Last updated: March 2026
Draft, subject to change
Toskr is in early access. This Privacy Policy will be reviewed by counsel before public launch and may change.
This Privacy Policy describes how Toskr ("Toskr," "we," "us," or "our") collects, uses, stores, and discloses information about you when you use our website at toskr.io and associated hosted Matrix server infrastructure (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, do not use the Service.
Privacy is not an afterthought at Toskr; it is the reason we exist. We built this service for people and organizations who take communication privacy seriously. We will always be direct about what we can and cannot see, and why. No marketing language, no vague commitments.
When you create an account, we collect your name, email address, and a hashed version of your password. We do not store your password in plain text.
Payment processing is handled by Stripe. We do not store your full payment card details. We retain billing records including subscription status, payment history, and invoices as required for accounting and legal compliance.
We store configuration data related to your Matrix server, including its domain, plan, status, and settings you configure (such as federation preferences and registered user accounts). We may collect server-level metrics such as resource usage to ensure compliance with our Terms of Service and to maintain infrastructure health.
When you contact us via email, we retain those communications for support and legal purposes.
Messages, files, and other content transmitted through your Matrix server are stored on infrastructure we operate on your behalf. Here is exactly what that means in practice:
We do not scan, analyze, mine, or otherwise process your message content for advertising, profiling, product improvement, or any purpose beyond what is necessary to keep your server running. Your conversations are yours.
We use the information we collect to:
We do not sell your personal data. We do not use your data for advertising or share it with third parties for their marketing purposes.
These are not legal qualifications; they are plain commitments we are making to you:
We may share your information with:
We do not sell, rent, or share your personal data with any third party for commercial purposes beyond what is necessary to operate the Service.
If you enable federation on your Matrix server, your server will exchange data, including user identifiers, room metadata, and message content, with other Matrix homeservers on the open Matrix network. This exchange occurs between your server and servers operated by independent third parties outside of our control.
We are not responsible for the privacy practices of third-party Matrix servers. You are responsible for understanding the privacy implications of federation and for ensuring your usage complies with applicable law, including laws governing cross-border data transfers.
We retain your account and server data for as long as your account is active or as needed to provide the Service.
Upon cancellation or termination of your account, your data, including all Matrix server content, messages, files, and user records, will be retained for up to 30 days before being permanently deleted. If you actively delete your account through the portal, your data will be deleted within 24 hours.
Billing records and financial data may be retained for longer periods where required by law or accounting standards.
We take reasonable technical and organizational measures to protect your information against unauthorized access, loss, or misuse. These include encrypted connections (TLS/HTTPS) for all data in transit, hashed password storage, and access controls on our infrastructure.
We strongly encourage all users to enable end-to-end encryption in their Matrix rooms wherever possible. E2EE is the most effective protection available: encrypted messages are mathematically opaque to us, to any future infrastructure provider, and to anyone who might make legal demands of us. Your server is yours; E2EE keeps your conversations that way.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and we are not liable for unauthorized access that is outside of our reasonable control.
The Service uses session cookies strictly necessary for authentication and to maintain your logged-in state. We do not use advertising cookies, third-party tracking pixels, or analytics services that profile your behavior across websites.
Depending on your location, you may have rights regarding your personal data, including the right to access, correct, delete, or export your data. To exercise any of these rights, contact us at support@toskr.io.
You may delete your account and associated data at any time through your account settings in the portal. Account deletion will trigger permanent deletion of your data within 24 hours.
The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.
We may update this Privacy Policy from time to time. The current version is always posted on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
For any questions or concerns regarding this Privacy Policy or your personal data, contact us at support@toskr.io.