Consumer Rights Wiki:Privacy policy: Difference between revisions

(2 intermediate revisions by the same user not shown)

Line 40:

* '''Username''' - Stored indefinitely, or until account deletion request

* '''Email address''' - Stored indefinitely, or until account deletion request

* '''Hashed password''' - Stored indefinitely, or until account deletion request

* '''Hashed and salted password''' - Stored indefinitely, or until account deletion request

===3.2 Contribution Data===

Line 78:

! Justification

|-

| Account data (username, email, password)

| Account data (username, email, hashed and salted password)

| Indefinitely until deletion request

| Necessary to perform contract

Line 132:

==5. International Data Transfers==

Our servers are hosted by Hetzner ~~and DigitalOcean~~ in the United States. This constitutes an international data transfer from the EU/EEA. We ensure appropriate safeguards through:

Our servers are hosted by Hetzner in the United States. This constitutes an international data transfer from the EU/EEA. We ensure appropriate safeguards through:

* '''EU-US Data Privacy Framework''': Our hosting providers participate in the EU-US Data Privacy Framework, ensuring adequate protection for your personal data

Line 178:

|-

| '''Hetzner'''

| Server infrastructure, web application data

| Server infrastructure, web application data, user data, backups

| US/EU

| Primary hosting infrastructure

|-

~~| '''DigitalOcean'''~~

~~| Database (all user accounts, contributions), file storage, system backups~~

~~| USA~~

~~| Database hosting, storage, backup services~~

|-

| '''CloudFlare'''

Line 220:

Line 215:

Our website infrastructure and web application are hosted on servers provided by Hetzner.

Processed data categories: Web application data, server infrastructure data, technical connection data (IP address, date, time, requested page, browser information), server configuration and usage metrics, network traffic data~~. Note that primary user data and databases are stored with DigitalOcean~~.

Processed data categories: Web application data, server infrastructure data, technical connection data (IP address, date, time, requested page, browser information), server configuration and usage metrics, network traffic data.

Purpose of processing: provision of hosting infrastructure for the web application, ensuring system availability and performance.

Line 234:

Line 229:

Please read Hetzner's [https://www.hetzner.com/legal/privacy-policy full privacy policy] for more information.

====7.1.3 ~~Privacy statement for the service DigitalOcean====~~

====7.1.3 Privacy statement for the service CloudFlare====

~~Our primary database, file storage, and backup services are provided by DigitalOcean. All user accounts, contribution data, and system backups are stored on DigitalOcean infrastructure.~~

Processed data categories: All user account data (usernames, emails, hashed passwords), complete contribution history and edit data, uploaded files and media, database queries and storage, full system backups (daily and monthly), server usage metrics, processor and memory usage data, storage capacity data.

Purpose of processing: primary database hosting for all user data, file and media storage, automated backup services for disaster recovery, and related services necessary for website operation and data persistence.

~~The legal basis for processing: a legitimate interest that overrides the rights and freedoms of the data subject (Art. 6 (1) f GDPR).~~

~~Legitimate interests: strong economic interest in reliable and functioning operation of the database systems, data persistence, and backup infrastructure.~~

~~Data are transmitted: to the data processor DigitalOcean Holdings, Inc., 101 6th Ave, New York, NY 10013, USA (https://www.digitalocean.com).~~

This may also mean a transfer of personal data to a country outside the European Union. The data are transferred to the USA on the basis of Art. 45 GDPR in conjunction with the European Commission's adequacy decision C(2023) 4745, since the data recipient has committed to comply with the data processing principles of the Data Privacy Framework (DPF).

~~Please read DigitalOcean's [https://www.digitalocean.com/legal/privacy-policy full privacy policy] for more information.~~

~~====7.1.4~~ Privacy statement for the service CloudFlare====

Our website uses CloudFlare services for content delivery, security, and performance optimization. CloudFlare processes analytics and security-related data, but does not have access to user account data or personal information stored in our databases.

