Privacy Policy
Last updated: 7 December 2025
This Privacy Policy explains how The Haunted Lighthouse Limited (“we”, “us”, “our”) collects, uses and protects your personal data when you use:
- our main website at haunted.lighthouse.co.im (the “Website”);
- our Mastodon instance at lighthouse.co.im (the “Mastodon Service”); and
- our Forgejo-based git hosting at git.lighthouse.co.im (the “Forgejo Service”).
We take a privacy-first, data-minimal approach. We only collect what we genuinely need to provide and protect the services, and we do not sell, rent or trade your data.
1. Who we are
The Haunted Lighthouse Limited is a company based in the Isle of Man. For any questions about this policy or your data, you can contact:
The Haunted Lighthouse Limited
Peel, Isle of Man
Email: compliance@haunted.lighthouse.co.im
For the purposes of UK GDPR and aligned Isle of Man data protection law, we act as the data controller for personal data processed via our Website, Mastodon Service and Forgejo Service.
2. What data we collect
2.1 Data you provide to us directly
- Account details
  When you create an account on our Mastodon or Forgejo services, we collect information such as:
  - email address;
  - chosen username and display name;
  - password (stored in hashed form only);
  - profile information you choose to provide (bio, avatar, header image, links, etc.).
- Content you publish
  On Mastodon this includes posts, replies, direct messages, media uploads and any other activity you perform. On Forgejo this includes repositories, issues, pull requests, comments and other project content.
- Support and correspondence
  When you email us or contact us through other channels, we collect the information you provide so we can respond and keep appropriate records.
2.2 Data collected automatically
- Server logs
  Our servers automatically record technical information when you access our services, such as:
  - IP address;
  - date and time of requests;
  - requested URLs and HTTP status codes;
  - user-agent (browser / client information).
- Session and security data
  We may store limited session identifiers and security tokens (for example, to keep you logged in, to prevent cross-site request forgery, and to enforce rate limits).
2.3 Federated data (Mastodon)
Mastodon is a federated social network. This means that when you interact with users on other Mastodon instances or compatible services:
- your public posts and profile data may be copied to other servers outside our direct control;
- remote servers may cache or retain copies of your data according to their own policies;
- when remote users interact with you, we receive their public profile information and content.
We cannot enforce deletion or correction of data stored on third-party servers that have already federated with our instance. We will, however, honour your rights on the data we control directly.
3. How we use your data
We process your personal data for the following purposes:
- Providing the services
  To create and manage your account, deliver timelines, serve repositories and enable the features you use.
  Legal basis: performance of a contract.
- Security and abuse prevention
  To protect the services from spam, abuse, unauthorised access and attacks, and to apply moderation decisions.
  Legal basis: legitimate interests; in some cases legal obligation.
- Backups and disaster recovery
  To maintain reliable backups of Mastodon and Forgejo data on secure storage (for example on our own infrastructure and off-site encrypted vaults) so we can restore service after a failure.
  Legal basis: legitimate interests.
- Communication with you
  To send essential service messages (such as password reset emails, security notices or critical service updates). We do not send marketing newsletters.
  Legal basis: performance of a contract; legitimate interests.
- Legal compliance
  To comply with applicable laws, respond to lawful requests and enforce our Terms of Service.
  Legal basis: legal obligation; legitimate interests.
4. Data sharing and processors
We do not sell your personal data. We may share it only with:
- Hosting and infrastructure providers
  For example, data centre providers and storage services that host our servers and backups. These providers act as our data processors and are bound by contracts and data protection safeguards.
- Federated services (Mastodon only)
  When you interact with users on other instances, your public profile and posts are shared with those servers, as required by the protocol. This is inherent to how the fediverse works.
- Service providers for payments or billing (Forgejo hosting customers only)
  If you purchase a paid plan, limited data (such as your email and payment reference) may be processed by third-party payment processors. We do not store your full card details on our servers.
- Legal authorities
  Where we are required to do so by law, or where we reasonably believe it is necessary to protect the rights, property or safety of our users, the public or ourselves.
5. International transfers
Our infrastructure may be hosted in data centres located in the European Union or other jurisdictions that provide adequate data protection safeguards. Where data is transferred outside the UK or EU/EEA, we will take reasonable steps to ensure that appropriate protection is in place (for example, contractual safeguards).
6. How long we keep your data
- Account data – kept while your account is active. If you delete your account, we delete or anonymise data within a reasonable period, subject to backups.
- Backups – kept for a limited rolling retention period and used only for disaster recovery.
- Logs – retained for a limited time then deleted or anonymised unless needed for investigations.
7. Your rights
You may have rights to:
- access the data we hold about you;
- request correction, deletion or restriction;
- object to certain processing;
- request data portability where applicable;
- withdraw consent where processing is based on consent.
To exercise these rights, email compliance@haunted.lighthouse.co.im.
8. Cookies
We use only limited cookies necessary for login, security and essential preferences. See our Cookie Policy for details.
9. VPNs, Tor and network privacy
We allow access via VPNs and Tor, provided behaviour complies with our Terms and community rules. Moderation decisions focus on behaviour, not IP address or physical location.
10. Changes to this Policy
We may update this Privacy Policy from time to time. Significant changes may be announced via the Website or Mastodon.
11. Contact
Questions about this Policy can be sent to contact@haunted.lighthouse.co.im.