Privacy Policy

Last Updated: January 2026

1. Introduction and Data Controller

This chatroom service ("Service") is operated as a personal hobby project for learning and experimentation with online communication systems, spam detection, and chat moderation techniques.

Contact: hello@indexlobby.com

This Privacy Policy explains what data we collect, how we use it, your rights, and the legal basis for processing your personal data under the General Data Protection Regulation (GDPR) and similar privacy laws. By using this Service, you acknowledge that you have read and understood this policy.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent (GDPR Art. 6(1)(a)): By checking the consent box and entering the Service, you provide explicit consent for data collection and processing as described in this policy. You may withdraw consent at any time.
  • Legitimate Interests (GDPR Art. 6(1)(f)): Service operation, security, abuse prevention, moderation, and system analysis are necessary for our legitimate interests in maintaining a functional and safe platform and learning about chat system behavior.

Purpose: This hobby project collects and analyzes data to learn about online communication patterns, test spam detection techniques, experiment with moderation systems, and understand user behavior in chat environments. Data may be used for personal learning, technical blog posts, or portfolio demonstrations in aggregated or anonymized form.

3. Data We Collect

3.1 User-Provided Information

  • Usernames: The username you choose when entering the chatroom (2-20 characters, alphanumeric with underscores and hyphens). Usernames are not verified and may be pseudonymous.
  • Messages: All chat messages you send, including public lobby messages and private direct messages. See Section 3.4 for important privacy considerations regarding private messages.

3.2 Automatically Collected Information

  • IP Addresses: Your IP address is collected from connection headers and may be used for rate limiting, abuse prevention, ban enforcement, security analysis, and moderation purposes.
  • Connection Metadata: Timestamps of connections and disconnections, session duration, connection attempts, and technical connection parameters.
  • Activity Data: User actions including joining, leaving, message frequency, timing patterns, and interaction patterns.
  • Session Information: Temporary reservation tokens (30 seconds), authentication status, and session state.
  • Rate Limiting Data: Temporary tracking of message frequency and connection attempts per IP address and username.

3.3 Browser Storage (Not Cookies)

  • sessionStorage: We use browser sessionStorage (not persistent cookies) to store your username and session state locally in your browser. This data is automatically cleared when you close your browser tab and never leaves your device.
  • No Tracking Cookies: We do not use persistent cookies, third-party tracking technologies, or analytics services.

3.4 Important Privacy Considerations

Private Messages Are Not Encrypted: While labeled "private," direct messages between users are stored in plaintext and are accessible to system administrators for moderation and system analysis purposes. Private messages should be treated as having limited privacy and may be reviewed for moderation or to understand chat system behavior.

Do Not Share Sensitive Information: Do not share sensitive personal information, passwords, financial data, health information, or confidential information through this Service. You are solely responsible for any information you choose to disclose.

Experimental Environment: This is a hobby project for learning and experimentation. All communications and activities may be analyzed to understand system behavior and improve spam detection and moderation techniques. You should treat all interactions as potentially subject to review and analysis.

User Responsibility: You are responsible for maintaining the confidentiality of any information you share through this Service. We are not responsible for information you voluntarily disclose in public or private chats.

4. How We Use Your Data

Purpose Legal Basis Data Types
Analysis of communication patterns and system behavior Consent + Legitimate Interest Messages, activity data, metadata
Service operation and functionality Legitimate Interest Usernames, sessions, connection data
Abuse prevention, rate limiting, spam detection Legitimate Interest IP addresses, activity patterns, message frequency
Moderation and ban enforcement Legitimate Interest IP addresses, usernames, messages, moderation records

5. Data Retention

We apply different retention periods based on the purpose and legal basis for processing. All retention periods are subject to applicable legal obligations and may be modified where required by law.

5.1 Chat and Activity Data (Consent + Legitimate Interest)

  • Messages and Activity Logs: Retained for as long as the Service operates to enable analysis of communication patterns, system behavior, and spam detection effectiveness. Retention may be indefinite for the purpose of learning and experimentation. You may withdraw consent and request deletion, subject to limitations described in Section 8.2.
  • Aggregated/Anonymized Data: Once data is anonymized such that re-identification is no longer reasonably possible, it is no longer considered personal data under GDPR and may be retained indefinitely for analysis and learning purposes.

