Privacy information

This mail server, hosted at politicalscience.cloud, runs on a voluntary, honorary basis and serves to enable its users to do some cool stuff. It follows the principle of data minimisation and processes personal data only for this purpose. Since you can expect this processing (otherwise you would not use the service), I consider the legal basis for data processing to be your consent (according to Art. 6 (1) lit. a GDPR), which you can revoke for the future at any time.

You have the right to see what data is stored about you, to access it in a machine-readable way, and to have it corrected, deleted, or at least restricted from further usage if there are legal or other substantial reasons not to delete it. Just use the general contact details given below and expect an answer within a month.

Server rules

The server shall be used only for its named purpose.

Stored user and contact data

As is typical for a mail server, it stores, receives, and delivers your e-mail; of course your mail account name and its password are stored as well, together with aliases pointing to your account if applicable. As a user you can easily access the stored mails by connecting to your mailbox (for example with Thunderbird or another mail client of your choice) and move them to trash or delete them immediately.

As a user's contact you do not have this option, of course, and there is no way to give you such access without violating the user's privacy. This is simply the nature of email, just as it is with postal mail. Only in case of paramount security interests (you know, "life and death" things and such) will I begin to consider intrusion into my users' privacy to delete specific mails.

Due to software constraints you cannot delete your account (and thus your data) yourself. Just use the general contact details below and I will delete your account. Once the log and backup retention periods (see below) have passed, all data related to you will be gone from this system.

Spam protection

Spam protection is necessary not only because spam can be quite obnoxious and detrimental to user experience, but also to help protect users against phishing and other fraudulent attempts. Furthermore, protection from outbound spam is necessary to secure server reputation; a loss in reputation would result in the mail server being blocked and hence useless. Thus, I consider this processing to be in your interest and a legitimate interest of mine in the sense of Art. 6 (1) lit. f GDPR.

For spam protection I use rspamd with its self-learning modules. However, this means that every single e-mail is fully processed and its metadata as well as its text are used to train spam detection: if you move an email to spam or vice versa, the system learns and improves its classifiers and neural networks. I don't think that this process leaves the system with any de-anonymisable data, since even if readable pieces remain, it should require additional data to link them to a user.

Third party services

No external services are either embedded or used.

Non-vetoable processing

However, there are server logs and backups. Server logs (including IP addresses, user agents, visited pages, etc.) are necessary in terms of security, that is, in order to provide basic protection against brute force attacks, other attacks, as well as spam. They are also a technical necessity, since they allow debugging and maintenance work. Logs are saved for up to 7 days and up to another 10 days in complete server backups. Complete backups are necessary in case of technical or administrative failures as well as repair work after attacks like ransomware. I consider this processing a legitimate interest in the sense of Art. 6 (1) lit. f GDPR, but also a legal obligation according to Art. 6 (1) lit. c GDPR since I am obliged to protect your data and thus my systems. This means that you cannot veto this processing.

Logs and other system information are collected by my monitoring system, hosted at Strato (Germany).

Service provider

There are no other administrators. The service is hosted on an EU-located server at Netcup, which confirmed in a contract on commissioned data processing (CCDP) that they will process the data only according to the contractual purposes. Backups might also be stored with other hosters (as is recommended), but only end-to-end encrypted and with a CCDP.

The responsible supervisory authority is the data protection officer of Rheinland-Pfalz (Rheinland-pfälzischer Landesbeauftragter für Datenschutz und Informationsfreiheit).