Tophhie Cloud Personal Data Server - Privacy Policy

Effective Date: 2nd September 2025

Service: Tophhie Cloud Personal Data Server ("PDS") for atproto/Bluesky repositories
Controller: Tophhie Cloud (United Kingdom)
Contact: privacy@tophhie.cloud

This Privacy Policy explains what we collect, why we collect it, where we store it, and how you can exercise your rights. It applies only to the Tophhie Cloud PDS.

1) What we collect (atproto/Bluesky context)

We process only the data required to run your atproto repository and make it accessible over the Bluesky network.

A. Account & Identity (required to operate your repo)

  • atproto identifiers: DID (did:plc…) and handle
  • Account metadata: email, password hash, session tokens, invite/app password entries (if used)
  • Operational security: timestamps, IP addresses, user-agent/device strings for sign-in and error logs

B. Repository Content (your data, under your control)

  • Records and history for common NSIDs (examples):
    • app.bsky.actor.profile
    • app.bsky.feed.post
    • app.bsky.feed.like
    • app.bsky.feed.repost
    • app.bsky.graph.follow
    • app.bsky.graph.block
    • app.bsky.graph.list
    • app.bsky.graph.listitem
    • and other atproto records you create
  • Media blobs you upload (e.g., images), plus generated thumbnails

C. Admin/Operational Metadata

  • Repo event log (CAR blocks/commit chain), tombstones, integrity checksums
  • Service logs: availability, performance and security events

Special category data: We do not ask for it or intentionally collect it. If you choose to put sensitive personal data in your posts or profile, it may be published according to your actions and atproto's federation model (see Section 5).

2) Why we process your data (lawful basis)

  • Contract necessity: to create, host, maintain and serve your atproto repository so you can use Bluesky/atproto.
  • Legitimate interests: to secure the service (rate limiting, abuse prevention, availability), with minimal impact on your privacy.
  • Legal obligations: to comply with applicable UK laws and respond to lawful requests.

We do not use your data for analytics, profiling, advertising, or unrelated purposes. Full stop.

3) Where we store and process data

  • Hosting: Microsoft Azure regions within the United Kingdom.
  • Backups: Daily backups of PDS data, encrypted at rest.
  • Data residency: We keep your PDS data in the UK and do not transfer internationally.

Microsoft acts as our infrastructure sub-processor (IaaS). They do not use your data for their own purposes. No other processors are used.

4) How long we keep data

  • Active Data: retained while your account/repo remains active.
  • Backups: daily snapshots retained on a rolling basis (default up to 30 days) to support disaster recovery and integrity verification.
  • Deletion: when you delete your account or repo, we remove active copies, and the data ages out of backups within the retention window above (default up to 30 days).

5) Sharing & Disclosure

  • No sales. No ads. No unrelated sharing. We do not sell, rent, or otherwise share your personal data with third parties for their purposes.
  • Federation transparency (important): atproto is a public, federated protocol. When you publish public records, you are directing us to make those records discoverable to other atproto services as part of the protocol.
  • Legal: We may disclose data if required to comply with law or protect the service and users.

6) Security

We implement a layered security model, including:

  • Encryption in transit and at rest (including backups)
  • Least-privilege access, audit logging, and strict admin controls
  • Network isolation and patch management
  • Abuse/rate-limit protections and integrity checks

7) Your Rights (UK GDPR)

You have the right to access, rectify, erase, restrict processing, object to processing, and data portability (export). You won’t be charged for exercising these rights, and we’ll respond within one month. Contact privacy@tophhie.cloud to make a request.

If you have concerns, you can complain to us at privacy@tophhie.cloud, and you can also complain to the Information Commissioner’s Office (ICO):

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
0303 123 1113
ico.org.uk

8) Accessing, exporting, or deleting your repository

  • Export: you can request a repository export (e.g., CAR file) for portability.
  • Deletion: you can request account/repo deletion; we'll remove active data and allow backups to roll off per Section 4.
  • Backups: we can expedite purge from backups where technically feasible and without undermining service integrity.

9) Children's Privacy

The PDS is not intended for children under 13. Do not use the service if you are under 13.

10) Changes to this Policy

We'll post updates here and, when material, notify you via your registered contact email before changes take effect.

11) How to contact us

Email: privacy@tophhie.cloud