR Art. 4(7), the operator is the data controller for the personal data described below. The controller’s contact details are:
- Privacy enquiries and rights requests: trust@aevrix.org
- Security and abuse reports: security@aevrix.org
Because the operator is currently established outside the EU/EEA but offers the Service to EU residents, GDPR applies under Art. 3(2). A formal Art. 27 representative will be appointed at the same time as the Estonian entity is incorporated; until then, EU residents may contact the operator directly using the addresses above.
2. Data we collect
Axion is designed to collect the minimum data required to operate a Matrix homeserver. We do not use advertising identifiers, third-party analytics, fingerprinting, cross-site trackers, or social plugins. The following table lists every category of personal data we hold.
| Category | What it contains | Source | Lawful basis |
|---|---|---|---|
| Account identifier | Localpart of your Matrix ID (the part before :axionchat.chat) which you choose at sign-up. | You | Contract — Art. 6(1)(b) |
| Authentication secret | An Argon2id hash of your password. We never store the plaintext password. | You | Contract — Art. 6(1)(b) |
| Recovery email (optional) | An email address you provide for password reset. Stored encrypted at rest with a key held only by the homeserver. | You | Consent — Art. 6(1)(a) |
| Device list | An identifier and human-readable name for each device you sign in from, plus the public part of its end-to-end encryption keys. | Your client | Contract — Art. 6(1)(b) |
| Room membership and timestamps | Which rooms your account is a member of, when each event was sent, and the order of events. This is metadata produced by the Matrix protocol; the homeserver inevitably sees it. Message content in encrypted rooms is opaque to us. | Your client | Contract — Art. 6(1)(b) |
| Profile data | Display name and avatar URL, if you choose to set them. These are visible to other users you communicate with. | You | Consent — Art. 6(1)(a) |
| Push notification token | The FCM or APNs token your device assigns, plus the room and event ID for each delivered notification. The notification payload itself is encrypted; only the metadata necessary to wake your device is sent. | Your client | Consent — Art. 6(1)(a) |
| Server logs | HTTP method, path, status code, request size, IP address, and a coarse user-agent string. Used for abuse mitigation and debugging. Stored for a maximum of 14 days. | Your client | Legitimate interest — Art. 6(1)(f) |
| Voice and video session metadata | For calls hosted on meet.axionchat.chat: the room name, conference start/end timestamps, and the IP addresses of TURN relay clients. Audio and video streams are not recorded. | Your client | Contract — Art. 6(1)(b) |
| Abuse and moderation records | Reports submitted via /report or to security@, plus the resulting moderation action (warn, kick, ban) issued by the Mjolnir bot. | You and other users | Legitimate interest — Art. 6(1)(f) |
What we do not have. Because Matrix end-to-end encryption is enabled by default for direct messages and private rooms, the homeserver only stores an opaque ciphertext blob for those messages and cannot decrypt it. We do not have access to your message bodies, attachments, voice recordings, or video. We do not collect phone numbers, government identifiers, contact-book uploads, or biometric data.
3. Lawful basis
Each category in the table above is assigned a specific GDPR Article 6 basis. In summary:
- Contract (Art. 6(1)(b)) covers everything strictly necessary to give you a working account: your username, password hash, device list, and the Matrix protocol metadata that the server must process to deliver your messages.
- Consent (Art. 6(1)(a)) covers optional features: recovery email, profile data, and push notifications. You can withdraw consent at any time from the client settings or by emailing trust@aevrix.org. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Legitimate interest (Art. 6(1)(f)) covers short-lived server logs and moderation records. Our interest is in keeping the Service available, secure, and free of harassment. We have weighed this against your interests and concluded that the 14-day retention window and the absence of profiling make the impact on you minimal. You can object on the grounds in section 7.
4. Retention
| Data | Retention |
|---|---|
| Account and profile | For the lifetime of the account. Erased on deactivation request, except where federation has propagated content (see section 5). |
| Encrypted message ciphertext | Until you delete the message client-side, or until the room is purged. Servers in the federation may retain their own copy independently. |
| Server access logs | 14 days, then automatically rotated and destroyed. |
| Moderation records | 2 years from the last related incident, then anonymised. |
| Backups | Encrypted, off-site backups are kept for 30 days on a rolling window. After 30 days they are overwritten by newer snapshots. |
| Push notification metadata | Not stored beyond the immediate delivery attempt. |
5. Federation: an honest disclosure
Axion is a federated Matrix homeserver. When you join a room that includes accounts from another Matrix homeserver, the Matrix protocol sends those servers a copy of every event in the shared room. This includes your username, your display name, your avatar URL, the timestamp of each event, and (for non-encrypted rooms) the message body. Once an event has been federated to a remote server, we cannot delete it from that server: we can only delete our own copy.
Federation is opt-in per room: rooms you create on Axion default to “public federation off” only if you select that option. Joining a remote room or inviting a remote user explicitly federates that room. We will not silently disable federation, and we will not federate a room you create unless you or another participant takes an action that requires it.
