https://www.vultr.com/legal/tos/
Section 12:
You hereby grant to Vultr a non-exclusive, perpetual, irrevocable, royalty-free, fully paid-up, worldwide license (including the right to sublicense
through multiple tiers) to use, reproduce, process, adapt, publicly perform, publicly display, modify, prepare derivative works, publish, transmit
and distribute each of your User Content, or any portion thereof, in any form, medium or distribution method now known or hereafter existing, known
or developed, and otherwise use and commercialize the User Content in any way that Vultr deems appropriate, without any further consent, notice and/or
compensation to you or to any third parties, for purposes of providing the Services to you.
If you ask your parents if you can stay up late to finish your homework essay, it should follow that you only gain that right until the essay is finished.
If you ask if you can stay up late for the rest of your life, it should follow that you gain that right for the rest of your life.
If you ask for both at the same time, in the same sentence, you might grow up to write TOS for vultr.
They do offer relatively inexpensive solutions, though. And LinkedIn is a good example of a business whose revenues are largely made from sharing and harvesting data from both paid and free users for the benefit of some of those paying users, and some third parties, too.
Vultr is just even cheekier than LinkedIn.
Who's to say if they'll actually act on this, but them setting themselves up to legally do this is all a bit gross.
"Vultr [will own] [all of your] User Content [and do whatever Vultr wants with] the User Content [...] for the purposes of providing the Services to you."
You could read that as: "if you want to work with us we will own all of your user content".
I am not a lawyer but I have seen startups distort/rationalize legal language as their tech services evolve to grandfather new situations into old language.
I don’t know if vultr language is worse than others, but my concern would be that someone selling you out can squeeze a lot in that clause for a long time, particularly if you never find out. Arguably that’s in bad faith, but…
Say that to provide the Services to you, vultr has to supplement its income by (old school) selling your videos to a dvd publishing company, or (newer) creating their own streaming tv channel, or providing them to an AI model training company, or providing them to an “affiliate” advertising-serving broker who slurps your created content and slaps one or more segmentation labels about your content (“kink”, “religion(X)”, “gamer”) tied to your email which it then resells to world+dog?
Ie is selling you out part of what vultr needs to do to provides the Services to you?
I find it very hard to trust companies based solely on their legal language when that language is viewed from an adversarial position. But I am not lawyer to know what kinds of “misreadings” are “beyond the pale”/not legally defensible.
"an adversarial position" is the only position you should assume when interpreting legal texts. After all, if push comes to shove, your the actual adversary. And in any other case the legal text is not needed.
On top Vultr gives all the liabilities to the v̶i̶c̶t̶i̶m̶ ... customer:
> As between you and us, you own your User Content and you have full responsibility for all User Content you make or submit, including its legality, reliability and appropriateness, while using the Services.
If this is the case, is there a way to protect against it? Is there a way to keep the data encrypted? Thinking along the lines of bitlocker on windows.
I once asked Hetzner, do they have protections in place against a rogue employee peeking at data inside my servers, as I was worried about some sensitive data stored in there. Their response was: "If you are asking that question, you are probably mining crypto, so we'll ban you".
Similar experience with Hetzner. They seem to be extremely ban-happy. I get banned when I first sign up for no particular reason other than I tend to have my VPN on. After emailing support and providing identification, I still got banned after changing my billing to use privacy.com
I suppose you could stick with AWS or Azure. I ended up using the VPS that sponsors mailcow (eth-services.de) which is slightly more expensive by a few cents
I'm not seeking to defend Vultr here, but perhaps people need to think about this in a sensible manner.
Given the way of today's internet, with GPT-bots crawling your stuff without your permission to use in their services, and with search-engines crawling and generally providing means of content removal that have limited effect .... what else are Vultr supposed to do ?
If you are granting them permission to, for example, "display" your content. Then there's not much they can do if you cancel your Vultr account but your content remains part of the GPT training material ?
I run my private nextcloud server on vultr. Everything is behind a login wall. They absolutely do not have my permission to use my years of notes, legal documents, calendar information, and photos (most of which have never been posted publicly) in any way!
