Privacy Policy

Last Updated: March 2026

At Anjara Project, privacy isn’t just a feature—it’s our foundation. This Privacy Policy explains how we collect, use, protect, and handle your personal information.

Our Privacy Commitment

We built Anjara on these principles:

Minimal Data Collection – We only collect what’s absolutely necessary to provide our services

No Data Selling – We will never sell, rent, or trade your personal data to third parties

No Tracking or Profiling – We don’t track your behavior or build advertising profiles

Your Data, Your Control – You own your data and can export or delete it anytime

Transparency – We’re clear about what we do (and don’t do) with your information

GDPR Compliant – We follow strict European data protection regulations

Who We Are

Service Provider: Anjara Project

Website: https://www.anjara.org

Operated by: Hex IT Group and Red Viper Technologies

Data Controller: Hex IT Group

Location: Italy, European Union

Contact for Privacy Matters:

Email: privacy@service.anjara.org

Address: Hex IT Group – Via Mongardino 2/2 – 40037 – Sasso Marconi (BO) – Italy

What Information We Collect

1. Information You Provide Directly

When you create an account:

Username (becomes part of your email address)

Password (encrypted, we cannot read it)

Recovery email address (for account security)

Optional: Display name, profile information

When you use our services:

Email Service: Email content, contacts, calendar events (stored encrypted)

WordPress Blog: Posts, pages, comments, media files you upload

Nextcloud: Files, photos, documents you upload

Mastodon: Posts, profile information, interactions

Matrix: Messages (end-to-end encrypted), contacts

WriteFreely: Blog posts, settings

When you make payments:

Billing information (processed by payment providers, not stored by us)

Purchase history and invoices

2. Information Collected Automatically

Technical Information (minimal):

IP address (for security and service delivery)

Browser type and version

Device type (desktop, mobile, tablet)

Access times and dates

Service usage logs (for troubleshooting only)

What we DON’T collect:

❌ Browsing history outside our services

❌ Third-party tracking cookies

❌ Location data (beyond country from IP)

❌ Contacts from your device

❌ Data for advertising purposes

How We Use Your Information

We use your information ONLY for these purposes:

1. Provide and Maintain Services

Deliver email, storage, blog, and communication services

Sync your data across devices

Authenticate your identity

Process payments for premium features

2. Improve and Optimize Services

Fix bugs and technical issues

Understand service usage patterns (aggregated, not individual)

Develop new features

Optimize performance

3. Communicate with You

Send service-related notifications (password resets, storage alerts)

Respond to support requests

Important updates about service changes

Optional newsletter (only if you opt-in)

What we DON’T do:

❌ Sell your data to advertisers

❌ Scan your email content for advertising

❌ Share your information with third parties for their marketing

❌ Use your data to profile or track you across the web

How We Protect Your Data

Security Measures

Encryption:

All data transmitted over HTTPS/TLS

Email stored encrypted on our servers

Passwords hashed with industry-standard algorithms (bcrypt)

Optional: End-to-end encryption for email (PGP/GPG)

Infrastructure Security:

European data centers (GDPR compliant)

Regular security audits

Daily encrypted backups

Firewall and DDoS protection

Two-factor authentication (2FA) available

Regular software updates

Access Controls:

Minimal staff access to user data

Access logs maintained

Data segregation between users

No backdoors or master keys

Data Isolation:

Your email is YOUR email – we can’t read it

Encrypted messages stay encrypted

Files stored in isolated environments

Data Retention

How Long We Keep Your Data

Active Accounts:

Data retained as long as your account is active

You control your data – delete anytime

Inactive Accounts:

Free accounts: Deleted after 12 months of inactivity

Paid accounts: Retained as long as subscription is active

We send warning emails before deletion

After Account Deletion:

Most data deleted immediately

Some data retained for 30 days (recovery period)

Backups purged within 90 days

Legal/billing records: Up to 7 years (required by law)

Specific Services:

Email: Deleted emails removed from backups within 90 days

Blog Posts: Publicly published content may be cached by search engines

Mastodon: Public posts may be federated (copies on other servers)

Files: Permanently deleted after 30-day grace period

Data Sharing and Disclosure

When We Share Your Information

We share data ONLY in these limited circumstances:

1. With Service Providers

We use minimal third-party providers who help us operate:

Payment Processors (Stripe, PayPal) – Only for processing payments

Email Infrastructure – For sending service notifications

Cloud Hosting – European data centers only

Backup Services – Encrypted backups only

All providers:

✅ Sign data processing agreements

✅ Located in EU or GDPR-compliant

✅ Have minimal access to data

✅ Cannot use data for their own purposes

2. With Your Consent

When you explicitly authorize sharing

When you use federation features (Mastodon, ActivityPub)

3. For Legal Reasons

We may disclose data if required by law:

Valid court order or subpoena

Prevent fraud or abuse

Protect rights and safety

We will:

Notify you when legally possible

Request narrow scope from authorities

Publish transparency reports annually

Fight overbroad requests

4. Federation (Mastodon, ActivityPub)

Public posts on Mastodon are federated to other servers

WordPress blogs with ActivityPub share posts across Fediverse

This is by design for decentralized social networking

You control what you make public

Your Rights (GDPR)

