Do we need to disclose Matrix (Element) in our privacy policy?

Yes. Matrix (Element) is a third-party communication service that processes user data, including encrypted messages, user identifiers, and device encryption keys. Under GDPR Article 13 and CCPA § 1798.100, you must disclose its use, the data collected, and how users can exercise their rights. Transparency about the decentralized architecture and end-to-end encryption is particularly important.

What specific data does Matrix (Element) collect?

Matrix collects encrypted message content, user IDs and display names, room membership information, metadata about conversations, and device keys necessary for encryption. Because messages are end-to-end encrypted by default, the Matrix.org Foundation and individual homeserver operators cannot access plaintext message content, though metadata and account information remain visible to the federated network.

Does Matrix (Element) require a cookie consent banner?

No. Matrix (Element) does not use cookies for tracking or analytics. However, your website may use cookies for other purposes, requiring separate disclosure. If you self-host your homeserver, you control data storage entirely; if using federated servers, review the specific homeserver's cookie policy.

Who processes data and where is it stored?

The Matrix.org Foundation (United Kingdom) operates the reference implementation, but Matrix is decentralized—data is distributed across federated homeservers run by various organizations globally. If users register on matrix.org, their data is processed in the UK under GDPR. Self-hosted homeservers keep data on your infrastructure. Review https://matrix.org/legal/privacy-notice/ and your specific homeserver's privacy terms.

Social & Communication

Privacy policy clauses for Matrix (Element)

Matrix (Element) is a decentralized, open-source messaging protocol that enables end-to-end encrypted communication. Websites integrate Element to offer secure, federated chat functionality where message content remains encrypted and users maintain control over their data across distributed servers.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Matrix (Element) collects

Your privacy policy must disclose each of the following data types when you use Matrix (Element).

Encrypted message content

User IDs and display names

Room membership and metadata

Device keys for encryption

When does Matrix (Element) trigger privacy obligations?

Obligations triggered by Matrix (Element) integration

Adding Matrix (Element) to your site or app creates immediate data processing obligations because user identifiers, display names, and room membership metadata flow to your homeserver (whether self-hosted or federated) the moment a user registers or joins a room. Encrypted message content itself is not readable by the server, but metadata is.

### GDPR Article 13/14 disclosure requirement

If you operate a homeserver or direct users to register on one, you are a data controller. GDPR Articles 13 (at collection) and 14 (indirect collection) require you to disclose: the identity of your controller, processing purposes, legal basis, recipients (including The Matrix.org Foundation if federated), retention periods, and user rights. This applies if your user base includes EU residents—no threshold minimum.

Common compliance pitfalls

Common Matrix (Element) compliance mistakes

### 1. Treating encrypted content as not requiring disclosure

The mistake: Teams assume that because Matrix uses end-to-end encryption by default, they don't need to disclose message content in their privacy notice or comply with subject access requests.

Why it happens with Matrix: The encryption marketing is prominent, and builders conflate "encrypted in transit" with "not processed." However, unencrypted metadata (user IDs, display names, device keys, room membership, timestamps) is processed by the homeserver and must be disclosed under GDPR Article 13 and CCPA Section 1798.100. In subject access requests, you must provide this metadata even if message content itself cannot be decrypted.

Consequence: DPA enforcement action for incomplete transparency. ICO, CNIL, or state attorneys general can fine up to €20 million or 4% of revenue (GDPR Article 83) for failure to disclose data categories at collection.

### 2. Forgetting the Data Processing Agreement (DPA) with The Matrix.org Foundation

The mistake: Using a federated Matrix homeserver or relying on matrix.org infrastructure without a signed Data Processing Agreement in place.

Why it happens with Matrix: Federated architecture feels like peer-to-peer, not vendor relationships. The Matrix.org Foundation hosts infrastructure but many operators don't realize they need a DPA because they believe data is decentralized and outside their control.

Consequence: GDPR Article 28(3) requires a written contract with any processor. Absence of a DPA is a direct breach. Auditors flag this immediately, and regulators can impose fines for unauthorized processing.

### 3. Not documenting data retention policy for encrypted rooms

The mistake: Saying "we use Matrix, messages are encrypted" without specifying how long room metadata, device keys, and deleted messages are retained on your homeserver.

Why it happens with Matrix: Self-hosting creates an assumption of control, but backup, archival, and federation policies vary. Teams forget that GDPR Article 5(1)(e) and CCPA Section 1798.105 require clear retention and deletion protocols.

Consequence: When a user requests deletion under GDPR Article 17 or CCPA Section 1798.105, you cannot comply if you haven't documented how to purge their data from your homeserver. Regulators escalate these failures to enforcement.

Privacy policy clauses for Matrix (Element)

What data Matrix (Element) collects

When does Matrix (Element) trigger privacy obligations?

Obligations triggered by Matrix (Element) integration

Where data goes

Common compliance pitfalls

Common Matrix (Element) compliance mistakes

Legal note

Sample privacy policy clause

What regulators look for

Regulatory audit focus areas for Matrix (Element)

Frequently asked questions

Do we need to disclose Matrix (Element) in our privacy policy?

What specific data does Matrix (Element) collect?

Does Matrix (Element) require a cookie consent banner?

Who processes data and where is it stored?

Don't ship without Bandit.