Privacy
Nothing to hide (NTH) is a privacy infrastructure provider based in The Netherlands. We operate privacy-enhancing services world wide and in this privacy statement we will elaborate on what personal data we collect, how we collect personal data, for what purposes we use personal data, how we retain personal data and to whom personal data is disclosed by us. Further, this privacy statement includes information regarding your rights with respect to the processing of your personal data. If you have any questions about the processing of (your) personal data, please contact us.
Our public services are built in accordance with current privacy design strategies and best practices in mind. In short this means:
- We limit, separate, abstract and hide (the processing of) personal data as much as possible.
- We’re transparent about the processing of personal data to our data subjects.
- We will never sell personal data to third-parties.
- We don’t share personal data with third-parties unless it’s one of our data processors (like Tuta GmbH for handling our email) or unless we are compelled to do so by a competent authority.
Sometimes we use “personal identifiable information” (PII) instead of “personal data”.
1 Website
When you visit our website (nothingtohide.nl), your IP address and browser user agent are processed by our webserver in order to serve the website’s content to your browser. In addition we retain these personal data for 30 days for the purpose of finding and preventing abuse and keeping the website available.
| PII | Controller | Purpose | Legal basis |
|---|---|---|---|
| IP address | NTH | Detect and prevent abuse/availability | Legitimate interest |
| Browser user agent | NTH | Detect and prevent abuse/availability | Legitimate interest |
2 Email
You can send us an email. In order to receive, read, reply to and (permanently) archive these emails we process your mailserver’s IP address, contents of the email and email address(es)/account name(s) of email recipients and senders.
Nothing to hide uses the Germany based secure email service Tutanota by Tutao GmbH (Tutao) to handle its email. Do note that upon request we can provide a secure email link for sharing sensitive information or data.
| PII | Controller | Processor | Purpose | Legal basis |
|---|---|---|---|---|
| Server IP address | NTH | Tutao | Handling email | Legitimate interest |
| Email address | NTH | Tutao | Handling email | Legitimate interest |
| Name(s) | NTH | Tutao | Handling email | Legitimate interest |
| Email contents | NTH | Tutao | Handling email | Legitimate interest |
3 Tor
When you use one of our Tor relays, your traffic will be routed through our infrastructure. Nothing to hide operates many Tor exit relays, but we also have a few Tor guard/middle relays. Do note that under normal circumstances (i.e. using the Tor Browser) NTH’s guard/middle and exit relays won’t be used together. We don’t log anything regarding the Tor relays or Tor traffic so although we process such data on a realtime basis, we are not able to educe or reproduce these data.
3.1 Guard relays
When you use one of our guard relays, your source IP address and your traffic’s heavily encrypted contents are processed. We retain these personal data until the packets have been delivered to the target middle relay, generally less than a second.
| PII | Controller | Purpose | Legal basis |
|---|---|---|---|
| Source IP address | NTH | Required for Tor | Legitimate interest |
| Encrypted contents | NTH | Required for Tor | Legitimate interest |
3.2 Middle relays
When you use one of our middle relays, your traffic’s heavily encrypted contents are processed. We retain these personal data until the packets have been delivered to the target exit relay, generally less than a second.
| PII | Controller | Purpose | Legal basis |
|---|---|---|---|
| Encrypted contents | NTH | Required for Tor | Legitimate interest |
3.3 Exit relays
When you use one of our exit relays, your destination IP address and your traffic’s contents are processed. We retain these personal data until the packets have been delivered to the target server, generally less than a second.
| PII | Controller | Purpose | Legal basis |
|---|---|---|---|
| Destination IP address | NTH | Required for Tor | Legitimate interest |
| Encrypted contents | NTH | Required for Tor | Legitimate interest |
3.4 Processing outside of the EER
Because of the global scope and purpose of the Tor network, it is possible or even likely that your personal data transferred through one of our Tor relays will be transferred to (other data controllers and their data processors in) countries outside of the European Economic Area (EEA). The EEA comprises all EU countries, Norway, Liechtenstein and Iceland. In general transfers of personal data to countries outside of the EER are subject to additional rules under the General Data Protection Regulation (GDPR). But due to the nature of the Tor network we can’t give any guarantees about appropriate safeguards. Please be mindful about what Tor relays are part of your circuit and your traffic’s destination.
4 DNS servers
When you use our DNS servers, your client’s source IP address and the contents of the DNS query itself are processed by our DNS servers. Your DNS queries will be encrypted (because of DNS-over-TLS) before they are send to us for further processing. This makes sure parties with a network presence in between your client (requesting a specific DNS record) and the DNS server (answering) can’t eavesdrop on the DNS query/answer content.
Do note that when you use one of our Tor exit relays, you’re automatically using our DNS servers because those DNS queries are resolved by our own DNS servers. In this case your client’s source IP address isn’t processed by our DNS servers since the Tor exit relay will send the DNS request to our DNS server from its own IP address.
| PII | Controller | Purpose | Legal basis |
|---|---|---|---|
| Source IP address | NTH | Required for DNS | Legitimate interest |
| DNS query contents | NTH | Required for DNS | Legitimate interest |
5 Your rights
You may ask us for information about and access to your personal data and to object to the processing of your personal data by us. Further, under certain circumstances you have the right to ask us to rectify or delete your personal data, to restrict the processing of your personal data by us and to receive your personal data in a structured, commonly used and machine readable format and to (have) transmit(ted) your personal data to another organization.
Finally, you have the right to lodge a complaint with the Dutch Data Protection Authority.