> what else are Vultr supposed to do ?
Continue providing the services they do, with reasonable terms, or die. No, you can't just up and take all my photos and sell them to some AI training dataset because you wanted more money. Sorry!
What are you planning to do? I'm in the same situation, but without accepting the terms i'm no even able to "delete" my server/account. (already backing up things to move away)
Maybe it's time that basement servers should be the norm for self hosters.
I bought a HardKermel x64 servers and happy that I have no ToS to worry about. I can send encrypted back ups to utilize any cloud out there without a concern.
Could've tried Pi but some docker packages don't run on Arm.
> Edit: As an EU customer, and having called my lawyer really quickly, we don't even think that this is legal / would hold up in court in the EU. Also they'd have been required to summarise the TOS changes as by our local law.
While companies can write whatever they want in their TOS, I would wary using the rights I just gave to myself. It can be devastating.
I'm conflicted on comments like that. On one hand, companies make mistakes otherwise they'd never lose in court, but they do from time to time. On the other hand, Vultr has their own lawyers, presumably higher paid and better armed than an individual would have access to, so how confident can one be that their personal lawyer has a better legal theory than the corporate lawyers?
Happens a lot, mostly when US Companies with a majority of their customers in the US make changes without thinking about other countries/ taking them seriously.
Additionally, ToS really don't count for much in the EU, they're usually not enforcable anyway, if there's anything out of the ordinary at all. There's a whole lot of stuff in ToS nobody is ever going to be able to enforce at all.
They probably expected to fly under the radar, without making sure it's even okay everywhere. Well, that's not going to happen I guess.
I suppose it doesn't make a material difference if it's enforceable, since if you have personal data on their platform right now you have to assume it's been accessed or consumed in some form.
They obviously had an inent to start using the data for something, and given what I know about tech businesses, I wouldn't assume they only started once the ToS change was made. I would consider my data compromised.
Well I think the Reddit commentator is probably right, but these TOS significantly increase the risk of using Vultr, regardless of the legality in whichever jurisdiction.
The problem is that if Vultr really thinks it can exercise these rights, then there is a risk that proprietary information stored on their servers will be made public -- despite what EU or any other laws might say.
It doesn't really matter if you can take them to court if Vultr causes a data leak that results in the loss all your customers. And most of us don't have the resources to be able to do that anyway.
All of that said. I've found Vultr really good to work with and I am crossing my fingers, though not assuming, that this is a mistake.
I've raised a ticket with them, and I'll give them a couple of weeks before I make plans to pull out. Fortunately I'm still in stealth mode and have zero customers, so I can afford to wait. I'd be absolutely freaking out right now if I had live customers.
What a company write in their TOS is an indication of what they intend to do. Broad scopes also means broad intentions (like startups).
You could read into that, that Vultr is intending to break the law in the EU, however little there is to do about it.
Its a liability for the customers knowing this. But it is also a liability for Vultr who will see it more difficult to establish in the EU, should that ever be wanted.
It's not even about how much paid/skilled they are.
The new ToS were surely a big project with tens of hours (or more) of research done for it.
The redditor's lawyer just picked up a phone and offered some gut response. My lawyer friends are happy to share their thoughts, but they usually tell me that they need to do research to provide reliable guidance.
If Vultr thinks they have the rights, they will use my data.
The odds that they will ever be found out, that if found out they will be successfully sued, and that if that happens I will be made whole for whatever damage I have suffered, are slim.
The clause implies it is in their mind that they can play these games.
Better use a competitor that explicitly claims that you are renting the server for .. yourself.
I don't use Google Compute, but wonder if their terms are better. It would not surprise me at all if you allow Google to crawl all of your Compute instances and combine that with data from their many other sources (Chrome, Chrome OS, Android services, DNS servers, analytics, usage on their properties such GMaps/Youtube, etc.)
That particular Vulture certainly won't fly in the EU.
