forked from ecoevo-social/docs.ecoevo.social
---
title: Privacy Policy
---
## Data Protection Notice
Last updated: 26/11/2022
### 1. Who we are
ecoevo.social (hereafter "we", "us" or "the service") is a non-profit
[donation-based](https://opencollective.com/ecoevosocial){target="_blank"}
service that provides Mastodon social
media accounts to the ecology and evolution community ("you"). For the
purpose of connecting and interacting with other Mastodon or Fediverse
accounts, ecoevo.social processes personal data from its users and users of
other instances with whom they interact. This data protection notice
describes what kind of personal data we process and on what legal basis, how
long we keep it and why, as well as your rights with respect to your data.
Please do not hesitate to
[contact us via email](mailto:ecoevo.social@gmail.com)
for any question you might have with regard to this
document or the processing of your personal data.
### 2. Data protection summary
We dedicate our Mastodon instance ecoevo.social to the ecology and evolution
community. Our small team in Davis, CA, USA provides the non-profit
[donation-based](https://opencollective.com/ecoevosocial){target="_blank"}
service on a voluntary basis to offer
privacy-friendly micro-blogging accounts that our users typically employ for
networking, socialising and discussing ideas around the subjects
of biological ecology and evolution.
For the purpose of ensuring a secure interaction, the website of
ecoevo.social stores the cookie "_mastodon_session" with an identifier in
the browser of registered and unregistered website visitors until they close
their browser. For registered website visitors, the cookie "_session_id"
stores their login status until logout. Based on user consent, the website
also stores push notification settings in the browser. For security and
debugging purposes, our server logs and stores visitor IP addresses for a
maximum of 90 days (per masto.host terms of service).
After that time, all IP addresses are removed.
ecoevo.social processes profile data in the form of posts (toots),
subscriptions (following), subscribers (follower), content appreciations
(likes) and promotions (boosts) for publication in the context of profile
and post pages. For registered users we process your profile data to deliver
the service. For users of other instances, we store and display public
profile data and rely here on our legitimate interest until they object and
in any case when they delete their post or other data (unsubscribe, unlike,
unboost).
If you contact ecoevo.social via email or a (private) post, we use any
personal data that your message may contain (such as your email address or
name) only to respond to your message. We archive your message for at most
12 months. You are of course free to use a nickname and a pseudonymous email
address. We process messages from our registered users to deliver the
service and rely for users of other instances on their consent. We may also
process messages to comply with our legal obligations.
The following information is provided according to Articles 12, 13 and 14 of the
[GDPR](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC){target="_blank"}.
### 3. Data protection notice
For the purposes of this notice:
**"User"** means the natural person who interacts with
ecoevo.social directly via the website or indirectly via third-party
applications compatible with ActivityPub.
**"Registered user"** means the users with a
Mastodon/ActivityPub profile.
**"Profile data"** means their posts (toots), subscriptions
(following), subscribers (follower), content appreciations (likes) and
promotions (boosts), bookmarks and profile settings.
**"Subscribers"** means the accounts who follow a registered user.
**"Subscriptions"** means the accounts followed by a registered user.
**Scope and purpose of the processing** This data protection
notice applies to the processing of personal data for the provision of the
microblogging service ecoevo.social. It offers information on what personal
data is processed and how it is processed, and on your data subject rights.
**Responsible for the processing** The data controller is
ecoevo.social in its capacity as the provider of the service.
#### Processing of personal data
Personal data processed by ecoevo.social is accessible to its administration
team and, where necessary, to moderators on a need-to-know basis to ensure a
secure operation. User content is published or delivered according to the
user settings. For the provision of the service, ecoevo.social employs the
data processors listed below that process personal data linked to the
service solely on the written instruction from ecoevo.social:
- Server hosting from [masto.host, Leiria, Portugal](https://masto.host){target="_blank"}
- Email notifications delivery from [mailgun, San Antonio, TX, USA](https://www.mailgun.com/){target="_blank"}
- Donations processing from [Open Collective](https://opencollective.com){target="_blank"} together with [Stripe Inc, Ireland](https://stripe.com){target="_blank"}
**(a) Website Visitors**
The ecoevo.social website and APIs process the IP addresses and other
metadata (as specified below) of its visitors. When accessing the service,
an encrypted connection to its web server is established. To display the
content correctly on the visitor's computer or other terminal devices, the
following data is processed in accordance with the HTTP and TCP/IP protocol:
- IP address of the visitor's internet connection
- Operating system and operating system version of the visitor's terminal
- Web browser and browser version
- Date of access to the website
- HTTP cookie "_mastodon_session" (for the duration of the website visit)
This is required for the request, processing, and display of profile data and
other content on the service. After each page visit, some of the data are
stored in the account profile (if logged in) and server logs. These logs
serve the purpose of maintenance and security of the server and personal
data herein is deleted after a maximum of 90 days. Furthermore, the website employs the
cookie "_session_id" to store the login status of registered users until
logout or until a year after the last website visit. The website also stores
the notification settings in the browser. This processing is based on
Article 6 (1) (b) of the GDPR ("processing is necessary for the performance
of a contract"). This includes processing carried out in order to comply
with the necessary technical and organisational protection measures.
