brokentech.cloud/content/privacy.md

12 KiB
Raw Permalink Blame History

+++ title = 'Privacy Policy' date = 2024-02-13T07:45:42+01:00 +++

The website that brought you here is part of the Broken Tech Cloud family of websites hosted by me, mart-w privacy@mart-w.de. This privacy policy explains how those websites collect the personal data they collect from you if you interact with them.

To Make it Short

I have no interest in collecting any more data about you than absolutely necessary, and the data I do have to collect I treat with the utmost respect for your privacy. This includes measures such as:

  • Sparse data collection.
  • Regular pruning of collected data.
  • Encryption.
  • No sharing data with third parties whatsoever, except when its necessary to provide the services you use.
  • No inclusion of third-party assets like externally hosted CAPTCHA or analytics solutions.

You can always reach out to me to ask questions about the handling of your personal data and to make use of your rights laid out in the EU General Data Protection Regulation (GDPR). Please direct those requests at privacy@mart-w.de.

What Data Is Collected?

Logging

When you use the services provided by me, some of your actions will be temporarily recorded in log files together with basic, but nevertheless personally identifiable information, such as your IP address or username. Examples of events being logged might be:

  • You making a request against one of my webservers, in which case your IP will be stored together with the exact time and date of your request and the requested resource.
  • You performing an action on one of my services, for example playing media, changing sensitive settings, or trying to access resources you are not allowed to access. In those cases a user ID that is directly linkable to you may be stored, together with information about the event that took place.

It is in my legitimate interest to record this logging data in order to detect and mitigate security risks, prevent abuse of my services, and identify issues affecting the functionality of my services. I do reserve the right to use automated tools to detect anomalies in the log data. However, those logs will never be reviewed manually for any other reason than the ones I just provided.

In some cases, there can be a legitimate interest or even a legal obligation to keep log files for an extended amount of time, for example during investigations by national authorities or in the aftermath of a cybersecurity incident. In all other cases, log files will be deleted automatically **after 7 days at the latest. Due to technical limitations, some of the log files are stored unencrypted until they are deleted.

Identity Data

My services make use of a central Identity Provider (IDP), which manages your access to the various services and provides identity information to them in case this is necessary. When you create an account, the following data about you will be stored:

  • Your username.
  • Your display name.
  • Your email address.
  • A unique identifier (UUID) linked to your account.
  • Which groups youre being assigned to, and, by proxy, your access rights across my different services.
  • Information about your active sessions.
  • Your chosen login credentials in an undecryptably encrypted format.

Optionally, you can provide the IDP with additional profile information which will be stored alongside your other information. This includes data such as:

  • Your legal name.
  • Your pronouns.
  • Your profile picture.

The purpose for the collection of this data is to provide a secure and consistent login solution and to keep your profile information up-to-date across all connected services. For that reason, this data will be retained indefinitely unless you request deletion of your account and thus also forfeit your access to my other services.

Application-Specific Data

Using your IDP account or even by other means, you can access a variety of different services. In general, those services will not store any data about you until you log into them for the first time. One exception to this rule are services that employ federation mechanisms in order to interface with other similar services. In those cases, it might be that you interact with my services indirectly through another service youre signed up to.

Jellyfin

Jellyfin is a media server. If you decide to make use of this service, it will store the following information about you:

  • Profile information, including:
    • Your username.
    • Your unique user ID.
    • What libraries you may access.
    • Whether you have administrative rights.
    • Optionally your profile picture.
  • Your watch, read, and listen history.
  • Any playlists you create.

The mentioned profile information will largely be provided by the IDP and thus mirror your information stored there. All information connected to your Jellyfin account is required to provide the service, and will be retained indefinitely unless you request your account to be deleted.

Forgejo

Forgejo ist a Git forge, i.e. a platform that can be used to store and manage version-controlled projects and collaborate on them. If you decide to make use of this service, it will store the following information about you:

  • Profile information, including:
    • Your username.
    • Your email address.
    • What groups and organisations you belong to.
    • What resources you have access to.
    • Whether you have administrative rights.
    • Optionally:
      • Your legal name.
      • Your biography text.
      • Your website's URL.
      • Your location.
      • Your profile picture.
      • Any additional information you choose to add to your account.
  • Your repositories and all data stored in them.
  • Your contributions to other repositories.
  • A log of all interactions you have made with your own or other repositories.

