Consumer Rights Wiki:Privacy policy: Difference between revisions

Updated privacy policy (major rework)
No edit summary
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
__NOTOC__
__NOTOC__
==Consumer Rights Wiki Privacy Policy==
==Consumer Rights Wiki Privacy Policy==
Last Updated: Jan 20, 2026
Last Updated: January 20, 2026


This Privacy Policy explains how the Consumer Rights Wiki ("CRW," "we," "us," or "our"), our service providers, and our partners, collect, use, share, and protect Personally Identifying Information (PII), and other data, in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
This Privacy Policy explains how the Consumer Rights Wiki ("CRW," "we," "us," or "our"), our service providers, and our partners, collect, use, share, and protect Personally Identifying Information (PII), and other data, in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Line 8: Line 8:
The data controller responsible for your personal data is:
The data controller responsible for your personal data is:


**FULU Foundation**  
'''FULU Foundation'''  
Fulu Foundation, Austin, Texas 78705
Fulu Foundation, Austin, Texas 78705
Line 15: Line 15:
We process personal data based on the following legal grounds under Article 6 of the GDPR:
We process personal data based on the following legal grounds under Article 6 of the GDPR:


===Contract (Article 6(1)(b))===
'''Contract (Article 6(1)(b))'''
Data used for:
Data used for:
* Account registration and management
* Account registration and management
Line 21: Line 21:
* Enabling wiki contributions and editing
* Enabling wiki contributions and editing


===Legitimate Interests (Article 6(1)(f))===
'''Legitimate Interests (Article 6(1)(f))'''
Data used for:
Data used for:
* IP address processing for security and anti-spam protection
* IP address processing for security and anti-spam protection
Line 28: Line 28:
* Prevention of abuse and vandalism
* Prevention of abuse and vandalism


==2.1 Data Minimization==
===2.1 Data Minimization===
We adhere to the principle of data minimization, collecting only the personal data that is necessary for the specific purposes outlined in this policy. We do not collect excessive or irrelevant data.
We adhere to the principle of data minimization, collecting only the personal data that is necessary for the specific purposes outlined in this policy. We do not collect excessive or irrelevant data.


==2.2 Special Categories of Data==
===2.2 Special Categories of Data===
We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If such data is inadvertently collected through user-generated content, it is not processed by us for any purpose.
We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If such data is inadvertently collected through user-generated content, it is not processed by us for any purpose.


Line 38: Line 38:
===3.1 Account Information===
===3.1 Account Information===
When you create an account, we collect:
When you create an account, we collect:
* **Username** - Stored indefinitely, or until account deletion request
* '''Username''' - Stored indefinitely, or until account deletion request
* **Email address** - Stored indefinitely, or until account deletion request
* '''Email address''' - Stored indefinitely, or until account deletion request
* **Hashed password** - Stored indefinitely, or until account deletion request
* '''Hashed and salted password''' - Stored indefinitely, or until account deletion request


===3.2 Contribution Data===
===3.2 Contribution Data===
* **Edit history and contributions** - Stored indefinitely as necessary for wiki functionality and attribution under legitimate interest
* '''Edit history and contributions''' - Stored indefinitely as necessary for wiki functionality and attribution under legitimate interest
* **Timestamps of edits** - Stored indefinitely as part of contribution history
* '''Timestamps of edits''' - Stored indefinitely as part of contribution history
* **Discussion posts and comments** - Stored indefinitely as part of wiki content
* '''Discussion posts and comments''' - Stored indefinitely as part of wiki content


===3.3 Technical Data===
===3.3 Technical Data===
* **IP addresses** - Stored in server logs and backups for 90 days for security purposes, and indefinitely in edit history for attribution and anti-vandalism purposes
* '''IP addresses''' - Stored in server logs and backups for 90 days for security purposes, and indefinitely in edit history for attribution and anti-vandalism purposes
* **Browser type and version** - Processed temporarily for technical compatibility and for generation of anonymized analytics
* '''Browser type and version''' - Processed temporarily for technical compatibility and for generation of anonymized analytics
* **Device information** - Processed temporarily for technical compatibility and for generation of anonymized analytics
* '''Device information''' - Processed temporarily for technical compatibility and for generation of anonymized analytics


===3.4 Analytics Data (via Plausible Analytics)===
===3.4 Analytics Data (via Plausible Analytics)===
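Review bot: The IP addresses bullet in 3.3 still gives 90 days for server logs and backups, carried over by this revision with only the bold markup changed, while the 4.1 table gives 30 days for IP addresses in server logs and the 4.2 table gives 30 days rolling for server logs, 7 days for daily backups and 6 months for monthly backups. Give one retention figure per store and make 3.3 agree with the tables, for example by splitting the bullet into separate entries for logs and for backups.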
Line 59: Line 59:
* Device type and browser information
* Device type and browser information


**Important**: Plausible does not use cookies or persistent identifiers, or create profiles. All data is aggregated and anonymous.
'''Important''': Plausible does not use cookies or persistent identifiers, or create profiles. All data is aggregated and anonymous.


===3.5 Security Services===
===3.5 Security Services===
**hCaptcha** processes the following when you interact with protected forms:
'''hCaptcha''' processes the following when you interact with protected forms:
* Technical connection data (IP address, timestamp)
* Technical connection data (IP address, timestamp)
* Interaction data with the captcha interface
* Interaction data with the captcha interface
'''CloudFlare''' processes the following when you connect to the site:
* Technical connection data (Traffic routing data, HTTP request metadata)


==4. Data Retention and Backup Schedule==
==4. Data Retention and Backup Schedule==


===4.1 Primary Data Retention===
===4.1 Primary Data Retention===
 
{| class="wikitable"
| Data Type | Retention Period | Justification |
|-
|-----------|------------------|---------------|
! Data Type
| Account data (username, email, password) | Indefinitely until deletion request | Necessary to perform contract |
! Retention Period
| Contribution history | Indefinitely | Legitimate interest in maintaining wiki integrity and attribution |
! Justification
| IP addresses in server logs | 30 days | Security and anti-abuse purposes |
|-
| IP addresses in edit history | Indefinitely until deletion request | Attribution and anti-vandalism |
| Account data (username, email, hashed and salted password)
| Analytics data (aggregated) | Indefinitely | Legitimate interest in service improvement |
| Indefinitely until deletion request
| Necessary to perform contract
|-
| Contribution history
| Indefinitely
| Legitimate interest in maintaining wiki integrity and attribution
|-
| IP addresses in server logs
| 30 days
| Security and anti-abuse purposes
|-
| IP addresses in edit history
| Indefinitely until deletion request
| Attribution and anti-vandalism
|-
| Analytics data (aggregated)
| Indefinitely
| Legitimate interest in service improvement
|}


===4.2 Backup and Recovery Schedule===
===4.2 Backup and Recovery Schedule===


| Backup Type | Frequency | Retention Period | Data Included |
{| class="wikitable"
|-------------|-----------|------------------|---------------|
|-
| Daily backups | Every 24 hours | 7 days | Full database, user accounts, contribution history, configuration |
! Backup Type
| Monthly backups | 1st of each month | 6 months | Full database, user accounts, contribution history, configuration |
! Frequency
| Server logs | Continuous | 30 days rolling | Access logs, error logs, security logs |
! Retention Period
! Data Included
|-
| Daily backups
| Every 24 hours
| 7 days
| Full database, user accounts, contribution history, configuration
|-
| Monthly backups
| 1st of each month
| 6 months
| Full database, user accounts, contribution history, configuration
|-
| Server logs
| Continuous
| 30 days rolling
| Access logs, error logs, security logs
|}


**Important Notes on Backups:**
'''Important Notes on Backups:'''
* All backups are fully encrypted
* All backups are fully encrypted
* Deleted data may persist in backups until the backup retention period expires
* Deleted data may persist in backups until the backup retention period expires
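Review bot: The 4.1 rows that end at "Indefinitely until deletion request" (account data, IP addresses in edit history) do not mention that the same data sits in the 4.2 backups, where monthly backups of the full database are kept for 6 months. The backup note in the lines shown only says deleted data "may persist" until the backup retention period expires; stating the upper bound in 4.1 itself (deletion request plus up to 6 months in backups) would let a reader see the real end of retention without combining two tables.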
Line 94: Line 132:
==5. International Data Transfers==
==5. International Data Transfers==


Our servers are hosted by Hetzner and DigitalOcean in the United States. This constitutes an international data transfer from the EU/EEA. We ensure appropriate safeguards through:
Our servers are hosted by Hetzner in the United States. This constitutes an international data transfer from the EU/EEA. We ensure appropriate safeguards through:


* **EU-US Data Privacy Framework**: Our hosting providers participate in the EU-US Data Privacy Framework, ensuring adequate protection for your personal data
* '''EU-US Data Privacy Framework''': Our hosting providers participate in the EU-US Data Privacy Framework, ensuring adequate protection for your personal data
* **hCaptcha transfers**: Data may be transferred to Intuition Machines, Inc. in the USA under the EU-US Data Privacy Framework (European Commission adequacy decision C(2023) 4745)
* '''hCaptcha transfers''': Data may be transferred to Intuition Machines, Inc. in the USA under the EU-US Data Privacy Framework (European Commission adequacy decision C(2023) 4745)


==6. Your Rights Under GDPR==
==6. Your Rights Under GDPR==
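Review bot: After DigitalOcean is dropped from the hosting sentence in section 5, the first bullet still reads "Our hosting providers participate" in the plural, and the sentence places Hetzner "in the United States" while the 7.1 table in the new revision lists Hetzner's location as US/EU. Make the bullet singular and align the stated hosting location between section 5 and the 7.1 table. CloudFlare is listed in 7.1 with location USA but has no bullet in this transfer list next to hCaptcha; add one if the same adequacy basis applies.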
Line 132: Line 170:
===7.1 Service Providers (Data Processors)===
===7.1 Service Providers (Data Processors)===


| Service Provider | Data Types Processed | Location | Purpose |
{| class="wikitable"
|-----------------|---------------------|----------|----------|
|-
| **Hetzner** | Server infrastructure, web application data | US/EU | Primary hosting infrastructure |
! Service Provider
| **DigitalOcean** | Database (all user accounts, contributions), file storage, system backups | USA | Database hosting, storage, backup services |
! Data Types Processed
| **CloudFlare** | Analytics data, traffic patterns, security logs, attack mitigation data | USA | DDoS protection, CDN, security analytics |
! Location
| **hCaptcha** | IP addresses, interaction data | USA | Spam prevention |
! Purpose
|-
| '''Hetzner'''
| Server infrastructure, web application data, user data, backups
| US/EU
| Primary hosting infrastructure
|-
| '''CloudFlare'''
| Analytics data, traffic patterns, security logs, attack mitigation data
| USA
| DDoS protection, CDN, security analytics
|-
| '''hCaptcha'''
| IP addresses, interaction data
| USA
| Spam prevention
|}


====7.1.1 Privacy statement for the service hCaptcha====
====7.1.1 Privacy statement for the service hCaptcha====
Line 161: Line 215:
Our website infrastructure and web application are hosted on servers provided by Hetzner.  
Our website infrastructure and web application are hosted on servers provided by Hetzner.  


Processed data categories: Web application data, server infrastructure data, technical connection data (IP address, date, time, requested page, browser information), server configuration and usage metrics, network traffic data. Note that primary user data and databases are stored with DigitalOcean.
Processed data categories: Web application data, server infrastructure data, technical connection data (IP address, date, time, requested page, browser information), server configuration and usage metrics, network traffic data.  


Purpose of processing: provision of hosting infrastructure for the web application, ensuring system availability and performance.
Purpose of processing: provision of hosting infrastructure for the web application, ensuring system availability and performance.
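Review bot: Removing the sentence about DigitalOcean from the processed data categories in 7.1.2 leaves the Hetzner statement listing only web application, infrastructure, connection and traffic data, while the revised 7.1 table row for Hetzner now reads "Server infrastructure, web application data, user data, backups". The categories that the removed 7.1.3 DigitalOcean statement enumerated (account data, contribution history, uploaded files, daily and monthly backups) should be added to this paragraph, and the purpose line below it should cover database hosting and backup storage, so the statement matches what the table says Hetzner processes.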
Line 175: Line 229:
Please read Hetzner's [https://www.hetzner.com/legal/privacy-policy full privacy policy] for more information.
Please read Hetzner's [https://www.hetzner.com/legal/privacy-policy full privacy policy] for more information.


====7.1.3 Privacy statement for the service DigitalOcean====
====7.1.3 Privacy statement for the service CloudFlare====
 
Our primary database, file storage, and backup services are provided by DigitalOcean. All user accounts, contribution data, and system backups are stored on DigitalOcean infrastructure.
 
Processed data categories: All user account data (usernames, emails, hashed passwords), complete contribution history and edit data, uploaded files and media, database queries and storage, full system backups (daily and monthly), server usage metrics, processor and memory usage data, storage capacity data.
 
Purpose of processing: primary database hosting for all user data, file and media storage, automated backup services for disaster recovery, and related services necessary for website operation and data persistence.
 
The legal basis for processing: a legitimate interest that overrides the rights and freedoms of the data subject (Art. 6 (1) f GDPR).
 
Legitimate interests: strong economic interest in reliable and functioning operation of the database systems, data persistence, and backup infrastructure.
 
Data are transmitted: to the data processor DigitalOcean Holdings, Inc., 101 6th Ave, New York, NY 10013, USA (https://www.digitalocean.com).
 
This may also mean a transfer of personal data to a country outside the European Union. The data are transferred to the USA on the basis of Art. 45 GDPR in conjunction with the European Commission's adequacy decision C(2023) 4745, since the data recipient has committed to comply with the data processing principles of the Data Privacy Framework (DPF).
 
Please read DigitalOcean's [https://www.digitalocean.com/legal/privacy-policy full privacy policy] for more information.
 
====7.1.4 Privacy statement for the service CloudFlare====


Our website uses CloudFlare services for content delivery, security, and performance optimization. CloudFlare processes analytics and security-related data, but does not have access to user account data or personal information stored in our databases.
Our website uses CloudFlare services for content delivery, security, and performance optimization. CloudFlare processes analytics and security-related data, but does not have access to user account data or personal information stored in our databases.
Line 217: Line 253:


We implement appropriate technical and organizational measures to protect personal data, including:
We implement appropriate technical and organizational measures to protect personal data, including:
* Encryption of passwords
* Hashing and salting of passwords
* Regular security updates
* Regular security updates
* Access controls and authentication
* Access controls and authentication
Line 256: Line 292:
For any questions about this Privacy Policy or our data practices, please contact:
For any questions about this Privacy Policy or our data practices, please contact:


**Data Protection Contact**  
'''Data Protection Contact'''  
Email: [email protected]   
Email: [email protected]   
FULU Foundation   
FULU Foundation