Onion Information
Privacy Policy | Disroot.org
Privacy Statement - v1.5 - February 2024 - About this document - This document has been originally written in English and is the only version for which Stichting Disroot.org can be held accountable. Any translation of this Privacy Statement...
Onion Details
Page Clicks: 0
First Seen: 04/26/2024
Last Indexed: 10/23/2024
Onion Content
Privacy Statement v1.5 - February 2024 About this document This document has been originally written in English and is the only version for which Stichting Disroot.org can be held accountable. Any translation of this Privacy Statement is a community effort to make the information accessible in other languages and should be taken as such, with no other value than merely informative. Definitions used on this Privacy Statement GDPR : General Data Protection Regulation, EU 2016/679 Data : According to the GDPR , data is any information that can be used to identify a person, either directly (real name, phone number, IP address, etc.) or indirectly (any combination of the aforementioned plus device fingerprints, cookies, etc.). In the specific context of the use of our platform, it is the minimum information required for the proper operation of the services provided by Disroot.org as well as the information the user optionally submits on any of them. Services : the set of different software, protocols and standards used to exchange data between web applications. User or you : any person or third party that access and uses the services provided by Disroot.org . Disroot, Disroot.org, we or us : Stichting Disroot.org Platform : the set of services provided by Disroot.org and that are hosted on our servers. Disroot credentials : they are the username and password created and used by the user to log in to the services provided by us. Federated services : services that operate on the basis of so-called federation protocols which enable users who signed up at different services providers to interact with each other. Examples of these services are Nextcloud , Email , Akkoma and XMPP . Brute-force attack : is a cryptographic attack that consists of submitting many passwords or passphrases, hoping to eventually find the right ones. The Data covered by this Privacy Statement This Privacy Statement applies to all services hosted on Disroot.org and its sub-domains. It does not extend to any websites or web services that can be accessed from our platform including, but not limited to, any federated services and social media websites outside Disroot . Federated services are those that interoperate with each other (exchanging information and services) regardless of the provider (e.g. email or open social networks). These services use protocols that necessarily share or transfer data between different providers and therefore such interactions are outside the scope of this Privacy Statement. It is important to note that sharing data with other services providers is a user’s choice (see 1. What data do we collect? ) and is configured by the users in their services settings, including the decision what to share and with whom. 1. What data do we collect? If a user chooses to use any of the services provided by us, the following data will be required and therefore collected by Disroot.org : A valid email address: required for account creation. This email address is deleted from our database after the account has been approved/denied, unless the user chooses during the registration process, to keep it for password reset process. An username and a password: required to identify the account holder and provide the services offered by Disroot.org . Necessary information related to the operation and functioning of the services which may include, for example, IP address, User Agent, etc. More detailed information about this and how we handle it can be found in the Privacy notices per service . When a user makes an online donation to Disroot.org , we collect personal data such as, but not limited to, username (if any), country (in case of extra storage request for tax purposes), transaction IDs or bank account/reference. The purpose for which we use this data is merely administrative (verification of regular donations, accounting management) and is maintained under the same security measures described in the " How do we store your data? " section. Since all the data we collect is previously processed by a third-party payment processor such as PayPal, Patreon or Liberapay, by using these or similar services, their use of your information is based on their terms of service and policies, not ours, so we encourage you to review those policies carefully. Any additional information that the user chooses to supply while using the services provided by us (whether it is chats, posts, emails, etc.). This additional information is optional and with the user's consent. (For more detailed information, please refer to the Detailed privacy notices per service section below) 1.1. What do we do with your data? Our processing of your information is limited to providing the service. We store logs of your activity for a period no longer than 24 hours (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion and monitor the health of the platform. (Detailed information on Privacy notices per service section) 1.2. How do we store your data? To protect your data we use the following security measures: We use disk encryption on all servers to prevent data leak in case the servers are stolen, confiscated or in any way physically tampered with. We provide and require SSL/TLS encryption on all "user-to-server" and "server-to-server" communications on all provided services. We utilize "end-to-end" and/or "server-side" encryption technologies whenever it is made available by services that allow it to provide maximum security for the users. 