GDPR

Updated: 13/5-25

Privacy Policy

Midvault is built from the ground up with privacy as the highest priority.
We comply with the EU’s General Data Protection Regulation (GDPR) – but we go beyond legal minimums. Our core philosophy is to give users full control over their digital presence and to minimize the need for trust. This isn’t just a legal obligation – it’s the foundation of everything we do.

This policy explains how we handle personal data within our two main services:
Matrix/Element – secure, end-to-end encrypted communication
Nextcloud (Test Server) – private cloud storage for evaluation purposes

👤 Data Controller
Company: Midvault
Email: admin@midvault.nu
Location: Dalarna, Sweden

🗨️ Matrix (Public Chat Platform)
Midvault provides a public Matrix homeserver for secure communication.

End-to-End Encryption: All messages in private and group chats are encrypted by default.
Midvault cannot read your messages, as encryption keys are only stored on user devices.
In rare cases (e.g. public rooms or disabled encryption), messages may be sent unencrypted. Even in those cases, Midvault does not log, index, or analyze message contents.

The only personal data stored is basic account metadata, such as your username, login timestamps, and IP address (retained for up to 364 days for security purposes).
Messages you send remain visible to other participants even if you delete your account, in line with how the Matrix protocol works.

You may request account deletion at any time. This will deactivate your account and remove your identity from the server.
Note: Self-hosted Matrix servers managed separately by users through Midvault are not covered by this policy.

☁️ Nextcloud (Test Server)
Midvault offers a limited-time trial server for testing the Nextcloud platform.
The trial period is typically up to 14 days following an approved registration.
During this time, you may store files and test features, but we strongly advise not uploading sensitive or personal data, as this environment is not intended for production use.

Data stored on the server is encrypted at rest (full disk encryption).
Midvault administrators can technically access file contents, but only when strictly necessary for support or maintenance – and never for analysis or sharing.

After the trial period ends, all user accounts and files are automatically deleted within 14 days.
Note: Self-hosted Nextcloud instances operated through Midvault or by users independently are not covered by this policy.

 How We Use Your Data
We process personal data only for the following purposes:
To provide access to services
To handle support requests
To send critical system notifications (never marketing)
We never share data with third parties.

 Data Storage and Security
All data is stored on servers owned and operated by Midvault in Sweden.
Only authorized administrators may access stored data – and only when necessary for support or operations.

Your Rights Under GDPR
You have the right to:
Access your personal data
Correct inaccurate data
Request deletion of your data
Withdraw your consent
File a complaint with the Swedish Authority for Privacy Protection (IMY)

📩 Contact
If you have any questions regarding how we handle personal data, contact us at:
✉️ admin@midvault.nu