**(b) Contributors from third-party services**
ecoevo.social processes personal data when users of third-party services with
ActivityPub support interact with its accounts. To enrich public profile
pages with profile data, the following data is processed in accordance with
the requirements of the ActivityPub protocol:
- IP address of the third-party service
- Name of the user's terminal software
- Display name, account name, and profile picture
- Current date and time
- Profile data
Private messages are not end-to-end encrypted and are therefore in principle
accessible to the ecoevo.social administrators.
This processing is necessary to provide a federated Mastodon instance and
therefore based on Article 6 (1) (f) GDPR ("processing is in our legitimate
interest") with the exception of personal data that is not required such as
the display name and profile picture, the processing of which is based on
Article 6 (1) (a) GDPR ("consent"). ecoevo.social stores profile data from
subscriptions from compatible third-party services until it receives via
that service or directly from the user a request for deletion or objection
(unsubscribe, unlike, unboost).
**(c) Registered users**
ecoevo.social limits registrations to users it assumes to be part of the
ecology and evolution community. ecoevo.social reserves the right to refuse
the provision of the service to any given user for any reason. To set up
accounts and manage them subsequently, the following data from registered
users is processed:
- Display name, account name, profile picture and header image
- Login credentials consisting of an email address
- Account description/biography
- Content (toots), promoted, and appreciated content
- Private messages (sent and received)
- Subscriptions and their recent content
- Logged-in sessions (terminal software, time and date, IP address)
If registered users post profile data, the previous section applies
accordingly. Note that updating subscribers and posting profile data
(including profile mentions) requires disclosure of personal data to the
service of the recipients. Depending on their Mastodon server's geographic
location, the disclosure can possibly involve international data transfers
that are outside of ecoevo.social's control.
The registered user's name and display name, profile picture and header,
description, subscriptions, their own and promoted content, the content of
their subscriptions, as well as their given feedback are published on their
profile page.
This processing is based on Article 6 (1) (b) of the GDPR ("processing is
necessary for the performance of a contract") with the exception of personal
data that is not required such as the display name and profile picture, the
processing of which is based on Article 6 (1) (a) GDPR ("consent"). Profile
data is retained until the account is deleted.
Registered users are responsible for the use of their accounts and their own
compliance with the GDPR as separate controllers when they post personal
data of other people.
**(d) Donations via Open Collective**
Users can make donations for the operation of ecoevo.social via
[Open Collective](https://opencollective.com){target="_blank"},
which processes personal data according to their own data protection notice.
**(e) Contacting us by email**
If you contact ecoevo.social via email or a Mastodon private message, any
personal data that your message may contain (such as your email address or
name) will only be used to respond to your message and may be stored as part
of an email archive. You are of course free to use a nickname and a
pseudonymous email address. Such personal data will be deleted after 12
months.
#### Exercise your rights
You have the right to request from us access to and rectification or erasure
of your personal data or restriction of processing concerning you or, where
applicable, the right to object to processing or the right to data
portability. Where applicable, you also have the right to withdraw your
consent at any time. Please note that withdrawing your consent does not
affect the lawfulness of processing based on consent before its withdrawal.
Please find more information on your rights on the website of the
[European Commission](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/what-are-my-rights_en){target="_blank"}.
You have, in any case, the right to lodge a complaint with the
[data protection authority](https://edpb.europa.eu/about-edpb/about-edpb/members_en){target="_blank"}
as a supervisory authority.
### Acknowledgments
These terms are based on the
[terms initially published by eupolicy.social](https://eupolicy.social/terms){target="_blank"}
and made more accessible by the
[Mastodon Privacy Policy Generator](https://blog.riemann.cc/projects/mastodon-privacy-policy-generator/){target="_blank"}
in its version v1.1 as of 22/11/2022. This text is free to be adapted and remixed under the terms of the
[CC-BY (Attribution 4.0 International) license](https://creativecommons.org/licenses/by/4.0/){target="_blank"}.