1.3. How do we backup your data? In order to allow attempt at recovery from data loss disaster situations, we create backups on remote server owned by Stichting Disroot.org. We backup data on daily basis and store them for period of 4 days. 2. What we do not do with your data We do not collect any other data than what is needed to provide you the service. We do not, in any way, process, analyze your behavior or personal characteristics to create profiles about you or your usage of the services. We have no advertisements or business relationships with advertisers. We do not sell your data to any third party. We do not share your data to any third party unless in case of federated services which requires certain data to be shared in order to operate (e.g. other email service provider needs to know your email address to be able to deliver emails). We do not require any additional information that is not crucial for the operation of the service (we do not ask for phone numbers, private personal data, home address). We do not read/look nor process your personal data, emails, files, etc., stored on our servers unless needed for providing the service, troubleshooting purposes or under suspicion of breaking our Terms Of Services in which case we ask for prior permission from you or inform you afterwards of all actions taken against the account in the transparency report addressed to account holder. 3. Where the data is stored? We store all data in our own servers , located in a data center in the Netherlands . 4. Detailed privacy notices per service 4.1. Disroot Email ( https://webmail.disroot.org ) This service requires login with Disroot credentials. All emails, unless encrypted by the user (with GnuPG/PGP, for example) are stored unencrypted on our servers. IP addresses of currently logged in users via IMAP/POP3 protocols are stored as long as the device is logged in the server (per each device logged in) . Server logs, which store information such as, but not limited to, your username and your IP address, from and to email addresses, IP addresses of servers the emails come in or go out to, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. Given that email works on a federated protocol, when interacting with email addresses hosted on third party servers (e.g. Gmail.com, Posteo.org), data is sent to other independently operated and owned servers in the network over which we have no control. 4.2. Disroot Cloud ( https://cloud.disroot.org ) This service requires login with Disroot credentials. All files sent to the cloud are encrypted with a key-pair created based on the user password to add an extra level of security. Note, however, that the keys are stored on the server, which compromises the level of security to some degree (e.g.: if an attacker knows your password and obtain the encryption key-pair, can decrypt the data). However, no "Master Key" does exist on our setup, which means the Admins cannot decrypt any file stored on the cloud without knowing user's password prior. Excluding the files, everything else (calendars, contacts, news, tasks, bookmarks, etc.) is stored unencrypted in a database, unless an application provides external encryption (none so far). This is a limitation of the software we are utilizing for this service (Nextcloud). Server logs, which store information such as, but not limited to, your IP address, your username, an app currently used, error messages and User Agent, are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. 4.3. Disroot XMPP Chat ( https://webchat.disroot.org ) This service requires login with Disroot credentials. The roster (your XMPP contact list) is stored on the server's database. Chat history is stored on the server in the same form as on the chat itself, meaning unencrypted chat is stored in plain-text and encrypted chat is stored encrypted. Additionally, the chat history, if not specified by the user on per chatroom basis, is stored on the server for a period of 1 month. You can decide to not have any history stored on the server per chat. Server logs, which store information such as, but not limited to, your IP address and your username are stored for a period of 24 hours after which they are deleted from the server. No backup of log files is created. Logs are kept to prevent brute-force attacks on accounts and to provide quick insight when debugging issues. Given that XMPP is a federated protocol, when interacting with users or chat-rooms hosted on third party servers, data is sent to other independently operated and owned servers in the network over which we have no control. Files uploaded to the server are stored as is (plain-text or encrypted) for a period of 1 month. If using Movim , all the articles and comments published by you on our services are stored on the server. Using the Movim configuration panel you can choose to leave the instance. If you do so, all the data related to your XMPP account will be destroyed. 4.4. Disroot Search ( https://search.disroot.org ) This service does not require login or prov