Without a simple summarization for end users you can't just hide "unexpected" things in ToS-updates. And, well, a cloud-hoster deciding randomy to own your content hosted on servers you pay for is certainly neither expected nor typical.
That’s remarkable. I’m a huge fan of vultr and I don’t want to believe that this has been done in bad faith, but of course long experience sadly suggests otherwise.
That said, due to the type of service they provide, vultr customers like myself don’t necessarily even have the right to grant them the rights that they claim here. If I run a SaaS and people are uploading photos for work (eg photos of property damage for the purposes of identifying and repairing it), those photos are not my property and must not become public. The idea that this could ever be OK is batshit insane.
So I hope/suspect this policy is going to be reverted pretty quickly, since it seems quite incompatible with their core business.
No way can I risk my customers data being “publicly displayed”!
> You are responsible for the information, text, opinions, messages, comments, audio visual works, motion pictures, photographs, animation, videos, graphics, sounds, music, software, Apps, and any other content or material that
That's the prefix to your first paragraph, meaning you as the user is responsible for that, not that Vultr is responsible for that.
Your second paragraph is explicitly about "for purposes of providing the Services to you" which it'd be really hard to argue that "using your user's uploaded photo for Vultr's marketing promotion" is for the purpose of providing a service to you, so I don't think you have to be afraid of that.
I'm sure Vultr's terms and conditions contain horrible shit, just like any other terms and conditions. But I don't think those two paragraphs highlight anything more nefarious than usual.
You missed the "in any way that Vultr deems appropriate" clause. This is a classic weasel phrase which means they can do as they please.
"Why did you sell my data to an AI company?" "We deemed it appropriate."
There is also the sublicensing clause, which means they can sell it to anyone, and "process, adapt, [...] modify, prepare derivative works", which has nothing to do with hosting, but allows them to change your data and reuse it for any purpose they "deem appropriate".
"Deemed" in particular doesn't require any sort of reasoning or argument for the company to make any decision it likes. And "appropriate" is not a synonym for "necessary".
"Why did you sell my data?" "We deemed it appropriate for the purposes of providing the Services to you."
What's your legal refutation to this under US law?
(In the EU, this whole clause would possibly be unenforceable from the start, but I know a lot less about EU law.)
This passage is a clause from a legal agreement, typically found in the terms of service for a platform or service provider like Vultr. It outlines the rights you, as a user, are granting to Vultr regarding any content you create or upload while using their services. Let's break it down for clarity:
Non-exclusive: Vultr does not have exclusive rights to your content. You can grant similar rights to others.
Perpetual: The rights you grant are everlasting.
Irrevocable: You cannot take back these rights once they are granted.
Royalty-free: Vultr does not have to pay you for the use of your content.
Fully paid-up: No future payments will be required from Vultr to you for the use of your content.
Worldwide license: Vultr can use your content anywhere in the world.
Right to sublicense through multiple tiers: Vultr can grant these rights to other parties, who can then grant them to further parties, and so on.
To use, reproduce, process, adapt, publicly perform, publicly display, modify, prepare derivative works, publish, transmit, and distribute your content: Vultr can do just about anything with your content, including modifying it and sharing it, in any current or future media or format.
In any way that Vultr deems appropriate: Vultr has the discretion to use your content however it sees fit.
Without any further consent, notice, and/or compensation to you or to any third parties: Vultr does not need to ask for your permission, inform you, or pay you or anyone else to exercise these rights.
For purposes of providing the Services to you: The clause often stipulates that these rights are granted to Vultr so they can operate, improve, and promote their services effectively.
This type of clause is common in the terms of service for online platforms and services. It essentially allows the service provider to operate their platform efficiently, showcase user-generated content, and adapt and improve services without needing to seek permission from users each time they need to handle content. It’s important for users to understand these terms, as they significantly affect how one's content can be used and shared by the service provider.
> typically found in the terms of service for a platform or service provider like Vultr
> showcase user-generated content
What? Am I unaware of some service they offer? I don't want an infrastructure provider doing anything with my content. They shouldn't even have access to anything that's not publicly accessible unless someone needs one-off access to help with a support incident.