Please do not assume that erasure on Axion is sufficient to remove your data from rooms you have shared with other homeservers. Use Matrix’s redaction feature inside the client to request that remote servers also delete the event; remote operators decide whether to honour that request.
6. International transfers and subprocessors
The Axion homeserver, database and Jitsi instance are hosted on a single dedicated virtual server in Germany (Hetzner-class infrastructure, Falkenstein region). Personal data is stored at rest in Germany, an EU/EEA Member State, and is encrypted on disk.
To deliver the Service we use a small number of subprocessors. The full live list, including each subprocessor’s headquarters, role, and DPA link, is published at /legal/subprocessors.html and summarised here:
| Subprocessor | Role | HQ | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting, storage, network | Germany (EU) | Intra-EU, no Art. 44 transfer |
| Cloudflare, Inc. | CDN, DDoS mitigation, DNS for axionchat.chat | United States; EU edge nodes terminate TLS | Standard Contractual Clauses (2021/914) plus the EU–US Data Privacy Framework certification |
| Migadu Email AG | Transactional email for the axionchat.chat domain (password reset, security alerts) | Switzerland | Adequacy decision for Switzerland (Commission Decision 2000/518/EC, renewed 2024) |
| Backblaze, Inc. | Encrypted off-site backup storage (Backblaze B2, EU Central region) | United States; data resides in the Netherlands | Standard Contractual Clauses; backups are encrypted with a key held only by the operator before upload, so Backblaze cannot read the data |
| Google LLC (Firebase Cloud Messaging) | Delivery of push notifications to Android clients | United States | Standard Contractual Clauses plus the EU–US Data Privacy Framework. We send only the encrypted notification envelope and the destination token. |
| Apple Inc. (APNs) | Delivery of push notifications to iOS and macOS clients | United States; EU edge nodes | Standard Contractual Clauses. We send only the encrypted notification envelope and the destination token. |
We do not sell, rent, or share your data with any party not listed above. We will give you at least 30 days’ notice before adding a new subprocessor; during that window you may object by emailing trust@aevrix.org. If we cannot reach an accommodation, you have the right to terminate your account and exercise your right to erasure.
7. Your GDPR rights
You have the following rights with respect to your personal data:
- Access (Art. 15) — obtain confirmation of whether we process your data and a copy of it.
- Rectification (Art. 16) — correct inaccurate data. Most fields (display name, avatar, recovery email) are self-service inside your client.
- Erasure (Art. 17) — delete your account. We will deactivate the account, hash-and-tombstone the localpart so it cannot be re-registered to impersonate you, and delete profile data, device records, and recovery email within 30 days. Federated copies must be addressed to the relevant remote homeserver, as discussed in section 5.
- Restriction (Art. 18) — ask us to stop processing while a rectification or objection is being resolved.
- Portability (Art. 20) — receive your account data in a structured, commonly used, machine-readable format (Matrix Client-Server API export plus a JSON dump of profile and device records).
- Objection (Art. 21) — object to processing based on legitimate interest. We will stop unless we can show compelling legitimate grounds that override your interests.
- No automated decision-making (Art. 22) — we do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects. Mjolnir-based abuse moderation is supervised by a human operator before any account is permanently banned.
- Lodge a complaint (Art. 77) — you may complain to the data protection authority of your habitual residence in the EU/EEA. A list is maintained by the EDPB at edpb.europa.eu.
7.1 How to exercise your rights
Send an email to trust@aevrix.org from the recovery email associated with your account, or from any address you can verifiably tie to the account by sending us a fresh signed message from inside an Axion client. We respond within 30 days (extendable by 60 days for complex requests, in which case we will tell you within the first 30 days). The service is free of charge unless requests are manifestly unfounded or excessive.
8. Children
Axion is not directed at children under 16. We do not knowingly process the personal data of children under 16 without verifiable parental consent in line with Art. 8 GDPR and the local age threshold of the user’s country of residence (where higher). If you believe we hold data on a child below this age, contact trust@aevrix.org and we will delete it.
9. Security measures
Specific technical and organisational measures (encryption, access control, backup, incident response, hardening posture) are described in our Data Processing Agreement. Headline measures: end-to-end encryption by default, TLS 1.3 only, Argon2id password hashing, full-disk encryption (LUKS), SSH on a non-standard port behind two-factor authentication, fail2ban, CrowdSec, daily AIDE integrity checks, off-site encrypted backups, least-privilege Docker isolation, and a publicly disclosed security.txt for vulnerability reports.
10. Changes to this policy
We will publish material changes at least 30 days before they take effect, by updating this page (the “Effective” date above), posting a banner inside the Axion clients, and — for users who provided one — sending a notice to your recovery email. Editorial fixes that do not change the substance of how we process data may be made without notice; the previous version remains available on request.
11. Contact
Privacy: trust@aevrix.org
Security and vulnerability disclosure: security@aevrix.org
Postal address: provided on request to verified rights-holders, to keep the operator’s home address out of public scrapers.