Privacy Policy (2021-08-30)

User privacy is one of the primary goals of DivestOS.
Detailed below is everything you need to know about how your data is handled.
Please see our infrastructure page to learn how we keep our services safe.

Control over your data

  • Requesting your data:
    • Web server logs will not be provided.
    • konvers.me chat logs of your user can be retrieved by joining the room with an XMPP client supporting (MUC-)MAM.
    • Donation history via Stripe can be provided upon request from a matching email address.
  • Correction of your data: We do not believe we have any data that can be corrected, but do reach out if necessary.
  • Deletion of your data:
    • Web server logs are kept for no longer than two weeks.
    • konvers.me access logs are deleted weekly.
    • konvers.me messages can be deleted upon special request.
  • Expressing concerns: We are always open to suggestions and collaboration on how we can further improve user privacy. Please e-mail us or open an issue on the project repository and lets get a discussion going!

E-Mail:

What data we (Divested Computing Group) collect

  • Website
    • What is received: Cookies (detailed below), Page Visited, Referring Page, User Agent, and IP Address
    • Cookies
      • PHPSESSID - Set by the server to maintain variables such as CSRF tokens
    • How often: On every page visit
    • Why it is received: Used to serve the web pages to users
    • When it will be deleted: Web server logs are kept for no longer than two weeks
    • What else will it be used for: Nothing else
    • How to anonymize: Visit the site using the Tor Browser
    • Example: [IP Address] - - [Timestamp] "GET /index.php?page=privacy_policy HTTP/2.0" 200 3441 "-" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
  • ROM
    • The ROM does not contain any analytics and any requests are used only for supporting it
  • ROM: Updater
    • What is received: Device Model, Incremental Build ID, Default User Agent, IP Address
    • How often: On every boot and also once per day
    • Why it is received: Used to serve system updates
    • When it will be deleted: Web server logs are kept for no longer than two weeks
    • What else will it be used for: Will be occasionally used to determine how many users we have and what percent are up-to-date or not
    • How to anonymize: Install Orbot and enable 'Perform requests over Tor'
    • How to disable: Disable 'Auto updates check'
    • Settings can be accessed via:
      • 9+: Settings > System > Advanced > DivestOS updates > 3dot > Preferences
      • <9: Settings > About > DivestOS updates > 3dot > Preferences
    • Example: [IP Address] - - [Timestamp] "GET /updater.php?base=LineageOS&device=mata&inc=engemy20210814031730 HTTP/1.1" 200 276 "-" "Dalvik/2.1.0 (Linux; U; Android 11; PH-1 Build/RQ3A.210805.001.A1)"
  • ROM: DivestOS F-Droid Repos
    • What is received: Repo Index Requests/App APK Requests/App Icon Requests, F-Droid Version, IP Address
    • How often: Once per day
    • Why it is received: Used to serve apps and their updates
    • When it will be deleted: Web server logs are kept for no longer than two weeks
    • What else will it be used for: Nothing else
    • How to anonymize: Install Orbot and enable 'Use Tor' in F-Droid > Settings
    • How to reduce: Decrease the 'Automatic update interval' in F-Droid > Settings
    • How to disable: Disable the 'DivestOS' repos in F-Droid > Settings > Repositories
    • Example: [IP Address] - - [Timestamp] "HEAD /fdroid/official/index-v1.jar HTTP/1.1" 200 - "-" "F-Droid 1.13.1"
  • App: Hypatia
    • What is received: Signature Database Requests, IP Address
    • How often: Manually
    • Why it is received: Used to serve signature databases
    • When it will be deleted: Web server logs are kept for no longer than two weeks
    • What else will it be used for: Nothing else
    • How to anonymize: Install Orbot and enable 'Download over Tor'
    • Example: [IP Address] - - [Timestamp] "GET /MalwareScannerSignatures/Android.hsb.gz HTTP/1.1" 304 - "-" "Hypatia"
  • Chat rooms (MUC) available on xmpp:konvers.me
    • What is received: JID, nickname, avatar, messages you send, your server IP address, your client IP address only if fetching an HTTP uploaded image
    • How often: When you join and are connected to a room
    • Why it is received: Used to provide the chat service to you
    • When it will be deleted: Messages are not deleted per default MAM policy. Access logs are deleted weekly. IP addresses are not stored in the access logs.
    • What else will it be used for: Nothing else
    • How to anonymize: Use a throwaway JID and nickname. Route your XMPP client over Tor.

What data third parties collect

Third parties are used to support specific features and apps

  • Website Payments
    • Who: Stripe
    • What they receive: Name, Bank Card, E-Mail Address, User Agent, Browser Fingerprint, IP Address, Location from Geo-IP
    • What we receive: Name, Bank Name, E-Mail Address, User Agent, Location from Geo-IP
    • How often: When you donate
    • Why they receive: Used to process the payment
    • What else will we use it for: Nothing else
    • How to anonymize: Use a fake name, debit gift card, disposable e-mail address, and connect via a computer at your local library
    • How to disable: Requests to Stripe's servers will not occur until you attempt to donate
    • Privacy Policy: Stripe Privacy Policy
  • ROM: Captive Portal Check
    • Who: Google
    • Description: Used to determine if there is a captive portal
    • What they receive: Static User Agent, IP Address
    • How often: On every Wi-Fi and cell connection
    • How to disable: Captive portal toggle in settings app or $ adb shell settings put global captive_portal_mode 0;
    • Settings can be accessed via:
      • 9+: Settings > Network & Internet > Advanced > Captive portal mode
      • <9: Settings > Network > Data usage > Disable Captive Portal
    • Privacy Policy: Google Privacy Policy
  • ROM: F-Droid Official Repo
    • Who: F-Droid
    • What they receive: Repo Index Requests/App APK Requests/App Icon Requests, F-Droid Version, IP Address
    • How often: Once per day
    • Why they receive: Used to serve apps and their updates
    • How to anonymize: Install Orbot and enable 'Use Tor' in F-Droid > Settings
    • How to reduce: Decrease the 'Automatic update interval' in F-Droid > Settings
    • How to disable: Disable the 'F-Droid' repos in F-Droid > Settings > Repositories
    • Privacy Policy: F-Droid Security Information