Improve privacy policy structure and contents #2

Open
b12f wants to merge 1 commit from pp-v2 into main


@ -6,11 +6,11 @@ Information on data privacy and protection for the services operated by pub.sola
We run multiple public services:
* our Matrix service, consisting of the "Homeserver"; `https://matrix.pub.solar`, as well as the web-based Element-Messenger ([chat.pub.solar](https://chat.pub.solar/)),
* our Nextcloud service at `https://cloud.pub.solar`,
* our Mastodon service at `https://mastodon.pub.solar`.
* our Gitea service at `https://git.pub.solar`.
* our Keycloak authentication service at `https://auth.pub.solar`.
* our Nextcloud service at `https://cloud.pub.solar`,
* our Gitea service at `https://git.pub.solar`.
* our Matrix service, consisting of the "Homeserver"; `https://matrix.pub.solar`, as well as the web-based Element-Messenger ([chat.pub.solar](https://chat.pub.solar/)),
* our Mastodon service at `https://mastodon.pub.solar`.
## Responsible for operating the service
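Review bot: the new service list mixes terminators: the Nextcloud and Matrix entries end with commas while the Gitea, Keycloak and Mastodon entries end with periods, and the Matrix entry still has a stray semicolon after "Homeserver". Use one terminator per bullet (a comma on every item and a period only on the last) and write `the "Homeserver" at https://matrix.pub.solar` instead of `the "Homeserver"; https://matrix.pub.solar`. Since Keycloak is the authentication service that every other listed service logs in through, listing it first would also match the order the new "What personal data is processed?" subsections use (Keycloak, Nextcloud, Git, Matrix, Mastodon).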
@ -27,29 +27,77 @@ If you have any questions regarding data protection, please contact us at [crew@
## What is the purpose of the data processing?
"Matrix" is an open, decentralized communication service for real-time communication. It enables members of pub.solar n.e.V., as well as other interested parties, to communicate with other users of this server as well as other Matrix users of federated Matrix servers via chat and audio/video telephony by means of a Matrix account.
The services we offer each require their own dataset to be able to function. A specific service only records data if you use it.
If you become a member of the association, we'll have to process personal data to make sure we oblige by German law.
Review

... we'll have to process personal data to make sure we comply with German law.
## What personal data is processed?
If a user chooses to use any of the services provided by us, the following data will be required and therefore collected by pub.solar in the authentication service:
A valid email address: required for account creation. This email address is deleted from our database after the account has been approved/denied, unless the user chooses during the registration process, to keep it for password reset process.
An username and a password: required to identify the account holder and provide the services offered by pub.solar.
Necessary information related to the operation and functioning of the services which may include, for example, IP address, User Agent, etc. More detailed information about this and how we handle it can be found in the Privacy notices per service.
When a user makes an online donation to pub.solar, we collect personal data such as, but not limited to, username (if any), country (in case of extra storage request for tax purposes), transaction IDs or bank account/reference. The purpose for which we use this data is merely administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "How do we store your data?" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully.
Any additional information that the user chooses to supply while using the services provided by us (whether it is chats, posts, emails, etc.). This additional information is optional and with the user's consent.
If you become a member in the association, we record your full name, email address, and home address.
Review

If you become a member of the association...
### Keycloak (auth.pub.solar)
A valid email address: required for account creation. This email address is deleted from our database after the account has been approved/denied, unless the user chooses during the registration process, to keep it for password reset process.
Review

A user's email address is not getting deleted automatically right now. Would you like to add this here as an incentive for us to create such an automation?
An username and a password: required to identify the account holder and provide the services offered by pub.solar.
Review

An username (called pub.solar ID).
Also maybe mention possible second factor here?
### Nextcloud (cloud.pub.solar)
This service requires login with pub.solar credentials.
Review

Let's stick to pub.solar ID everywhere.
Everything (files, calendars, contacts, news, tasks, bookmarks, etc.) is stored unencrypted in a database, unless an application provides external encryption (none so far). This is a limitation of the software we are utilizing for this service (Nextcloud).
We do not currently encrypt files when you upload them because we've had some bad experiences with dataloss incurred through end-to-end encryption.
Review

dataloss -> data loss
Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues.
Review

Let's make this 7 days. We're not working full time on pub.solar, so we might notice an issue with a delay and still want to be able to debug it.
### Git (git.pub.solar)
This service requires login with pub.solar credentials.
Review

Let's stick to pub.solar ID everywhere.
Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues.
All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text).
### Matrix (chat.pub.solar & matrix.pub.solar)
This service requires login with pub.solar credentials.
Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues.
All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text).
### Mastodon (mastodon.pub.solar)
This service requires login with pub.solar credentials.
Basic account information: If you register on this server, you may be asked to enter a username, an e-mail address and a password. You may also enter additional profile information such as a display name and biography, and upload a profile picture and header image. The username, display name, biography, profile picture and header image are always listed publicly.
Posts, following and other public information: The list of people you follow is listed publicly, the same is true for your followers. When you submit a message, the date and time is stored as well as the application you submitted the message from. Messages may contain media attachments, such as pictures and videos. Public and unlisted posts are available publicly. When you feature a post on your profile, that is also publicly available information. Your posts are delivered to your followers, in some cases it means they are delivered to different servers and copies are stored there. When you delete posts, this is likewise delivered to your followers. The action of reblogging or favouriting another post is always public.
Direct and followers-only posts: All posts are stored and processed on the server. Followers-only posts are delivered to your followers and users who are mentioned in them, and direct posts are delivered only to users mentioned in them. In some cases it means they are delivered to different servers and copies are stored there. We make a good faith effort to limit the access to those posts only to authorized persons, but other servers may fail to do so. Therefore it's important to review servers your followers belong to. You may toggle an option to approve and reject new followers manually in the settings. Please keep in mind that the operators of the server and any receiving server may view such messages, and that recipients may screenshot, copy or otherwise re-share them. Do not share any sensitive information over Mastodon.
IPs and other metadata: When you log in, we record the IP address you log in from, as well as the name of your browser application. All the logged in sessions are available for your review and revocation in the settings. The latest IP address used is stored for up to 12 months. We also may retain server logs which include the IP address of every request to our server.
## How long will the personal data be stored?
The personal data will be deleted from our server after 15 months of inactivity. The deletion requests are forwarded to the federated servers. However, we have no influence on their execution.
Financial data, for example from donations, will have to be kept for 10 years, required by German tax law.
Data regarding your pub.solar assocation membership will be deleted after you leave the assocation.
## Where is the personal data stored?
We run our all of our services on servers of the company [Greenbaum Cloud](https://greenbaum.cloud/).
We run our all of our services on dedicated servers of the company [Hetzner GmbH](https://hetzner.com/). The data on these servers is encrypted at rest. Backups are made to several locations, the data is encrypted before it is sent to the backup locations.
Review

I would make this more broad to be flexible:

We run all of our services on servers hosted in Germany. The data on these servers is encrypted at rest. Backups are made to different locations, the data is encrypted before it is sent to the backup locations.
## Data subject rights
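Review bot: the new "### Matrix (chat.pub.solar & matrix.pub.solar)" subsection is a copy of the Git subsection and still says "All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text)", which does not describe Matrix at all. Replace it with what the homeserver actually stores (account and device data, room membership, messages and media), state whether messages are stored in plain text when a room does not use end-to-end encryption, and repeat here what the purpose section already says about federation: messages in federated rooms are copied to other homeservers, where this policy does not apply. Two more consistency points in this hunk: the Mastodon subsection opens with "This service requires login with pub.solar credentials." but then says users "may be asked to enter a username, an e-mail address and a password", which contradicts Keycloak login and should be rewritten for the pub.solar ID flow; and the Nextcloud subsection says everything "is stored unencrypted in a database" while the storage section says "The data on these servers is encrypted at rest", so say explicitly that the former is application-level encryption and the latter disk encryption, or readers will take the two sentences as contradicting each other. Mastodon's "We also may retain server logs" gives no retention period, unlike the 24-hour period stated for every other service; either state it or align it. Typos: "We run our all of our services" (storage section) and "assocation" twice in the retention section.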
@ -78,48 +126,6 @@ We do not require any additional information that is not crucial for the operati
We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for providing the service, troubleshooting purposes or under suspicion of breaking our Terms Of Services in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder.
## Privacy Policy per service
### Cloud
Our cloud runs Nextcloud.
This service requires login with pub.solar credentials.
Everything (files, calendars, contacts, news, tasks, bookmarks, etc.) is stored unencrypted in a database, unless an application provides external encryption (none so far). This is a limitation of the software we are utilizing for this service (Nextcloud).
We do not currently encrypt files when you upload them because we've had some bad experiences with dataloss incurred through end-to-end encryption.
Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues.
### Git
This service requires login with pub.solar credentials.
Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues.
All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text).
### Matrix
This service requires login with pub.solar credentials.
Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues.
All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text).
### Mastodon
This service requires login with pub.solar credentials.
Basic account information: If you register on this server, you may be asked to enter a username, an e-mail address and a password. You may also enter additional profile information such as a display name and biography, and upload a profile picture and header image. The username, display name, biography, profile picture and header image are always listed publicly.
Posts, following and other public information: The list of people you follow is listed publicly, the same is true for your followers. When you submit a message, the date and time is stored as well as the application you submitted the message from. Messages may contain media attachments, such as pictures and videos. Public and unlisted posts are available publicly. When you feature a post on your profile, that is also publicly available information. Your posts are delivered to your followers, in some cases it means they are delivered to different servers and copies are stored there. When you delete posts, this is likewise delivered to your followers. The action of reblogging or favouriting another post is always public.
Direct and followers-only posts: All posts are stored and processed on the server. Followers-only posts are delivered to your followers and users who are mentioned in them, and direct posts are delivered only to users mentioned in them. In some cases it means they are delivered to different servers and copies are stored there. We make a good faith effort to limit the access to those posts only to authorized persons, but other servers may fail to do so. Therefore it's important to review servers your followers belong to. You may toggle an option to approve and reject new followers manually in the settings. Please keep in mind that the operators of the server and any receiving server may view such messages, and that recipients may screenshot, copy or otherwise re-share them. Do not share any sensitive information over Mastodon.
IPs and other metadata: When you log in, we record the IP address you log in from, as well as the name of your browser application. All the logged in sessions are available for your review and revocation in the settings. The latest IP address used is stored for up to 12 months. We also may retain server logs which include the IP address of every request to our server.
## References/License
We have created the basic structure of this data protection information with the help of [DS-GVO.clever-Tools](https://www.baden-wuerttemberg.datenschutz.de/ds-gvo.clever/) and adapted it to our needs. We have also used parts of [Datenschutzerklärung der TU-Dresden](https://doc.matrix.tu-dresden.de/privacy/) and adjusted them accordingly. Text is licensed [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/deed.de).
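Review bot: deleting the "## Privacy Policy per service" section leaves a dangling cross-reference: the sentence kept earlier in the file, "More detailed information about this and how we handle it can be found in the Privacy notices per service.", now points at a heading that no longer exists, so reword it to refer to the per-service subsections under "What personal data is processed?". The unchanged context line at the top of this hunk still promises a "transparency report addressed to account holder" for any access made under suspicion of a Terms of Service breach; with the per-service subsections now stating 24-hour log retention and no log backups, say what record of such access is kept so that the report can actually be produced, or drop the promise.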