It's not "content" for a lot of customers. It's private, proprietary information. What if someone is using Vultr to host an app for a company that requires an NDA from the webdev? Are they stuck in limbo as of right now?
The Vultr account owner might not even be the owner of the data hosted in the account. The whole thing is crazy. How are there people here defending this as "normal"?
[typically found in the terms of service] [Let's break it down for clarity] [This type of clause is common in the terms of service for online platforms] [It’s important for users]
This comment reeks like ChatGPT generated content, tbh.
Everyone (maybe rightfully) up in arms, but I imagine you would need an agreement like this is they were finally getting on board with something like elastic compute. Everytime they spin up a new machine on your behalf they're essentially redistributing all the files on that machine. I understand everyones gun shy, but I've been using Vultr for years and I'm much less suspicious of them than the likes of google/amazon. I've personally never had an issue with them, but I definitely think it's a healthy response to go fight or flight when you're essentially signing all your rights away.
Let's do one thing, host Nintendo content and since vultr now has commercial rights over "my uploads" let's see how Nintendo bites them in the ass. This can be done and dusted in a few days given enough traction
So are they afraid that Warner uploads Dune 2 torrent to their servers and immediately sues them for distribution? And to protect against that, they reserve the right to create Dune 3 out of it using Sora and distribute that themselves?
272 comments
[ 2.1 ms ] story [ 1420 ms ] threadThis seems the key part
Either way you read it, it seems like poor wording.
If you ask if you can stay up late for the rest of your life, it should follow that you gain that right for the rest of your life.
If you ask for both at the same time, in the same sentence, you might grow up to write TOS for vultr.
First time I hear such requirement
True but most times, when you are the product, the service is free. In this case you pay for the service.
Vultr is just even cheekier than LinkedIn.
Who's to say if they'll actually act on this, but them setting themselves up to legally do this is all a bit gross.
https://www.vultr.com/marketplace/apps/woocommerce/
"Vultr [will own] [all of your] User Content [and do whatever Vultr wants with] the User Content [...] for the purposes of providing the Services to you."
You could read that as: "if you want to work with us we will own all of your user content".
I don’t know if vultr language is worse than others, but my concern would be that someone selling you out can squeeze a lot in that clause for a long time, particularly if you never find out. Arguably that’s in bad faith, but…
Say that to provide the Services to you, vultr has to supplement its income by (old school) selling your videos to a dvd publishing company, or (newer) creating their own streaming tv channel, or providing them to an AI model training company, or providing them to an “affiliate” advertising-serving broker who slurps your created content and slaps one or more segmentation labels about your content (“kink”, “religion(X)”, “gamer”) tied to your email which it then resells to world+dog?
Ie is selling you out part of what vultr needs to do to provides the Services to you?
I find it very hard to trust companies based solely on their legal language when that language is viewed from an adversarial position. But I am not lawyer to know what kinds of “misreadings” are “beyond the pale”/not legally defensible.
> As between you and us, you own your User Content and you have full responsibility for all User Content you make or submit, including its legality, reliability and appropriateness, while using the Services.
Imagine the copyright infringement case Getty Images v. Vultr:
“Your honor, Joe Shmo LLC gave us an eternal right to do anything we want with this image that is watermarked ‘Getty Images’, so Getty can’t sue us.”
Maybe we need a provision in context law that directly penalizes anyone who writes a ludicrous provision into a contract.
> without compensation
Truly exquisite contract drafting, gentlemen.
I’ll be migrating to Hetzner in any case.
Without the pipe dream of efficient homomorphic encryption you can’t protect your data from a hostile VPS provider.
Given the way of today's internet, with GPT-bots crawling your stuff without your permission to use in their services, and with search-engines crawling and generally providing means of content removal that have limited effect .... what else are Vultr supposed to do ?
If you are granting them permission to, for example, "display" your content. Then there's not much they can do if you cancel your Vultr account but your content remains part of the GPT training material ?
