brokentech.cloud/content/privacy.md

262 lines
12 KiB
Markdown
Raw Permalink Normal View History

+++
title = 'Privacy Policy'
date = 2024-02-13T07:45:42+01:00
+++
The website that brought you here is part of the Broken Tech Cloud family of
websites hosted by me, mart-w <privacy@mart-w.de>. This privacy policy explains
how those websites collect the personal data they collect from you if you
interact with them.
## To Make it Short
I have no interest in collecting any more data about you than absolutely
necessary, and the data I do have to collect I treat with the utmost respect
for your privacy. This includes measures such as:
* Sparse data collection.
* Regular pruning of collected data.
* Encryption.
* No sharing data with third parties whatsoever, except when its necessary
to provide the services you use.
* No inclusion of third-party assets like externally hosted CAPTCHA or
analytics solutions.
You can always reach out to me to ask questions about the handling of your
personal data and to make use of your rights laid out in the EU General Data
Protection Regulation (GDPR). Please direct those requests at privacy@mart-w.de.
## What Data Is Collected?
### Logging
When you use the services provided by me, some of your actions will be temporarily
recorded in log files together with basic, but nevertheless personally identifiable
information, such as your IP address or username. Examples of events being logged
might be:
* You making a request against one of my webservers, in which case your IP will
be stored together with the exact time and date of your request and the requested
resource.
* You performing an action on one of my services, for example playing media,
changing sensitive settings, or trying to access resources you are not allowed to
access. In those cases a user ID that is directly linkable to you may be stored,
together with information about the event that took place.
It is in my legitimate interest to record this logging data in order to detect
and mitigate security risks, prevent abuse of my services, and identify issues
affecting the functionality of my services. I do reserve the right to use
automated tools to detect anomalies in the log data. However, those logs will
never be reviewed manually for any other reason than the ones I just provided.
In some cases, there can be a legitimate interest or even a legal obligation to
keep log files for an extended amount of time, for example during investigations
by national authorities or in the aftermath of a cybersecurity incident. In all
other cases, log files will be deleted automatically **after 7 days at the latest.
Due to technical limitations, some of the log files are stored unencrypted until
they are deleted.
## Identity Data
My services make use of a central Identity Provider (IDP), which manages your
access to the various services and provides identity information to them in case
this is necessary. When you create an account, the following data about you will
be stored:
* Your username.
* Your display name.
* Your email address.
* A unique identifier (UUID) linked to your account.
* Which groups youre being assigned to, and, by proxy, your access rights across
my different services.
* Information about your active sessions.
* Your chosen login credentials in an undecryptably encrypted format.
Optionally, you can provide the IDP with additional profile information which
will be stored alongside your other information. This includes data such as:
* Your legal name.
* Your pronouns.
* Your profile picture.
The purpose for the collection of this data is to provide a secure and consistent
login solution and to keep your profile information up-to-date across all connected
services. For that reason, this data will be retained **indefinitely** unless you
request deletion of your account and thus also forfeit your access to my other
services.
## Application-Specific Data
Using your IDP account or even by other means, you can access a variety of
different services. In general, those services will not store any data about
you until you log into them for the first time. One exception to this rule
are services that employ federation mechanisms in order to interface with other
similar services. In those cases, it might be that you interact with my services
indirectly through another service youre signed up to.
### Jellyfin
Jellyfin is a media server. If you decide to make use of this service, it will
store the following information about you:
* Profile information, including:
* Your username.
* Your unique user ID.
* What libraries you may access.
* Whether you have administrative rights.
* Optionally your profile picture.
* Your watch, read, and listen history.
* Any playlists you create.
The mentioned profile information will largely be provided by the IDP and thus
mirror your information stored there. All information connected to your Jellyfin
account is required to provide the service, and will be retained **indefinitely**
unless you request your account to be deleted.
### Forgejo
Forgejo ist a Git forge, i.e. a platform that can be used to store and manage
version-controlled projects and collaborate on them. If you decide to make use
of this service, it will store the following information about you:
* Profile information, including:
* Your username.
* Your email address.
* What groups and organisations you belong to.
* What resources you have access to.
* Whether you have administrative rights.
* Optionally:
* Your legal name.
* Your biography text.
* Your website's URL.
* Your location.
* Your profile picture.
* Any additional information you choose to add to your account.
* Your repositories and all data stored in them.
* Your contributions to other repositories.
* A log of all interactions you have made with your own or other repositories.
