This is an archived document. The latest version is available at /privacy
Effective: November 2, 2013
We take privacy and security very seriously at IRCCloud. In this policy, we aim to be explicit about how we store your personal data, particularly passwords and other credentials.
We operate a responsible disclosure program which offers cash rewards to security researchers who responsibly report security issues in IRCCloud.
Please send an email to email@example.com if you have any questions.
Your account password
We store your account password using a strong hash function designed for passwords (bcrypt). This would make it very expensive for an attacker to recover your password if they gained access to the hashes.
As a matter of good practice, we recommend that you use a strong, unique password for IRCCloud, and that you don't reuse your IRCCloud password on other websites. We recommend using a secure password manager such as LastPass or 1Password.
Other passwords and credentials
If you choose to save server or NickServ passwords and other on-connect commands, we store these using reversible encryption with a per-user key. We only decrypt these at the point of transmission and never store or log them unencrypted.
OPERing, and sending passwords via IRCCloud
We don't store commands you send to the server, such as /oper or ChanServ passwords. However, be aware that any passwords or credentials included in a response from the server will be stored in your backlog.
Some IRC network policies prohibit OPERing up on hosted IRC clients, so check with your network administrators if you are unsure.
Payment information (full credit card details, etc.) isn't stored on our servers. It is held by the payment processing services we use: either PayPal or Stripe. We only have access to the last 4 digits of your card number, and never see the CCV security code.
Access to IRCCloud, via the website or mobile apps, is always encrypted over HTTPS.
We also send HTTP Strict Transport Security (HSTS) headers, and our domain is included in the preloaded HSTS lists in Chrome and Firefox. This means your session can't be hijacked due to insecure Wi-Fi or coffee-shop/Firesheep-style exploits.
Embedding media from external sites can cause your web browser to warn that this site is “not fully secure”. Your IRCCloud session and data are always secure and private, but embedded media may load insecurely. Also, be aware that embedding external media may result in your IP address being revealed to the external service, even for secure content.
IRC Network Security
While connections to IRCCloud are always encrypted, bear in mind that you can make insecure (non-SSL) connections to IRC networks.
Additionally, it may be difficult to ensure your conversations don't pass over insecure server-server or server-client connections once they've left our servers. Unless you trust your IRC network and are fully aware of these security risks, we recommend that you do not send sensitive information over IRC.
As part of the service, we log and archive all activity in channels you join and private messages.
We store these logs on a separate server cluster to the rest of the system, with no direct references to email addresses and personal data stored alongside them.
Your logs are not encrypted, because we send them back to you as plaintext, and we need to be able to index them for searching.
Our staff will ask your permission if they need to access your logs, typically to assist with technical support. We may access your account and view your history without asking your permission when investigating abuse or misuse of the service, in accordance with our abuse policy.
If you delete your account, a connection, or channel, your logs are purged from our active data store within 7 days, and from all backups after a maximum of 60 days.
Legal Demands for Data
We will not reveal user data to a third party unless:
- We are compelled to by law, or
- We believe it is necessary to prevent death or serious physical harm to someone.
If we believe a legal request to be too broad, we will seek to narrow it. Where appropriate, we will notify users about a legal request for their data unless we are prevented from doing so by law.
- We are a UK Limited Company, with an office in London.
- Our website is hosted in California, USA.
Archived versions of our terms and policies are available at /legal-archives