Under GDPR, you have these rights:

1. Right to Access

View all personal data we hold about you

Request: Settings → Download My Data

Delivered within 30 days

2. Right to Rectification

Correct inaccurate information

Update your profile anytime

Contact support for help

3. Right to Erasure (“Right to be Forgotten”)

Delete your account and all associated data

Settings → Delete Account

Some data retained for legal requirements (billing records)

4. Right to Data Portability

Export your data in standard formats

Email: MBOX format

Contacts: vCard format

Calendar: iCal format

Files: Direct download

WordPress: XML export

5. Right to Restrict Processing

Limit how we use your data

Contact: privacy@service.anjara.org

6. Right to Object

Object to data processing for specific purposes

Opt-out of optional communications

8. Right to Lodge a Complaint

File complaint with your data protection authority

Italy: Garante per la Protezione dei Dati Personali

Your country’s authority if different

Cookies and Tracking

Our Cookie Policy

Essential Cookies Only:

We use minimal cookies required for service functionality:

Session Cookie – Keeps you logged in (deleted when you close browser)

Security Cookie – Prevents CSRF attacks

Preference Cookie – Remembers your settings (language, theme)

What we DON’T use:

❌ Advertising cookies

❌ Tracking cookies

❌ Third-party analytics cookies

❌ Social media cookies

❌ Behavioral profiling cookies

Analytics:

We use privacy-respecting analytics (Matomo self-hosted)

IP addresses anonymized

No data shared with third parties

You can opt-out: Settings → Privacy

Children’s Privacy

Anjara services are not directed at children under 16.

We do not knowingly collect data from children under 16

If we discover a child’s account, we will delete it

Parents: Contact us immediately if you believe your child created an account

Email: privacy@service.anjara.org

International Data Transfers

Your data stays in the European Union:

All servers located in EU data centers

Subject to GDPR protections

No transfers to countries with weaker privacy laws

Exception: Federation features (Mastodon) – your public posts may reach servers worldwide

Changes to This Policy

How we handle updates:

We may update this policy occasionally

Major changes: Email notification to all users

Minor changes: Posted on this page with “Last Updated” date

Continued use after changes = acceptance

Don’t agree? You can delete your account

Third-Party Services

Links to Other Websites

Our services may contain links to external sites:

We’re not responsible for their privacy practices

Read their privacy policies separately

We don’t control external content

Federated Services

Mastodon & ActivityPub:

Public posts federated to other servers

Other server admins may see your public posts

We don’t control other servers’ privacy practices

Choose carefully what you make public

Data Breaches

In the unlikely event of a data breach:

We’ll notify affected users within 72 hours

We’ll notify relevant authorities (as required by GDPR)

We’ll explain what happened, what data was affected, and what we’re doing

Transparency is our priority

Contact Us About Privacy

Have questions or concerns about privacy?

Email: privacy@service.anjara.org

Response Time: Within 72 hours

Subject Access Requests: Within 30 days

For general support:

Email: support@service.anjara.org

Dashboard: Create support ticket

For data protection complaints:

Contact your national data protection authority

Legal Basis for Processing (GDPR)

We process your data based on:

Contract Performance:

Providing services you signed up for

Processing payments

Legitimate Interests:

– Preventing fraud and abuse

Improving services

Security and stability

Legal Obligations:

Compliance with laws

Tax and accounting requirements

Consent:

Optional features (newsletter, analytics)

You can withdraw anytime

Summary: What Makes Anjara Different

Most Services:

Scan your email for ads

Track you across the web

Sell your data to advertisers

Complex privacy policies hiding bad practices

Anjara:

✅ Never scans your content

✅ No tracking or profiling

✅ Never sells your data

✅ Never sells your data

✅ Clear, honest privacy policy

✅ You own and control your data

✅ GDPR compliant

✅ European hosting

✅ Open-source software

✅ Privacy by design

Frequently Asked Questions

Q: Can Anjara read my emails?

A: No. Emails are stored encrypted. We have no master key and cannot access your email content.

Q: Do you scan emails like Gmail does?

A: Absolutely not. We don’t scan email content for any purpose. No advertising, no profiling.

Q: What happens to my data if Anjara shuts down?

A: We’ll give 90 days notice. You can export all your data. We’ll help migrate to alternatives.

Q: Can government agencies access my data?

A: Only with valid legal order. We notify users when legally allowed and publish transparency reports.

Q: Is my data backed up?

A: Yes, daily encrypted backups for disaster recovery. Backups stored in EU, encrypted, retained 90 days.

Q: Can I really delete all my data?

A: Yes. Account deletion removes all data. Backups purged within 90 days. Some billing records retained for legal compliance (up to 7 years).

By using Anjara services, you acknowledge that you have read and understood this Privacy Policy.

Have questions? Email privacy@service.anjara.org

Last Updated: March 5, 2026

Version: 1.0

Questions about our privacy practices?

Contact Privacy Team →

Ready to take back your privacy?

Create Free Account →