Your privacy is important to us. This page explains what data Ari-web collects, how it is used, stored, and protected, as well as your rights and options regarding your personal information. By using Ari-web, you acknowledge and accept these terms in full.

Last updated: 2025-08-25 (2025, August 25th)

Personal Project Nature

Ari-web is a personal project primarily operated by an individual and not affiliated with any legal entity or company. Because of this, there are no formal guarantees regarding data handling or liability. Nothing in these terms excludes or limits liability that cannot be excluded or limited by law. When using Ari-web services, you understand that your data is stored on a privately administered server managed primarily by a single person.

Please consider this carefully before sharing any information through the services.

Logging

To provide and protect the services, Ari-web collects and retains detailed logs from various components of its infrastructure:

  • Nginx (access and error logs): Logs include IP addresses, user agents, remote and/or authenticated users (if applicable), request methods and URIs, request timestamps and lengths, HTTP status codes, response sizes, response times, and HTTP referrers. Error logs capture timestamps, error levels, messages, and context. These logs are analysed by fail2ban for abuse detection and retained for abuse investigations.
  • Forgejo (HTTP logging): Records timestamps, IP addresses, accessed routes, timing information, network ports, protocols, and network statuses. These logs help secure the service similarly to Nginx logs.
  • Mailcow (email server logs): Comprehensive email system logs include:
    • Sender and receiver IP addresses (both server and client IPs).
    • Email delivery status and error messages.
    • Authentication attempts (successful and failed).
    • System and queue management messages.
    • Spam filtering results and statuses using tools like rspamd.
    • DNS and DNSSEC verification logs.
    • Webmail access logs, including IMAP and POP3 login events and sessions.
    • Virus scanning outcomes.
    • Supporting Nginx and PHP logs for webmail frontends.
    Logs are retained using Docker's logging system so that Mailcow's internal fail2ban can watch them, and are left in rotation for the whole rotation period for abuse prevention.
  • XMPP: Logs IP addresses, authentication attempts, MUC logs, and error reports. Fail2ban protects against brute-force attacks.
  • SSH: Records IP addresses, ports, timestamps, hostnames, and event types (e.g., authentication, connections) to safeguard shell access and prevent brute-force attacks.
  • Rate Limiting: Tracks IP addresses, email addresses (where relevant), and access times to control resource use and mitigate abuse.
  • Firewall (UFW) Logs: Includes events such as blocks, limited connections, and attack attempts, with detailed metadata such as timestamps, hostnames, network interfaces, MAC addresses, IP and packet headers, source/destination ports, and protocol flags. Automated and manual analyses identify and respond to suspicious behaviours.
  • Nextcloud: Logs authentication events and errors to maintain security and detect threats.
  • Security Audit Logs: Internal logs capturing system and administrative actions, totaling up to ~40MB, retained for security monitoring, incident investigation, and integrity verification.

Most logs are retained for approximately one (1) month, while some audit and internal security logs are kept longer to ensure service integrity and ongoing protection. Logs may be analysed anonymously to generate statistical insights for improving service reliability and content quality, which may be shared publicly or privately for non-commercial purposes due to their completely anonymous nature. None of these logs ever leave the hands of administrators of the Ari-web infrastructure unless they are completely anonymised.

Your Data

Ari-web collects only the data necessary to provide and maintain its services. The types of data collected for each service are outlined below:

  • XMPP/Jabber Server: Messages and files exchanged on the server, typically retained for up to 4 weeks. Multi-User Chat (MUC) retention varies depending on your privacy settings. Also includes other data standard to Prosody and XMPP.
  • Forgejo Git Forge: Includes login data, all files and repositories you upload, email addresses, hashed passwords, 2FA status, timestamps of account creation and last login, encrypted CI/CD secrets, logs, repository metadata, issues, commits, pull requests, projects, releases, packages, wiki content, and other data standard to the Forgejo platform.
  • Email (Mailcow): Covers spam filtering scores, email messages stored or quarantined via IMAP, account information, hashed passwords, and other essential data for email operation as handled by Mailcow.
  • Roundcube Webmail: Stores preferences, encrypted passwords, login tokens, and session data, managed per standard Roundcube operation.
  • Private PocketBase Instance: Contains all account information and any data you upload to the database, as per typical PocketBase usage.
  • Nextcloud: Stores all uploaded files, profile information, and related data consistent with standard Nextcloud service use.
  • Arivertisements: Aside from standard system logs necessary for operation, no user data is collected.

On this website specifically:

  • Guestbook: Your e-mail (RC4 encrypted, mainly for obfuscation), website (optionally), the name you entered in the form, your message, the date and time the message was posted, message score, unique message ID, and whether or not you confirmed the comment.
  • AriGPT: Your prompt, admin answer, and prompting time.

Various cookies, while not directly data, may be sent to users to rate limit their activity, provide session or permanent storage, or manage (permanent) access. These cookies will never be used for commercial purposes or unnecessary tracking of users - only to provide, protect, or improve functionality of services. By using Ari-web services, you agree to have these cookies served to you.

How Your Data Is Used

The collected data (and logs) is primarily used to:

  • Provision, provide, and deplete services.
  • Maintain and improve service stability and quality.
  • Protect against abuse, spam, and unauthorised access.
  • Moderate community interactions and enforce community standards.
  • Monitor and respond to security incidents.
  • Analyse anonymised usage data to enhance the project.

Your data (and logs) is never sold or shared with third parties.

Data Protection Measures

As a primarily solo operator, Ari-web employs multiple layers of security to protect your data, including:

  • Encryption of data in transit (HTTPS) and at rest where possible.
  • Enforcement of encryption through systems like HSTS preload.
  • Use of strong firewall rules and DDoS protection via the hosting provider.
  • General system hardening and configuration rules.
  • Regular system updates and security hardening techniques.
  • Active monitoring and logging to detect and prevent abuse.
  • Hashing (and salting) sensitive information where applicable.

While these measures significantly reduce risk, no system can be guaranteed completely secure. Your understanding and caution when sharing sensitive data are appreciated.

Your Rights and Control

You remain in full control of your data on Ari-web. If you wish to:

  • request deletion or removal of your data or logs,
  • request an export or clarification of stored information,
  • or have any privacy concerns or questions,

please contact us anytime at legal@ari.lt. Your requests will be handled as promptly as possible.

Where applicable under law, all users have the right to access, rectify, erase, and port their personal data.

User Obligations

Users must be at least sixteen years old (16+) to access or use any Ari-web services to comply with GDPR (General Data Protection Regulation) and COPPA (Children's Online Privacy Protection Act). If you are under this age, please do not use the services.

Users are also expected to protect their own privacy and security diligently.

Hosting and Location

Ari-web is hosted in Germany by ETH-Services (ETH-services.de), which provides technical infrastructure including DDoS protection that analyses traffic for suspicious activity.

Governing Law

This Privacy Policy and all related agreements shall be governed by the laws of the Republic of Lithuania. In case of court disputes, the parties agree to first seek an amicable resolution through negotiation or mediation before considering any legal action in the courts of Lithuania.

Changes to Terms

This Privacy Policy may be updated over time. Continued use of services after changes constitutes acceptance of the new terms. You are responsible for keeping yourself up to date with these terms.

Contact

Questions or concerns about this Privacy Policy should be directed to legal@ari.lt.