Line 276:

Line 253:

We implement appropriate technical and organizational measures to protect personal data, including:

* ~~Encryption~~ of passwords

* Hashing and salting of passwords

* Regular security updates

* Access controls and authentication

@@ Line 40: / Line 40: @@
 * '''Username''' - Stored indefinitely, or until account deletion request
 * '''Email address''' - Stored indefinitely, or until account deletion request
-* '''Hashed password''' - Stored indefinitely, or until account deletion request
+* '''Hashed and salted password''' - Stored indefinitely, or until account deletion request
 ===3.2 Contribution Data===
@@ Line 78: / Line 78: @@
 ! Justification
 |-
-| Account data (username, email, password)
+| Account data (username, email, hashed and salted password)
 | Indefinitely until deletion request
 | Necessary to perform contract
@@ Line 132: / Line 132: @@
 ==5. International Data Transfers==
-Our servers are hosted by Hetzner and DigitalOcean in the United States. This constitutes an international data transfer from the EU/EEA. We ensure appropriate safeguards through:
+Our servers are hosted by Hetzner in the United States. This constitutes an international data transfer from the EU/EEA. We ensure appropriate safeguards through:
 * '''EU-US Data Privacy Framework''': Our hosting providers participate in the EU-US Data Privacy Framework, ensuring adequate protection for your personal data
@@ Line 178: / Line 178: @@
 |-
 | '''Hetzner'''
-| Server infrastructure, web application data
+| Server infrastructure, web application data, user data, backups
 | US/EU
 | Primary hosting infrastructure
-|-
-| '''DigitalOcean'''
-| Database (all user accounts, contributions), file storage, system backups
-| USA
-| Database hosting, storage, backup services
 |-
 | '''CloudFlare'''
@@ Line 220: / Line 215: @@
 Our website infrastructure and web application are hosted on servers provided by Hetzner.
-Processed data categories: Web application data, server infrastructure data, technical connection data (IP address, date, time, requested page, browser information), server configuration and usage metrics, network traffic data. Note that primary user data and databases are stored with DigitalOcean.
+Processed data categories: Web application data, server infrastructure data, technical connection data (IP address, date, time, requested page, browser information), server configuration and usage metrics, network traffic data.
 Purpose of processing: provision of hosting infrastructure for the web application, ensuring system availability and performance.
@@ Line 234: / Line 229: @@
 Please read Hetzner's [https://www.hetzner.com/legal/privacy-policy full privacy policy] for more information.
-====7.1.3 Privacy statement for the service DigitalOcean====
+====7.1.3 Privacy statement for the service CloudFlare====
-Our primary database, file storage, and backup services are provided by DigitalOcean. All user accounts, contribution data, and system backups are stored on DigitalOcean infrastructure.
-Processed data categories: All user account data (usernames, emails, hashed passwords), complete contribution history and edit data, uploaded files and media, database queries and storage, full system backups (daily and monthly), server usage metrics, processor and memory usage data, storage capacity data.
-Purpose of processing: primary database hosting for all user data, file and media storage, automated backup services for disaster recovery, and related services necessary for website operation and data persistence.
-The legal basis for processing: a legitimate interest that overrides the rights and freedoms of the data subject (Art. 6 (1) f GDPR).
-Legitimate interests: strong economic interest in reliable and functioning operation of the database systems, data persistence, and backup infrastructure.
-Data are transmitted: to the data processor DigitalOcean Holdings, Inc., 101 6th Ave, New York, NY 10013, USA (https://www.digitalocean.com).
-This may also mean a transfer of personal data to a country outside the European Union. The data are transferred to the USA on the basis of Art. 45 GDPR in conjunction with the European Commission's adequacy decision C(2023) 4745, since the data recipient has committed to comply with the data processing principles of the Data Privacy Framework (DPF).
-Please read DigitalOcean's [https://www.digitalocean.com/legal/privacy-policy full privacy policy] for more information.
-====7.1.4 Privacy statement for the service CloudFlare====
 Our website uses CloudFlare services for content delivery, security, and performance optimization. CloudFlare processes analytics and security-related data, but does not have access to user account data or personal information stored in our databases.
@@ Line 276: / Line 253: @@
 We implement appropriate technical and organizational measures to protect personal data, including:
-* Encryption of passwords
+* Hashing and salting of passwords
 * Regular security updates
 * Access controls and authentication