ゆめちのくに (YumechiNoKuni) is strongly committed to protecting users' privacy and to proving that we are trustworthy. This privacy policy outlines the types of personal information we receive, how it may be processed, what measures have been taken to protect your data, and how to verify our compliance with this policy.
The informal version: we are, as far as we know, the most transparent and privacy-preserving instance in the fediverse.
## Personal Information
### Information We Collect
- **Account Information**: When you sign up for an account, we collect your username, email address, and password. Your username is publicly displayed; your email address is kept private and visible only to the administrators. Your password is hashed with bcrypt and cannot be recovered without a brute-force search, so it is paramount that you choose a password that is not easily guessable.
- **Profile Information**: You may choose to provide additional information on your profile, such as a display name, avatar, and bio. This information will be publicly displayed and federated to other instances, and there is no way to prevent this.
- **Posts, Pages and other Content**: Any content you post on the site is stored on our servers. Unless you have set a post to "private" or "followers-only" (and none of your followers are on another instance), we cannot guarantee that your content will not be seen by unintended parties, nor that foreign instances will honor your request to delete the data. This is a hard limit of the federation protocol and we cannot change it; however, we are more than willing to let you register a separate account dedicated to private content.
- **Multimedia and Drive Files**: The drive feature lets you upload files as if it were a cloud storage service; however, please note that anyone who has the ID of, or a link to, a file can access it. While the ID is theoretically hard to guess, it is not considered secure and should not be relied on for sensitive information. Files are also not encrypted to your account, which means that (while we have taken measures to prevent this) a malicious program running on the server could access your files.
- **IP Address**: There is built-in support for logging the IP addresses used for login attempts, which you can review in your account settings under the "Security" tab. There is currently no self-service way to disable this feature; however, you can ask us to stop logging your IP address by contacting us.
- **Server Logs**: Requests that result in queries to other instances, or that cause errors, are logged for debugging purposes. While these logs are usually not easily traceable to a specific user, we may be able to tell that someone was trying to access a specific resource.
- **Metrics**: We collect metrics on the server side. The metrics are highly aggregated and do not contain any identifying information; they consist of data such as a histogram of request processing time broken down by the kind of request and whether it succeeded, the amount of memory used by the server, and the number of incoming and outgoing federation messages.
## How We Use Your Information (and How We Can Prove It)
### Moderation
We require all moderators and administrators not to use their privileged accounts for any purpose other than moderation (or even to log in without a specific purpose). However, we cannot guarantee that your data will not be accidentally accessed during routine system maintenance; for example, many database management tasks require inspecting the data directly. We promise that we will not make any use of accidental access to your data and will try our best to forget it as soon as possible.
### Legal
While I will make an effort to vet every legal request I receive, I cannot guarantee that I will be able to exercise every available means to protect your data in the event of a legal request. I will make an effort to inform you of any legal request I receive and whether I have complied with it, unless I am legally prohibited from doing so. I am located in Texas, US.
### Code Access
As required by the AGPL license that upstream uses, the source code for this instance is available at https://forge.yumechi.jp/yume/yumechi-no-kuni. We have also made an effort to ensure that the environment can be replicated easily, by not requiring manual intervention for new features such as PGroonga full-text search, and we have added build-time injection of the commit hash so you can see exactly which version of the code is running (available via the `/nodeinfo/2.1` endpoint on any of our running instances that is not in development mode).
### Email
We do not use any third-party email service to send or receive emails; all email communication is handled completely in-house. We have taken the following measures to keep our email secure:
- Using SPF, DKIM, and DMARC to prevent email spoofing.
- Using MTA-STS to ensure that all email you send to us is delivered over an encrypted connection.
- Requiring all outgoing email to be encrypted with STARTTLS.
However, the moderator contact email may be handled by a third-party service. If this is not acceptable to you, please contact us through a direct message on the instance.
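The three records behind these measures can be audited offline from the published text. The following is an added example (not the instance's own code) that parses an SPF TXT record, a DMARC TXT record and an MTA-STS policy file and flags the settings that would weaken the guarantees above: a soft-fail SPF, a DMARC policy of `p=none`, or an MTA-STS policy still in `mode: testing`. The record texts are constructed samples for a hypothetical domain; to audit a real one, paste in the output of `dig TXT <domain>`, `dig TXT _dmarc.<domain>` and the body of `https://mta-sts.<domain>/.well-known/mta-sts.txt`.

```python
"""Offline audit of e-mail authentication records (SPF, DMARC, MTA-STS).
Added example, not the instance's code; the samples below are CONSTRUCTED,
shaped like `dig TXT <domain>` / `dig TXT _dmarc.<domain>` output and an
https://mta-sts.<domain>/.well-known/mta-sts.txt body."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    record: str
    severity: str  # "ok", "warn" or "fail"
    message: str


def audit_spf(txt: str) -> list[Finding]:
    """SPF (RFC 7208): must exist, should end in -all, at most 10 DNS-querying terms."""
    if not txt.startswith("v=spf1"):
        return [Finding("SPF", "fail", "no v=spf1 record")]
    terms = txt.split()[1:]
    out = []
    if "+all" in terms or "all" in terms:
        out.append(Finding("SPF", "fail", "'+all' lets anyone send as the domain"))
    elif "~all" in terms or "?all" in terms:
        out.append(Finding("SPF", "warn", "soft/neutral 'all'; receivers may still accept spoofed mail"))
    elif "-all" in terms:
        out.append(Finding("SPF", "ok", "hard fail for unlisted senders"))
    else:
        out.append(Finding("SPF", "warn", "no 'all' mechanism; unlisted senders are neutral"))
    costly = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS query
    lookups = sum(1 for t in terms if t.lstrip("+-~?").split(":")[0].split("=")[0] in costly)
    if lookups > 10:
        out.append(Finding("SPF", "fail", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"))
    return out


def parse_tags(txt: str) -> dict[str, str]:
    """Parse 'k=v; k=v' tag lists (the DMARC and DKIM record syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def audit_dmarc(txt: str) -> list[Finding]:
    """DMARC (RFC 7489): p=reject is the only policy that actually blocks spoofing."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "fail", "no v=DMARC1 record")]
    out = []
    policy = tags.get("p", "")
    if policy == "reject":
        out.append(Finding("DMARC", "ok", "p=reject: failing mail is refused"))
    elif policy == "quarantine":
        out.append(Finding("DMARC", "warn", "p=quarantine: failing mail is only spam-foldered"))
    else:
        out.append(Finding("DMARC", "fail", f"p={policy or 'missing'}: spoofed mail is delivered normally"))
    if "rua" not in tags:
        out.append(Finding("DMARC", "warn", "no rua=; no aggregate reports to detect spoofing attempts"))
    return out


def audit_mta_sts(policy_txt: str) -> list[Finding]:
    """MTA-STS policy file (RFC 8461): only 'mode: enforce' blocks TLS downgrades."""
    fields = {}
    for line in policy_txt.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip(), []).append(v.strip())
    if fields.get("version") != ["STSv1"]:
        return [Finding("MTA-STS", "fail", "missing or bad 'version: STSv1'")]
    out = []
    mode = fields.get("mode", [""])[0]
    if mode == "enforce":
        out.append(Finding("MTA-STS", "ok", "mode: enforce; senders must use verified TLS"))
    elif mode == "testing":
        out.append(Finding("MTA-STS", "warn", "mode: testing; failures are only reported, not blocked"))
    else:
        out.append(Finding("MTA-STS", "fail", f"mode '{mode or 'missing'}' gives no protection"))
    max_age = int(fields.get("max_age", ["0"])[0])
    if max_age < 86400:  # heuristic threshold; RFC 8461 expects weeks or more
        out.append(Finding("MTA-STS", "warn", f"max_age {max_age}s is short; policy expires quickly"))
    return out


# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_WEAK = {
    "spf": "v=spf1 include:_spf.mail-provider.example ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "mta_sts": "version: STSv1\nmode: testing\nmx: mail.example.org\nmax_age: 3600\n",
}
SAMPLE_STRONG = {
    "spf": "v=spf1 mx -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "mta_sts": "version: STSv1\nmode: enforce\nmx: mail.example.org\nmax_age: 1209600\n",
}


def audit_domain(records: dict[str, str]) -> list[Finding]:
    return audit_spf(records["spf"]) + audit_dmarc(records["dmarc"]) + audit_mta_sts(records["mta_sts"])


def worst_severity(findings: list[Finding]) -> str:
    return max(findings, key=lambda f: {"ok": 0, "warn": 1, "fail": 2}[f.severity]).severity
```

Running `audit_domain(SAMPLE_WEAK)` reports the soft-fail SPF, the `p=none` DMARC policy and the `testing` MTA-STS mode, while `SAMPLE_STRONG` passes every check; `worst_severity` collapses the findings into a single status suitable for a monitoring alert.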
### Storage
Your data is stored on a server located in Wien (Vienna), Austria. We have applied full disk encryption to the server, confined each service to its own user, and enabled mandatory access control to prevent unauthorized access to your data. You may request a copy of your data by contacting us; your request will be processed within 7 days, and you can either request a package that we deem relatively complete or specify the kind of data you want to receive.
If you are not satisfied with the data we provide, you can prepare a SQL query in a local environment and send it to us, and we will return its result, provided that it does not harm the integrity of the service or invade the privacy of other users.
### Network Requests
When you use our service, your device makes requests to our servers. We have taken measures to ensure that the communication you make while using our service is never observed by a third party, namely:
- Not using a third-party CDN that would decrypt your connection to our service.
- Using HTTPS with preloaded HSTS to ensure that your connection is encrypted and secure. This means that even a freshly installed browser will refuse to connect to our service if it cannot establish a secure connection.
- Enforcing a sandbox in your browser to prevent external content or unintended scripts from running on our web page. This consists of several HTTP headers, including a strict Content Security Policy, X-Content-Type-Options, and frame restrictions.
- Preventing third-party websites from tracking you: we use a strict Referrer Policy so that the address of the page you were on is not sent to a third-party website when you click a link on our service. We also ask your browser to disable features known to have questionable privacy properties, such as `FLoC`, the `Topics API`, `Attribution Reporting` and DRM, within our browser sandbox. You can review our security headers, along with a professional explanation, by visiting https://securityheaders.com/?q=https%3A%2F%2Fmi.yumechi.jp%2F.
- Placing a proxy in front of all media files that hides the origin of the request and prevents dangerous file formats from being downloaded. The source code of the proxy is available at https://forge.yumechi.jp/yume/yumechi-no-kuni-proxy-worker.
However, there are two exceptions to this:
#### External Lookups
While your network requests are never sent directly to a third party, your requests to look up external resources (such as uploading a file by URL, or looking up a remote user or note) result in a request from our server to the external server, and depending on whether the external server requires user authentication for that fetch, the request might be traced back to you.
However, unlike the upstream implementation, YumechiNoKuni requires all external lookups to be conducted over HTTPS on port 443 using a modern cipher suite. This means that when you look up a specific user or link, you can be sure that the content of the lookup is not disclosed to parties other than the destination server.
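The outbound-lookup rule described above (HTTPS only, port 443 only, modern TLS) can be expressed as a small gate that runs before any connection is opened. This is an added example, not YumechiNoKuni's own code: `lookup_allowed` is a hypothetical validator for a remote user, note or media URL, and `make_tls_context` builds the `ssl` client context such a fetch would use (certificate and hostname verification, TLS 1.2 minimum, ECDHE AEAD suites for TLS 1.2). The URLs tested are constructed.

```python
"""Outbound-lookup policy: remote fetches only over HTTPS on port 443 with a
modern TLS configuration. Added example; names are hypothetical, URLs constructed."""
import ssl
from urllib.parse import urlsplit


def lookup_allowed(url: str) -> tuple:
    """Return (allowed, reason) for a remote URL before any connection is made."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme or '(none)'} is not https"
    if not parts.hostname:
        return False, "no host in URL"
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"port {port} is not 443"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    return True, "ok"


def make_tls_context() -> ssl.SSLContext:
    """Client context: system CA verification, hostname check, TLS >= 1.2,
    and for TLS 1.2 only ECDHE AEAD suites (TLS 1.3 suites are always enabled)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def tls_context_summary(ctx: ssl.SSLContext) -> dict:
    """Report the properties that matter for an audit, as plain strings/bools."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for u in ("https://remote.example/users/alice",       # constructed URLs
              "http://remote.example/users/alice",
              "https://remote.example:8443/users/alice",
              "https://user:pw@remote.example/"):
        print(u, "->", lookup_allowed(u))
    print(tls_context_summary(make_tls_context()))
```

A lookup that fails `lookup_allowed` is rejected before DNS resolution, so neither the remote host nor any intermediary learns what was requested; a request that passes still has the TLS context verify the remote certificate, so a downgrade or interception attempt fails the handshake instead of silently exposing the lookup.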
#### Third-party Apps
While we use security features that are enforced by all mainstream browsers, we cannot guarantee that third-party apps maintain the same level of security. If you use a client other than the website or the PWA (the 'Add to Home Screen' feature), be aware that we cannot guarantee the promises made in the previous section.
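The browser-facing guarantees listed under Network Requests above (preloaded HSTS, a strict Content Security Policy, X-Content-Type-Options, frame restrictions, a strict Referrer Policy, and a Permissions-Policy that turns off FLoC, the Topics API, Attribution Reporting and DRM) can be checked mechanically from a response's headers. The following is an added example, not the instance's own code: `audit_headers` takes a header dictionary such as `curl -sI` would return and reports every property that does not hold. The two header sets are constructed, one hardened and one weak; they are not captured from the instance.

```python
"""Audit of the browser-facing security headers a privacy-preserving site
should send. Added example, not the instance's code; the header sets below are
CONSTRUCTED, standing in for what `curl -sI https://<instance>/` would return."""
import re


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: dict) -> list:
    """Return a list of problems; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []

    # 1. HSTS: one-year max-age, includeSubDomains and preload are the
    #    requirements for the browser preload list.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 31536000:
        problems.append("HSTS missing or max-age below one year")
    if "includesubdomains" not in hsts.lower() or "preload" not in hsts.lower():
        problems.append("HSTS lacks includeSubDomains/preload (not preload-eligible)")

    # 2. CSP: script sources (or the default-src fallback) that allow inline,
    #    eval or wildcard origins are not "strict"; frame-ancestors stops framing.
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        problems.append("no Content-Security-Policy")
    else:
        scripts = csp.get("script-src", csp.get("default-src", ["*"]))
        if any(s in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:") for s in scripts):
            problems.append(f"CSP script sources too permissive: {' '.join(scripts)}")
        if "frame-ancestors" not in csp:
            problems.append("CSP has no frame-ancestors (page can be framed)")
        if csp.get("object-src") != ["'none'"]:
            problems.append("CSP object-src should be 'none'")

    # 3. X-Content-Type-Options: nosniff stops MIME sniffing of served files.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options is not nosniff")

    # 4. Referrer-Policy: only these two values send nothing at all to
    #    cross-origin destinations.
    if h.get("referrer-policy", "").lower() not in ("no-referrer", "same-origin"):
        problems.append("Referrer-Policy leaks the page URL or origin to third-party sites")

    # 5. Permissions-Policy: the features named in the policy, as browsers
    #    spell them (interest-cohort = FLoC, browsing-topics = Topics API,
    #    attribution-reporting, encrypted-media = DRM/EME). "=()" disables each.
    pp = h.get("permissions-policy", "").replace(" ", "")
    for feature in ("interest-cohort", "browsing-topics", "attribution-reporting", "encrypted-media"):
        if f"{feature}=()" not in pp:
            problems.append(f"Permissions-Policy does not disable {feature}")
    return problems


# Constructed header sets (not captured from the instance).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-R4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "interest-cohort=(), browsing-topics=(), attribution-reporting=(), encrypted-media=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, hdrs in ("hardened", HARDENED), ("weak", WEAK):
        print(f"== {name} ==")
        for p in audit_headers(hdrs) or ["all checks passed"]:
            print("  -", p)
```

The hardened set passes cleanly; the weak set trips every check, which is the typical picture for a site that set a CSP once and never tightened it. The same function can be pointed at a third-party client's embedded web views to see whether the guarantees carry over.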
### Metrics
While we do not allow public access to our metrics endpoint in production (we may grant long-time users access in the future), the raw metrics endpoints in our staging environment are open for public review at https://test0.mi.yumechi.jp/metrics and https://test0.mi.yumechi.jp/metrics/cluster.
These metrics are sent to a third-party service, [Grafana Cloud](https://grafana.com/products/cloud/), for visualization and alerting. We post periodic PDF exports of a public dashboard showing the metrics we collect at https://mi.yumechi.jp/@mihari.
## What You Can Do to Protect Your Privacy
### Account Security
- **Use a Strong Password**: Because we want the website not to depend on any third-party service, the only protection against failed login attempts is a cool-down period. Please use a strong password that is not easily guessable.
- **Enable Two-Factor Authentication**: We support two-factor authentication using TOTP or WebAuthn. You can enable it in your account settings under the "Security" tab. We have changed the behavior from upstream so that, if you use only a hardware key for 2FA, we recommend but do not require that you password-protect your hardware key, since it is common practice for systematic users of hardware keys to keep a physically secure backup key.
- **Reset your Token**: This is currently a limitation inherited from upstream and we are working on a solution. In the meantime, please go to Settings -> Security -> Regenerate Login Token from a secure device to invalidate all your sessions whenever you have logged in from a public computer or suspect that one of your sessions has been compromised.