5.2 Operational Data (Legitimate Interest)

  • IP Addresses: Retained for up to 30 days for security analysis, abuse prevention, rate limiting purposes, and operational requirements. IP addresses associated with active bans may be retained for the duration of the ban plus 90 days for appeal processes.
  • Connection Logs: Generally retained for up to 90 days for debugging, security analysis, and abuse investigation, then reviewed for deletion where no longer needed.
  • Moderation Records: Retained for up to 2 years for audit purposes, dispute resolution, and pattern analysis, then reviewed for deletion unless ongoing legal or operational requirements necessitate continued retention.

5.3 Temporary Data

  • Username Reservations: 30 seconds, then automatically deleted
  • Active Session State: Deleted upon disconnect
  • sessionStorage: Automatically cleared when you close your browser tab

5.4 Retention Justification

Extended retention of chat and activity data allows for ongoing learning about communication patterns over time, experimentation with spam detection and moderation techniques, understanding of long-term system behavior, and development of improved chat systems. Where possible and technically feasible, we implement data minimization and pseudonymization techniques.

6. Administrative Access and Data Security

The service operator and authorized administrators may have access to chat messages (public and private) for system analysis and moderation, user connection history and session data, IP addresses and network information for operational purposes and behavior analysis, and moderation tools and user management functions. Access is restricted to individuals with legitimate operational needs.

Security Measures: We strive to implement reasonable security measures to protect your data, which may include access controls limiting data access to authorized personnel, rate limiting to prevent abuse and denial-of-service attacks, cryptographically signed authentication tokens with time-limited expiration, password hashing (bcrypt) for administrator accounts, connection validation and origin checking, regular security reviews and updates where feasible, and database access restricted to secure server environments.

Limitations: However, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data. Private messages are stored in plaintext without end-to-end encryption. By using this Service, you acknowledge these limitations and assume the risk of unauthorized access or data breaches.

7. Data Sharing and Third Parties

  • No Commercial Sharing: We do not sell, rent, or commercially share your personal data with third parties.
  • No External Tracking: We do not use external analytics services, advertising networks, or third-party trackers.
  • Public Sharing: Aggregated, anonymized, or pseudonymized data may be shared publicly in blog posts, technical demonstrations, or portfolio materials in forms designed to prevent individual identification.
  • Legal Requirements: We may disclose data where required by law, court order, governmental authority, or where necessary to protect our rights, property, or safety, or that of others.

8. Your Rights Under GDPR

Subject to applicable law and the limitations described below, you have the following rights regarding your personal data:

8.1 Rights You Can Exercise

  • Right to Access (Art. 15): Request a copy of personal data we hold about you, including messages, connection logs, and metadata. We aim to respond within 30 days as required by GDPR.
  • Right to Rectification (Art. 16): Request correction of inaccurate data. Note that usernames and messages may be immutable for system integrity, but we can add corrections or context where technically feasible.
  • Right to Object (Art. 21): Object to processing based on legitimate interests. We will assess whether our legitimate grounds override your interests, rights, and freedoms.
  • Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances as provided by law.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format where technically feasible.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent for data processing at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority if you believe we have violated your privacy rights.

8.2 Right to Erasure (Deletion) - Important Limitations

You have the right to request deletion of your personal data under GDPR Article 17, subject to the following:

What Can Generally Be Deleted:

  • IP addresses used for rate limiting (after expiration of retention period)
  • Connection logs older than retention periods
  • Temporary session data
  • Your ability to access the Service

What May Be Retained Under GDPR Exemptions (Art. 17(3)):

  • Legitimate Interests: Messages and activity data may be retained where necessary for our legitimate interests in operating and improving the Service, provided these interests are not overridden by your fundamental rights and freedoms.
  • Legal Obligations (Art. 17(3)(b)): Data necessary for compliance with legal obligations.
  • Legal Claims (Art. 17(3)(e)): Data necessary for establishment, exercise, or defense of legal claims.

Pseudonymization Alternative: Where full deletion cannot be accommodated under applicable exemptions, we may offer pseudonymization: replacing your username with an anonymized identifier and disassociating IP addresses, designed to prevent re-identification while preserving system data for ongoing learning and analysis.

Transparency Commitment: When you submit a deletion request, we will clearly explain which data can be deleted and which data, if any, qualifies for retention under applicable exemptions. You have the right to challenge our decision with your data protection authority.

8.3 How to Exercise Your Rights

To exercise any of these rights, contact us at hello@indexlobby.com with your username(s), approximate dates of use, the specific right you wish to exercise, and any relevant details to help us locate your data. We aim to respond within 30 days as required by GDPR, and no later than legally mandated timeframes. Identity verification may be required for security purposes.

