privacy policy
this content was last modified on: 2026-05-12.
data xmpp.lol collects
xmpp.lol does not require personally identifiable information to register. to avoid providing us personal information, use Tor or a VPN and follow basic OPSEC.
at any point, we may be retaining the following about your account.
- registration info (address, hashed password, IP, user agent, timestamps)
- cookies used to keep you logged into the site and webmail
- session information saved by webmail to provide access
- mail storage (anything in your inbox, sent, or other folders)
- mail filters configured through webmail
- XMPP buddy rosters and data saved by client extensions
- 48 to 72 hours of IMAP and SMTP log information
we may also retain, unrelated to your account: HTTP access logs containing your IP address, user agent, and the type/location of your requests.
we do not guarantee the above is stored, only that we do not knowingly collect information beyond it.
what the IMAP / SMTP logs include
- when mail is sent: the username, destination address, and connection info (e.g. IP address, quota information).
- when you connect to IMAP: the IP address and username you log in with, and whether that login succeeded.
sharing of data
xmpp.lol does not sell or share your personal data. we own 100% of our server hardware and your information is encrypted server-side at all times. if mail is sent through us to a server we cannot establish a TLS connection with or received from a server that does not attempt TLS that mail is transmitted over the internet without encryption. we have no third parties.
use of data
automatically, by a robot:
- all mail sent or received is automatically scanned for spam.
- stats like how many messages you've sent are used for quota tracking.
may be looked at by a human or robot to investigate abuse:
- your registration information
- IMAP / SMTP logs
- mail filters
when a legal order shows up:
- the honest answer lives on the abuse & legal page: i do not have a compliance department, i am not in your jurisdiction, and i cannot produce records i never kept. an order for "all data on this account" returns roughly the same thing whether i cooperate or not almost nothing.
- i will never quietly start logging a specific user, add a backdoor, or tip anyone off. if that ever changes against my will, the warrant canary stops updating. watch it instead of trusting this sentence.
proof of ownership
because we require no personal information, your ability to log in is the only way to prove ownership of your account. do not lose your password.
right to erasure
you have the right to erasure, but for security reasons you must take precise action yourself. your data has three classes:
- registration information deleted under an erasure request.
- user-managed information must be deleted by you.
- automatically deleted information no action ever required.
steps to fully erase your account:
- delete all user-managed information manually.
- visit /delete.
- complete the account erasure form.
- your account is deleted immediately if it is over 30 days old; otherwise it is deleted when it reaches 30 days old.
we have a genuine security need to keep registration information for 30 days. user-managed data can be deleted at any time.
backups
backups are not user-specific and are immutable, so data may not be removable from them directly. on restoration, any erased accounts are discarded from the restore. to accomplish this, on erasure we keep a record of only the address to purge backups on restore and to prevent registration of a duplicate account.
transparency
A valid subpoena issued in connection with an official criminal investigation is required to compel the disclosure of basic subscriber records (defined in 18 U.S.C. Section 2703 (c) (2)), which may include: name, length of service, credit card information, email address(es). Exigent circumstances requests are handled on a case-by-case basis.
However, I cannot give what I do not log. xmpp.lol does not retain metadata or message content beyond what is strictly necessary for transit.