> what else are Vultr supposed to do ? Continue providing the services they do, with reasonable terms, or die. No, you can't just up and take all my photos and sell them to some AI training dataset because you wanted more money. Sorry!
I bought a HardKermel x64 servers and happy that I have no ToS to worry about. I can send encrypted back ups to utilize any cloud out there without a concern.
Could've tried Pi but some docker packages don't run on Arm.
> Edit: As an EU customer, and having called my lawyer really quickly, we don't even think that this is legal / would hold up in court in the EU. Also they'd have been required to summarise the TOS changes as by our local law.
While companies can write whatever they want in their TOS, I would wary using the rights I just gave to myself. It can be devastating.
Additionally, ToS really don't count for much in the EU, they're usually not enforcable anyway, if there's anything out of the ordinary at all. There's a whole lot of stuff in ToS nobody is ever going to be able to enforce at all.
They probably expected to fly under the radar, without making sure it's even okay everywhere. Well, that's not going to happen I guess.
They obviously had an inent to start using the data for something, and given what I know about tech businesses, I wouldn't assume they only started once the ToS change was made. I would consider my data compromised.
The problem is that if Vultr really thinks it can exercise these rights, then there is a risk that proprietary information stored on their servers will be made public -- despite what EU or any other laws might say.
It doesn't really matter if you can take them to court if Vultr causes a data leak that results in the loss all your customers. And most of us don't have the resources to be able to do that anyway.
All of that said. I've found Vultr really good to work with and I am crossing my fingers, though not assuming, that this is a mistake.
I've raised a ticket with them, and I'll give them a couple of weeks before I make plans to pull out. Fortunately I'm still in stealth mode and have zero customers, so I can afford to wait. I'd be absolutely freaking out right now if I had live customers.
What a company write in their TOS is an indication of what they intend to do. Broad scopes also means broad intentions (like startups).
You could read into that, that Vultr is intending to break the law in the EU, however little there is to do about it.
Its a liability for the customers knowing this. But it is also a liability for Vultr who will see it more difficult to establish in the EU, should that ever be wanted.
The new ToS were surely a big project with tens of hours (or more) of research done for it.
The redditor's lawyer just picked up a phone and offered some gut response. My lawyer friends are happy to share their thoughts, but they usually tell me that they need to do research to provide reliable guidance.
The odds that they will ever be found out, that if found out they will be successfully sued, and that if that happens I will be made whole for whatever damage I have suffered, are slim.
The clause implies it is in their mind that they can play these games.
Better use a competitor that explicitly claims that you are renting the server for .. yourself.
I don't use Google Compute, but wonder if their terms are better. It would not surprise me at all if you allow Google to crawl all of your Compute instances and combine that with data from their many other sources (Chrome, Chrome OS, Android services, DNS servers, analytics, usage on their properties such GMaps/Youtube, etc.)
Without a simple summarization for end users you can't just hide "unexpected" things in ToS-updates. And, well, a cloud-hoster deciding randomy to own your content hosted on servers you pay for is certainly neither expected nor typical.
Good luck enforcing anything of that, vultr.
That said, due to the type of service they provide, vultr customers like myself don’t necessarily even have the right to grant them the rights that they claim here. If I run a SaaS and people are uploading photos for work (eg photos of property damage for the purposes of identifying and repairing it), those photos are not my property and must not become public. The idea that this could ever be OK is batshit insane.
So I hope/suspect this policy is going to be reverted pretty quickly, since it seems quite incompatible with their core business.
No way can I risk my customers data being “publicly displayed”!
I doubt the random blogs etc had much AI training value in the first place so this very much feels like an own goal
I left because I couldn't use LVM, the fact they need to know disk geometry for a VM never sat well with me.
I'm under no illusion, I know the host needs to be trusted, but this is a weird/gross implementation.
> You are responsible for the information, text, opinions, messages, comments, audio visual works, motion pictures, photographs, animation, videos, graphics, sounds, music, software, Apps, and any other content or material that
That's the prefix to your first paragraph, meaning you as the user is responsible for that, not that Vultr is responsible for that.
