Privacy Strategy
Where your data lives
Deep in the Sand runs across hardware Ammo physically owns and servers rented from:
- Hetzner (Germany) — EU-based, ISO 27001 certified, with strict data-protection and physical-security policies that fall under GDPR.
- Fasthosts (UK) — UK-based, ISO 27001 certified, operating under UK GDPR / Data Protection Act 2018.
All servers are rented by and administered solely by Ammo — no other tenant or hosting-provider staff has shell access to the running systems beyond what the providers' standard hypervisor-level policies allow. The providers' own protections (24/7 physical access control, CCTV, biometric entry, ISO-audited operational procedures) sit underneath the application-level protections described on this page.
Inter-server traffic
All communication between servers — whether at home or rented — runs over a private WireGuard mesh. That means:
- Every byte between machines is encrypted in transit with modern cryptography (Curve25519 + ChaCha20-Poly1305), regardless of whether it's crossing the public internet.
- Services only have access to the parts of the network they need.
- If a rented server were compromised at the network level, an attacker would see only encrypted WireGuard packets between unidentified peers.
The only off-site touchpoint for backups is the encrypted Restic repository on BorgBase (see Backup Strategy), where the provider cannot read your files at all.
Between users
- Each person can only see their own data. Accounts are isolated at the application level (your Linkwarden bookmarks, Joplin notes, Vikunja tasks are not visible to anyone else).
- Shared spaces (a family cookbook in Mealie, a Vaultwarden collection) are opt-in.
What Ammo, as admin, can see
To be transparent: as the server administrator, I have technical access to most application databases. I do not look at your data. I only access it:
- to diagnose a bug or recover a broken account, ideally with your permission,
- when you ask me to (e.g. "please restore my note from yesterday"),
- in the rare case of a serious abuse or security incident.
What even Ammo cannot see
Some services are designed so that only you can decrypt your data:
| Service | Why admin cannot read it |
|---|---|
| Vaultwarden | Your vault is encrypted with a key derived from your master password. The server only ever sees ciphertext. If you forget your master password, nobody — including me — can recover it. |
| Bento PDF | Runs entirely in your browser. The server never receives your PDFs. |
| PrivateBin | Pastes are encrypted in your browser with a key that only lives in the URL fragment (#…), which is never sent to the server. |
| Send | Files are end-to-end encrypted before upload; the server stores only ciphertext. |
| Jitsi Meet | Calls support end-to-end encryption (E2EE) when enabled; media is peer-to-peer where possible. |
| Joplin Server | Notes are end-to-end encrypted if you enable E2EE in the Joplin client (recommended). |
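
The PrivateBin row above depends on the URL fragment never being part of the HTTP request. The sketch below is an added example, not PrivateBin's code or its real paste format: it shows the same pattern with Web Crypto AES-GCM, and the paste id, hex encoding and `paste.example` origin are assumptions.

```javascript
// Added example: simplified fragment-key paste flow, not PrivateBin's real format.
// Browsers and Node 19+ expose Web Crypto globally; the fallback covers older Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const toHex = (buf) =>
  [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));

// Sender: encrypt locally; only `upload` goes to the server, the key stays in the link.
async function createPaste(plaintext, origin) {
  const key = await webcrypto.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  // Hypothetical paste id, generated client-side here to keep the example offline.
  const id = toHex(webcrypto.getRandomValues(new Uint8Array(8)));
  const link = new URL(`/?${id}`, origin);
  link.hash = toHex(await webcrypto.subtle.exportKey("raw", key));
  return { upload: { id, iv: toHex(iv), ct: toHex(ct) }, link: link.href };
}

// What an HTTP client sends for the link: path and query. The fragment is dropped.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: ciphertext comes from the server, the key from the fragment.
async function openPaste(link, stored) {
  const rawKey = fromHex(new URL(link).hash.slice(1));
  const key = await webcrypto.subtle.importKey("raw", rawKey, "AES-GCM", false, ["decrypt"]);
  const pt = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv: fromHex(stored.iv) }, key, fromHex(stored.ct));
  return new TextDecoder().decode(pt);
}

// Constructed sample run against a placeholder origin.
createPaste("constructed secret note", "https://paste.example").then(async (p) => {
  console.log("server sees request:", requestTarget(p.link), "and stores:", p.upload);
  console.log("recipient decrypts:", await openPaste(p.link, p.upload));
});
```

Anyone who obtains the full link, fragment included, can decrypt the paste, so the link itself has to be shared over a channel you trust.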
In short
Your data is on hardware I own, encrypted in flight, isolated per-user, and — for the most sensitive services — encrypted in a way that even I can't read it.
Problem with this service? Message Ammo or email admin(Q)deepinthesand(P)com.