Privacy Policy

Your privacy is important to us. This page explains what data ARI.LT (Ari-web) collects, how it is used, stored, and protected, as well as your rights and options regarding your personal information. By using ARI.LT (Ari-web), you acknowledge and accept these terms in full.

Note that ARI.LT (Ari-web) is operated by an individual under an Individual Activity Certificate (individuali veikla pagal pažymą) registered in Lithuania. Further legal identification details (e.g., legal name, address) are provided on invoices and where required by law. For legal purposes, note that "Arija A." and "Ari Archer" are public and informal names used for this project (please refer to me by those names in social contexts though!)

Last updated: 2026-06-11 (2026, June 11th)

# Logging

To provide and protect the services, ARI.LT (Ari-web) collects and retains detailed logs from various components of its infrastructure:

  • Nginx (access and error logs): Logs include IP addresses, user agents, remote and/or authenticated users (if applicable), request methods and URIs, request timestamps and lengths, HTTP status codes, response sizes, response times, and HTTP referrers. Error logs capture timestamps, error levels, messages, and context. These logs are analysed by fail2ban for abuse detection and retained for abuse investigations. The complete configuration is available at https://git.ari.lt/ari.lt/nginx.conf .
  • Forgejo (HTTP logging): Records timestamps, IP addresses, accessed routes, timing information, network ports, protocols, and network statuses. These logs help secure the service similarly to Nginx logs.
  • Mailcow (email server logs): Comprehensive email system logs include:
    • Sender and receiver IP addresses (both server and client IPs).
    • Email delivery status and error messages.
    • Authentication attempts (successful and failed).
    • System and queue management messages.
    • Spam filtering results and statuses using tools like rspamd.
    • DNS and DNSSEC verification logs.
    • Webmail access logs, including IMAP and POP3 login events and sessions.
    • Virus scanning outcomes.
    • Supporting Nginx and PHP logs for webmail frontends.
    Logs are retained using Docker's logging system so that Mailcow's internal fail2ban can watch them, and are left in rotation for the whole rotation period for abuse prevention.
  • SSH: Records IP addresses, ports, timestamps, hostnames, and event types (e.g., authentication, connections) to safeguard shell access and prevent brute-force attacks.
  • Rate Limiting: Tracks IP addresses, email addresses (where relevant), and access times to control resource use and mitigate abuse.
  • Firewall (UFW) Logs: Includes events such as blocks, limited connections, and attack attempts, with detailed metadata such as timestamps, hostnames, network interfaces, MAC addresses, IP and packet headers, source/destination ports, and protocol flags. Automated and manual analyses identify and respond to suspicious behaviours.
  • Nextcloud: Logs authentication events and errors to maintain security and detect threats.
  • Audit: Internal security logs capturing system and administrative actions, totaling up to ~40MB, retained for security monitoring, incident investigation, and integrity verification.
  • TOR: Only TOR daemon notices are logged, and nothing else, to ensure anonymity.
  • Network: We store anonymous traffic and bandwidth statistics to monitor network I/O.

Most logs are retained for approximately one (1) month, while some audit and internal security logs are kept longer to ensure service integrity and ongoing protection. Logs may be analysed anonymously to generate statistical insights for improving service reliability, security, performance, and overall experience. These anonymous statistics may be shared publicly or privately for non-commercial purposes. None of the raw logs will ever leave the hands of administrators of the ari-web infrastructure unless they are completely anonymised. No activity will ever be linked to your IP address long-term (outside of short-term IP bans) and the logs are not used for any tracking purposes.

# Your Data

ARI.LT (Ari-web) collects only the data necessary to provide and maintain its services. The types of data collected for each service are outlined below:

  • Forgejo Git Forge: Includes login data, all files and repositories you upload, email addresses, hashed passwords, 2FA status, timestamps of account creation and last login, encrypted CI/CD secrets, logs, repository metadata, issues, commits, pull requests, projects, releases, packages, wiki content, and other data standard to the Forgejo platform.
  • Email (Mailcow): Covers spam filtering scores, email messages stored or quarantined via IMAP, account information, hashed passwords, and other essential data for email operation as handled by Mailcow.
  • Roundcube Webmail: Stores preferences, encrypted passwords, login tokens, and session data, managed per standard Roundcube operation.
  • Private PocketBase Instance: Contains all account information and any data you upload to the database, as per typical PocketBase usage.
  • Nextcloud: Stores all uploaded files, profile information, and related data consistent with standard Nextcloud service use.
  • Arivertisements: Aside from standard system logs necessary for operation, no user data is collected. The web server logs are sanitised to remove the user agent and referrer data to protect the cross-origin privacy of users.

