This instance is administrated by Tom Dickinson. “Admin”, “I”, or “Me” in the following text refers to Tom Dickinson.
When we speak about privacy and security on large corporate social media platforms, we are usually referring to their data policies in a large-scale and impersonal context, like whether they will track you, build advertising profiles on you, perform social experiments on users, or sell the data to third parties. With a small social network hosted by someone you personally know, you do not usually have to worry about about that. But there are other things you might want to consider.
For instance, whatever social platform you are using, a person with sufficiently high levels of access can, in theory, read your DMs (unless they are end-to-end encrypted, and on most platforms they are not). But for the most cases, you do not expect any employees at the corporation to have a particular personal interest in you that might motivate them to browse your personal private data. You cannot make that same assumption when signing up to a social network run by someone you know.
Before using this service, please consider the access you are giving me, and consider whether you trust me enough to be comfortable giving me that access.
All posts, mentions, Direct Messages (DMs), and profile data are hosted on a Linode server run by the admin. All content is stored in a plaintext unencrypted format at present. The nonprofit that maintains Mastodon have indicated that in the future they may implement end-to-end encryption for Direct Messages, but at this time no such encryption is used.
All uploaded images are hosted either on the same server or in an Amazon S3 bucket owned by the admin. All images are publicly accessible, if you know the image’s URL.
The section “Admin Access on labyrinth.social” below, specifies the admin’s policies and commitments regarding accessing user data.
However, as with all “fediverse” services, Mastodon/Hometown posts can be and often are made available to users on other servers. This is referred to as “federation.” Once your post has been federated to another server, that server has a copy of your post and there is absolutely no guarantee that the software or users of that server will abide by the policies of this server, or even respect the private/public setting of your post.
Additionally, regular backups are made of the server, which means that material you have deleted may be retained in a backup.
Therefore, please think of the privacy measures of Mastodon/Hometown as barriers and impediments, not unbreakable forcefields, and do not use this or any other non-encrypted fediverse service to exchange pictures or images that you would find devastating if they were made public.
Keep in mind that even when the Mastodon/Hometown software does not allow for it, the admin’s server access does allow them to do the following:
It’s important to me to disclose that I can do these things, but it’s equally important that I promise you I will not do these things, with possible exceptions in the following situations:
I take this promise seriously and ask you to trust me.
For your security, it’s recommended that you enable two-factor authentication.
You can do this on your Preferences page. In the sidebar, look for “Account”. Once you have opened “Account”, look for “Two Factor Auth”.
Unlike some services, Mastodon does not allow for two-factor authentication over SMS text message. So you will need a authenticator app that allows for TOTP (Time-based one-time password) authentication. A good free option is Google Authenticator (available for Android oriOS).
Any of the information we collect from you may be used in the following ways:
We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information. Among other things, your browser session, as well as the traffic between your applications and the API, are secured with SSL, and your password is hashed using a strong one-way algorithm. You may enable two-factor authentication to further secure access to your account.
We will make a good faith effort to:
You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image.
You may irreversibly delete your account at any time.
Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow). These cookies enable the site to recognize your browser and, if you have a registered account, associate it with your registered account.
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our site, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety.
Your public content may be downloaded by other servers in the network. Your public and followers-only posts are delivered to the servers where your followers reside, and direct messages are delivered to the servers of the recipients, in so far as those followers or recipients reside on a different server than this.
When you authorize an application to use your account, depending on the scope of permissions you approve, it may access your public profile information, your following list, your followers, your lists, all your posts, and your favourites. Applications can never access your e-mail address or password.
Our site, products and services are all directed to people who are at least 13 years old. If you are under the age of 13, per the requirements of COPPA (Children’s Online Privacy Protection Act) do not use this site.