Monal Website
You can find our latest privacy policy for our website here: Website Privacy Policy

Monal App
Our privacy policy may differ between app versions. Before reading our privacy policy for our App you first need to find out the Monal version that you are using.

How to find out your Monal version

  1. Open Monal
  2. Open up the settings menu in the upper left corner (gearwheel)
  3. Scroll down to the last entry “version”

Monal App Privacy Policies

Releases            Privacy Policy
6.0 and newer       Privacy Policy Rev 003
5.2.0 up to 5.4.x   Privacy Policy Rev 002
before 5.2.0        Privacy Policy Rev 001

Privacy Monal App ≥ 6.0.0

TLDR

  • We never see your messages.
  • We do not know who you are chatting with.
  • We can not identify a user.
  • We can see your XMPP domain and a Monal-specific unique device id (push token) every time you receive a push message
  • We see your IP addresses if you are on a call and your XMPP server does not provide a STUN or TURN server.
  • We may see your contact’s IP address if you are using our TURN server.
  • We may see your XMPP ID (JID) if you press the “ping” button in the notification debug menu

Structure

The Monal app may interact with Monal servers to support push messages, or when you are establishing a call with a contact but your XMPP server provides neither a STUN nor a TURN server.

Our privacy details are structured as follows. First, we would like to give you a short introduction to how Monal handles push messages to ensure a pleasant user experience. We will then briefly explain VoIP calls and their privacy implications. Afterwards, we would like to inform you how we use crash and usage reports, logs and GDPR Subject Access Requests (SAR).

Push

App resources are very limited on iOS and macOS. Monal, for example, can only run for a limited time in the background after a user has either locked the screen or switched to another app. Hence, apps on iOS and macOS cannot simply keep a connection to your XMPP server open 24/7 to inform you about new messages. To overcome these limitations, your XMPP server can request our push server to send push messages to your device through Apple. With these push messages we can request Apple to wake up Monal on your device. Once it has been woken up, it has about 30 seconds to connect to your XMPP server, fetch all new messages and show a push notification for these new messages, if needed.

How push works

Every time Monal logs in to your XMPP servers, it asks your server to inform our push server once you receive an XMPP message while Monal is closed/disconnected. To do this, we request a Monal-specific push token from Apple and provide this token to your XMPP server. Using this Monal-specific push token, your XMPP server can instruct our push server to send push messages via Apple's push system to wake up the app on your device.

Once push messages are enabled for your Monal instance on all your XMPP servers, your XMPP servers will open an encrypted server-to-server (s2s) connection to one of our push servers. Using this s2s connection, your XMPP servers will then be able to talk to our push servers. To wake up your Monal instance, your XMPP servers send us:

  • Your unique Monal-specific device id (push token) that was generated by Apple
  • The domain of the XMPP server that you are using

Push-Server ping

To help you debug push issues, Monal allows you to ping our push servers. This allows you to check whether your server can reach our push servers properly, but it also reveals your XMPP ID (JID) to our push servers (but not your Monal-specific unique device ID, which is used for normal push notifications).

However, it would be theoretically possible to correlate your unique device id and your JID if you are the only Monal user on your XMPP server.

Push

  • We never see your messages.
  • We do not know who you are chatting with.
  • We could only ever track what XMPP domains a push token is/was using.
  • We can not identify a user.

Push-Servers

We currently provide the following independent push server regions:

  • Europe
  • Alpha (based in Europe, only used for debugging with higher log levels, not for production use)

Note: Our previously used US push region was unfortunately shut down due to fosshost ceasing operation.

How to change the push region

  1. Open Monal
  2. Open up the settings menu in the upper left corner (gearwheel)
  3. Open the Notifications menu
  4. Scroll down
  5. Select a region

Push server regions

If you are an XMPP server administrator, and you restricted s2s connections, please allow s2s to all our regions.

