Effective: March 27, 2018
We are IRCCloud Ltd, a limited company registered in England and Wales, with company number 07417638. We are registered with the Information Commissioner’s Office, with registration number ZA917842.
We take privacy and security very seriously at IRCCloud. In this policy, we aim to be explicit about how we store your personal data, particularly passwords and other credentials.
We operate a responsible disclosure program which offers cash rewards to security researchers who responsibly report security issues in IRCCloud.
Please send an email to firstname.lastname@example.org if you have any questions.
How and why we process personal data
We process your username, email address, password, and records of your communications, to provide the service to you.
We process your payment information to bill you for the service, and we keep records of payments as required by law. (We do not store your payment information; this is kept by our payment service providers.)
If you contact us (e.g. our support team, or via social media), we’ll use your information to answer your questions, and for the legitimate interests of maintaining and improving our service.
We use your IP address for the legitimate interest of securing and protecting our services.
We analyse website traffic, for the legitimate interests of monitoring performance and optimising our site.
You are not required to provide any data to us but, if you do not, you will not be able to use service.
Recipients of personal data
We rely on a number of third parties to help us provide the service. This includes payment processors and hosting providers.
Except for these, we will not reveal user data to a third party unless:
- We are compelled to by law, or
- We believe it is necessary to prevent death or serious physical harm to someone.
If we believe a legal request to be too broad, we will seek to narrow it. Where appropriate, we will notify users about a legal request for their data unless we are prevented from doing so by law.
Transfers of personal data outside the EEA
We transfer your personal data to a number of providers in the USA. These include providers of hosting services, payment processing services and various administrative services.
The majority of these are reliant on the European Commission’s model contract clauses.
PayPal, one of our payment services providers, is based in the EEA, but may transfer personal data outside the EEA to provide its service. It uses binding corporate rules for transfers between PayPal-related companies. You can find more information here.
For more information, please email email@example.com.
We keep logs of your IRC communications until you delete your account with us, or a connection, or channel. This means that, even if you stop using IRCCloud for a while, when you next log in, it will be as if you never went away.
When you delete your account, a connection, or channel, your logs are purged from our active data store within 7 days, and from all backups after a maximum of 60 days. You can delete it any time from your settings on the web site.
We keep website analytics information for approximately a week.
We keep records of your payments indefinitely, to resolve disputes and for our accounting records.
You have the right to
- request from us access to and rectification or erasure of your personal data;
- restriction of processing or to object to processing; and
- request data portability.
If you have any questions, please send an email to firstname.lastname@example.org.
We hope you will never need to use it, and we will deal promptly and effectively with any complaints you might have, but you also have the right to lodge a complaint with a data protection supervisory authority, such as the Information Commissioner’s Office.
Your account password
We store your account password using a strong hash function designed for passwords (bcrypt). This would make it very expensive for an attacker to recover your password if they gained access to the hashes.
As a matter of good practice, we recommend that you use a strong, unique password for IRCCloud, and that you don't reuse your IRCCloud password on other websites. We recommend using a secure password manager such as LastPass or 1Password.
Other passwords and credentials
If you choose to save server or Nickserv passwords and other on-connect commands, we store these using reversable encryption with a per-user key. We only decrypt these at the point of transmission and never store or log them unencrypted.
OPERing, and sending passwords via IRCCloud
We don't store commands you send to the server, such as /oper or Chanserv passwords. However, be aware that any passwords or credentials included in a response from the server will be stored in your backlog.
Some IRC network policies prohibit OPERing up on hosted IRC clients, so check with your network administrators if you are unsure.
Payment information (full credit card details, etc), isn't stored on our servers. They are held by the payment processing services we use: either PayPal or Stripe. We only have access to the last 4 digits of your card number, and never see the CCV security code.
Access to IRCCloud, via the website or mobile apps, is always encrypted over HTTPS.
We also send HTTP Strict Transport Security (HSTS) headers, and our domain is included in the preloaded HSTS lists in Chrome and Firefox. This means your session can't be hijacked due to insecure wifi or coffee-shop/firesheep style exploits.
Be aware that embedding external media may result in your IP address being revealed to the embedded external service.
IRC Network Security
While connections to IRCCloud are always encrypted, bear in mind that you can make insecure (non-SSL) connections to IRC networks.
Additionally, it may be difficult to ensure your conversations don't pass over insecure server-server or server-client connections once they've left our servers. Unless you trust your IRC network and are fully aware of these security risks, we recommend that you do not send sensitive information over IRC.
As part of the service, we log and archive all activity in channels you join and private messages.
We store these logs on a separate server cluster to the rest of the system, with no direct references to email addresses and personal data stored alongside them.
Your logs are not encrypted, because we send them back to you as plaintext, and we need to be able to index them for searching.
Our staff will ask your permission if they need to access your logs, typically to assist with technical support. We may access your account and view your history without asking your permission when investigating abuse or misuse of the service, in accordance with our abuse policy.
Archived versions of our terms and policies are available at /legal-archives