Skip to main content
Connectivity Tester
English
BETA This service is in beta — please report issues on the Forum.
Legal

Privacy Policy

This policy describes what data the Matrix Connection Tester collects, why it collects it, and what rights you have over it.

Last updated: May 2026

1. Who is the data controller?

The Matrix Connection Tester is free, open-source software (AGPL-3.0) that anyone can self-host. The data controller is the operator of the specific instance you are using.

If you are unsure who operates this instance, check the footer links or contact the site administrator.

2. What we collect and why

2.1 Federation tests — no account required

When you enter a homeserver domain and run a test, the domain is sent to the API server to perform federation checks. We do not store the raw domain name.

If you tick "contribute to public statistics" on the home page (the checkbox is off by default), we record the result (pass / fail) and software version information. The domain name is always stored as a salted BLAKE3 hash — keyed with a server-side secret salt and irreversible. The raw domain is never written to storage.

2.2 Alert account

Creating an account to receive downtime alerts involves processing the following data:

  • Email address(es) — your primary address is used for account verification, magic-link sign-in, password reset, and alert notifications. You may add additional addresses, each with its own notification preference.
  • Display name (optional) — shown in the UI only.
  • Password — stored as an Argon2id hash. Your plaintext password is never stored or transmitted after hashing.
  • Timezone — an IANA timezone name (e.g. Europe/Berlin) used to interpret your quiet-hours settings.
  • Alert configurations — the homeserver domains you choose to watch, together with notification preferences and quiet hours.
  • Notification history — a rolling log of the last 50 events per alert (failures, recoveries, and similar).
  • Webhook endpoints (optional) — HTTPS URLs you configure to receive event notifications as signed HTTP POST requests. Each webhook may have an optional HMAC-SHA256 secret for payload verification. Webhook secrets are stored server-side and are never returned in API responses.

We use this data solely to deliver the notifications you configure. We never send marketing email.

2.3 Technical / server logs

The server may record IP addresses in access logs for security and operational purposes. Log retention period is configured by the operator.

3. Legal basis (GDPR)

This service is provided on a best-effort, no-warranty basis. No uptime guarantees are made or implied.

  • Account and alert data: your consent, given when you create an account and configure alerts. You may withdraw consent at any time by deleting your account.
  • Statistics opt-in: your explicit consent (you tick the checkbox per test run; the default is off).
  • Server access logs: legitimate interest in security and operational stability.

4. Third-party processors

We do not sell or share personal data with third parties. Email notifications are routed through an email delivery provider configured by the operator; only your email address and the notification content are transmitted for each delivery.

Webhook notifications are delivered directly to the HTTPS URLs you configure. These may point to third-party services (e.g. Slack, PagerDuty, or custom endpoints). Each delivery transmits the event type, a timestamp, and the server name over HTTPS. No personal account information is included in webhook payloads.

No third-party analytics, advertising networks, or tracking pixels are present on this site.

5. Cookies and browser storage

This site does not use cookies. During the sign-in and registration flow, session tokens are held server-side and a signed cookie is used only to maintain your authenticated session.

6. Data retention

  • Account data (email addresses, display name, timezone, alert configurations): retained until you delete your account.
  • Alert event history: rolling window of the last 50 events per alert; deleted with your account.
  • Email notification log: a record of each notification sent is automatically pruned after 7 days and deleted immediately when you delete your account.
  • Webhook delivery log: delivery records are retained for 30 days then pruned automatically. Full payloads are not stored in the delivery log.
  • Anonymised statistics (salted BLAKE3 hash + pass/fail + software version): retained for 30 days; they cannot be linked back to you or your account.
  • Server access logs: retention period set by the operator.

7. Your rights

Under GDPR (and equivalent legislation) you have the right to:

  • Access — download everything we hold about you from Account → Download data. The export is a machine-readable JSON file (GDPR Article 20).
  • Deletion — permanently delete your account and all associated data from Account → Delete account. This is irreversible. Anonymised statistics (hashed domain, pass/fail) are not linked to your account and remain in place.
  • Correction — update or add email addresses from Account → Email addresses.
  • Portability — the JSON export (Account → Download data) covers all structured personal data we hold.
  • Withdraw consent — statistics consent is given per test run via the checkbox on the home page; simply leave it unticked on future runs.
  • Object or restrict — contact the operator if you believe processing is unlawful or want to raise a concern.

You also have the right to lodge a complaint with your national data protection authority.

8. Changes to this policy

We may update this policy when the service changes. The "last updated" date at the top of this page will reflect any revision. Continued use of the service after a change constitutes acceptance of the updated policy.

9. Contact

For privacy enquiries or to exercise your rights, contact the operator of this instance.