From c044bfa8fb0b558e3fedeb352471c6d619227d45 Mon Sep 17 00:00:00 2001 From: muppeth Date: Fri, 11 Oct 2019 21:56:46 +0000 Subject: [PATCH 1/6] TOC (#9) --- privacy_policy.md | 106 ++++++---------------------------------------- 1 file changed, 13 insertions(+), 93 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index b535b8b..93d91f8 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -3,99 +3,19 @@ title: Privacy Policy bgcolor: '#1F5C60' fontcolor: '#FFF' --- -** v1.1 - May 2018** +** v1.2 - October 2019**

-This privacy policy applies to all Services hosted on Disroot.org and its sub-domains. We try to keep it as unified and simple as we possibly can. -**Disclaimer!** We reserve the right to change any of the points. All changes will be publicly available and will be communicated to all users via the forum, Diaspora, Mastodon and Blog. Major changes to Privacy Policy will be sent additionally via email to all users. +# Table of Contents -*Our motto:* -## "The less we know about our users the better" - -### 1.What do we do with your data: -1. We require a username and password to identify the account holder and provide the services offered by Disroot.org All additional information you supply on any of the services provided by Disroot.org are optional. - -2. Our processing of your information is limited to storing it for you to use. - -3. We store logs of your activity for period no longer then 24h (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform. - -3. Further access to your personal data and stored files and other information you provide to any of the services offered by disroot.org is under your control. - -4. We use disk encryption on all data to prevent data leak in cases where servers are stolen, confiscated, or in any way physically tampered with. - -6. We provide and require SSL/TLS encryption on all provided services - -### 2. What we do not do with your data: -1. We do not collect any data other then what is needed to provide you the service. - -2. We do not in any way process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers. - -3. We do not share nor sell your data to third party unless in case of network inter-operatable (federated) services require certain data to operate (eg. other email service provider needs to know your email address to be able to deliver emails). - -4. We do not require any additional information that is not crucial for operation of the service (we do not ask for additional email addresses, phone numbers) - -5. We do not read/look nor process your personal data, emails, files etc. stored on our servers unless needed for troubleshooting purposes, or under suspicion of breaking Terms Of Services in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. - -### 3. Access to your information: - 1. Federation. -
- Some of the services provided by Disroot.org such as Nextcloud, Email, Diaspora, Hubzilla, Xmpp and Matrix chat are operating based on so called Federation Protocols. This enables users signed up at different service providers to interact with each other. Because of the nature of the protocols (ability to send each other messages, likes, share files, chat) some of the data is naturally shared with other entities. However, sharing data with other service provider is the user's choice and is configured by the users in their settings per service including the decision of with whom and what to share. - - 2. You may be shown embedded videos and link previews from other websites while using services provided by Disroot.org. This may expose you to web tracking by external services, such as (but not limited to) Facebook, Twitter, and Google. - - 3. All data and files stored on services that are bound to personal information (services that require logging in) are available for you to download for either archival purposes or to transfer to another compatible website. - -### 4. Your Rights -Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability. -If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn. -
-You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your personal data. -Identity and contact details of controller and data protection officer: -

-Stichting Disroot.org is the controller of data for the purposes of the DPA 18 and GDPR. 3 -If you have any concerns as to how your data is processed you can contact: - - ---- -## 5. Per Service additional privacy policies and exceptions: -1. **search.disroot.org** - - -2. **upload.disroot.org** - - -3. **bin.disroot.org** - - -4. **pad.disroot.org** and **calc.disroot.org** - - -5. **cloud.disroot.org** - - -6. **email** - - -7. **poll.disroot.org** - +!. What this Privacy policy covers? + - Definitions used on this Privacy Policy +1. What data do we collect? + - What do we do with your data? +2. What we do not do with your data + - How do we store your data? +3. Where the data is stored? +4. Per service detailed privacy notices +5. Your rights + - Access to your information +6. Changes on this Privacy Policy From 092fc3779457a02f6fb684c3393b01215c3139e4 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sat, 12 Oct 2019 17:36:39 +0000 Subject: [PATCH 2/6] What the PP covers Define the scope of the PP --- privacy_policy.