From ed007f70246d15f1f5728553cec272f589c5d298 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sun, 27 Oct 2019 10:26:10 -0300 Subject: [PATCH 01/29] Privacy Policy complete draft --- pp_draft.md | 263 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 263 insertions(+) create mode 100644 pp_draft.md diff --git a/pp_draft.md b/pp_draft.md new file mode 100644 index 0000000..d7805a4 --- /dev/null +++ b/pp_draft.md @@ -0,0 +1,263 @@ +--- +title: Privacy Policy +bgcolor: '#1F5C60' +fontcolor: '#FFF' +--- +** v1.2 - October 2019** +

+ + +# Table of Contents + +!. [What this Privacy policy covers?](#coverage) + +- [Definitions used on this Privacy Policy](#definitions) + + +1. [What data do we collect?](#data_we_collect) + - 1.1. [What do we do with your data?](#what_we_do) + - 1.2. [How do we store your data?](#how_we_store) + + +2. [What we do not do with your data](#what_we_do_not) + +3. [Where the data is stored?](#where_store) + + +4. [Per service detailed privacy notices](#per_service) + - [4.1. Email](#email) + - [4.2. Cloud](#cloud) + - [4.3. XMPP Chat](#chat) + - [4.4. SearX](#searx) + - [4.5. Upload](#upload) + - [4.6. Pads](#pads) + - [4.7. Polls](#polls) + - [4.8. Bin](#bin) + - [4.9. Forum](#forum) + - [4.10. Project Board](#project_board) + - [4.11. Conference calls](#calls) + - [4.12. Diaspora*](#diaspora) + - [4.13. GIT](#git) + + +5. [Your rights](#rights) + - [5.1. Access to your information](#access_information) + + +6. [Changes on this Privacy Policy](#changes) + +---- + +# What this Privacy Policy covers? +This Privacy Policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of the so-called federated services, and because of the very nature of the protocols they use (which has the ability to send messages, likes, share files, chat, among others features) some of the data is necessarily shared with other entities, therefore these interactions are out of this Privacy Policy's scope.
+In any case, is important to **note that sharing data with other services providers is a user's choice** and is configured by the users in their settings per service including the decision of with whom and what to share. + + +## Definitions used on this Privacy Policy +- **Data**: According to the **GDPR**, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them. +- **Services**: the set of differents softwares, protocols and standards used to exchange data between web applications. +- **GDPR**: General Data Protection Regulation (EU). +- **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**. +- **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org +- **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers. +- **Federated services**: Services that operates on the basis of so-called **federation protocols** which enables users signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Diaspora\***, **Hubzilla** and **XMPP**. + +[Back to top](#top) + +--- + +# 1. What data do we collect? +We require a username and password to identify the account holder and provide the services offered by **Disroot.org**. All additional information you supply on any of the services provided by us is **optional**.
+ +(For more detailed information, please refer to the [Per service privacy notices](#per_services) section below) + + +## 1.1. What do we do with your data? + +- Our processing of your information is limited to storing it for you to use. + +- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform.
+(Detailed information on [Per service privacy notices](#per_services) section) + + +## 1.2. How do we store your data? +To protect your data we use the following security measures: + +* a. We use disk encryption on all data to prevent data leak in case the servers are stolen, confiscated, or in any way physically tampered with. + +* b. We provide and require SSL/TLS encryption on all provided services. + +* c. We utilise “end to end” and/or “server-side” encryption whenever it is possible in software used to provide maximum security for the users. + +[Back to top](#top) + + +# 2. What we do not do with your data + +- We do not collect any data other than what is needed to provide you the service. + +- We do not in any way process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers. + +- We do not sell nor share your data to third party unless in case of federated services which requires certain data to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). + +- We do not require any additional information that is not crucial for the operation of the service (we do not ask for additional email addresses, phone numbers) + +- We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for troubleshooting purposes, or under suspicion of breaking **Terms Of Services** in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. + + +[Back to top](#top) + + +# 3. Where the data is stored? +We store all data in our own servers located in the Netherlands. + +[Back to top](#top) + + +# 4. 
Per service detailed privacy notices + + +## 4.1 - **Email Service** (https://mail.disroot.org) + - All emails, unless encrypted by the user (with GPG for example) are stored unencrypted on our servers. + - IP addresses of currently logged in users via IMAP/POP3 protocol are stored as long as the device is logged in to the server *(per each device logged in)*. + - Server logs which store information such as, but not limited to, your username and your IP Address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + - Given the email is a **federated** protocol, when interacting with email addresses hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. + - Service requires login with Disroot credentials. + + +## 4.2 - **Disroot Cloud** (https://cloud.disroot.org) + - All files sent to the cloud are encrypted with a key-pair created based on the user password, to add an extra level of security. Note however that the keys are stored on the server, which compromises the level of security to some degree (e.g.: once an attacker knows your password and obtained the encryption key-pair, can decrypt the data). However **no** "Master Key" does exist on our setup, which means the Admins cannot decrypt any files stored on the cloud without knowing user's password prior. + - Everything else except for files (calendars, contacts, news, tasks, bookmarks, etc) is stored unencrypted in a database, unless an app provides external encryption (non so far). This is a disadvantaged restriction of the software we are utilizing for this service (Nextcloud). 
+ - Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + - Service requires login with Disroot credentials. + + +## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) + - Chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. + - Roster (your XMPP contact list) is stored on the server's database. + - Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. + - Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + - Given the XMPP is a **federated** chat protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. + - Files uploaded to the server are stored as is for a period of 6 months. + - Service requires login with Disroot credentials. + + +## 4.4 - **Disroot SearX** (https://search.disroot.org) + - **No log data** (IP address, session cookie, etc) is stored on the server. + - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. 
+ - No search queries are saved on the server nor any personal information of our users is leaked to the other search engine. + - Service does not require login or providing any personal data. + + +## 4.5 - **Disroot Upload** (https://upload.disroot.org) + - **No log data** (IP address, session cookie, etc) is stored on the server. + - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. + - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. + - Files uploaded to the server are wiped based on the retention period set by user upon upload. + - Service does not require login or providing any personal data. + + +## 4.6 - **Disroot Pads** (https://pad.disroot.org and https://calc.disroot.org) + - **No log data** (IP address, session cookie, etc) is stored on the server. + - We do not collect any other personal data that can be linked to the pads. + - Pad content is stored on the server in the database as is (plain-text). + - Untouched pads expire after 6 months and are then removed from the server. + - Service does not require login or providing any personal data. + + +## 4.7 - **Disroot Polls** (https://poll.disroot.org) + - **No log data** (IP address, session cookie, etc) is stored on the server. + - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. + - Poll data is stored on the server in the database as is (plain-text). + - Expired polls (depending on user setting during poll creation) are removed from the database. + - Service does not require login or providing any personal data. + + +## 4.8 - **Disroot Bin** (https://bin.disroot.org) + - **No log data** (IP address, session cookie, etc) is stored on the server. 
+ - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. + - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. + - Files uploaded to the server are wiped based on the retention period set by user upon upload. + - Comments and discussions under pastes are **end-to-end encrypted**. + - Service does not require login or providing any personal data. + + +## 4.9 - **Disroot Forum** (https://forum.disroot.org) + - **No log data** (IP address, session cookie, etc) is stored on the server. + - Service does store your last used IP address in the database. + - All forum data (groups, threads, posts, usernames, email addresses) is stored on the server in the database as is (plain-text). + - Service requires you to create separate forum only account or use Disroot credentials to interact with discussions. + + +## 4.10 - **Disroot Project Board** (https://board.disroot.org) + - Server logs which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + - All board data (usernames, project data, email addresses) is stored on the server in the database as is (plain-text). + - Service requires login with Disroot credentials. + + +## 4.11 - **Disroot Conference calls** (https://calls.disroot.org) + - **No log data** (IP address, session cookie, etc) is stored on the server. + - No user data is permanently stored on the server. 
+ + +## 4.12 - **Disroot Diaspora\* pod** (https://pod.disroot.org) + - Server logs which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + - Due to the **federated** nature of the service, your public posts are shared/transfered to other independently operated servers in the network over which we have no control. + - Private posts/messages are only sent to users on other servers if you intentionally interact with them. + - All pod data (usernames, email addresses, posts and messages,polls, contacts, photos and images) is stored on the server in the database as is (plain-text). + + +## 4.13 - **Disroot GIT** (https://git.disroot.org) + - Server logs which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + - All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull request data is stored on the server in the database as is (plain-text). + - Service requires you to create separate git only account to interact with others. + +[Back to top](#top) + + +# 5. Your rights +Under the **GDPR** you have a number of rights with regard to your personal data: + +* a. **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. +* b. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete whenever it possible*. +* c. 
**Right to erase** - The right to request delete or remove your Data from our servers. +* d. **Right to restrict the use of your Data** - The right to restrict processing or limit the way we use your Data. +* e. **Right to Data portability** - The right to move, copy or transfer your Data. +* f. **Right to object** - The right to object to our use of your Data. + +\* *This not applies to* **username** *and* **email address** *as they are integral part of your user account and cannot be modified*. + +To make enquires, excercise any of the rights described above or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via email to: + +- **info@disroot.org** - General contact information + +For the purposes of the **GDPR**, **Disroot.org** is the "data controller". This means that **Disroot** determines the purposes for which and the manner which your data is processed. + +If you are not satisfied with the way a compliant you make regarding to how your Data is handled by us, you have the right to send a complaint to the **Information Commissioners’ Office**. + +**Dutch Data Protection Authority (Dutch DPA)** + +**Postal address**
+Autoriteit Persoonsgegevens
+PO Box 93374
+2509 AJ DEN HAAG
+
+**Phone:** (+31) - (0)70 - 888 85 00
+**Fax:** (+31) - (0)70 - 888 85 01
+ + +## 5.1. Access to your information +Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible website. + +**How to access and self-export your personal data**
+https://howto.disroot.org/en/tutorials/user/gdpr + +**To modify your personal data or delete your account**
+https://user.disroot.org + +[Back to top](#top) + + +# 6. Changes on this Privacy Policy + +[Back to top](#top) From 5c5babf9a1d7d52519a827b1f91fae16ec2232a7 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sun, 27 Oct 2019 15:06:14 +0000 Subject: [PATCH 02/29] Actualizar 'pp_draft.md' --- pp_draft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp_draft.md b/pp_draft.md index d7805a4..19aec76 100644 --- a/pp_draft.md +++ b/pp_draft.md 
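Review bot: in the @@ -0,0 +1,263 @@ hunk of PATCH 01/29, section 5 names the wrong supervisory authority: the sentence says complaints go to the "Information Commissioners' Office" (the UK regulator), but the address block that follows is the Dutch DPA (Autoriteit Persoonsgegevens), which is the right one for a Dutch foundation with servers in the Netherlands; change the sentence to name the Dutch Data Protection Authority. Two further problems in the same hunk: the table of contents carries a stray `!.` marker on `!. [What this Privacy policy covers?](#coverage)` and links to anchors (`#coverage`, `#definitions`, `#data_we_collect`, `#per_service`, `#rights`, `#changes`) that no heading in the file defines, while the body links use `#per_services` (with an s), so these are dead links unless explicit ids are added to the headings; and `# 6. Changes on this Privacy Policy` has no body. Smaller fixes: "24hs" should be "24 hours", "compliant you make" should be "complaint you make", "submited" and "excercise" are misspelt, and "whenever it possible*" in 5.b should read "whenever possible*" so the footnote marker follows a complete clause.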
@@ -127,7 +127,7 @@ We store all data in our own servers located in the Netherlands. ## 4.2 - **Disroot Cloud** (https://cloud.disroot.org) - All files sent to the cloud are encrypted with a key-pair created based on the user password, to add an extra level of security. Note however that the keys are stored on the server, which compromises the level of security to some degree (e.g.: once an attacker knows your password and obtained the encryption key-pair, can decrypt the data). However **no** "Master Key" does exist on our setup, which means the Admins cannot decrypt any files stored on the cloud without knowing user's password prior. - - Everything else except for files (calendars, contacts, news, tasks, bookmarks, etc) is stored unencrypted in a database, unless an app provides external encryption (non so far). This is a disadvantaged restriction of the software we are utilizing for this service (Nextcloud). + - Everything else except for files (calendars, contacts, news, tasks, bookmarks, etc) is stored unencrypted in a database, unless an app provides external encryption (none so far). This is a disadvantaged restriction of the software we are utilizing for this service (Nextcloud). - Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - Service requires login with Disroot credentials. From 1c92c420124abd9f7b8107d7eafdbd50be64a4cf Mon Sep 17 00:00:00 2001 
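Review bot: in the @@ -127,7 +127,7 @@ hunk of PATCH 02/29, the changed line fixes "non so far" but keeps "This is a disadvantaged restriction of the software we are utilizing for this service (Nextcloud)"; "disadvantaged" is not the intended word, suggest "This is a limitation of the software we use for this service (Nextcloud)". The unchanged line above it still ends with "without knowing user's password prior" and should read "without first knowing the user's password".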
From: "Fede.-" Date: Tue, 29 Oct 2019 15:59:00 -0300 Subject: [PATCH 03/29] Fixes on PP coverage + What data do we collect + Services names + Chat information + PP Disroot email added --- pp_draft.md | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/pp_draft.md b/pp_draft.md index 19aec76..f96b1a5 100644 --- a/pp_draft.md +++ b/pp_draft.md @@ -28,14 +28,14 @@ fontcolor: '#FFF' - [4.1. Email](#email) - [4.2. Cloud](#cloud) - [4.3. XMPP Chat](#chat) - - [4.4. SearX](#searx) + - [4.4. Search](#searx) - [4.5. Upload](#upload) - [4.6. Pads](#pads) - [4.7. Polls](#polls) - [4.8. Bin](#bin) - [4.9. Forum](#forum) - [4.10. Project Board](#project_board) - - [4.11. Conference calls](#calls) + - [4.11. Calls](#calls) - [4.12. Diaspora*](#diaspora) - [4.13. GIT](#git) @@ -49,7 +49,7 @@ fontcolor: '#FFF' ---- # What this Privacy Policy covers? -This Privacy Policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of the so-called federated services, and because of the very nature of the protocols they use (which has the ability to send messages, likes, share files, chat, among others features) some of the data is necessarily shared with other entities, therefore these interactions are out of this Privacy Policy's scope.
+This Privacy Policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of the so-called federated services, and because of the very nature of the protocols they use (which has the ability to send messages, likes, share files, chat, among others features) some of the data is necessarily shared with other entities or transferred to them, therefore these interactions are out of this Privacy Policy's scope.
In any case, is important to **note that sharing data with other services providers is a user's choice** and is configured by the users in their settings per service including the decision of with whom and what to share. @@ -67,7 +67,10 @@ In any case, is important to **note that sharing data with other services provid --- # 1. What data do we collect? -We require a username and password to identify the account holder and provide the services offered by **Disroot.org**. All additional information you supply on any of the services provided by us is **optional**.
+- Account creation requires a valid email address which is deleted from our database after the account has been approved/denied. +- We require a username and password to identify the account holder and provide the services offered by **Disroot.org**. +- Necessary information related to the operation and functioning of the services, which may include, for example, IP address, User Agent, etc. *More detailed information about this and how we handle it can be found in the [Per service privacy notices](#per_services).* +- All additional information you supply on any of the services provided by us is **optional**. (For more detailed information, please refer to the [Per service privacy notices](#per_services) section below) @@ -75,8 +78,8 @@ We require a username and password to identify the account holder and provide th ## 1.1. What do we do with your data? - Our processing of your information is limited to storing it for you to use. +- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform. -- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform.
(Detailed information on [Per service privacy notices](#per_services) section) @@ -98,9 +101,11 @@ To protect your data we use the following security measures: - We do not in any way process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers. -- We do not sell nor share your data to third party unless in case of federated services which requires certain data to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). +- We do not sell your data to third party. -- We do not require any additional information that is not crucial for the operation of the service (we do not ask for additional email addresses, phone numbers) +- We do not share your data to third party unless in case of federated services which requires certain data to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). + +- We do not require any additional information that is not crucial for the operation of the service (we do not ask for phone numbers, private personal data, home address). - We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for troubleshooting purposes, or under suspicion of breaking **Terms Of Services** in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. 
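Review bot: in the @@ -67,7 +67,10 @@ hunk of PATCH 03/29, the new first bullet says the email address given at account creation "is deleted from our database after the account has been approved/denied", which reads as contradicting the footnote in section 5 that the **email address** "cannot be modified" because it is an "integral part of your user account"; make explicit that the first is the external contact address entered in the sign-up form and the second is the Disroot mailbox address. The third new bullet ("Necessary information related to the operation and functioning of the services, which may include, for example, IP address, User Agent, etc.") is a fragment in a list whose other items are sentences; suggest "We store the information needed to operate the services, which may include your IP address and User Agent." Its link target `#per_services` still has no matching heading (the table of contents links to `#per_service`).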
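Review bot: in the @@ -98,9 +101,11 @@ hunk of PATCH 03/29, the two new bullets have number agreement errors: "We do not sell your data to third party." and "We do not share your data to third party unless in case of federated services which requires certain data to operate" should read "to third parties" and "which require", and "share ... to" should be "share ... with". Splitting the sell and share statements is the right move, but since the share bullet now presents federation as the only exception, every other recipient of personal data named elsewhere in the policy has to be listed here too or the sentence becomes inaccurate.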
@@ -133,16 +138,15 @@ We store all data in our own servers located in the Netherlands. ## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) - - Chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. - Roster (your XMPP contact list) is stored on the server's database. - - Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. + - Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionaly, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. - Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - Given the XMPP is a **federated** chat protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. - Files uploaded to the server are stored as is for a period of 6 months. - Service requires login with Disroot credentials. - -## 4.4 - **Disroot SearX** (https://search.disroot.org) + +## 4.4 - **Disroot Search** (https://search.disroot.org) - **No log data** (IP address, session cookie, etc) is stored on the server. - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. - No search queries are saved on the server nor any personal information of our users is leaked to the other search engine. 
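Review bot: in the @@ -133,16 +138,15 @@ hunk of PATCH 03/29, the merged line introduces the misspelling "Additionaly" (should be "Additionally"), and it now states both that chat history "is stored on the server in the same form as on the chat itself" and that it "is stored on the server for a period of 6 months" only "if specified by user on per chatroom basis"; spell out the two cases, in particular whether any history is retained when the user has not enabled it, so the retention rule is unambiguous. The `+ ` line before `## 4.4` is a whitespace-only line and should be an empty line.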
@@ -195,7 +199,7 @@ We store all data in our own servers located in the Netherlands. - Service requires login with Disroot credentials. -## 4.11 - **Disroot Conference calls** (https://calls.disroot.org) +## 4.11 - **Disroot Calls** (https://calls.disroot.org) - **No log data** (IP address, session cookie, etc) is stored on the server. - No user data is permanently stored on the server. @@ -229,6 +233,7 @@ Under the **GDPR** you have a number of rights with regard to your personal data To make enquires, excercise any of the rights described above or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via email to: +- **data.protection.officer@disroot.org** - Person responsible for this Privacy Policy - **info@disroot.org** - General contact information For the purposes of the **GDPR**, **Disroot.org** is the "data controller". This means that **Disroot** determines the purposes for which and the manner which your data is processed. From d86dd9bacf2841d672a56634864307772dca7942 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Tue, 29 Oct 2019 19:05:14 +0000 Subject: [PATCH 04/29] Actualizar 'pp_draft.md' --- pp_draft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp_draft.md b/pp_draft.md index f96b1a5..3110922 100644 --- a/pp_draft.md +++ b/pp_draft.md 
@@ -139,7 +139,7 @@ We store all data in our own servers located in the Netherlands. ## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) - Roster (your XMPP contact list) is stored on the server's database. - - Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionaly, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. + - Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. - Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - Given the XMPP is a **federated** chat protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. - Files uploaded to the server are stored as is for a period of 6 months. From 0e787fc6af0514f38db62100a4eb31c14d05ab73 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Wed, 30 Oct 2019 13:05:33 +0000 Subject: [PATCH 05/29] Actualizar 'pp_draft.md' --- pp_draft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp_draft.md b/pp_draft.md index 3110922..1116a85 100644 --- a/pp_draft.md +++ b/pp_draft.md 
@@ -97,7 +97,7 @@ To protect your data we use the following security measures: # 2. What we do not do with your data -- We do not collect any data other than what is needed to provide you the service. +- We do not collect any other data than what is needed to provide you the service. - We do not in any way process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers. From ab70c631c48c5163e39d0a7616cc685fcda169d6 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sat, 2 Nov 2019 19:04:13 +0000 Subject: [PATCH 06/29] Added "Changes on this PP" Text needs revision --- pp_draft.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pp_draft.md b/pp_draft.md index 1116a85..272f0a0 100644 --- a/pp_draft.md +++ b/pp_draft.md @@ -264,5 +264,9 @@ https://user.disroot.org # 6. Changes on this Privacy Policy +From time to time we may need to update this Privacy Policy. If we decide to do so, all changes will be publicly available and will be communicated to all users via the forum, our social networks, and blog post. We recommend that you regularly check for any changes on this policy. + +Last update of this Privacy Policy: + [Back to top](#top) From 4ba9bf3e5e2925c5c8595619e308fc940fe9b2fa Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Mon, 4 Nov 2019 19:42:40 +0000 Subject: [PATCH 07/29] Actualizar 'pp_draft.md' --- pp_draft.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pp_draft.md b/pp_draft.md index 272f0a0..8f3860d 100644 --- a/pp_draft.md +++ b/pp_draft.md @@ -36,7 +36,7 @@ fontcolor: '#FFF' - [4.9. Forum](#forum) - [4.10. Project Board](#project_board) - [4.11. Calls](#calls) - - [4.12. Diaspora*](#diaspora) + - [4.12. Social](#diaspora) - [4.13. GIT](#git) 
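Review bot: in the @@ -97,7 +97,7 @@ hunk of PATCH 05/29, the replacement "We do not collect any other data than what is needed to provide you the service." is less idiomatic than the line it replaces; "We do not collect any data other than what is needed to provide you the service." was correct, so suggest reverting, or using "We collect no data beyond what is needed to provide you the service."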
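Review bot: in the @@ -264,5 +264,9 @@ hunk of PATCH 06/29, the new line "Last update of this Privacy Policy:" is left without a date while the file header already carries "** v1.2 - October 2019**", so there are now two places to keep in sync; either fill in the date here or keep only one of the two. In the notification sentence, "via the forum, our social networks, and blog post" should be "and a blog post", and it is worth stating when changes take effect, since section 5 gives users rights (access, export, erasure) they may want to exercise before new terms apply.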
@@ -204,7 +204,7 @@ We store all data in our own servers located in the Netherlands. - No user data is permanently stored on the server. -## 4.12 - **Disroot Diaspora\* pod** (https://pod.disroot.org) +## 4.12 - **Disroot Social (Diaspora\* pod)** (https://pod.disroot.org) - Server logs which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - Due to the **federated** nature of the service, your public posts are shared/transfered to other independently operated servers in the network over which we have no control. - Private posts/messages are only sent to users on other servers if you intentionally interact with them. From 018ca5195cae88249a734e329a919daf7417db79 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Wed, 13 Nov 2019 18:46:10 +0000 Subject: [PATCH 08/29] Added Administrative data collection info --- pp_draft.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pp_draft.md b/pp_draft.md index 8f3860d..f5fe9af 100644 --- a/pp_draft.md +++ b/pp_draft.md 
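Review bot: the renamed heading is fine, but the unchanged context lines of this hunk (@@ -204,7) carry two errors worth fixing while the section is open: "shared/transfered" should be "shared/transferred", and "No backup of logfiles are created" should be "No backup of log files is created". The same log-retention sentence is repeated in every per-service notice, so a single search-and-replace across the file would cover all of them in one commit.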
@@ -70,8 +70,10 @@ In any case, is important to **note that sharing data with other services provid - Account creation requires a valid email address which is deleted from our database after the account has been approved/denied. - We require a username and password to identify the account holder and provide the services offered by **Disroot.org**. - Necessary information related to the operation and functioning of the services, which may include, for example, IP address, User Agent, etc. *More detailed information about this and how we handle it can be found in the [Per service privacy notices](#per_services).* +- When you make an online donation to **Disroot.org**, we only collect personal data such as, but not limited to, username (if any), country, transaction IDs or bank account/reference. The only purpose for which we use this data is administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "How do we store your data?" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully.* - All additional information you supply on any of the services provided by us is **optional**. +* (For more detailed information, please refer to the [Per service privacy notices](#per_services) section below) From b84f9b800399a26293cd47a9666eff3536c1e0df Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Wed, 13 Nov 2019 18:49:02 +0000 Subject: [PATCH 09/29] PP text updated --- pp_draft.md | 1 - 1 file changed, 1 deletion(-) diff --git a/pp_draft.md b/pp_draft.md index f5fe9af..db35c6e 100644 --- a/pp_draft.md +++ b/pp_draft.md 
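Review bot: the new donation bullet in this hunk (@@ -70,8) has a subject mismatch: "The only purpose for which we use this data is administrative (...) and is maintained under the same security measures" makes the purpose, not the data, the thing that is maintained. Split it: "The only purpose for which we use this data is administrative (...). This data is maintained under the same security measures described in the 'How do we store your data?' section." The phrase "we only collect personal data such as, but not limited to" contradicts itself ("only" against "not limited to"); since the list is open-ended, drop "only". The trailing "*" after "carefully." and the new line beginning "* (For more detailed information ..." are meant as a footnote marker and footnote, but in Markdown a line starting with "* " renders as a bullet, so the footnote becomes a list item and the marker stays a stray asterisk; use a plain parenthetical sentence, as the rest of the section already does.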
@@ -73,7 +73,6 @@ In any case, is important to **note that sharing data with other services provid - When you make an online donation to **Disroot.org**, we only collect personal data such as, but not limited to, username (if any), country, transaction IDs or bank account/reference. The only purpose for which we use this data is administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "How do we store your data?" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully.* - All additional information you supply on any of the services provided by us is **optional**. -* (For more detailed information, please refer to the [Per service privacy notices](#per_services) section below) From d5e0c04f63b5f66d57cb322d6f4379e4c685606c Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Wed, 13 Nov 2019 18:49:54 +0000 Subject: [PATCH 10/29] Update 'pp_draft.md' --- pp_draft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp_draft.md b/pp_draft.md index db35c6e..22f5ccf 100644 --- a/pp_draft.md +++ b/pp_draft.md 
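Review bot: removing the "* (For more detailed information ..." line in this hunk (@@ -73,7) leaves its footnote marker orphaned: the context line above still ends with "review those policies carefully.*". Drop that trailing asterisk in the same commit so the donation bullet does not render with a stray "*".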
@@ -70,7 +70,7 @@ In any case, is important to **note that sharing data with other services provid - Account creation requires a valid email address which is deleted from our database after the account has been approved/denied. - We require a username and password to identify the account holder and provide the services offered by **Disroot.org**. - Necessary information related to the operation and functioning of the services, which may include, for example, IP address, User Agent, etc. *More detailed information about this and how we handle it can be found in the [Per service privacy notices](#per_services).* -- When you make an online donation to **Disroot.org**, we only collect personal data such as, but not limited to, username (if any), country, transaction IDs or bank account/reference. The only purpose for which we use this data is administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "How do we store your data?" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully.* +- When you make an online donation to **Disroot.org**, we only collect personal data such as, but not limited to, username (if any), country, transaction IDs or bank account/reference. The only purpose for which we use this data is administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "How do we store your data?" section. 
Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully. - All additional information you supply on any of the services provided by us is **optional**. (For more detailed information, please refer to the [Per service privacy notices](#per_services) section below) From 7a4e3f17ea054c5322200f290efcee4ab9cd3e59 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Wed, 13 Nov 2019 19:43:38 +0000 Subject: [PATCH 11/29] Added calc and pads modifications to Pads privacy notes --- pp_draft.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp_draft.md b/pp_draft.md index 22f5ccf..5585c9d 100644 --- a/pp_draft.md +++ b/pp_draft.md @@ -166,7 +166,7 @@ We store all data in our own servers located in the Netherlands. - **No log data** (IP address, session cookie, etc) is stored on the server. - We do not collect any other personal data that can be linked to the pads. - Pad content is stored on the server in the database as is (plain-text). - - Untouched pads expire after 6 months and are then removed from the server. + - Untouched pads and calcs expire after 6 months and are then removed from the server. - Service does not require login or providing any personal data. From 01bd12737a8bb5f117e540d403f33d875ae4c37b Mon Sep 17 00:00:00 2001 From: fede Date: Sat, 1 Feb 2020 00:05:09 -0300 Subject: [PATCH 12/29] Privacy Statement draft updated --- privacy_policy.md | 378 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 349 insertions(+), 29 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 378bc19..b8a8841 100644 --- a/privacy_policy.md +++ b/privacy_policy.md 
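Review bot: in the patch 10 hunk (@@ -70,7) the orphaned asterisk is gone, which is the right fix, but the + line still says "we only collect personal data such as, but not limited to", which contradicts itself, and still attaches "is maintained under the same security measures" to "The only purpose" rather than to the data. Reword to: "we collect personal data such as, but not limited to, ... . We use this data for administrative purposes only (verification of regular donations, accounting management), and it is maintained under the same security measures described in the 'How do we store your data?' section." That quoted section title could also be a link like the other cross-references in the file. In the patch 11 hunk (@@ -166,7) "pads and calcs" is added to the expiry line; make sure the 4.6 section heading also names the calc service, so the reader knows the no-logging and 6-month-expiry statements cover both.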
@@ -1,62 +1,382 @@ --- -title: Privacy Policy +title: Privacy Statement bgcolor: '#1F5C60' fontcolor: '#FFF' --- -** v1.2 - October 2019** + +**Version 1.2 - February 2020**

+ # Table of Contents -!. What this Privacy policy covers? - - Definitions used on this Privacy Policy -1. What data do we collect? - - What do we do with your data? -2. What we do not do with your data - - How do we store your data? -3. Where the data is stored? -4. Per service detailed privacy notices -5. Your rights - - Access to your information -6. Changes on this Privacy Policy +#### [What is the scope of this Privacy Statement?](#coverage) + +#### [Definitions used on this Privacy Policy](#definitions) + + +#### 1. [What data do we collect?](#data_we_collect) +- 1.1. [What do we do with your data?](#what_we_do) +- 1.2. [How do we store your data?](#how_we_store) + +#### 2. [What we do not do with your data](#what_we_do_not) + +#### 3. [Where the data is stored?](#where_store) + +#### 4. [Detailed privacy notices per services](#per_service) +- [4.1. Email](#email) +- [4.2. Cloud](#cloud) +- [4.3. XMPP Chat](#chat) +- [4.4. Search](#searx) +- [4.5. Upload](#upload) +- [4.6. Pads](#pads) +- [4.7. Polls](#polls) +- [4.8. Bin](#bin) +- [4.9. Forum](#forum) +- [4.10. Project Board](#project_board) +- [4.11. Calls](#calls) +- [4.12. Social](#diaspora) +- [4.13. GIT](#git) + + +#### 5. [Your rights](#rights) +- [5.1. Access to your information](#access_information) + +#### 6. [Changes on this Privacy Policy](#changes) ---- -# What this Privacy Policy covers? -This privacy policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of the so-called federated services, and because of the very nature of the protocols they use (which has the ability to send messages, likes, share files, chat, among others features) some of the data is necessarily shared with other entities, therefore these interactions are out of this Privacy Policy's scope. 
In any case, is important to note that sharing data with other services providers is a user's choice and is configured by the users in their settings per service including the decision of with whom and what to share. + + +# What is the scope of this Privacy Statement? +This Privacy Policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement.
+It is important to note that **sharing data with other services providers is a user’s choice** (see [What data do we collect?](#data_we_collect)) and is configured by the users in their service settings, including the decision what to share and with whom. + + + +## Definitions used on this Privacy Statement + +- **GDPR**: General Data Protection Regulation, [EU 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1580499932731&uri=CELEX:32016R0679) + +- **Data**: According to the **GDPR**, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc.). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them. -## Definitions used on this Privacy Policy -- **Data**: According to the GDPR, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them. - **Services**: the set of differents softwares, protocols and standards used to exchange data between web applications. -- **GDPR**: General Data Protection Regulation (EU). + - **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**. + - **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org + - **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers. 
-- **Federated services**: Services that operates on the basis of so-called **Federation Protocols** which enables users signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Hubzilla** and **XMPP**. + +- **Disroot credentials**: they are the username and password created and used by the user to log in to the services provided by us. + +- **Federated services**: Services that operates on the basis of so-called **federation protocols** which enables users who signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Diaspora\***, **Hubzilla** and **XMPP**. + +[Back to top](#top) --- - + # 1. What data do we collect? +If a user chooses to use any of the services provided by us, the following data will be required and therefore collected by **Disroot.org**: -## What do we do with your data? +- A valid email address: required for account creation that is deleted from our database after the account has been approved/denied. +- An username and a password: required to identify the account holder and provide the services offered by **Disroot.org**. + +- Necessary information related to the operation and functioning of the services which may include, for example, IP address, User Agent, etc. *More detailed information about this and how we handle it can be found in the [Privacy notices per service](#per_services).* + +- When a user make an online donation to **Disroot.org**, we collect personal data such as, but not limited to, username (if any), country, transaction IDs or bank account/reference. The purpose for which we use this data is merely administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "[How do we store your data?](#how_we_store)" section. 
Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully. + +- Any other additional and **optional** information that the user chooses to provide in any of the services. + +(For more detailed information, please refer to the [Detailed privacy notices per service](#per_services) section below) + + + +## 1.1. What do we do with your data? + +- Our processing of your information is limited to providing the service. + +- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform. + +(Detailed information on [Privacy notices per service](#per_services) section) + + +## 1.2. How do we store your data? +To protect your data we use the following security measures: + +* a. We use disk encryption on all data to prevent data leak in case the servers are stolen, confiscated, or in any way physically tampered with. + +* b. We provide and require SSL/TLS encryption on all provided services. + +* c. We utilize “end to end” and/or “server-side” encryption whenever it is possible in software used to provide maximum security for the users. + +[Back to top](#top) + + # 2. What we do not do with your data -## How do we store your data? +- We do not collect any other data than what is needed to provide you the service. +- We do not, in any way, process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers. + +- We do not sell your data to any third party. 
+ +- We do not share your data to any third party unless in case of federated services which requires certain data to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). + +- We do not require any additional information that is not crucial for the operation of the service (we do not ask for phone numbers, private personal data, home address). + +- We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for providing the service, troubleshooting purposes or under suspicion of breaking our **Terms Of Services** in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. + + +[Back to top](#top) + + + # 3. Where the data is stored? +We store all data in our own servers, located in the Netherlands. -# 4. Per service detailed privacy notices +[Back to top](#top) + +# 4. Detailed privacy notices per service + + + +## 4.1 - **Disroot Email** (https://mail.disroot.org) + +- This service requires login with **Disroot** credentials. +- All emails, unless encrypted by the user (with GPG, for example) are stored unencrypted on our servers. + +- IP addresses of currently logged in users via IMAP/POP3 protocols are stored as long as the device is logged in the server *(per each device logged in)*. + +- Server logs, which store information such as, but not limited to, your username and your IP address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files are created. Logs are kept mainly to prevent *brute-force attacks* (a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually finding the right ones) on accounts as well as provide quick insight when debugging issues. 
+ +- Given that email works on a **federated** protocol, when interacting with email addresses hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. + + + +## 4.2 - **Disroot Cloud** (https://cloud.disroot.org) + +- This service requires login with **Disroot** credentials. + +- All files sent to the cloud are encrypted with a key-pair created based on the user password to add an extra level of security. Note, however, that the keys are stored on the server, which compromises the level of security to some degree (e.g.: if an attacker knows your password and obtain the encryption key-pair, can decrypt the data). However **no** "Master Key" does exist on our setup, which means the Admins cannot decrypt any file stored on the cloud without knowing user's password prior. + +- Except the files, everything else (calendars, contacts, news, tasks, bookmarks, etc.) is stored unencrypted in a database, unless an application provides external encryption (none so far). This is a limitation of the software we are utilizing for this service (Nextcloud). + +- Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + + + +## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) + +- This service requires login with **Disroot** credentials. + +- The roster (your XMPP contact list) is stored on the server's database. + +- Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. 
Additionally, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. + +- Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + +- Given that XMPP is a **federated** protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. + +- Files uploaded to the server are stored as is (plain-text or encrypted) for a period of 6 months. + + + +## 4.4 - **Disroot Search** (https://search.disroot.org) + +- This service does not require login or providing any personal data. + +- **No log data** (IP address, session cookie, etc.) is stored on the server. + +- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. + +- No search queries are saved on the server nor any personal information of our users is leaked to the other search engine. + + + +## 4.5 - **Disroot Upload** (https://upload.disroot.org) + +- This service does not require login or providing any personal data. + +- **No log data** (IP address, session cookie, etc.) is stored on the server. + +- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. + +- All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. + +- Files uploaded to the server are wiped based on the retention period set by the user upon upload. 
+ + + +## 4.6 - **Disroot Pads** (https://pad.disroot.org and https://calc.disroot.org) + +- This service does not require login or providing any personal data. + +- **No log data** (IP address, session cookie, etc.) is stored on the server. + +- We do not collect any other personal data that can be linked to the pads. + +- Pad content is stored on the server in the database as is (plain-text). + +- Untouched pads and calcs expire after 6 months and are then removed from the server. + + + +## 4.7 - **Disroot Polls** (https://poll.disroot.org) + +- This service does not require login or providing any personal data. + +- **No log data** (IP address, session cookie, etc.) is stored on the server. + +- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. + +- Poll data is stored on the server in the database as is (plain-text). + +- Expired polls are removed from the database according to the user setting during poll creation. + + + +## 4.8 - **Disroot Bin** (https://bin.disroot.org) + +- This service does not require login or providing any personal data. + +- **No log data** (IP address, session cookie, etc.) is stored on the server. + +- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. + +- All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. + +- Files uploaded to the server are wiped based on the retention period set by the user upon upload. + +- Comments and discussions under pastes are **end-to-end encrypted**. + + + +## 4.9 - **Disroot Forum** (https://forum.disroot.org) + +- This service requires to create separate account or use **Disroot** credentials to interact with discussions. + +- **No log data** (IP address, session cookie, etc.) 
is stored on the server. + +- Service does store your last used IP address in the database. + +- All forum data (groups, threads, posts, usernames, email addresses) is stored on the server in the database as is (plain-text). + + + +## 4.10 - **Disroot Project Board** (https://board.disroot.org) + +- This service requires login with **Disroot** credentials. + +- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + +- All board data (usernames, project data, email addresses) is stored on the server in the database as is (plain-text). + + + +## 4.11 - **Disroot Calls** (https://calls.disroot.org) + +- This service does not require login. + +- **No log data** (IP address, session cookie, etc.) is stored on the server. + +- No user data is permanently stored on the server. + + + +## 4.12 - **Disroot Social (Diaspora\* pod)** (https://pod.disroot.org) + +- This service requires to create a separate account. + +- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + +- This service works on **federated protocols** which means your public posts are shared/transfered to other independently operated servers in the network over which we have no control. + +- Private posts/messages are only sent to users on other servers if you intentionally interact with them. 
+ +- All pod data (usernames, email addresses, posts and messages, polls, contacts, photos and images) is stored on the server in the database as is (plain-text). + + + +## 4.13 - **Disroot GIT** (https://git.disroot.org) + +- This service requires to create a separate git account to interact with others. + +- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. + +- All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., is stored on the server in the database as is (plain-text). + + +[Back to top](#top) + + + # 5. Your rights -## Access to your information -Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible website. +Under the **GDPR** you have a number of rights with regard to your personal data: -**How to access and self-export your personal data**
-https://howto.disroot.org/en/tutorials/user/gdpr +* a. **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. -**To modify your personal data or delete your account**
-https://user.disroot.org +* b. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete*. +* c. **Right to erase** - The right to request delete or remove your Data from our servers. + +* d. **Right to restrict the use of your Data** - The right to restrict processing or limit the way we use your Data. + +* e. **Right to Data portability** - The right to move, copy or transfer your Data. + +* f. **Right to object** - The right to object to our use of your Data. + +\* *Your* **Disroot username** *and* **Disroot email address** *are integral part of your user account and cannot be modified*. + +You have the right to lodge a complain, make enquires, excercise any of the rights described above or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), by contacting us via email to: + +- **data.protection.officer@disroot.org** - Person responsible for this Privacy Statement + +- **info@disroot.org** - General contact information + +For the purposes of the **GDPR**, **Disroot.org** is the "data controller". This means that **Disroot** determines the purposes for which and the manner which your data is processed. + +If you are not satisfied with the way your Data is handled by us, or think its processing is not appropriate, you have the right to send a complaint to the **Information Commissioners’ Office**. + +**Dutch Data Protection Authority (Dutch DPA)** + +**Postal address**
+Autoriteit Persoonsgegevens
+PO Box 93374
+2509 AJ DEN HAAG
+
+**Phone:** (+31) - (0)70 - 888 85 00
+**Fax:** (+31) - (0)70 - 888 85 01
+ + + +## 5.1. Access to your information + +Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on our services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible website. + +#### To learn how to access and self-export your personal data + +* https://howto.disroot.org/en/tutorials/user/gdpr + +#### To modify your personal data or delete your account + +* https://user.disroot.org + + +[Back to top](#top) + + + # 6. Changes on this Privacy Policy + +From time to time we may need to update this Privacy Statement. If we decide to do so, all changes will be publicly available and will be communicated to all users via the forum, our social networks and blog post. We recommend that you regularly check for any changes on this Statement. + +#### Last update of this Privacy Statement: + + +
+ +[Back to top](#top) From 9fff29ad045677d5404de153a69f56d908818ea0 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sat, 1 Feb 2020 03:14:58 +0000 Subject: [PATCH 13/29] Outdated PP --- pp_draft.md | 273 ---------------------------------------------------- 1 file changed, 273 deletions(-) delete mode 100644 pp_draft.md diff --git a/pp_draft.md b/pp_draft.md deleted file mode 100644 index 5585c9d..0000000 --- a/pp_draft.md +++ /dev/null @@ -1,273 +0,0 @@ ---- -title: Privacy Policy -bgcolor: '#1F5C60' -fontcolor: '#FFF' ---- -** v1.2 - October 2019** -

- - -# Table of Contents - -!. [What this Privacy policy covers?](#coverage) - -- [Definitions used on this Privacy Policy](#definitions) - - -1. [What data do we collect?](#data_we_collect) - - 1.1. [What do we do with your data?](#what_we_do) - - 1.2. [How do we store your data?](#how_we_store) - - -2. [What we do not do with your data](#what_we_do_not) - -3. [Where the data is stored?](#where_store) - - -4. [Per service detailed privacy notices](#per_service) - - [4.1. Email](#email) - - [4.2. Cloud](#cloud) - - [4.3. XMPP Chat](#chat) - - [4.4. Search](#searx) - - [4.5. Upload](#upload) - - [4.6. Pads](#pads) - - [4.7. Polls](#polls) - - [4.8. Bin](#bin) - - [4.9. Forum](#forum) - - [4.10. Project Board](#project_board) - - [4.11. Calls](#calls) - - [4.12. Social](#diaspora) - - [4.13. GIT](#git) - - -5. [Your rights](#rights) - - [5.1. Access to your information](#access_information) - - -6. [Changes on this Privacy Policy](#changes) - ----- - -# What this Privacy Policy covers? -This Privacy Policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. In the specific case of the so-called federated services, and because of the very nature of the protocols they use (which has the ability to send messages, likes, share files, chat, among others features) some of the data is necessarily shared with other entities or transferred to them, therefore these interactions are out of this Privacy Policy's scope.
-In any case, is important to **note that sharing data with other services providers is a user's choice** and is configured by the users in their settings per service including the decision of with whom and what to share. - - -## Definitions used on this Privacy Policy -- **Data**: According to the **GDPR**, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them. -- **Services**: the set of differents softwares, protocols and standards used to exchange data between web applications. -- **GDPR**: General Data Protection Regulation (EU). -- **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**. -- **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org -- **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers. -- **Federated services**: Services that operates on the basis of so-called **federation protocols** which enables users signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Diaspora\***, **Hubzilla** and **XMPP**. - -[Back to top](#top) - ---- - -# 1. What data do we collect? -- Account creation requires a valid email address which is deleted from our database after the account has been approved/denied. -- We require a username and password to identify the account holder and provide the services offered by **Disroot.org**. -- Necessary information related to the operation and functioning of the services, which may include, for example, IP address, User Agent, etc. 
*More detailed information about this and how we handle it can be found in the [Per service privacy notices](#per_services).* -- When you make an online donation to **Disroot.org**, we only collect personal data such as, but not limited to, username (if any), country, transaction IDs or bank account/reference. The only purpose for which we use this data is administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "How do we store your data?" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully. -- All additional information you supply on any of the services provided by us is **optional**. - -(For more detailed information, please refer to the [Per service privacy notices](#per_services) section below) - - -## 1.1. What do we do with your data? - -- Our processing of your information is limited to storing it for you to use. -- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform. - -(Detailed information on [Per service privacy notices](#per_services) section) - - -## 1.2. How do we store your data? -To protect your data we use the following security measures: - -* a. We use disk encryption on all data to prevent data leak in case the servers are stolen, confiscated, or in any way physically tampered with. - -* b. We provide and require SSL/TLS encryption on all provided services. - -* c. We utilise “end to end” and/or “server-side” encryption whenever it is possible in software used to provide maximum security for the users. 
- -[Back to top](#top) - - -# 2. What we do not do with your data - -- We do not collect any other data than what is needed to provide you the service. - -- We do not in any way process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers. - -- We do not sell your data to third party. - -- We do not share your data to third party unless in case of federated services which requires certain data to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). - -- We do not require any additional information that is not crucial for the operation of the service (we do not ask for phone numbers, private personal data, home address). - -- We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for troubleshooting purposes, or under suspicion of breaking **Terms Of Services** in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. - - -[Back to top](#top) - - -# 3. Where the data is stored? -We store all data in our own servers located in the Netherlands. - -[Back to top](#top) - - -# 4. Per service detailed privacy notices - - -## 4.1 - **Email Service** (https://mail.disroot.org) - - All emails, unless encrypted by the user (with GPG for example) are stored unencrypted on our servers. - - IP addresses of currently logged in users via IMAP/POP3 protocol are stored as long as the device is logged in to the server *(per each device logged in)*. - - Server logs which store information such as, but not limited to, your username and your IP Address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. 
Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - - Given the email is a **federated** protocol, when interacting with email addresses hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. - - Service requires login with Disroot credentials. - - -## 4.2 - **Disroot Cloud** (https://cloud.disroot.org) - - All files sent to the cloud are encrypted with a key-pair created based on the user password, to add an extra level of security. Note however that the keys are stored on the server, which compromises the level of security to some degree (e.g.: once an attacker knows your password and obtained the encryption key-pair, can decrypt the data). However **no** "Master Key" does exist on our setup, which means the Admins cannot decrypt any files stored on the cloud without knowing user's password prior. - - Everything else except for files (calendars, contacts, news, tasks, bookmarks, etc) is stored unencrypted in a database, unless an app provides external encryption (none so far). This is a disadvantaged restriction of the software we are utilizing for this service (Nextcloud). - - Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - - Service requires login with Disroot credentials. - - -## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) - - Roster (your XMPP contact list) is stored on the server's database. 
- - Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. - - Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - - Given the XMPP is a **federated** chat protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. - - Files uploaded to the server are stored as is for a period of 6 months. - - Service requires login with Disroot credentials. - - -## 4.4 - **Disroot Search** (https://search.disroot.org) - - **No log data** (IP address, session cookie, etc) is stored on the server. - - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. - - No search queries are saved on the server nor any personal information of our users is leaked to the other search engine. - - Service does not require login or providing any personal data. - - -## 4.5 - **Disroot Upload** (https://upload.disroot.org) - - **No log data** (IP address, session cookie, etc) is stored on the server. - - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. - - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. 
- - Files uploaded to the server are wiped based on the retention period set by user upon upload. - - Service does not require login or providing any personal data. - - -## 4.6 - **Disroot Pads** (https://pad.disroot.org and https://calc.disroot.org) - - **No log data** (IP address, session cookie, etc) is stored on the server. - - We do not collect any other personal data that can be linked to the pads. - - Pad content is stored on the server in the database as is (plain-text). - - Untouched pads and calcs expire after 6 months and are then removed from the server. - - Service does not require login or providing any personal data. - - -## 4.7 - **Disroot Polls** (https://poll.disroot.org) - - **No log data** (IP address, session cookie, etc) is stored on the server. - - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. - - Poll data is stored on the server in the database as is (plain-text). - - Expired polls (depending on user setting during poll creation) are removed from the database. - - Service does not require login or providing any personal data. - - -## 4.8 - **Disroot Bin** (https://bin.disroot.org) - - **No log data** (IP address, session cookie, etc) is stored on the server. - - The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled only for duration of the problem fixing time and are purged immediately after. - - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. - - Files uploaded to the server are wiped based on the retention period set by user upon upload. - - Comments and discussions under pastes are **end-to-end encrypted**. - - Service does not require login or providing any personal data. 
- - -## 4.9 - **Disroot Forum** (https://forum.disroot.org) - - **No log data** (IP address, session cookie, etc) is stored on the server. - - Service does store your last used IP address in the database. - - All forum data (groups, threads, posts, usernames, email addresses) is stored on the server in the database as is (plain-text). - - Service requires you to create separate forum only account or use Disroot credentials to interact with discussions. - - -## 4.10 - **Disroot Project Board** (https://board.disroot.org) - - Server logs which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - - All board data (usernames, project data, email addresses) is stored on the server in the database as is (plain-text). - - Service requires login with Disroot credentials. - - -## 4.11 - **Disroot Calls** (https://calls.disroot.org) - - **No log data** (IP address, session cookie, etc) is stored on the server. - - No user data is permanently stored on the server. - - -## 4.12 - **Disroot Social (Diaspora\* pod)** (https://pod.disroot.org) - - Server logs which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - - Due to the **federated** nature of the service, your public posts are shared/transfered to other independently operated servers in the network over which we have no control. - - Private posts/messages are only sent to users on other servers if you intentionally interact with them. 
- - All pod data (usernames, email addresses, posts and messages,polls, contacts, photos and images) is stored on the server in the database as is (plain-text). - - -## 4.13 - **Disroot GIT** (https://git.disroot.org) - - Server logs which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. - - All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull request data is stored on the server in the database as is (plain-text). - - Service requires you to create separate git only account to interact with others. - -[Back to top](#top) - - -# 5. Your rights -Under the **GDPR** you have a number of rights with regard to your personal data: - -* a. **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. -* b. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete whenever it possible*. -* c. **Right to erase** - The right to request delete or remove your Data from our servers. -* d. **Right to restrict the use of your Data** - The right to restrict processing or limit the way we use your Data. -* e. **Right to Data portability** - The right to move, copy or transfer your Data. -* f. **Right to object** - The right to object to our use of your Data. - -\* *This not applies to* **username** *and* **email address** *as they are integral part of your user account and cannot be modified*. 
- -To make enquires, excercise any of the rights described above or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via email to: - -- **data.protection.officer@disroot.org** - Person responsible for this Privacy Policy -- **info@disroot.org** - General contact information - -For the purposes of the **GDPR**, **Disroot.org** is the "data controller". This means that **Disroot** determines the purposes for which and the manner which your data is processed. - -If you are not satisfied with the way a compliant you make regarding to how your Data is handled by us, you have the right to send a complaint to the **Information Commissioners’ Office**. - -**Dutch Data Protection Authority (Dutch DPA)** - -**Postal address**
-Autoriteit Persoonsgegevens
-PO Box 93374
-2509 AJ DEN HAAG
-
-**Phone:** (+31) - (0)70 - 888 85 00
-**Fax:** (+31) - (0)70 - 888 85 01
- - -## 5.1. Access to your information -Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible website. - -**How to access and self-export your personal data**
-https://howto.disroot.org/en/tutorials/user/gdpr - -**To modify your personal data or delete your account**
-https://user.disroot.org - -[Back to top](#top) - - -# 6. Changes on this Privacy Policy -From time to time we may need to update this Privacy Policy. If we decide to do so, all changes will be publicly available and will be communicated to all users via the forum, our social networks, and blog post. We recommend that you regularly check for any changes on this policy. - -Last update of this Privacy Policy: - - -[Back to top](#top) From f4d6903f4ba7974a0810f75ae3657e4058988499 Mon Sep 17 00:00:00 2001 From: fede Date: Wed, 5 Feb 2020 12:50:54 -0300 Subject: [PATCH 14/29] Update on Privacy Statement Draft --- privacy_policy.md | 116 +++++++++++++++++++++++++--------------------- 1 file changed, 62 insertions(+), 54 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index b8a8841..7ef75de 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -10,20 +10,21 @@ fontcolor: '#FFF' # Table of Contents -#### [What is the scope of this Privacy Statement?](#coverage) +### [Definitions used on this Privacy Policy](#definitions) -#### [Definitions used on this Privacy Policy](#definitions) +### [The Data covered by this Privacy Statement](#coverage) -#### 1. [What data do we collect?](#data_we_collect) + +### 1. [What data do we collect?](#data_we_collect) - 1.1. [What do we do with your data?](#what_we_do) - 1.2. [How do we store your data?](#how_we_store) -#### 2. [What we do not do with your data](#what_we_do_not) +### 2. [What we do not do with your data](#what_we_do_not) -#### 3. [Where the data is stored?](#where_store) +### 3. [Where the data is stored?](#where_store) -#### 4. [Detailed privacy notices per services](#per_service) +### 4. [Detailed privacy notices per services](#per_service) - [4.1. Email](#email) - [4.2. Cloud](#cloud) - [4.3. XMPP Chat](#chat) 
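Review bot: on PATCH 13/29, deleting pp_draft.md removes the only copy visible in this series of sections 5, 5.1 and 6 (the data.protection.officer@ and info@ contacts, the Dutch DPA postal address and phone numbers, and the self-export links https://howto.disroot.org/en/tutorials/user/gdpr and https://user.disroot.org), while the follow-up PATCH 14/29 only shows privacy_policy.md up to the cloud notice in 4.2. Please confirm those sections are present in privacy_policy.md before this lands, and have the commit message name the file that supersedes the draft instead of only "Outdated PP".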
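Review bot: in the table-of-contents hunk (@@ -10,20 +10,21 @@ of PATCH 14/29) the entry `### 4. [Detailed privacy notices per services](#per_service)` links to `#per_service`, but every cross-reference in the body of this patch (the "More detailed information about this ... [Privacy notices per service](#per_services)" line and the "(For more detailed information, please refer to the ... (#per_services) section below)" line) points at `#per_services`, so one side is a dead anchor; settle on one spelling. Same hunk: `### [Definitions used on this Privacy Policy](#definitions)` still says "Privacy Policy" although the heading it links to was renamed "Definitions used on this Privacy Statement" and item 6 became "Changes on this Privacy Statement" in the next hunk; rename the entry for consistency.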
@@ -39,38 +40,39 @@ fontcolor: '#FFF' - [4.13. GIT](#git) -#### 5. [Your rights](#rights) +### 5. [Your rights](#rights) - [5.1. Access to your information](#access_information) -#### 6. [Changes on this Privacy Policy](#changes) +### 6. [Changes on this Privacy Statement](#changes) ---- - - -# What is the scope of this Privacy Statement? -This Privacy Policy applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement.
-It is important to note that **sharing data with other services providers is a user’s choice** (see [What data do we collect?](#data_we_collect)) and is configured by the users in their service settings, including the decision what to share and with whom. - - ## Definitions used on this Privacy Statement - **GDPR**: General Data Protection Regulation, [EU 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1580499932731&uri=CELEX:32016R0679) -- **Data**: According to the **GDPR**, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc.). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submit on any of them. +- **Data**: According to the **GDPR**, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc.). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submits on any of them. -- **Services**: the set of differents softwares, protocols and standards used to exchange data between web applications. +- **Services**: the set of different softwares, protocols and standards used to exchange data between web applications. - **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**. - **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org -- **Platform**: is the set of services provided by **Disroot.org** and that are hosted on our servers. 
+- **Platform**: the set of services provided by **Disroot.org** and that are hosted on our servers. - **Disroot credentials**: they are the username and password created and used by the user to log in to the services provided by us. -- **Federated services**: Services that operates on the basis of so-called **federation protocols** which enables users who signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Diaspora\***, **Hubzilla** and **XMPP**. +- **Federated services**: services that operate on the basis of so-called **federation protocols** which enable users who signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Diaspora\***, **Hubzilla** and **XMPP**. + +- **Brute-force attack**: is a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually find the right ones. + + + +## The Data covered by this Privacy Statement +This **Privacy Statement** applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement.
+It is important to note that **sharing data with other services providers is a user’s choice** (see [1. What data do we collect?](#data_we_collect)) and is configured by the users in their services settings, including the decision what to share and with whom. [Back to top](#top) @@ -79,15 +81,15 @@ It is important to note that **sharing data with other services providers is a u # 1. What data do we collect? If a user chooses to use any of the services provided by us, the following data will be required and therefore collected by **Disroot.org**: -- A valid email address: required for account creation that is deleted from our database after the account has been approved/denied. +- A valid email address: required for account creation. This email address is deleted from our database after the account has been approved/denied, unless the user chooses during the registration process, to keep it for password reset process. - An username and a password: required to identify the account holder and provide the services offered by **Disroot.org**. -- Necessary information related to the operation and functioning of the services which may include, for example, IP address, User Agent, etc. *More detailed information about this and how we handle it can be found in the [Privacy notices per service](#per_services).* +- Necessary information related to the operation and functioning of the services which may include, for example, IP address, User Agent, etc.
*More detailed information about this and how we handle it can be found in the [Privacy notices per service](#per_services).* -- When a user make an online donation to **Disroot.org**, we collect personal data such as, but not limited to, username (if any), country, transaction IDs or bank account/reference. The purpose for which we use this data is merely administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "[How do we store your data?](#how_we_store)" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully. +- When a user makes an online donation to **Disroot.org**, we collect personal data such as, but not limited to, username (if any), country (in case of extra storage request for tax purposes), transaction IDs or bank account/reference. The purpose for which we use this data is merely administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "[How do we store your data?](#how_we_store)" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully. -- Any other additional and **optional** information that the user chooses to provide in any of the services. +- Any additional information that the user chooses to supply while using the services provided by us (whether it is chats, posts, emails, etc.). This additional information is optional and with the user's consent. 
(For more detailed information, please refer to the [Detailed privacy notices per service](#per_services) section below) @@ -97,19 +99,20 @@ If a user chooses to use any of the services provided by us, the following data - Our processing of your information is limited to providing the service. -- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform. +- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion and monitor the health of the platform. (Detailed information on [Privacy notices per service](#per_services) section) + ## 1.2. How do we store your data? To protect your data we use the following security measures: -* a. We use disk encryption on all data to prevent data leak in case the servers are stolen, confiscated, or in any way physically tampered with. +* a. We use disk encryption on all servers to prevent data leak in case the servers are stolen, confiscated or in any way physically tampered with. -* b. We provide and require SSL/TLS encryption on all provided services. +* b. We provide and require SSL/TLS encryption on all "user-to-server" and "server-to-server" communications on all provided services. -* c. We utilize “end to end” and/or “server-side” encryption whenever it is possible in software used to provide maximum security for the users. +* c. We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. [Back to top](#top) 
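Review bot: in the definitions hunk (@@ -39,38 +40,39 @@) the new entry `- **Brute-force attack**: is a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually find the right ones.` labels it a cryptographic attack, but the only place the policy uses the term is the per-service log notices, where it means repeated login attempts against accounts; suggest "an attack that consists of repeatedly submitting guessed passwords to a login, hoping to eventually find the right one", and drop the leading "is" so the entry reads like the others. Also "services providers" should be "service providers" in both the Federated services entry and the scope paragraph that this hunk moves.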
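Review bot: in the data-collection hunk (@@ -79,15 +81,15 @@) the rewritten email-address line says the address is kept when the user opts in "for password reset process" but gives no retention period and no way to remove it later, unlike every other retained item in this policy; state how long it is kept and where the user can delete it. Minor: the unchanged context line `- An username and a password:` should read "A username", and "unless the user chooses during the registration process, to keep it" has a stray comma before "to keep".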
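Review bot: in the storage-measures hunk (@@ -97,19 +99,20 @@) item b now reads `* b. We provide and require SSL/TLS encryption on all "user-to-server" and "server-to-server" communications on all provided services.`; "require" on server-to-server links promises more than the rest of the policy supports, because the email and XMPP notices say data is sent to third-party servers "over which we have no control", and such peers cannot be forced to negotiate TLS. Suggest "provide, and where the protocol allows it require, TLS encryption", and drop "SSL", which names a deprecated protocol. Also "24hs" in the 1.1 line is non-standard; "24 hours" matches the wording of the per-service notices.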
@@ -118,11 +121,11 @@ To protect your data we use the following security measures: - We do not collect any other data than what is needed to provide you the service. -- We do not, in any way, process, analyze your behavior or personal characteristics (profiling). We have no advertisements or business relationships with advertisers. +- We do not, in any way, process, analyze your behavior or personal characteristics to create profiles about you or your usage of the services. We have no advertisements or business relationships with advertisers. - We do not sell your data to any third party. -- We do not share your data to any third party unless in case of federated services which requires certain data to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). +- We do not share your data to any third party unless in case of federated services which requires certain data to be shared in order to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). - We do not require any additional information that is not crucial for the operation of the service (we do not ask for phone numbers, private personal data, home address). @@ -134,7 +137,7 @@ To protect your data we use the following security measures: # 3. Where the data is stored? -We store all data in our own servers, located in the Netherlands. +We store all data in **our own servers**, located in a data center in the **Netherlands**. [Back to top](#top) 
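Review bot: in the what-we-do-not-do hunk (@@ -118,11 +121,11 @@) the rewritten line `- We do not share your data to any third party unless in case of federated services which requires certain data to be shared in order to operate` keeps two grammar slips the edit did not touch: "share ... with any third party", and "which require" (plural, agreeing with "services").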
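Review bot: in the storage-location hunk (@@ -134,7 +137,7 @@) the line now says the servers are `located in a data center in the **Netherlands**`; since item 1.2.a relies on disk encryption for the "stolen, confiscated or in any way physically tampered with" case, readers will want to know whether a third-party facility operator has physical access and, if so, whether it is treated as a processor under the GDPR. Consider one sentence on who operates the facility and what access they have.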
@@ -146,13 +149,14 @@ We store all data in our own servers, located in the Netherlands. ## 4.1 - **Disroot Email** (https://mail.disroot.org) - This service requires login with **Disroot** credentials. -- All emails, unless encrypted by the user (with GPG, for example) are stored unencrypted on our servers. + +- All emails, unless encrypted by the user (with GnuPG/PGP, for example) are stored unencrypted on our servers. - IP addresses of currently logged in users via IMAP/POP3 protocols are stored as long as the device is logged in the server *(per each device logged in)*. -- Server logs, which store information such as, but not limited to, your username and your IP address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files are created. Logs are kept mainly to prevent *brute-force attacks* (a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually finding the right ones) on accounts as well as provide quick insight when debugging issues. +- Server logs, which store information such as, but not limited to, your username and your IP address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent *brute-force attacks* on accounts and to provide quick insight when debugging issues. -- Given that email works on a **federated** protocol, when interacting with email addresses hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. +- Given that email works on a **federated** protocol, when interacting with email addresses hosted on third party servers (eg. 
Gmail.com, Posteo.org), data is sent to other independently operated and owned servers in the network over which we have no control. 
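Review bot: "Logs are kept to prevent brute-force attacks on accounts" overstates what a log does; a log can only help detect and block such attempts, so "to detect and block brute-force attacks" would be accurate (the same sentence is repeated in every per-service hunk, so one fix should be applied to all of them). The abbreviation in the federated bullet should be "e.g." rather than "eg.", and the empty "+" line inserted before the "All emails" bullet breaks the spacing used by the rest of the list.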
@@ -160,11 +164,11 @@ We store all data in our own servers, located in the Netherlands. - This service requires login with **Disroot** credentials. -- All files sent to the cloud are encrypted with a key-pair created based on the user password to add an extra level of security. Note, however, that the keys are stored on the server, which compromises the level of security to some degree (e.g.: if an attacker knows your password and obtain the encryption key-pair, can decrypt the data). However **no** "Master Key" does exist on our setup, which means the Admins cannot decrypt any file stored on the cloud without knowing user's password prior. +- All files sent to the cloud are encrypted with a key-pair created based on the user password to add an extra level of security. Note, however, that the keys are stored on the server, which compromises the level of security to some degree (e.g.: if an attacker knows your password and obtain the encryption key-pair, can decrypt the data). However, **no** "Master Key" does exist on our setup, which means the Admins cannot decrypt any file stored on the cloud without knowing user's password prior. -- Except the files, everything else (calendars, contacts, news, tasks, bookmarks, etc.) is stored unencrypted in a database, unless an application provides external encryption (none so far). This is a limitation of the software we are utilizing for this service (Nextcloud). +- Excluding the files, everything else (calendars, contacts, news, tasks, bookmarks, etc.) is stored unencrypted in a database, unless an application provides external encryption (none so far). This is a limitation of the software we are utilizing for this service (Nextcloud). -- Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files are created. 
Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. +- Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. 
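Review bot: the cloud encryption bullet carries a broken sentence over into the "+" line: "if an attacker knows your password and obtain the encryption key-pair, can decrypt the data" needs "obtains" and a subject ("they can decrypt the data"), and "without knowing user's password prior" should be "without knowing the user's password beforehand". Since this is the one place the statement admits that the keys are stored on the server next to the data, it is worth saying plainly what the protection covers: an attacker with server access alone cannot read the files, whereas one who also knows the user's password can.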
@@ -174,9 +178,9 @@ We store all data in our own servers, located in the Netherlands. - The roster (your XMPP contact list) is stored on the server's database. -- Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. +- Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. You can decide to not have any history stored on the server per chat. -- Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. +- Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - Given that XMPP is a **federated** protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. 
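Review bot: the added sentence "You can decide to not have any history stored on the server per chat" describes the same per-chatroom setting as "if specified by user on per chatroom basis" earlier in the bullet, and together they leave the default unclear: is history kept for 6 months unless the user turns it off, or only when the user turns it on? State the default in one sentence and drop the other.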
@@ -190,9 +194,9 @@ We store all data in our own servers, located in the Netherlands. - **No log data** (IP address, session cookie, etc.) is stored on the server. -- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. +- Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. -- No search queries are saved on the server nor any personal information of our users is leaked to the other search engine. +- Personal information of our users is never leaked to the other search engines. @@ -202,7 +206,7 @@ We store all data in our own servers, located in the Netherlands. - **No log data** (IP address, session cookie, etc.) is stored on the server. -- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. +- Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. @@ -230,7 +234,7 @@ We store all data in our own servers, located in the Netherlands. - **No log data** (IP address, session cookie, etc.) is stored on the server. -- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. +- Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. - Poll data is stored on the server in the database as is (plain-text). 
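Review bot: the search hunk removes the guarantee "No search queries are saved on the server" and keeps only the statement about not leaking personal information to other search engines. Whether queries are stored is the thing a user of a metasearch service most wants to know, and the remaining bullets (no log data, logs only when troubleshooting) do not cover it; if queries are still not stored, keep the sentence, and if they are, say for how long. In the same three hunks "Logs may be enabled occasionally in case of troubleshooting" reads as routine rather than exceptional logging; "Logs are enabled only while a problem is being investigated and are purged immediately after" keeps the original meaning.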
@@ -244,7 +248,7 @@ We store all data in our own servers, located in the Netherlands. - **No log data** (IP address, session cookie, etc.) is stored on the server. -- The only situation where logs can be enabled is in case of troubleshooting. Logs are then enabled for duration of the problem fixing time and are purged immediately after. +- Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. @@ -260,9 +264,9 @@ We store all data in our own servers, located in the Netherlands. - **No log data** (IP address, session cookie, etc.) is stored on the server. -- Service does store your last used IP address in the database. +- The forum software stores your last used IP address in the database. -- All forum data (groups, threads, posts, usernames, email addresses) is stored on the server in the database as is (plain-text). +- All forum data (groups, threads, posts, usernames, email addresses) are stored on the server in the database as is (plain-text). 
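Review bot: in the forum hunk "The forum software stores your last used IP address in the database" directly follows "No log data (IP address, session cookie, etc.) is stored on the server", which reads as a contradiction; reword the first bullet to say that no server logs are kept, so the distinction between logs and the application database is explicit. The change from "data ... is stored" to "data ... are stored" (repeated in the pod and git hunks further down) also makes the document inconsistent with "Poll data is stored", "Pad content is stored" and "All board data ... is stored" in the unchanged lines; pick one form and use it throughout.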
@@ -270,7 +274,7 @@ We store all data in our own servers, located in the Netherlands. - This service requires login with **Disroot** credentials. -- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. +- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - All board data (usernames, project data, email addresses) is stored on the server in the database as is (plain-text). 
@@ -290,13 +294,13 @@ We store all data in our own servers, located in the Netherlands. - This service requires to create a separate account. -- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. +- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - This service works on **federated protocols** which means your public posts are shared/transfered to other independently operated servers in the network over which we have no control. -- Private posts/messages are only sent to users on other servers if you intentionally interact with them. +- Private posts/messages are sent to users on other servers only if you intentionally choose to interact with them. -- All pod data (usernames, email addresses, posts and messages, polls, contacts, photos and images) is stored on the server in the database as is (plain-text). +- All pod data (usernames, email addresses, posts and messages, polls, contacts, photos and images) are stored on the server in the database as is (plain-text). 
@@ -304,9 +308,9 @@ We store all data in our own servers, located in the Netherlands. - This service requires to create a separate git account to interact with others. -- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of logfiles are created. Logs are kept mainly to prevent brute-force attacks on accounts as well as provide quick insight when debugging issues. +- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. -- All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., is stored on the server in the database as is (plain-text). +- All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text). [Back to top](#top) @@ -329,7 +333,8 @@ Under the **GDPR** you have a number of rights with regard to your personal data * f. **Right to object** - The right to object to our use of your Data. -\* *Your* **Disroot username** *and* **Disroot email address** *are integral part of your user account and cannot be modified*. +\* *Your* **Disroot username** *and* **Disroot email address** *are integral part of your user account and cannot be modified.
+Usernames remain in the database, even after erasure request, to prevent old usernames being re-used by new users, compromising the privacy of both and enabling possible identity theft. For that reason, usernames of accounts that have been deleted remain in the database to avoid being reused. However, all the linked personal information is deleted permanently.* You have the right to lodge a complain, make enquires, excercise any of the rights described above or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), by contacting us via email to: @@ -339,6 +344,9 @@ You have the right to lodge a complain, make enquires, excercise any of the righ For the purposes of the **GDPR**, **Disroot.org** is the "data controller". This means that **Disroot** determines the purposes for which and the manner which your data is processed. +**Stichting Disroot.org**:
+Dutch Chamber of Commerce (KVK) number: 69988099 + If you are not satisfied with the way your Data is handled by us, or think its processing is not appropriate, you have the right to send a complaint to the **Information Commissioners’ Office**. **Dutch Data Protection Authority (Dutch DPA)** @@ -355,7 +363,7 @@ PO Box 93374
## 5.1. Access to your information -Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on our services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible website. +Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on our services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible service. #### To learn how to access and self-export your personal data @@ -370,7 +378,7 @@ Access to your personal data, stored files and other information you provide to -# 6. Changes on this Privacy Policy +# 6. Changes on this Privacy Statement From time to time we may need to update this Privacy Statement. If we decide to do so, all changes will be publicly available and will be communicated to all users via the forum, our social networks and blog post. We recommend that you regularly check for any changes on this Statement. From 794c86eb3e658745f2941f750afbc0388fc86103 Mon Sep 17 00:00:00 2001 From: fede Date: Sun, 9 Feb 2020 16:10:57 -0300 Subject: [PATCH 15/29] Added link to changes' history. --- privacy_policy.md | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 7ef75de..c3c8e4a 100644 --- a/privacy_policy.md +++ b/privacy_policy.md 
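Review bot: the username-retention footnote in the rights hunk says the same thing twice ("Usernames remain in the database, even after erasure request ..." and "For that reason, usernames of accounts that have been deleted remain in the database to avoid being reused"); one sentence is enough, and because it is a carve-out from the right to erasure listed just above, it should be tied to that right explicitly. The surrounding context lines contain "complain", "enquires" and "excercise" (complaint, enquiries, exercise), and "send a complaint to the Information Commissioners' Office" names the UK regulator while the address that follows is the Dutch Data Protection Authority; the sentence should name the Dutch DPA.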
@@ -99,7 +99,7 @@ If a user chooses to use any of the services provided by us, the following data - Our processing of your information is limited to providing the service. -- We store logs of your activity for a period no longer than 24hs (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion and monitor the health of the platform. +- We store logs of your activity for a period no longer than 24 hours (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion and monitor the health of the platform. (Detailed information on [Privacy notices per service](#per_services) section) 
@@ -154,7 +154,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - IP addresses of currently logged in users via IMAP/POP3 protocols are stored as long as the device is logged in the server *(per each device logged in)*. -- Server logs, which store information such as, but not limited to, your username and your IP address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent *brute-force attacks* on accounts and to provide quick insight when debugging issues. +- Server logs, which store information such as, but not limited to, your username and your IP address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - Given that email works on a **federated** protocol, when interacting with email addresses hosted on third party servers (eg. Gmail.com, Posteo.org), data is sent to other independently operated and owned servers in the network over which we have no control. 
@@ -178,13 +178,13 @@ We store all data in **our own servers**, located in a data center in the **Neth - The roster (your XMPP contact list) is stored on the server's database. -- Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if specified by user on per chatroom basis, is stored on the server for a period of 6 months. You can decide to not have any history stored on the server per chat. +- Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if not specified by the user on per chatroom basis, is stored on the server for a period of three months. You can decide to not have any history stored on the server per chat. - Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - Given that XMPP is a **federated** protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. -- Files uploaded to the server are stored as is (plain-text or encrypted) for a period of 6 months. +- Files uploaded to the server are stored as is (plain-text or encrypted) for a period of three months. 
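Review bot: changing "if specified by user" to "if not specified by the user" reverses the default: history is now kept for three months unless the user opts out per chatroom, whereas before it was kept only on request. If that is the intended behaviour, say it directly ("Chat history is kept on the server for three months unless you disable it for a chatroom"), because "if not specified by the user on per chatroom basis" is hard to parse, and the commit message ("Added link to changes' history.") does not mention a retention change at all, nor the change of the upload retention period from 6 months to three.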
@@ -224,7 +224,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Pad content is stored on the server in the database as is (plain-text). -- Untouched pads and calcs expire after 6 months and are then removed from the server. +- Untouched pads and calcs expire after six months and are then removed from the server. @@ -323,7 +323,7 @@ Under the **GDPR** you have a number of rights with regard to your personal data * a. **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. -* b. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete*. +* b. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete.* * c. **Right to erase** - The right to request delete or remove your Data from our servers. @@ -333,20 +333,23 @@ Under the **GDPR** you have a number of rights with regard to your personal data * f. **Right to object** - The right to object to our use of your Data. + \* *Your* **Disroot username** *and* **Disroot email address** *are integral part of your user account and cannot be modified.
Usernames remain in the database, even after erasure request, to prevent old usernames being re-used by new users, compromising the privacy of both and enabling possible identity theft. For that reason, usernames of accounts that have been deleted remain in the database to avoid being reused. However, all the linked personal information is deleted permanently.* + You have the right to lodge a complain, make enquires, excercise any of the rights described above or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), by contacting us via email to: - **data.protection.officer@disroot.org** - Person responsible for this Privacy Statement -- **info@disroot.org** - General contact information +- **info@disroot.org** - General information contact For the purposes of the **GDPR**, **Disroot.org** is the "data controller". This means that **Disroot** determines the purposes for which and the manner which your data is processed. **Stichting Disroot.org**:
Dutch Chamber of Commerce (KVK) number: 69988099 + If you are not satisfied with the way your Data is handled by us, or think its processing is not appropriate, you have the right to send a complaint to the **Information Commissioners’ Office**. **Dutch Data Protection Authority (Dutch DPA)** @@ -381,9 +384,13 @@ Access to your personal data, stored files and other information you provide to # 6. Changes on this Privacy Statement From time to time we may need to update this Privacy Statement. If we decide to do so, all changes will be publicly available and will be communicated to all users via the forum, our social networks and blog post. We recommend that you regularly check for any changes on this Statement. +
+ +You can follow the history of changes on this document on our git repository [**here**](https://git.disroot.org/Disroot/Disroot-Privacy-Policy/commits/branch/master) #### Last update of this Privacy Statement: +- February 6th, 2020
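Review bot: the new "Last update" line says February 6th, 2020 while this commit is dated February 9th, 2020; the date should match the change it records (the following commit exists only to correct it). The link text "here" for the change history carries no meaning on its own; linking the words "history of changes" instead would read better. Moving the asterisk to the end of "incomplete.*" now closes the italic footnote correctly, which is good.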
From 954ddf03d0753efca6872b794607c801bda99cd1 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Sun, 9 Feb 2020 19:15:32 +0000 Subject: [PATCH 16/29] Fixed last update date --- privacy_policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privacy_policy.md b/privacy_policy.md index c3c8e4a..50f2a6a 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -390,7 +390,7 @@ You can follow the history of changes on this document on our git repository [** #### Last update of this Privacy Statement: -- February 6th, 2020 +- February 9th, 2020
From aacd7505c24a4b09975356d50598b044135af60b Mon Sep 17 00:00:00 2001 From: fede Date: Mon, 10 Feb 2020 15:16:32 -0300 Subject: [PATCH 17/29] - Added notice about translations - Modified the Changes section text --- privacy_policy.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 50f2a6a..ef486fa 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -10,12 +10,13 @@ fontcolor: '#FFF' # Table of Contents +### [About this document](#about) + ### [Definitions used on this Privacy Policy](#definitions) ### [The Data covered by this Privacy Statement](#coverage) - ### 1. [What data do we collect?](#data_we_collect) - 1.1. [What do we do with your data?](#what_we_do) - 1.2. [How do we store your data?](#how_we_store) @@ -47,6 +48,12 @@ fontcolor: '#FFF' ---- + +## About this document +This document has been written in English by **Disroot.org** and is the only text that has legal force.
+Any translation of this **Privacy Statement** is community effort to make the information accessible and should be taken as such, with no other value than merely informative. + + ## Definitions used on this Privacy Statement @@ -68,8 +75,8 @@ fontcolor: '#FFF' - **Brute-force attack**: is a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually find the right ones. - + ## The Data covered by this Privacy Statement This **Privacy Statement** applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement.
It is important to note that **sharing data with other services providers is a user’s choice** (see [1. What data do we collect?](#data_we_collect)) and is configured by the users in their services settings, including the decision what to share and with whom. @@ -383,14 +390,14 @@ Access to your personal data, stored files and other information you provide to # 6. Changes on this Privacy Statement -From time to time we may need to update this Privacy Statement. If we decide to do so, all changes will be publicly available and will be communicated to all users via the forum, our social networks and blog post. We recommend that you regularly check for any changes on this Statement. +Any and all changes to this **Privacy Statement** will be publicly available and communicated to all users via our social networks and blog post. We recommend that you regularly check for any changes on this Statement.
-You can follow the history of changes on this document on our git repository [**here**](https://git.disroot.org/Disroot/Disroot-Privacy-Policy/commits/branch/master) +You can follow the history of changes on this document on our version control system [**here**](https://git.disroot.org/Disroot/Disroot-Privacy-Policy/commits/branch/master) #### Last update of this Privacy Statement: -- February 9th, 2020 +- February 10th, 2020
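Review bot: "is the only text that has legal force" in the new "About this document" section is a strong legal claim for a privacy statement to make about itself; "the authoritative version" or "the only version for which Stichting Disroot.org is accountable" says what is meant without asserting legal force. "is community effort" needs an article ("is a community effort"). In the same hunk the table of contents still reads "Definitions used on this Privacy Policy" while the heading it points to, the new section and the renamed section 6 call the document a "Privacy Statement"; the two names are used interchangeably throughout and should be unified.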
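Review bot: the definition "Brute-force attack: is a cryptographic attack that consists of submitting many passwords" (context line in the definitions hunk) is a misnomer; guessing passwords against a login endpoint is an online authentication attack, not a cryptographic one. "An attack that consists of repeatedly submitting passwords or passphrases to an account until the right one is found" is accurate and also drops the stray "is" after the colon.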
From 8a7996a3f8ad442cd838336f99a9ac6a4edfd4c7 Mon Sep 17 00:00:00 2001 From: fede Date: Mon, 10 Feb 2020 15:20:07 -0300 Subject: [PATCH 18/29] Fixed some missing lines of the "About this document" text --- privacy_policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privacy_policy.md b/privacy_policy.md index ef486fa..4ad506d 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -51,7 +51,7 @@ fontcolor: '#FFF' ## About this document This document has been written in English by **Disroot.org** and is the only text that has legal force.
-Any translation of this **Privacy Statement** is community effort to make the information accessible and should be taken as such, with no other value than merely informative. +Any translation of this **Privacy Statement** is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative, and for which we are not responsible. From db0f4040fe79fefee55874c6f9982ea7a9f43bd2 Mon Sep 17 00:00:00 2001 From: fede Date: Mon, 10 Feb 2020 19:37:34 -0300 Subject: [PATCH 19/29] "About this document" text fix --- privacy_policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 4ad506d..b1db1ef 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -50,9 +50,9 @@ fontcolor: '#FFF' ## About this document -This document has been written in English by **Disroot.org** and is the only text that has legal force.
-Any translation of this **Privacy Statement** is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative, and for which we are not responsible. - +This document has been written in English by **Disroot.org** and is the only text for which we are responsible.
+Any translation of this **Privacy Statement** is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative. +
## Definitions used on this Privacy Statement From 31d613460b9a4282ca7fa8ddb11b02305afc3875 Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Tue, 11 Feb 2020 20:24:13 +0000 Subject: [PATCH 20/29] Update on "About this Document" text --- privacy_policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privacy_policy.md b/privacy_policy.md index b1db1ef..041d369 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -50,7 +50,7 @@ fontcolor: '#FFF' ## About this document -This document has been written in English by **Disroot.org** and is the only text for which we are responsible.
+This document has been originally written in English and is the only version for which **Stichting Disroot.org** can be held accountable.
Any translation of this **Privacy Statement** is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative.
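Review bot: "This document has been originally written in English" should be "This document was originally written in English". Across patches 18, 19 and 20 the sentence about translations has changed three times (adding "for which we are not responsible", removing it, then moving accountability into the first sentence), and the substantive change was first introduced under the commit message "Fixed some missing lines"; a wording change that limits accountability for translations deserves its own commit message so the history explains why.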
From 86edd01a3345cde809ca0e25594ad9389d8ef92e Mon Sep 17 00:00:00 2001 From: fede Date: Wed, 12 Feb 2020 00:47:51 -0300 Subject: [PATCH 21/29] Minor fixes on general text --- privacy_policy.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 041d369..9a31d9d 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -42,7 +42,7 @@ fontcolor: '#FFF' ### 5. [Your rights](#rights) -- [5.1. Access to your information](#access_information) +- 5.1. [Access to your information](#access_information) ### 6. [Changes on this Privacy Statement](#changes) @@ -54,6 +54,7 @@ This document has been originally written in English and is the only version for Any translation of this **Privacy Statement** is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative.
+ ## Definitions used on this Privacy Statement @@ -397,7 +398,7 @@ You can follow the history of changes on this document on our version control sy #### Last update of this Privacy Statement: -- February 10th, 2020 +- February 12th, 2020
From 3d2da8cfc5e48a53d54edd56c9eb1d755fddbbff Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Tue, 18 Feb 2020 01:36:31 +0000 Subject: [PATCH 22/29] Removing all non-style code All internal links code were removed --- privacy_policy.md | 93 +++++++++++++---------------------------------- 1 file changed, 26 insertions(+), 67 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 9a31d9d..2e972ea 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -7,55 +7,52 @@ fontcolor: '#FFF' **Version 1.2 - February 2020**

- # Table of Contents -### [About this document](#about) +### About this document -### [Definitions used on this Privacy Policy](#definitions) +### Definitions used on this Privacy Policy -### [The Data covered by this Privacy Statement](#coverage) +### The Data covered by this Privacy Statement -### 1. [What data do we collect?](#data_we_collect) -- 1.1. [What do we do with your data?](#what_we_do) -- 1.2. [How do we store your data?](#how_we_store) +### 1. What data do we collect? +- 1.1. What do we do with your data? +- 1.2. How do we store your data? -### 2. [What we do not do with your data](#what_we_do_not) +### 2. What we do not do with your data -### 3. [Where the data is stored?](#where_store) +### 3. Where the data is stored? -### 4. [Detailed privacy notices per services](#per_service) -- [4.1. Email](#email) -- [4.2. Cloud](#cloud) -- [4.3. XMPP Chat](#chat) -- [4.4. Search](#searx) -- [4.5. Upload](#upload) -- [4.6. Pads](#pads) -- [4.7. Polls](#polls) -- [4.8. Bin](#bin) -- [4.9. Forum](#forum) -- [4.10. Project Board](#project_board) -- [4.11. Calls](#calls) -- [4.12. Social](#diaspora) -- [4.13. GIT](#git) +### 4. Detailed privacy notices per services +- 4.1. Email +- 4.2. Cloud +- 4.3. XMPP Chat +- 4.4. Search +- 4.5. Upload +- 4.6. Pads +- 4.7. Polls +- 4.8. Bin +- 4.9. Forum +- 4.10. Project Board +- 4.11. Calls +- 4.12. Social +- 4.13. GIT -### 5. [Your rights](#rights) -- 5.1. [Access to your information](#access_information) +### 5. Your rights +- 5.1. Access to your information -### 6. [Changes on this Privacy Statement](#changes) +### 6. Changes on this Privacy Statement ---- - ## About this document This document has been originally written in English and is the only version for which **Stichting Disroot.org** can be held accountable.
Any translation of this **Privacy Statement** is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative.
- ## Definitions used on this Privacy Statement - **GDPR**: General Data Protection Regulation, [EU 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1580499932731&uri=CELEX:32016R0679) @@ -77,15 +74,12 @@ Any translation of this **Privacy Statement** is a community effort to make the - **Brute-force attack**: is a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually find the right ones. - ## The Data covered by this Privacy Statement This **Privacy Statement** applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement.
It is important to note that **sharing data with other services providers is a user’s choice** (see [1. What data do we collect?](#data_we_collect)) and is configured by the users in their services settings, including the decision what to share and with whom. -[Back to top](#top) --- - # 1. What data do we collect? If a user chooses to use any of the services provided by us, the following data will be required and therefore collected by **Disroot.org**: @@ -102,7 +96,6 @@ If a user chooses to use any of the services provided by us, the following data (For more detailed information, please refer to the [Detailed privacy notices per service](#per_services) section below) - ## 1.1. What do we do with your data? - Our processing of your information is limited to providing the service. @@ -112,7 +105,6 @@ If a user chooses to use any of the services provided by us, the following data (Detailed information on [Privacy notices per service](#per_services) section) - ## 1.2. How do we store your data? To protect your data we use the following security measures: @@ -122,9 +114,7 @@ To protect your data we use the following security measures: * c. We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. -[Back to top](#top) - # 2. What we do not do with your data - We do not collect any other data than what is needed to provide you the service. 
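Review bot: the commit message says all internal link code was removed, yet the unchanged context lines in this region still carry Markdown anchor links: `(see [1. What data do we collect?](#data_we_collect))`, `[Detailed privacy notices per service](#per_services)` and `[Privacy notices per service](#per_services)`. With the linked table of contents and the `[Back to top](#top)` lines gone, nothing in the file defines those anchors; note also that the removed table of contents pointed at `#per_service` (singular) while the body points at `#per_services` (plural), so these links were already dangling before this change. Either strip the three references in the same commit or keep explicit anchors so they resolve.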
@@ -140,20 +130,12 @@ To protect your data we use the following security measures: - We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for providing the service, troubleshooting purposes or under suspicion of breaking our **Terms Of Services** in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. -[Back to top](#top) - - - # 3. Where the data is stored? We store all data in **our own servers**, located in a data center in the **Netherlands**. -[Back to top](#top) - # 4. Detailed privacy notices per service - - ## 4.1 - **Disroot Email** (https://mail.disroot.org) - This service requires login with **Disroot** credentials. @@ -167,7 +149,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Given that email works on a **federated** protocol, when interacting with email addresses hosted on third party servers (eg. Gmail.com, Posteo.org), data is sent to other independently operated and owned servers in the network over which we have no control. - ## 4.2 - **Disroot Cloud** (https://cloud.disroot.org) - This service requires login with **Disroot** credentials. @@ -179,7 +160,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - ## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) - This service requires login with **Disroot** credentials. 
@@ -195,7 +175,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Files uploaded to the server are stored as is (plain-text or encrypted) for a period of three months. - ## 4.4 - **Disroot Search** (https://search.disroot.org) - This service does not require login or providing any personal data. @@ -207,7 +186,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Personal information of our users is never leaked to the other search engines. - ## 4.5 - **Disroot Upload** (https://upload.disroot.org) - This service does not require login or providing any personal data. @@ -221,7 +199,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Files uploaded to the server are wiped based on the retention period set by the user upon upload. - ## 4.6 - **Disroot Pads** (https://pad.disroot.org and https://calc.disroot.org) - This service does not require login or providing any personal data. @@ -235,7 +212,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Untouched pads and calcs expire after six months and are then removed from the server. - ## 4.7 - **Disroot Polls** (https://poll.disroot.org) - This service does not require login or providing any personal data. @@ -249,7 +225,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Expired polls are removed from the database according to the user setting during poll creation. - ## 4.8 - **Disroot Bin** (https://bin.disroot.org) - This service does not require login or providing any personal data. @@ -265,7 +240,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - Comments and discussions under pastes are **end-to-end encrypted**. - ## 4.9 - **Disroot Forum** (https://forum.disroot.org) - This service requires to create separate account or use **Disroot** credentials to interact with discussions. 
@@ -277,7 +251,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - All forum data (groups, threads, posts, usernames, email addresses) are stored on the server in the database as is (plain-text). - ## 4.10 - **Disroot Project Board** (https://board.disroot.org) - This service requires login with **Disroot** credentials. @@ -287,7 +260,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - All board data (usernames, project data, email addresses) is stored on the server in the database as is (plain-text). - ## 4.11 - **Disroot Calls** (https://calls.disroot.org) - This service does not require login. @@ -297,7 +269,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - No user data is permanently stored on the server. - ## 4.12 - **Disroot Social (Diaspora\* pod)** (https://pod.disroot.org) - This service requires to create a separate account. @@ -311,7 +282,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - All pod data (usernames, email addresses, posts and messages, polls, contacts, photos and images) are stored on the server in the database as is (plain-text). - ## 4.13 - **Disroot GIT** (https://git.disroot.org) - This service requires to create a separate git account to interact with others. @@ -321,10 +291,6 @@ We store all data in **our own servers**, located in a data center in the **Neth - All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text). -[Back to top](#top) - - - # 5. Your rights Under the **GDPR** you have a number of rights with regard to your personal data: @@ -371,7 +337,6 @@ PO Box 93374
**Fax:** (+31) - (0)70 - 888 85 01
- ## 5.1. Access to your information Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on our services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible service. @@ -385,10 +350,6 @@ Access to your personal data, stored files and other information you provide to * https://user.disroot.org -[Back to top](#top) - - - # 6. Changes on this Privacy Statement Any and all changes to this **Privacy Statement** will be publicly available and communicated to all users via our social networks and blog post. We recommend that you regularly check for any changes on this Statement. @@ -400,6 +361,4 @@ You can follow the history of changes on this document on our version control sy - February 12th, 2020 -
- -[Back to top](#top) +
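Review bot: in the table-of-contents hunk at the top of this patch, the rewritten entry `### Definitions used on this Privacy Policy` does not match the section heading `## Definitions used on this Privacy Statement` that follows it, and `### 4. Detailed privacy notices per services` does not match `# 4. Detailed privacy notices per service`. Since every entry of the list is touched here anyway, align the wording with the headings ("Privacy Statement", "per service"); once the links are gone the list is only useful if it mirrors the headings exactly, and if it cannot be kept in sync it is simpler to drop it altogether.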
\ No newline at end of file From a70b206157435915ea939276dab6d578d865221d Mon Sep 17 00:00:00 2001 From: meaz Date: Sun, 1 Mar 2020 19:06:37 +0100 Subject: [PATCH 23/29] adjustment for better viewing in website repo --- privacy_policy.md | 213 ++++++++++++++-------------------------------- 1 file changed, 65 insertions(+), 148 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 2e972ea..0636db2 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -1,359 +1,275 @@ --- title: Privacy Statement -bgcolor: '#1F5C60' -fontcolor: '#FFF' +bgcolor: '#FFF' +fontcolor: '#1F5C60' +section_id: privacy +text_align: left --- -**Version 1.2 - February 2020** -

+# Privacy Statement -# Table of Contents +
-### About this document - -### Definitions used on this Privacy Policy - -### The Data covered by this Privacy Statement - - -### 1. What data do we collect? -- 1.1. What do we do with your data? -- 1.2. How do we store your data? - -### 2. What we do not do with your data - -### 3. Where the data is stored? - -### 4. Detailed privacy notices per services -- 4.1. Email -- 4.2. Cloud -- 4.3. XMPP Chat -- 4.4. Search -- 4.5. Upload -- 4.6. Pads -- 4.7. Polls -- 4.8. Bin -- 4.9. Forum -- 4.10. Project Board -- 4.11. Calls -- 4.12. Social -- 4.13. GIT - - -### 5. Your rights -- 5.1. Access to your information - -### 6. Changes on this Privacy Statement - ----- + ## About this document + This document has been originally written in English and is the only version for which **Stichting Disroot.org** can be held accountable.
Any translation of this **Privacy Statement** is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative.
+ ## Definitions used on this Privacy Statement - **GDPR**: General Data Protection Regulation, [EU 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1580499932731&uri=CELEX:32016R0679) - - **Data**: According to the **GDPR**, data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc.). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by **Disroot.org** as well as the information the user optionally submits on any of them. - - **Services**: the set of different softwares, protocols and standards used to exchange data between web applications. - - **User** or **you**: any person or third party that access and uses the services provided by **Disroot.org**. - - **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org - - **Platform**: the set of services provided by **Disroot.org** and that are hosted on our servers. - - **Disroot credentials**: they are the username and password created and used by the user to log in to the services provided by us. - - **Federated services**: services that operate on the basis of so-called **federation protocols** which enable users who signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Diaspora\***, **Hubzilla** and **XMPP**. - - **Brute-force attack**: is a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually find the right ones. +
+ + ## The Data covered by this Privacy Statement + This **Privacy Statement** applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement.
It is important to note that **sharing data with other services providers is a user’s choice** (see [1. What data do we collect?](#data_we_collect)) and is configured by the users in their services settings, including the decision what to share and with whom. +
+ + ---- # 1. What data do we collect? + If a user chooses to use any of the services provided by us, the following data will be required and therefore collected by **Disroot.org**: -- A valid email address: required for account creation. This email address is deleted from our database after the account has been approved/denied, unless the user chooses during the registration process, to keep it for password reset process. - +- A valid email address: required for account creation. This email address is deleted from our database after the account has been approved/denied, unless the user chooses during the registration process, to keep it for password reset process. - An username and a password: required to identify the account holder and provide the services offered by **Disroot.org**. - -- Necessary information related to the operation and functioning of the services which may include, for example, IP address, User Agent, etc.
*More detailed information about this and how we handle it can be found in the [Privacy notices per service](#per_services).* - +- Necessary information related to the operation and functioning of the services which may include, for example, IP address, User Agent, etc. *More detailed information about this and how we handle it can be found in the [Privacy notices per service](#per_services).* - When a user makes an online donation to **Disroot.org**, we collect personal data such as, but not limited to, username (if any), country (in case of extra storage request for tax purposes), transaction IDs or bank account/reference. The purpose for which we use this data is merely administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the "[How do we store your data?](#how_we_store)" section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully. - - Any additional information that the user chooses to supply while using the services provided by us (whether it is chats, posts, emails, etc.). This additional information is optional and with the user's consent. (For more detailed information, please refer to the [Detailed privacy notices per service](#per_services) section below) + ## 1.1. What do we do with your data? - Our processing of your information is limited to providing the service. - - We store logs of your activity for a period no longer than 24 hours (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion and monitor the health of the platform. (Detailed information on [Privacy notices per service](#per_services) section) + ## 1.2. 
How do we store your data? + To protect your data we use the following security measures: -* a. We use disk encryption on all servers to prevent data leak in case the servers are stolen, confiscated or in any way physically tampered with. - -* b. We provide and require SSL/TLS encryption on all "user-to-server" and "server-to-server" communications on all provided services. - -* c. We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. +1. We use disk encryption on all servers to prevent data leak in case the servers are stolen, confiscated or in any way physically tampered with. +2. We provide and require SSL/TLS encryption on all "user-to-server" and "server-to-server" communications on all provided services. +3. We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. + # 2. What we do not do with your data - We do not collect any other data than what is needed to provide you the service. - - We do not, in any way, process, analyze your behavior or personal characteristics to create profiles about you or your usage of the services. We have no advertisements or business relationships with advertisers. - - We do not sell your data to any third party. - - We do not share your data to any third party unless in case of federated services which requires certain data to be shared in order to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). - - We do not require any additional information that is not crucial for the operation of the service (we do not ask for phone numbers, private personal data, home address). 
- - We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for providing the service, troubleshooting purposes or under suspicion of breaking our **Terms Of Services** in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. + # 3. Where the data is stored? + We store all data in **our own servers**, located in a data center in the **Netherlands**. + # 4. Detailed privacy notices per service + + ## 4.1 - **Disroot Email** (https://mail.disroot.org) - This service requires login with **Disroot** credentials. - - All emails, unless encrypted by the user (with GnuPG/PGP, for example) are stored unencrypted on our servers. - - IP addresses of currently logged in users via IMAP/POP3 protocols are stored as long as the device is logged in the server *(per each device logged in)*. - - Server logs, which store information such as, but not limited to, your username and your IP address, *from* and *to* email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - - Given that email works on a **federated** protocol, when interacting with email addresses hosted on third party servers (eg. Gmail.com, Posteo.org), data is sent to other independently operated and owned servers in the network over which we have no control. + ## 4.2 - **Disroot Cloud** (https://cloud.disroot.org) - This service requires login with **Disroot** credentials. - - All files sent to the cloud are encrypted with a key-pair created based on the user password to add an extra level of security. 
Note, however, that the keys are stored on the server, which compromises the level of security to some degree (e.g.: if an attacker knows your password and obtain the encryption key-pair, can decrypt the data). However, **no** "Master Key" does exist on our setup, which means the Admins cannot decrypt any file stored on the cloud without knowing user's password prior. - - Excluding the files, everything else (calendars, contacts, news, tasks, bookmarks, etc.) is stored unencrypted in a database, unless an application provides external encryption (none so far). This is a limitation of the software we are utilizing for this service (Nextcloud). - - Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. + ## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) - This service requires login with **Disroot** credentials. - - The roster (your XMPP contact list) is stored on the server's database. - - Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if not specified by the user on per chatroom basis, is stored on the server for a period of three months. You can decide to not have any history stored on the server per chat. - - Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. 
- - Given that XMPP is a **federated** protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. - - Files uploaded to the server are stored as is (plain-text or encrypted) for a period of three months. + ## 4.4 - **Disroot Search** (https://search.disroot.org) - This service does not require login or providing any personal data. - - **No log data** (IP address, session cookie, etc.) is stored on the server. - - Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. - - Personal information of our users is never leaked to the other search engines. + ## 4.5 - **Disroot Upload** (https://upload.disroot.org) - This service does not require login or providing any personal data. - - **No log data** (IP address, session cookie, etc.) is stored on the server. - - Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. - - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. - - Files uploaded to the server are wiped based on the retention period set by the user upon upload. + ## 4.6 - **Disroot Pads** (https://pad.disroot.org and https://calc.disroot.org) - This service does not require login or providing any personal data. - - **No log data** (IP address, session cookie, etc.) is stored on the server. - - We do not collect any other personal data that can be linked to the pads. - - Pad content is stored on the server in the database as is (plain-text). - - Untouched pads and calcs expire after six months and are then removed from the server. 
+ ## 4.7 - **Disroot Polls** (https://poll.disroot.org) - This service does not require login or providing any personal data. - - **No log data** (IP address, session cookie, etc.) is stored on the server. - - Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. - - Poll data is stored on the server in the database as is (plain-text). - - Expired polls are removed from the database according to the user setting during poll creation. + ## 4.8 - **Disroot Bin** (https://bin.disroot.org) - This service does not require login or providing any personal data. - - **No log data** (IP address, session cookie, etc.) is stored on the server. - - Logs may be enabled occasionally in case of troubleshooting. Logs are then enabled for the duration of problem assessment and are purged immediately after. - - All files uploaded to the server are **end-to-end encrypted** which means no one with access to the server can decrypt/read the data. - - Files uploaded to the server are wiped based on the retention period set by the user upon upload. - - Comments and discussions under pastes are **end-to-end encrypted**. + ## 4.9 - **Disroot Forum** (https://forum.disroot.org) - This service requires to create separate account or use **Disroot** credentials to interact with discussions. - - **No log data** (IP address, session cookie, etc.) is stored on the server. - - The forum software stores your last used IP address in the database. - - All forum data (groups, threads, posts, usernames, email addresses) are stored on the server in the database as is (plain-text). + ## 4.10 - **Disroot Project Board** (https://board.disroot.org) - This service requires login with **Disroot** credentials. 
- - Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - - All board data (usernames, project data, email addresses) is stored on the server in the database as is (plain-text). + ## 4.11 - **Disroot Calls** (https://calls.disroot.org) - This service does not require login. - - **No log data** (IP address, session cookie, etc.) is stored on the server. - - No user data is permanently stored on the server. + ## 4.12 - **Disroot Social (Diaspora\* pod)** (https://pod.disroot.org) - This service requires to create a separate account. - - Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - - This service works on **federated protocols** which means your public posts are shared/transfered to other independently operated servers in the network over which we have no control. - - Private posts/messages are sent to users on other servers only if you intentionally choose to interact with them. - - All pod data (usernames, email addresses, posts and messages, polls, contacts, photos and images) are stored on the server in the database as is (plain-text). + ## 4.13 - **Disroot GIT** (https://git.disroot.org) - This service requires to create a separate git account to interact with others. 
- - Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - - All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text). + # 5. Your rights Under the **GDPR** you have a number of rights with regard to your personal data: -* a. **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. - -* b. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete.* - -* c. **Right to erase** - The right to request delete or remove your Data from our servers. - -* d. **Right to restrict the use of your Data** - The right to restrict processing or limit the way we use your Data. - -* e. **Right to Data portability** - The right to move, copy or transfer your Data. - -* f. **Right to object** - The right to object to our use of your Data. - - -\* *Your* **Disroot username** *and* **Disroot email address** *are integral part of your user account and cannot be modified.
-Usernames remain in the database, even after erasure request, to prevent old usernames being re-used by new users, compromising the privacy of both and enabling possible identity theft. For that reason, usernames of accounts that have been deleted remain in the database to avoid being reused. However, all the linked personal information is deleted permanently.* +1. **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. +2. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete.* +3. **Right to erase** - The right to request delete or remove your Data from our servers. +4. **Right to restrict the use of your Data** - The right to restrict processing or limit the way we use your Data. +5. **Right to Data portability** - The right to move, copy or transfer your Data. +6. **Right to object** - The right to object to our use of your Data. +> *Your* **Disroot username** *and* **Disroot email address** *are integral part of your user account and cannot be modified.* +> *Usernames remain in the database, even after erasure request, to prevent old usernames being re-used by new users, compromising the privacy of both and enabling possible identity theft. For that reason, usernames of accounts that have been deleted remain in the database to avoid being reused. However, all the linked personal information is deleted permanently.* You have the right to lodge a complain, make enquires, excercise any of the rights described above or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), by contacting us via email to: - **data.protection.officer@disroot.org** - Person responsible for this Privacy Statement - - **info@disroot.org** - General information contact For the purposes of the **GDPR**, **Disroot.org** is the "data controller". 
This means that **Disroot** determines the purposes for which and the manner which your data is processed. -**Stichting Disroot.org**:
+**Stichting Disroot.org**: Dutch Chamber of Commerce (KVK) number: 69988099 - If you are not satisfied with the way your Data is handled by us, or think its processing is not appropriate, you have the right to send a complaint to the **Information Commissioners’ Office**. **Dutch Data Protection Authority (Dutch DPA)** +**Postal address** +Autoriteit Persoonsgegevens +PO Box 93374 +2509 AJ DEN HAAG +**Phone:** (+31) - (0)70 - 888 85 00 +**Fax:** (+31) - (0)70 - 888 85 01 -**Postal address**
-Autoriteit Persoonsgegevens
-PO Box 93374
-2509 AJ DEN HAAG
-
-**Phone:** (+31) - (0)70 - 888 85 00
-**Fax:** (+31) - (0)70 - 888 85 01
- + ## 5.1. Access to your information Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on our services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible service. -#### To learn how to access and self-export your personal data - -* https://howto.disroot.org/en/tutorials/user/gdpr - -#### To modify your personal data or delete your account - -* https://user.disroot.org +- Learn how to access and self-export your personal data [**here**](https://howto.disroot.org/en/tutorials/user/gdpr) +- Modify your personal data or delete your account [**here**](https://user.disroot.org) + # 6. Changes on this Privacy Statement Any and all changes to this **Privacy Statement** will be publicly available and communicated to all users via our social networks and blog post. We recommend that you regularly check for any changes on this Statement. -
You can follow the history of changes on this document on our version control system [**here**](https://git.disroot.org/Disroot/Disroot-Privacy-Policy/commits/branch/master) @@ -361,4 +277,5 @@ You can follow the history of changes on this document on our version control sy - February 12th, 2020 -
\ No newline at end of file +
+[Back to top](#top) From d763739e486804285dc7ceb7267f29780dab8df8 Mon Sep 17 00:00:00 2001 From: Muppeth Date: Tue, 10 Mar 2020 23:03:42 +0100 Subject: [PATCH 24/29] changed xmpp retention to 1month; removed diaspora. --- privacy_policy.md | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 0636db2..98cb058 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -72,9 +72,9 @@ If a user chooses to use any of the services provided by us, the following data To protect your data we use the following security measures: -1. We use disk encryption on all servers to prevent data leak in case the servers are stolen, confiscated or in any way physically tampered with. -2. We provide and require SSL/TLS encryption on all "user-to-server" and "server-to-server" communications on all provided services. -3. We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. +- We use disk encryption on all servers to prevent data leak in case the servers are stolen, confiscated or in any way physically tampered with. +- We provide and require SSL/TLS encryption on all "user-to-server" and "server-to-server" communications on all provided services. +- We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. 
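Review bot: the rights and contact hunk above (the `+1. **Right to access**` through `+**Stichting Disroot.org**:` lines) sends users to the wrong regulator: the complaint sentence names the "Information Commissioners' Office", while the address block that follows it and the KVK registration of Stichting Disroot.org are Dutch, so the sentence should name the Autoriteit Persoonsgegevens (Dutch DPA) whose address is given. The same added lines also carry "submited" (submitted), "lodge a complain" (complaint), "enquires" (enquiries) and "excercise" (exercise), which are worth fixing while the text is being rewritten.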
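Review bot: in the @@ -72,9 +72,9 @@ hunk of PATCH 24/29 the three security-measure lines are rewritten only to switch from a numbered to a bulleted list, so the re-added text is the place to tighten the wording: "SSL/TLS encryption" should read "TLS encryption", since SSL is the deprecated predecessor and a policy promising SSL implies it is still offered, and "whenever it is made available by services that allow it" can be shortened to "whenever the service supports it".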
@@ -122,7 +122,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - This service requires login with **Disroot** credentials. - The roster (your XMPP contact list) is stored on the server's database. -- Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if not specified by the user on per chatroom basis, is stored on the server for a period of three months. You can decide to not have any history stored on the server per chat. +- Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if not specified by the user on per chatroom basis, is stored on the server for a period of one month. You can decide to not have any history stored on the server per chat. - Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - Given that XMPP is a **federated** protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. - Files uploaded to the server are stored as is (plain-text or encrypted) for a period of three months. 
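Review bot: the @@ -122,7 +122,7 @@ hunk shortens only the chat-history retention from three months to one month, while the last context line of the same section still keeps uploaded files for three months; if that difference is intended, the commit message ("changed xmpp retention to 1month") overstates the change, and if not, the files line needs the same edit. While the line is being touched, "on per chatroom basis" should read "on a per-chatroom basis".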
@@ -202,19 +202,10 @@ We store all data in **our own servers**, located in a data center in the **Neth - **No log data** (IP address, session cookie, etc.) is stored on the server. - No user data is permanently stored on the server. - - -## 4.12 - **Disroot Social (Diaspora\* pod)** (https://pod.disroot.org) - -- This service requires to create a separate account. -- Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. -- This service works on **federated protocols** which means your public posts are shared/transfered to other independently operated servers in the network over which we have no control. -- Private posts/messages are sent to users on other servers only if you intentionally choose to interact with them. -- All pod data (usernames, email addresses, posts and messages, polls, contacts, photos and images) are stored on the server in the database as is (plain-text). -## 4.13 - **Disroot GIT** (https://git.disroot.org) +## 4.12 - **Disroot GIT** (https://git.disroot.org) - This service requires to create a separate git account to interact with others. - Server logs, which store information such as, but not limited to, your IP address, your username, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. 
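Review bot: the @@ -202,19 +202,10 @@ hunk drops section 4.12 (Diaspora* pod) and renumbers GIT from 4.13 to 4.12, but touches no cross-references: any table-of-contents entries, anchors or numbered references to 4.13 elsewhere in the file are left as they were and should be updated in the same commit, otherwise the document's internal links go stale. Since the deleted lines described what the pod stored (usernames, email addresses, posts, messages, photos), the statement should also say what happens to that data now that the notice is gone.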
@@ -226,12 +217,12 @@ We store all data in **our own servers**, located in a data center in the **Neth Under the **GDPR** you have a number of rights with regard to your personal data: -1. **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. -2. **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete.* -3. **Right to erase** - The right to request delete or remove your Data from our servers. -4. **Right to restrict the use of your Data** - The right to restrict processing or limit the way we use your Data. -5. **Right to Data portability** - The right to move, copy or transfer your Data. -6. **Right to object** - The right to object to our use of your Data. +- **Right to access** - The right to request (I) copies of your personal Data or (II) access to the information you submited and we hold at any time. +- **Right to correct** - The right to have your Data rectified if it is inaccurate or incomplete.* +- **Right to erase** - The right to request delete or remove your Data from our servers. +- **Right to restrict the use of your Data** - The right to restrict processing or limit the way we use your Data. +- **Right to Data portability** - The right to move, copy or transfer your Data. +- **Right to object** - The right to object to our use of your Data. > *Your* **Disroot username** *and* **Disroot email address** *are integral part of your user account and cannot be modified.* > *Usernames remain in the database, even after erasure request, to prevent old usernames being re-used by new users, compromising the privacy of both and enabling possible identity theft. For that reason, usernames of accounts that have been deleted remain in the database to avoid being reused. However, all the linked personal information is deleted permanently.* From c3023d75f9cbff328ec6191615e5ef8d25880b9e Mon Sep 17 00:00:00 2001 
From: Muppeth Date: Tue, 10 Mar 2020 23:44:30 +0100 Subject: [PATCH 25/29] added PS version --- privacy_policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privacy_policy.md b/privacy_policy.md index 98cb058..4867fd6 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -7,7 +7,7 @@ text_align: left --- # Privacy Statement - +**v1.2 - March 2020**
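Review bot: the @@ -226,12 +217,12 @@ hunk of PATCH 24/29 rewrites all six rights lines only to change the list markers, yet keeps the typo "submited" (submitted) in the right-to-access line and the dangling asterisk after "incomplete.*", which has no matching marker on the quoted notes below it; both are worth fixing while the lines are being rewritten.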
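Review bot: PATCH 25/29 adds "**v1.2 - March 2020**" under the title, but the preceding patch in this series changed a retention period and removed a service notice, which are substantive changes to what users are told; consider whether a new version number is warranted so readers can distinguish this text from earlier versions by more than the month.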
From 61d2412c6fb459e537d5c312982041962bc03cad Mon Sep 17 00:00:00 2001 From: "Fede.-" Date: Wed, 11 Mar 2020 02:48:14 +0000 Subject: [PATCH 26/29] Removed Diaspora* from federated services examples --- privacy_policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/privacy_policy.md b/privacy_policy.md index 4867fd6..134fcbd 100644 --- a/privacy_policy.md +++ b/privacy_policy.md @@ -29,10 +29,10 @@ Any translation of this **Privacy Statement** is a community effort to make the - **Disroot, Disroot.org, we** or **us**: Stichting Disroot.org - **Platform**: the set of services provided by **Disroot.org** and that are hosted on our servers. - **Disroot credentials**: they are the username and password created and used by the user to log in to the services provided by us. -- **Federated services**: services that operate on the basis of so-called **federation protocols** which enable users who signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Diaspora\***, **Hubzilla** and **XMPP**. +- **Federated services**: services that operate on the basis of so-called **federation protocols** which enable users who signed up at different services providers to interact with each other. Examples of these services are **Nextcloud**, **Email**, **Hubzilla** and **XMPP**. - **Brute-force attack**: is a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually find the right ones. -
+
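Review bot: the @@ -29,10 +29,10 @@ hunk is consistent with the removal of the Diaspora* notice in PATCH 24/29; since the definition line is rewritten anyway, "different services providers" should read "different service providers". The unchanged brute-force definition two lines below calls it "a cryptographic attack", but guessing account passwords is a credential attack rather than a cryptographic one, and that wording deserves a follow-up fix because the per-service log-retention notices rely on it.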
From 56a05d3c604bd608d68aacf59b86bf74f6570929 Mon Sep 17 00:00:00 2001 From: antil0pa Date: Wed, 11 Mar 2020 11:33:17 +0100 Subject: [PATCH 27/29] adjusted page naming so it is can be cloned to website --- privacy_policy.md => fullbar.en.md | 50 ++++++++++++++++-------------- 1 file changed, 26 insertions(+), 24 deletions(-) rename privacy_policy.md => fullbar.en.md (99%) diff --git a/privacy_policy.md b/fullbar.en.md similarity index 99% rename from privacy_policy.md rename to fullbar.en.md index 134fcbd..b06b61d 100644 --- a/privacy_policy.md +++ b/fullbar.en.md @@ -6,12 +6,14 @@ section_id: privacy text_align: left --- + +
# Privacy Statement **v1.2 - March 2020**
- +
## About this document This document has been originally written in English and is the only version for which **Stichting Disroot.org** can be held accountable.
@@ -19,7 +21,7 @@ Any translation of this **Privacy Statement** is a community effort to make the
- +
## Definitions used on this Privacy Statement - **GDPR**: General Data Protection Regulation, [EU 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1580499932731&uri=CELEX:32016R0679) @@ -35,7 +37,7 @@ Any translation of this **Privacy Statement** is a community effort to make the
- +
## The Data covered by this Privacy Statement This **Privacy Statement** applies to all services hosted on **Disroot.org** and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside **Disroot**. Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. mail or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement.
@@ -44,7 +46,7 @@ It is important to note that **sharing data with other services providers is a u
- +
# 1. What data do we collect? If a user chooses to use any of the services provided by us, the following data will be required and therefore collected by **Disroot.org**: @@ -58,7 +60,7 @@ If a user chooses to use any of the services provided by us, the following data (For more detailed information, please refer to the [Detailed privacy notices per service](#per_services) section below) - +
## 1.1. What do we do with your data? - Our processing of your information is limited to providing the service. @@ -67,7 +69,7 @@ If a user chooses to use any of the services provided by us, the following data (Detailed information on [Privacy notices per service](#per_services) section) - +
## 1.2. How do we store your data? To protect your data we use the following security measures: @@ -77,7 +79,7 @@ To protect your data we use the following security measures: - We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. - +
# 2. What we do not do with your data - We do not collect any other data than what is needed to provide you the service. @@ -88,17 +90,17 @@ To protect your data we use the following security measures: - We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for providing the service, troubleshooting purposes or under suspicion of breaking our **Terms Of Services** in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. - +
# 3. Where the data is stored? We store all data in **our own servers**, located in a data center in the **Netherlands**. - +
# 4. Detailed privacy notices per service - +
## 4.1 - **Disroot Email** (https://mail.disroot.org) - This service requires login with **Disroot** credentials. @@ -108,7 +110,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Given that email works on a **federated** protocol, when interacting with email addresses hosted on third party servers (eg. Gmail.com, Posteo.org), data is sent to other independently operated and owned servers in the network over which we have no control. - +
## 4.2 - **Disroot Cloud** (https://cloud.disroot.org) - This service requires login with **Disroot** credentials. @@ -117,7 +119,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. - +
## 4.3 - **Disroot XMPP Chat** (https://webchat.disroot.org) - This service requires login with **Disroot** credentials. @@ -128,7 +130,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Files uploaded to the server are stored as is (plain-text or encrypted) for a period of three months. - +
## 4.4 - **Disroot Search** (https://search.disroot.org) - This service does not require login or providing any personal data. @@ -137,7 +139,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Personal information of our users is never leaked to the other search engines. - +
## 4.5 - **Disroot Upload** (https://upload.disroot.org) - This service does not require login or providing any personal data. @@ -147,7 +149,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Files uploaded to the server are wiped based on the retention period set by the user upon upload. - +
## 4.6 - **Disroot Pads** (https://pad.disroot.org and https://calc.disroot.org) - This service does not require login or providing any personal data. @@ -157,7 +159,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Untouched pads and calcs expire after six months and are then removed from the server. - +
## 4.7 - **Disroot Polls** (https://poll.disroot.org) - This service does not require login or providing any personal data. @@ -167,7 +169,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Expired polls are removed from the database according to the user setting during poll creation. - +
## 4.8 - **Disroot Bin** (https://bin.disroot.org) - This service does not require login or providing any personal data. @@ -178,7 +180,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - Comments and discussions under pastes are **end-to-end encrypted**. - +
## 4.9 - **Disroot Forum** (https://forum.disroot.org) - This service requires to create separate account or use **Disroot** credentials to interact with discussions. @@ -187,7 +189,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - All forum data (groups, threads, posts, usernames, email addresses) are stored on the server in the database as is (plain-text). - +
## 4.10 - **Disroot Project Board** (https://board.disroot.org) - This service requires login with **Disroot** credentials. @@ -195,7 +197,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - All board data (usernames, project data, email addresses) is stored on the server in the database as is (plain-text). - +
## 4.11 - **Disroot Calls** (https://calls.disroot.org) - This service does not require login. @@ -204,7 +206,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - +
## 4.12 - **Disroot GIT** (https://git.disroot.org) - This service requires to create a separate git account to interact with others. @@ -212,7 +214,7 @@ We store all data in **our own servers**, located in a data center in the **Neth - All git data such as, but not limited to, usernames, email addresses, messages, code, files, versions, pull requests, etc., are stored on the server in the database as is (plain-text). - +
# 5. Your rights Under the **GDPR** you have a number of rights with regard to your personal data: @@ -248,7 +250,7 @@ PO Box 93374 **Fax:** (+31) - (0)70 - 888 85 01 - +
## 5.1. Access to your information Access to your personal data, stored files and other information you provide to any of the services offered by **Disroot.org** is under your control. This means that all data stored on our services that are bound to personal information (services that require logging in) are available for you to download either for archival purposes or to transfer to another compatible service. @@ -257,7 +259,7 @@ Access to your personal data, stored files and other information you provide to - Modify your personal data or delete your account [**here**](https://user.disroot.org) - +
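Review bot: PATCH 27/29 is described as a rename so the page can be cloned to the website, yet its stat line shows 26 insertions and 24 deletions inside fullbar.en.md, and every hunk from @@ -6,12 onward replaces one line with another whose content is not visible in this rendering (they appear as bare "-" and "+" lines). A rename-only commit should carry no content changes; either describe what the replaced lines are (a changed separator or line ending, for example) in the commit message or split them into a separate commit so the rename stays reviewable at 100% similarity.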
# 6. Changes on this Privacy Statement Any and all changes to this **Privacy Statement** will be publicly available and communicated to all users via our social networks and blog post. We recommend that you regularly check for any changes on this Statement. From 3df79738255a31089379bc546a2a193ab1f6437f Mon Sep 17 00:00:00 2001 From: antil0pa Date: Wed, 11 Mar 2020 11:59:08 +0100 Subject: [PATCH 28/29] removed title --- fullbar.en.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/fullbar.en.md b/fullbar.en.md index b06b61d..6f1b498 100644 --- a/fullbar.en.md +++ b/fullbar.en.md @@ -6,11 +6,8 @@ section_id: privacy text_align: left --- -
-# Privacy Statement **v1.2 - March 2020** -

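Review bot: the @@ -6,11 +6,8 @@ hunk removes not only the "# Privacy Statement" title but also the "**v1.2 - March 2020**" version label that PATCH 25/29 added on the same line; if the website template now supplies the title, the version and date should be kept on their own line (or in the front matter), since the change-tracking section at the end of the document relies on readers being able to see which version they are reading.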
From c0ddc4e1150007688ff90aa9cef753f1f86ebbce Mon Sep 17 00:00:00 2001 From: meaz Date: Wed, 11 Mar 2020 14:19:54 +0100 Subject: [PATCH 29/29] udpate the last update date --- fullbar.en.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fullbar.en.md b/fullbar.en.md index 6f1b498..d02bde7 100644 --- a/fullbar.en.md +++ b/fullbar.en.md @@ -265,7 +265,7 @@ You can follow the history of changes on this document on our version control sy #### Last update of this Privacy Statement: -- February 12th, 2020 +- March 1th, 2020
[Back to top](#top)
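Review bot: "March 1th, 2020" is not a valid ordinal; the commit is dated 11 March 2020, so this is presumably "March 11th, 2020" (or "March 1st" if the first was intended). Since this diff only updates the date, the commit message is the place to say which change the new "Last update" refers to.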