The mentioned profile information will largely be provided by the IDP and thus mirror your information stored there. All information connected to your Forgejo account is required to provide the service, and will be retained indefinitely unless you request your account to be deleted. Notice that, while I can and will delete your own repositories together with your account, your contributions to other projects cannot be removed and will be retained indefinitely. This is necessary due to the way Git functions.

Federation

Forgejo supports a feature called federation, which lets you contribute to projects hosted on different Git forges and also lets users from those forges contribute to your projects. If you are a user of my Forgejo instance, this means that some of your data can be shared with other forges in order to facilitate this cross-instance collaboration. There is currently no way for you to opt out of this. If you do not consent to your data being shared in that manner, you cannot use my Forgejo instance at this point.

The federation feature also implies that your data can end up stored on my forge even if you dont have an account on it, by means of collaborating on projects hosted on my instance through an account you have on another instance. Again, as noted earlier, those contributions cannot be removed due to the inner workings of Git. If you do not consent to your data being shared with and stored on my instance, please get into contact with the administrator of your instance, as it is their responsibility to manage federation on their instance and inform their users adequately about their data being shared.

Matrix

Matrix is a federated chat application. You cannot currently join my Matrix instance as a user. However, similar to the case with Forgejo, the fact that Matrix employs federation means that data related to you can end up processed and stored on my instance. This can include, but is not limited to:

  • Your user ID.
  • Your unencrypted messages, if you dont use encryption and either text me or are a member of a chat group that I am also a part of.
  • Your encrypted messages, if you use encryption and either text me or are a member of a chat group that I am also a part of.
  • Metadata such as timestamps of your messages and what groups you are a member of.

If you do not consent to me storing and processing your data, please reach out to the administrator of your instance, as it is their responsibility to manage federation on their instance and inform their users adequately about their data being shared. Sadly, due to the way Matrix works on a technical level, I cannot delete your data after it has been shared with my instance and it will be retained indefinitely.

How Is Your Data Stored?

Your data is stored securely and, as far as technically possible, encrypted on my own servers at home in Darmstadt, Germany. The applicable data retention periods depend on both the kind of data and the service it is linked to. Therefore, you can find information on that in the chapters relevant to the respective services.

Backups

Please keep in mind that, to ensure recovery after disasters, cybersecurity incidents, data loss due to human error or other other events, regular backups of all stored data (except for most logs) are made and sent off-site for safe keeping. All such backups are securely encrypted so that nobody except for me is able to access the data. However, as a consequence of those backups existing, it may happen that data is retained in this encrypted state for up to one year after it has been superficially deleted from the live servers.

Marketing

Your personal information is not used for any kinds of marketing purposes.

Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit my websites, I may collect information from you automatically through cookies or similar technology.

For further information, visit https://allaboutcookies.org/.

How Are Cookies Used?

On my services, the use of cookies is reserved only to keep session information (i.e. keep you logged in) and to enhance the security of my services. Therefore, all cookies that your web browser will receive from my web services are integral to their functionality and cannot be avoided.

How to Manage Cookies

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Your Rights

Under the GDPR, you are entitled to the following:

The right to access
You have the right to request a copy of your personal data.
The right to rectification
You have the right to request that I correct any information you believe is inaccurate. You also have the right to request that I complete the information you believe is incomplete.
The right to erasure
You have the right to request that I erase your peronal data, under certain conditions.
The right to restrict processing
You have the right to request that I restrict the processing of your personal data, under certain conditions.
The right to object to processing
You have the right to object to my processing of your personal data, under certain conditions.
The right to data portability
You have the right to request that I transfer the data that I have collected to another organisation, or directly to your, under certain conditions.

If you make a request, I have one month to respond to you.

Privacy Policies of Other Websites

My websites contain links to other websites. This privacy policy applies only to my websites, so if you click on a link to another website, you should read their privacy policy.

Changes to This Privacy Policy

This privacy policy is under regular review and any updates will be placed on this web page. This privacy policy was last updated on the 13th February, 2024.

How to Contact Me

If you have any questions about this privacy policy, the data I hold on you, or you would like to exercise one of your data protection rights, please get in touch with me. Either email me at privacy@mart-w.de or write to me at:

Martin Wurm
c/o Chaos Computer Club Darmstadt e. V.
Wilhelminenstraße 17
64283 Darmstadt