On this website specifically:

  • Guestbook: Your E-Mail (RC4 encrypted, mainly for obfuscation), website (optionally), the name you entered in the form, your message, message posted datetime, message score, unique message ID, and whether or not you confirmed the comment. This information is stored until an administrator deletes your comment, the user deletes the comment through the sent link in their email, or the user does not confirm their email in 3 days.
  • AriGPT: Your prompt, admin answer, and prompting time. This information is stored indefinitely unless requested otherwise by the author, deleted by an administrator, or an administrator has not answered the question in 3 days.
  • Contact Page: Contact request time, subject, your name, your IP address (attached to the contact request if any files are uploaded), any uploaded attachments (if any), your reach back contact(s) (if provided), your message, and a SHA256 hash of a unique proof string sent to the users for authorship verification/proof purposes. This information is stored until your contact request has been processed or was reviewed and ignored.

Various cookies, while not directly data, may be sent to users to rate limit their activity, provide session or permanent storage, or manage (permanent) access. These cookies will never be used for commercial purposes directly (such as selling/tracking) or unnecessary tracking of users - only to provide, protect, or improve functionality of services. By using ARI.LT (Ari-web) services, you agree to have these cookies served to you.

# How Your Data Is Used

The collected data (and logs) is primarily used to:

  • Provide, operate, maintain, and improve services.
  • Maintain and improve service stability and quality.
  • Protect against abuse, spam, and unauthorised access.
  • Moderate community interactions and enforce community standards.
  • Monitor and respond to security incidents.
  • Analyse anonymised usage data to enhance the project.

Your data (and logs) is never sold or shared with third parties.

For the purposes of applicable data protection laws, the operator of ARI.LT (Ari-web) acts as the data controller for personal data processed through the services unless otherwise stated.

# Data Protection Measures

As a primarily solo operator, ARI.LT (Ari-web) employs multiple layers of security to protect your data, including:

  • Encryption of data in transit (HTTPS) and at rest where possible.
  • Enforcement of encryption through systems like HSTS preload.
  • Use of strong firewall rules and DDoS protection via the hosting provider.
  • General system hardening and configuration rules.
  • Regular system updates and security hardening techniques.
  • Active monitoring and logging to detect and prevent abuse.
  • Hashing (and salting) sensitive information where applicable.
  • Restricting applications via local sandboxing and private networks.

While these measures significantly reduce risk, no system can be guaranteed completely secure. Your understanding and caution when sharing sensitive data are appreciated.

# Backups

To ensure service resilience, we implement off-site backups held privately in Lithuania, on an encrypted and compressed drive and archive on an external storage device, without any on-site backups.

This device never leaves the private household of the project owner and is encrypted using symmetric encryption methods, ensuring security even if information were leaked. The password is securely stored behind multiple layers of encryption and the owner's knowledge of how to access the device.

All data removal, editing, and other data-related requests are handled promptly within the live system and backups are updated accordingly right away without any auxiliary data storage. Backups are stored for up to three (3) months (maximum without any data-related requests) or less.

# Your Rights and Control

You remain in full control of your data on ARI.LT (Ari-web). If you wish to:

  • request deletion or removal of your data or logs,
  • request an export or clarification of stored information,
  • or have any privacy concerns or questions,

please contact us anytime at legal@ari.lt. Your requests will be handled as promptly as possible.

Where applicable under law, all users have the right to access, rectify, erase, and port their personal data.

# User Obligations

Users must be at least sixteen (16) years old to access or use ARI.LT (Ari-web) services. If you are under this age, please do not use the services.

Users are also expected to protect their own privacy and security diligently.

# Hosting and Location

ARI.LT (Ari-web) is securely hosted in Germany by ETH-Services, a provider that offers robust technical infrastructure with advanced DDoS protection. Their systems continuously monitor traffic for suspicious activity to ensure high security and reliability.

Our DNS is managed through deSEC DNS, while domain registration is handled by Hostinger. Additionally, our SSL certificates are provisioned by Let's Encrypt.

Certain personal data may be processed by infrastructure providers where necessary to deliver services, including hosting, DNS, email, and certificate management providers.

Please note that we are independent and have no official affiliation, partnership, or endorsement by any of these companies or organisations.

# Governing Law

This Privacy Policy and all related agreements shall be governed by the laws of the Republic of Lithuania. In case of court disputes, the parties agree to first seek an amicable resolution through negotiation or mediation before considering any legal action in the courts of Lithuania.

# Changes to Terms

This Privacy Policy may be updated over time. Continued use of services after changes constitutes acceptance of the new terms. You are responsible for keeping yourself up to date with these terms.

# Contacts

Questions or concerns about this Privacy Policy should be directed to legal@ari.lt.