Region   Hostname                    Notice
Europe   eu.prod.push.monal-im.org

Push server locations

Name                           Region   Hoster        Location   Notice
s1.eu.prod.push.monal-im.org   Europe   Hetzner       Finland
s2.eu.prod.push.monal-im.org   Europe   PHP-Friends   Germany

VoIP (STUN / TURN)

With Monal 6.0 we introduced VoIP support. To establish the connection between you and the remote party (the remote contact) Monal utilizes STUN and TURN. In general STUN (Session Traversal Utilities for NAT) is used to allow a VoIP call even when you are behind firewalls.

Calls established using only STUN will directly exchange packets (P2P) between you and your contact. Hence, your contact may see your IP address. If you do not want your contact to see your IP address while on a call, disable P2P connections in Monal’s privacy settings. Once disabled, Monal tries to establish the call using a TURN (Traversal Using Relays around NAT) server.

Note: Not all XMPP servers currently provide STUN and TURN servers. If your XMPP server does not provide STUN and TURN servers, Monal may use our fallback servers. These fallback servers provide both STUN and TURN. You can prevent Monal from using these fallback TURN servers. Please note that we may disable our fallback STUN and TURN servers at any time if too many users are using them.

If you use our fallback servers we will see:

  • Your IP Addresses
  • The IPs of your contact or the IPs of their TURN-Server
  • The duration of the call

We will not see the contents of that call, because these are E2E encrypted.

Crash reports and app usage

Monal does track crashes and usage data anonymously using the tools provided by Apple. This is opt-in only and controlled by iOS and macOS global settings. If a user decides not to send any data to developers, no crash logs are sent to Monal developers.

Unfortunately, most bugs and crashes can’t be tracked down using only the Apple-tools mentioned above. Monal therefore also tracks crashes using its own on-device system (no data will ever reach a third party provider like Crashlytics etc.).

After a crash, the user will be prompted to send a crash report directly to Monal developers. If you decline to submit such a report, no information will be transmitted from your device. If you agree to send such a report to us, that crash report will be sent via email to crash@monal-im.org using your normal email app. If you want to send the report to somebody else, just change the receiver of that email before finally sending it.

These crash-reports contain privacy sensitive data usually consisting of:

  • The iOS and Monal versions that experienced the crash
  • The iOS and Monal versions that reported the crash (usually the same as above)
  • The concrete hardware model of your device and its processor architecture (e.g. your iPhone model)
  • The name of the storage location of Monal’s data on your device (usually the same for all crash reports)
  • The backtraces of all threads and the exact crash error message (if any)
  • The contents of some in-memory variables at the time of the crash
  • The full log file recorded on your device for the last 48 hours or less, see below for a list of contents

You can read the whole contents of a crash report after sending it to yourself by using our graphical Crash-Analyzer located at our DebugTools repository. An up-to-date explanation on how to use the Crash-Analyzer can always be found in the Crash-Analyzer article in our wiki.

Logs

Your local device will contain a log file. This contains sensitive personal data(!) like all sent and received raw XMPP stanzas, decrypted message contents, app usage times (opening and closing the app is logged) as well as much more debug information.

It will be rotated every 48 hours or less (if reaching 128 MiB in size) and a maximum of up to 4 log files are stored on your device. These files will never be transferred to us, except if you explicitly (manually) send them to us (e.g., via email).

You can read the whole contents of a logfile after exporting it using the debug menu in Monal or from a crash report you sent to yourself by using our graphical Log-Viewer from our DebugTools repository. An up-to-date explanation on how to export and read a logfile can always be found in the Logging article in our wiki.

GDPR Subject Access Requests (SAR)

The European GDPR allows users to request a copy of all data retained about them. Starting with Monal 5.2.0 we no longer see your JIDs (username@domain.tld) in our push servers. We are therefore not able to send you retained data related to your JID. Furthermore, we are unable to provide your retained data related to your unique push token because we have no way to verify that Apple issued you a provided token. If you have questions regarding GDPR, please send an email to info@monal-im.org.