Your second paragraph is explicitly about "for purposes of providing the Services to you" which it'd be really hard to argue that "using your user's uploaded photo for Vultr's marketing promotion" is for the purpose of providing a service to you, so I don't think you have to be afraid of that.
I'm sure Vultr's terms and conditions contain horrible shit, just like any other terms and conditions. But I don't think those two paragraphs highlight anything more nefarious than usual.
"Why did you sell my data to an AI company?" "We deemed it appropriate."
There is also the sublicensing clause, which means they can sell it to anyone, and "process, adapt, [...] modify, prepare derivative works", which has nothing to do with hosting, but allows them to change your data and reuse it for any purpose they "deem appropriate".
No, I didn't, but you again missed the full context. Neither of those terms can be considered in isolation, so again:
> You hereby grant to Vultr a non-exclusive [...] in any way that Vultr deems appropriate [...] for purposes of providing the Services to you
So unless it's for the purpose of providing you the service, it doesn't matter what Vultr "deems" appropriate.
Feel free to check this with a lawyer if you feel unsure.
"Deemed" in particular doesn't require any sort of reasoning or argument for the company to make any decision it likes. And "appropriate" is not a synonym for "necessary".
"Why did you sell my data?" "We deemed it appropriate for the purposes of providing the Services to you."
What's your legal refutation to this under US law?
(In the EU, this whole clause would possibly be unenforceable from the start, but I know a lot less about EU law.)
"... for purposes of providing the Services to you."
if you take the narrowest read, it would allow them to store or cache them. That's it.
It is a wildcard that allows them to do whatever they want with the data and then argue, "We deemed it appropriate."
Non-exclusive: Vultr does not have exclusive rights to your content. You can grant similar rights to others.
Perpetual: The rights you grant are everlasting.
Irrevocable: You cannot take back these rights once they are granted.
Royalty-free: Vultr does not have to pay you for the use of your content.
Fully paid-up: No future payments will be required from Vultr to you for the use of your content.
Worldwide license: Vultr can use your content anywhere in the world.
Right to sublicense through multiple tiers: Vultr can grant these rights to other parties, who can then grant them to further parties, and so on.
To use, reproduce, process, adapt, publicly perform, publicly display, modify, prepare derivative works, publish, transmit, and distribute your content: Vultr can do just about anything with your content, including modifying it and sharing it, in any current or future media or format.
In any way that Vultr deems appropriate: Vultr has the discretion to use your content however it sees fit.
Without any further consent, notice, and/or compensation to you or to any third parties: Vultr does not need to ask for your permission, inform you, or pay you or anyone else to exercise these rights.
For purposes of providing the Services to you: The clause often stipulates that these rights are granted to Vultr so they can operate, improve, and promote their services effectively.
This type of clause is common in the terms of service for online platforms and services. It essentially allows the service provider to operate their platform efficiently, showcase user-generated content, and adapt and improve services without needing to seek permission from users each time they need to handle content. It’s important for users to understand these terms, as they significantly affect how one's content can be used and shared by the service provider.
ChatGPT may eat those legal disco companies, too
> showcase user-generated content
What? Am I unaware of some service they offer? I don't want an infrastructure provider doing anything with my content. They shouldn't even have access to anything that's not publicly accessible unless someone needs one-off access to help with a support incident.
It's not "content" for a lot of customers. It's private, proprietary information. What if someone is using Vultr to host an app for a company that requires an NDA from the webdev? Are they stuck in limbo as of right now?
The Vultr account owner might not even be the owner of the data hosted in the account. The whole thing is crazy. How are there people here defending this as "normal"?
This comment reeks like ChatGPT generated content, tbh.
Also, why perpetual?
They are essentially data processor, they act on your behalf and should not do things with data that you have not asked for.
That's why is proceeded by "for purposes of providing the Services to you"
Nothing here... move away from the fake outrage.
Rubbish. That wouldn’t require an explicit and broad right to commercialise and profit from your content
The small portion dealing with piracy isn’t what the uproar is a out