Holos

Introduction

This Privacy Policy describes how test collects, uses, and protects your personal information when you use our federated social network service.

Data We Collect

We collect the following types of data to provide and improve our service:

Account Information

  • Email address (for account recovery and important notifications)
  • Username (handle)
  • Password (hashed with bcrypt)
  • Email verification status
  • Account creation and update timestamps

Authentication Data

  • Login sessions (device info, IP address, user agent)
  • Authentication tokens (JWT - JSON Web Tokens, hashed)
  • API keys (if you create them, stored hashed)
  • OAuth authorization codes and refresh tokens
  • Two-factor authentication secrets (if enabled)

Sessions expire after 30 days. OAuth codes expire after 10 minutes.

Content and Activity

  • ActivityPub public key (for federation)
  • Posts and activities you create (stored on your device, proxied through this server)
  • Interactions with federated content (relayed through this server)
  • Pending activities queue (delivered within 7 days)

Notifications

  • Push notification endpoint (Expo token or UnifiedPush URL)
  • Notification preferences (mentions, DMs, follows, likes, boosts)
  • Push notification enabled/disabled status

You can disable push notifications at any time.

Technical Data

  • IP addresses (for security and abuse prevention)
  • User agent strings (browser/app information)
  • Device information (for session management)
  • Mobile tunnel URLs (for federation connectivity)

Security and Audit Logs

  • Login attempts (successful and failed) - 90 days retention
  • Rate limit violations - 30 days retention
  • API key usage logs - 30 days retention
  • Admin actions - 1 year retention
  • Ban history - permanent (audit trail)

Moderation Data

  • Reports received from other instances
  • Ban status and reasons
  • Moderation actions taken on your account

How We Use Your Data

Service Operation

To provide core functionality, enable federation with other ActivityPub instances, and deliver your content across the network.

Security and Anti-Abuse

To prevent spam, detect abuse, enforce rate limits, and protect against unauthorized access.

Communication

To send essential emails (email verification, ban notifications).

Service Improvement

To monitor server performance and optimize functionality (anonymized metrics only).

Data Sharing

Federation (ActivityPub Protocol)

Public content you create is shared with other federated instances according to the ActivityPub protocol. This includes your public posts, profile information, and interactions.

Third-Party Services

Push Notifications (Optional): Expo Push Notifications or self-hosted UnifiedPush. Only your push endpoint/token is shared, not your content.

Email (SMTP) (Optional): Optional email service configured by the administrator (e.g., Gmail, SendGrid, self-hosted). Used only for verification emails and ban notifications.

We do NOT use any analytics, advertising, or tracking services (no Google Analytics, no Sentry, no third-party trackers).

Legal Requirements

We may disclose your information if required by law or to protect our rights and the safety of our users.

Data Retention

We automatically delete data according to the following schedule:

| Data Type | Retention Period |
|---|---|
| User account data | Until you delete your account |
| Login sessions | 30 days |
| OAuth authorization codes | 10 minutes |
| OAuth refresh tokens | 90 days |
| Pending ActivityPub activities | 7 days |
| Login attempt logs | 90 days |
| Admin login logs | 90 days |
| Rate limit logs | 30 days |
| API key usage logs | 30 days |
| Admin action logs | 1 year |
| Server performance metrics | 24 hours |
| Ban history | Permanent (audit trail) |

Your Rights

You have the following rights regarding your personal data:

Data Export

Download all your data in JSON format through your account settings.

Account Deletion

Permanently delete your account and all associated data through your account settings. This action cannot be undone.

Session Management

View all active sessions and revoke access from specific devices in your security settings.

OAuth Token Management

View and revoke OAuth tokens from third-party applications in your security settings.

Notification Control

Enable or disable push notifications and customize notification preferences in your app settings.

API Key Management

Create, view, and revoke API keys for third-party integrations in your developer settings.

Security Measures

  • Passwords are hashed using bcrypt (industry-standard password hashing)
  • API keys and tokens are stored hashed, never in plaintext
  • Two-factor authentication (2FA) available for additional security
  • Rate limiting to prevent abuse and brute-force attacks
  • HTTPS encryption for all connections
  • HttpOnly, Secure, and SameSite cookies to protect the session cookie against theft via XSS and against CSRF attacks

Cookies

We use minimal cookies:

Session Cookie (Dashboard Only)

  • Name: sessionid
  • Purpose: To keep you logged in to the dashboard
  • Duration: 1 hour
  • Attributes: HttpOnly, Secure (production), SameSite=Lax

We do NOT use tracking cookies, advertising cookies, or analytics cookies. We do NOT perform cross-site tracking or fingerprinting.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last Updated" date.

Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: hello@holos.social

Open Source & Transparency

Holos is open-source software (AGPL-3.0 license). You can review our code, database schema, and privacy practices at any time. This transparency ensures accountability and trust.

Effective Date: 2025-01-10
Last Updated: 2025-01-10