Merge branch '1.What_it_covers' of Disroot/Disroot-Privacy-Policy into master

This commit is contained in:
Fede.- 2019-10-24 18:01:17 +00:00 зафіксовано Gitea
джерело b8ec70fc96 a177515b8e
коміт 9e734db177
1 змінених файлів з 24 додано та 90 видалено

@ -3,99 +3,33 @@ title: Privacy Policy
bgcolor: '#1F5C60'
fontcolor: '#FFF'
---
** v1.1 - May 2018**
** v1.2 - October 2019**
<br><br>
This privacy policy applies to all Services hosted on Disroot.org and its sub-domains. We try to keep it as unified and simple as we possibly can.
**Disclaimer!** We reserve the right to change any of the points. All changes will be publicly available and will be communicated to all users via the forum, Diaspora, Mastodon and Blog. Major changes to Privacy Policy will be sent additionally via email to all users.
# Table of Contents
*Our motto:*
## "The less we know about our users the better"
!. What this Privacy policy covers?
- Definitions used on this Privacy Policy
1. What data do we collect?
- What do we do with your data?
2. What we do not do with your data
- How do we store your data?
3. Where the data is stored?
4. Per service detailed privacy notices
5. Your rights
- Access to your information
6. Changes on this Privacy Policy
### 1.What do we do with your data:
1. We require a username and password to identify the account holder and provide the services offered by Disroot.org All additional information you supply on any of the services provided by Disroot.org are optional.
----
2. Our processing of your information is limited to storing it for you to use.
# What this Privacy Policy covers?
This privacy policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of the so-called federated services, and because of the very nature of the protocols they use (which has the ability to send messages, likes, share files, chat, among others features) some of the data is necessarily shared with other entities, therefore these interactions are out of this Privacy Policy's scope. In any case, is important to note that sharing data with other services providers is a user's choice and is configured by the users in their settings per service including the decision of with whom and what to share.
3. We store logs of your activity for period no longer then 24h (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform.
3. Further access to your personal data and stored files and other information you provide to any of the services offered by disroot.org is under your control.
4. We use disk encryption on all data to prevent data leak in cases where servers are stolen, confiscated, or in any way physically tampered with.
6. We provide and require SSL/TLS encryption on all provided services
### 2. What we do not do with your data:
1. We do not collect any data other then what is needed to provide you the service.
2. We do not in any way process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers.
3. We do not share nor sell your data to third party unless in case of network inter-operatable (federated) services require certain data to operate (eg. other email service provider needs to know your email address to be able to deliver emails).
4. We do not require any additional information that is not crucial for operation of the service (we do not ask for additional email addresses, phone numbers)
5. We do not read/look nor process your personal data, emails, files etc. stored on our servers unless needed for troubleshooting purposes, or under suspicion of breaking Terms Of Services in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder.
### 3. Access to your information:
1. Federation.
<br>
Some of the services provided by Disroot.org such as Nextcloud, Email, Diaspora, Hubzilla, Xmpp and Matrix chat are operating based on so called Federation Protocols. This enables users signed up at different service providers to interact with each other. Because of the nature of the protocols (ability to send each other messages, likes, share files, chat) some of the data is naturally shared with other entities. However, sharing data with other service provider is the user's choice and is configured by the users in their settings per service including the decision of with whom and what to share.
2. You may be shown embedded videos and link previews from other websites while using services provided by Disroot.org. This may expose you to web tracking by external services, such as (but not limited to) Facebook, Twitter, and Google.
3. All data and files stored on services that are bound to personal information (services that require logging in) are available for you to download for either archival purposes or to transfer to another compatible website.
### 4. Your Rights
Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
<br>
You have the right to lodge a complaint to the Information Commissioners Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your personal data.
Identity and contact details of controller and data protection officer:
<br><br>
Stichting Disroot.org is the controller of data for the purposes of the DPA 18 and GDPR. 3
If you have any concerns as to how your data is processed you can contact:
<ul>
<li>- <b>data.protection.officer@disroot.org</b> - Person repsponsible for Privacy Policy</li>
<li>- <b>info@disroot.org</b> - General contact information </li>
</ul>
---
## 5. Per Service additional privacy policies and exceptions:
1. **search.disroot.org**
<ul>
<li>- No data (IP address, session cookie etc) is stored on the server, unless for troubleshooting purposes, after which the log data is purged from the server.</li>
</ul>
2. **upload.disroot.org**
<ul>
<li>- No data (IP address, session cookie etc) is stored on the server, unless for troubleshooting purposes, after which the log data is purged from the server.</li>
<li>- All files uploaded to the service are end-to-end encrypted. we, Disroot admins have no way of decrypting that information</li>
</ul>
3. **bin.disroot.org**
<ul>
<li>- No data (IP address, session cookie etc) is stored on the server, unless for troubleshooting purposes, after which the log data is purged from the server.</li>
<li>- All files uploaded to the service are end-to-end encrypted. we, Disroot admins have no way of decrypting that information</li>
</ul>
4. **pad.disroot.org** and **calc.disroot.org**
<ul>
<li>- We do not collect IP addresses and other personal data that can be linked to the pad.</li>
</ul>
5. **cloud.disroot.org**
<ul>
<li>- All files send to the cloud are encrypted with a keypair created based on the user password, to create extra level of security. Note however that the keys are stored on the server which compromises the level of security</li>
<li>- Everything else except for files (calendars, contacts, news, tasks, bookmarks etc) is stored in plain-text in a database, unless an app provides external encryption (non so far).</li>
</ul>
6. **email**
<ul>
<li>- All emails, unless encrypted by user (with gpg for example) are stored on our servers in plain-text.</li>
<li>- IP addresses of currently logged in user via IMAP/POP3 protocol are stored as long as the device is logged in to the server. (per each device logged in)</li>
</ul>
7. **poll.disroot.org**
<ul>
<li>- No IP addresses are stored on the server, unless temporarily for troubleshooting, after which they are purged from the server</li>
</ul>
## Definitions used on this Privacy Policy
- **Data**: According to the GDPR, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them.
- **Services**: the set of differents softwares, protocols and standards used to exchange data between web applications.
- **GDPR**: General Data Protection Regulation (EU).
- **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**.
- **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org
- **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers.
- **Federated services**: Services that operates on the basis of so-called **Federation Protocols** which enables users signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Hubzilla** and **XMPP**.