This privacy policy describes how Lemmygrad.ml (“Lemmygrad.ml”, “we”, “us”) collects, protects and uses the personally identifiable information you may provide through the Lemmygrad.ml website or its API. The policy also describes the choices available to you regarding our use of your personal information and how you can access and update this information. This policy also describes how your engagement (profile information, posts, comments, direct messages, votes) is distributed and accessed. This policy does not apply to the practices of companies or organizations that Lemmygrad.ml does not own or control, or to individuals that Lemmygrad.ml does not employ or manage.

By joining this service you are engaging in, and contributing to, the very exciting and emerging space of free open communication on the internet. HOWEVER YOU ARE JOINING WITH THE UNDERSTANDING THAT THIS SERVICE IS RUNNING ON VERY EARLY RELEASE SOFTWARE AND SHOULD BE CONSIDERED ENTIRELY EXPERIMENTAL. ALTHOUGH ALL REASONABLE PRECAUTIONS HAVE BEEN TAKEN TO MAINTAIN THE SECURITY OF YOUR PERSONAL DATA, WE CAN NOT GUARANTEE THAT THE SOFTWARE OR THIS INSTANCE CONFIGURATION IS FREE FROM DEFECT THAT MAY RESULT IN THE EXPOSURE OF ANY OR ALL SUBMITTED DATA.

You also understand that there are controls to prevent the distribution of your email and IP address. However due to the nature of federated services, all of your engagement (your profile;posts;comments;messages;votes) on this platform should be considered public. We feel that proper precautions should be taken by the user regardless of what services they choose to use to engage in internet discourse, but it is highly recommended that you do not share any information on Lemmygrad.ml, or the Lemmy platform, that could in any way personally identify you.

What information do we collect?

  • Basic account information: If you register on this server, you will be asked to enter a username, a password, an optionally an e-mail address. You may also enter additional profile information such as a display name and biography, and upload a profile picture. The username, display name, biography, profile picture are always listed publicly.
  • Posts, comments, subscribing, voting, and other public information: When you post, the date and time is stored as well as the application you posted from. Posts and comments may contain media attachments, such as pictures and videos. Posts and comments are available publicly. Anything displayed on your profile is also publicly available information. Your comment history is available publicly. Your posts, comments and votes are delivered to the communities they are posted on, in some cases it means they are delivered to different servers and copies are stored there. When you delete posts, comments and votes, this is likewise broadcast to other instances, however there is no guarantee that the removal request will be respected, or even broadcast to all instances. There are conditions that may result in copies of your profile, posts, comments, voting record not being removed or editable when requesting so from your local instance. Communities you subscribe to may be disclosed to the admins of remote instances. Although user vote records are not accessible through the UI, this should also be considered public, and there are conditions which result in it becoming publicly viewable. This service interoperates with other federated services such as Mastodon; the format, interpretation, and display of your engagement may function differently than it does on Lemmy.
    In essence, your email address remains private to this local instance, however due to the nature of federated services all engagement (your profile;posts;comments;messages;votes) should be considered public and you are responsible for taking appropriate precautions in how you engage. Do not share any sensitive or information you do not want public over Lemmy.
  • Direct messages: Direct messages are stored as plain text in the PostgreSQL database. For encrypted communication, please use a dedicated platform like Matrix. In some cases, messages are delivered to different instances and copies are stored there. We make a good faith effort to limit the access to these direct messages to only authorized persons, but other instances may fail to do so. Therefore it’s important to review the instances of users you are engaging with. Please keep in mind that the operators of the instance and any receiving instance may view such messages, and that recipients may screenshot, copy or otherwise re-share them. Do not share any sensitive information over Lemmy direct messages.
  • IPs and other metadata: When you log in, we do not record the IP address you log in from. We retain the name of your browser application. We may retain server logs which do not include the IP address from which requests are made to the server.

What do we use your information for?

Any of the information we collect from you may be used in the following ways:

  • To provide the core functionality of Lemmy. You can only engage with other people’s content and post your own content when you are logged in. For example, you may subscribe to other communities for content discovery.
  • To aid moderation of the community.
  • The email address you provide may be used to send you information, notifications about other people interacting with your content or sending you messages, and to respond to inquiries, and/or other requests or questions.

How do we protect your information?

We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information. Among other things, your browser session, as well as the traffic between your applications and the API, are secured with SSL, and your password is hashed using a strong one-way algorithm.

We are disclosing that Lemmy currently does not support SSL for PostgreSQL. This instance has mitigated this security risk by running the PostgreSQL service on the same host as the instance backend, and has blocked all incoming and outgoing network connections to the PostgreSQL service.

The PostgreSQL database is regularly back up by the instance administrators.

We cannot guarantee that third-party clients will not steal the user’s login credentials. When using a client other than the official web client (located at https://lemmygrad.ml). it is the user’s reponsibility to secure their credentials. Using a trusted, open-source client helps with this.

What is our data retention policy?

We do not retain the IP addresses of the users of our instance.

You may irreversibly delete your account at any time. However, this does not guarantee all instances will be notified or respect the deletion of your public data.

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow). These cookies enable the site to recognize your browser and, if you have a registered account, associate it with your registered account.

We use cookies to understand and save your preferences for future visits.

Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our site, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety.

Your public content may be downloaded by other servers in the network. Your public and community posts are delivered to the servers where the community resides, and direct messages are delivered to the servers of the recipients, in so far as those communities or recipients reside on a different server than this.

When you authorize an application to use your account, depending on the scope of permissions you approve, it may access your public profile information, your subscription list, all your posts, and your voting history. Applications can never access your e-mail address or password from the API, however it may be required to give access to your account (ie. logging in).

Site usage by children

If this server is in the EU or the EEA: Our site, products and services are all directed to people who are at least 16 years old. If you are under the age of 16, per the requirements of the GDPR (General Data Protection Regulation) do not use this site.

If this server is in the USA: Our site, products and services are all directed to people who are at least 13 years old. If you are under the age of 13, per the requirements of COPPA (Children’s Online Privacy Protection Act) do not use this site.

Law requirements can be different if this server is in another jurisdiction.

This document is CC-BY-SA. Originally adapted from BanzooIO/federated_policies_and_tos, which was originally adapted from the Mastodon privacy policy.