As I mentioned in the description, the GDPR definition of data is tremendously broad. The list of types of personal data that could lead to the identification of a natural person in the digital context further include email addresses, cookies, IP addresses and, overall, lots of online identifiers. It has to be adjusted to the context of Disroot.
I think the text about federation should be more explanatory. Maybe something like this, though perhaps this fits more in Access to your information. So unless we add better explanation there, we should provide a bit more then suggested in the pull request:
Federated services: Services that operates on the basis of so-called Federation Protocols which enables users signed up at different services providers to interact with each other. Examples of these services are Nextcloud, Email, Hubzilla and XMPP.Because of the nature of the protocols (ability to send each other messages, likes, share files, chat) some of the data is naturally shared or transmited to other entities (eg. sending email to different provider). We cannot take responsiblity for privacy practices of others, however, sharing data with other service provider is the user's choice, and depending on service, user can decide with whom and what to share (eg. user can choose not to send the email to different provider).