The mentioned profile information will largely be provided by the IDP and thus
mirror your information stored there. All information connected to your Forgejo
account is required to provide the service, and will be retained **indefinitely**
unless you request your account to be deleted. Notice that, while I can and will
delete your own repositories together with your account, **your contributions to
other projects cannot be removed and will be retained indefinitely.** This is
necessary due to the way Git functions.
#### Federation
Forgejo supports a feature called federation, which lets you contribute to
projects hosted on different Git forges and also lets users from those forges
contribute to your projects. If you are a user of my Forgejo instance, this means
that some of your data can be shared with other forges in order to facilitate
this cross-instance collaboration. There is currently no way for you to opt out
of this. If you do not consent to your data being shared in that manner, you
cannot use my Forgejo instance at this point.
The federation feature also implies that your data can end up stored on my forge
even if you dont have an account on it, by means of collaborating on projects
hosted on my instance through an account you have on another instance. Again, as
noted earlier, those contributions cannot be removed due to the inner workings
of Git. If you do not consent to your data being shared with and stored on my
instance, please get into contact with the administrator of your instance, as it
is their responsibility to manage federation on their instance and inform their
users adequately about their data being shared.
### Matrix
Matrix is a federated chat application. You cannot currently join my Matrix
instance as a user. However, similar to the case with Forgejo, the fact that
Matrix employs federation means that data related to you can end up processed
and stored on my instance. This can include, but is not limited to:
* Your user ID.
* Your unencrypted messages, if you dont use encryption and either text me or
are a member of a chat group that I am also a part of.
* Your encrypted messages, if you use encryption and either text me or are a
member of a chat group that I am also a part of.
* Metadata such as timestamps of your messages and what groups you are a member of.
If you do not consent to me storing and processing your data, please reach out
to the administrator of your instance, as it is their responsibility to manage
federation on their instance and inform their users adequately about their data
being shared. Sadly, due to the way Matrix works on a technical level, I cannot
delete your data after it has been shared with my instance and it will be
retained **indefinitely.**
## How Is Your Data Stored?
Your data is stored securely and, as far as technically possible, encrypted
on my own servers at home in Darmstadt, Germany. The applicable data retention
periods depend on both the kind of data and the service it is linked to.
Therefore, you can find information on that in the chapters relevant to the
respective services.
### Backups
Please keep in mind that, to ensure recovery after disasters, cybersecurity
incidents, data loss due to human error or other other events, regular backups
of all stored data (except for most logs) are made and sent off-site for safe
keeping. All such backups are securely encrypted so that nobody except for me
is able to access the data. However, as a consequence of those backups existing,
it may happen that data is retained in this encrypted state for **up to one year**
after it has been superficially deleted from the live servers.
## Marketing
Your personal information is not used for any kinds of marketing purposes.
## Cookies
Cookies are text files placed on your computer to collect standard Internet
log information and visitor behavior information. When you visit my websites,
I may collect information from you automatically through cookies or similar technology.
For further information, visit https://allaboutcookies.org/.
### How Are Cookies Used?
On my services, the use of cookies is reserved only to keep session information
(i.e. keep you logged in) and to enhance the security of my services. Therefore,
all cookies that your web browser will receive from my web services are integral
to their functionality and cannot be avoided.
### How to Manage Cookies
You can set your browser not to accept cookies, and the above website tells you
how to remove cookies from your browser. However, in a few cases, some of our
website features may not function as a result.
## Your Rights
Under the GDPR, you are entitled to the following:
The right to access
: You have the right to request a copy of your personal data.
The right to rectification
: You have the right to request that I correct any information you believe is
inaccurate. You also have the right to request that I complete the information
you believe is incomplete.
The right to erasure
: You have the right to request that I erase your peronal data, under certain
conditions.
The right to restrict processing
: You have the right to request that I restrict the processing of your personal
data, under certain conditions.
The right to object to processing
: You have the right to object to my processing of your personal data, under
certain conditions.
The right to data portability
: You have the right to request that I transfer the data that I have collected
to another organisation, or directly to your, under certain conditions.
If you make a request, I have one month to respond to you.
## Privacy Policies of Other Websites
My websites contain links to other websites. This privacy policy applies only to
my websites, so if you click on a link to another website, you should read their
privacy policy.
## Changes to This Privacy Policy
This privacy policy is under regular review and any updates will be placed on
this web page. This privacy policy was last updated on the 13th February, 2024.
## How to Contact Me
If you have any questions about this privacy policy, the data I hold on you, or
you would like to exercise one of your data protection rights, please get in
touch with me. Either email me at privacy@mart-w.de or write to me at:
Martin Wurm
c/o Chaos Computer Club Darmstadt e. V.
Wilhelminenstraße 17
64283 Darmstadt