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/privacy_policy.md b/privacy_policy.md index 93d91f8..018c491 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -19,3 +19,7 @@ fontcolor: '#FFF' 5. Your rights - Access to your information 6. Changes on this Privacy Policy +---- + +# What this Privacy Policy covers? +This privacy policy applies to all Services hosted on Disroot.org and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. \ No newline at end of file From b24094412c4f8eb0f91cc29334d9f0930105e06c Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sat, 12 Oct 2019 17:37:38 +0000 Subject: [PATCH 3/6] What the PP covers Define the scope of the PP --- privacy_policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/privacy_policy.md b/privacy_policy.md index 018c491..7acfc5b 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -19,6 +19,7 @@ fontcolor: '#FFF' 5. Your rights - Access to your information 6. Changes on this Privacy Policy + ---- # What this Privacy Policy covers? From a531d07bc49a3f215efa40366118614d5ccec63f Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sun, 13 Oct 2019 15:22:07 +0000 Subject: [PATCH 4/6] Scope and definitions The data definition of the GDPR is tremendously broad. The list of types of personal data that could lead to the identification of a natural person in the digital context further include email addresses, cookies, IP addresses and, overall, lots of online identifiers. It has to be adjusted to the context of Disroot. --- privacy_policy.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/privacy_policy.md b/privacy_policy.md index 7acfc5b..8bac3a9 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -23,4 +23,12 @@ fontcolor: '#FFF' ---- # What this Privacy Policy covers? -This privacy policy applies to all Services hosted on Disroot.org and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. \ No newline at end of file +This privacy policy applies to all Services hosted on Disroot.org and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. + +## Definitions used on this Privacy Policy +- **Data**: According to the GDPR, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them. +- **Services**: the set of differents softwares, protocols and standards used to exchange data between web applications. +- **GDPR**: General Data Protection Regulation (EU). +- **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**. +- **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org +- **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers. \ No newline at end of file From d7af2b8b868ebe4878d7208143a820eb92f890ec Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Mon, 14 Oct 2019 18:32:31 +0000 Subject: [PATCH 5/6] Actualizar 'privacy_policy.md' --- privacy_policy.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 8bac3a9..1b5b486 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -23,7 +23,7 @@ fontcolor: '#FFF' ---- # What this Privacy Policy covers? -This privacy policy applies to all Services hosted on Disroot.org and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. +This privacy policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of federated services, because of the very nature of this protocols (ability to send messages, likes, share files, chat) some of the data is necessarily shared with other entities, therefore these interactions are out of this Privacy Policy's scope. In any case, is important to note that sharing data with other services providers is a user's choice and is configured by the users in their settings per service including the decision of with whom and what to share. ## Definitions used on this Privacy Policy - **Data**: According to the GDPR, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them. @@ -31,4 +31,5 @@ This privacy policy applies to all Services hosted on Disroot.org and its sub-do - **GDPR**: General Data Protection Regulation (EU). - **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**. - **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org -- **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers. \ No newline at end of file +- **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers. +- **Federated services**: Services that operates on the basis of so-called **Federation Protocols** which enables users signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Hubzilla** and **XMPP**. \ No newline at end of file From a177515b8e5982b5725517d9007cd750f529a4bb Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Tue, 15 Oct 2019 22:43:37 +0000 Subject: [PATCH 6/6] Actualizar 'privacy_policy.md' --- privacy_policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privacy_policy.md b/privacy_policy.md index 1b5b486..9dac310 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -23,7 +23,7 @@ fontcolor: '#FFF' ---- # What this Privacy Policy covers? -This privacy policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of federated services, because of the very nature of this protocols (ability to send messages, likes, share files, chat) some of the data is necessarily shared with other entities, therefore these interactions are out of this Privacy Policy's scope. In any case, is important to note that sharing data with other services providers is a user's choice and is configured by the users in their settings per service including the decision of with whom and what to share. +This privacy policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of the so-called federated services, and because of the very nature of the protocols they use (which has the ability to send messages, likes, share files, chat, among others features) some of the data is necessarily shared with other entities, therefore these interactions are out of this Privacy Policy's scope. In any case, is important to note that sharing data with other services providers is a user's choice and is configured by the users in their settings per service including the decision of with whom and what to share. ## Definitions used on this Privacy Policy - **Data**: According to the GDPR, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them.