9. Age Requirements

Minimum Age: You must be at least 16 years old to use this Service. Users aged 13-15 may use the Service only with verifiable parental or guardian consent.

Representation: By using this Service, you represent and warrant that you meet these age requirements or have obtained necessary parental consent.

Parents/Guardians: If you become aware that a child under 13 has used this Service, or a child aged 13-15 has used it without proper consent, please contact us immediately at hello@indexlobby.com. We will promptly investigate and take appropriate action, including deletion of data where required by law.

10. International Data Transfers

Data Location: This Service may be hosted on servers located in various jurisdictions, potentially including the United States, European Union, or other locations.

Transfer Mechanisms: When personal data is transferred from the EU/EEA to countries without an adequacy decision, we rely on appropriate safeguards as required by GDPR Chapter V, which may include your explicit consent for the transfer (provided when you agree to this Privacy Policy), Standard Contractual Clauses where implemented with service providers, or other legally recognized transfer mechanisms.

Your Rights: You may obtain information about transfer safeguards by contacting hello@indexlobby.com.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will take reasonable steps to, where required by applicable law:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required (GDPR Art. 33)
  • Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms (GDPR Art. 34)
  • Describe the nature of the breach, likely consequences, and measures taken or proposed to address it
  • Post a notice on the Service homepage where widespread user notification is appropriate

We strive to maintain security measures to prevent breaches, but cannot guarantee that breaches will not occur.

12. Changes to This Policy

Right to Modify: We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or Service features.

Notice Period: Material changes affecting your rights will generally be effective 30 days after posting to this page and notification via a prominent notice on the Service homepage, except where immediate changes are required by law.

Continued Use: Your continued use of the Service after the notice period constitutes acceptance of the updated policy.

Right to Object: If you do not agree with material changes, you have the right to withdraw consent, request data deletion (subject to applicable exemptions), and cease using the Service.

Version History: Previous versions of this policy may be requested by contacting hello@indexlobby.com.

13. Supervisory Authority

If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your privacy rights under GDPR.

Find your supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en

14. Disclaimer and Limitation of Liability

Service Provided "As Is": This Service is provided on an "as is" and "as available" basis. We make no warranties or guarantees about data availability, security, or uninterrupted access. We do not warrant that the Service will be error-free or that defects will be corrected.

Limitation of Liability: To the maximum extent permitted by law, we shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from privacy breaches, data loss, unauthorized access, or your use of the Service, including but not limited to loss of data, loss of profits, or business interruption.

Exceptions: Nothing in this policy excludes or limits our liability for fraud, fraudulent misrepresentation, death or personal injury caused by our negligence, or any liability that cannot be excluded or limited under applicable law.

Your Responsibility: You acknowledge that you use this Service at your own risk and are responsible for implementing appropriate measures to protect your own data and privacy.

15. Governing Law and Jurisdiction

Applicable Law: This Privacy Policy and all data processing activities shall be governed by and construed in accordance with applicable data protection laws, including GDPR where applicable, and the laws of the jurisdiction in which the Service operates.

Disputes: Any disputes relating to this Privacy Policy or our data processing practices shall be subject to the jurisdiction of the appropriate courts, provided that nothing in this section affects your mandatory consumer protection rights or your right to lodge a complaint with your local data protection authority.

EU/EEA Users: If you are located in the EU/EEA, you retain all rights granted under GDPR and your local implementing legislation, regardless of this governing law provision.

16. Severability

If any provision of this Privacy Policy is found to be unenforceable, invalid, or contrary to applicable law by a court of competent jurisdiction, that provision shall be limited, modified, or eliminated to the minimum extent necessary so that this Privacy Policy shall otherwise remain in full force and effect and enforceable.

17. Contact Information

For questions, concerns, or requests regarding this Privacy Policy, your personal data, or to exercise your rights:

Email: hello@indexlobby.com

We aim to respond to all inquiries within 30 days as required by GDPR, and no later than legally required timeframes.

By checking the consent box and using this Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and retention of your data as described herein, including the limitations on deletion rights under applicable legal exemptions.

This Privacy Policy is designed to comply with GDPR and similar privacy regulations. It should not be considered legal advice to users. If you have specific legal concerns about your privacy rights, you should consult with a qualified attorney in your jurisdiction.