privacy-policy.adoc 16.8 KB
---
title: "Privacy Policy"
---
Sven-Hendrik Haase committed

:toc:
:sectnums:
:homepage: https://archlinux.org

= Arch Linux Privacy Policy

Version: 2021-07-18

== Privacy Policy
The Arch Linux Team (hereinafter referred to as "Arch" or "we") operates the website and its services
available on the Internet at https://archlinux.org/ including the respective sub-directories (hereinafter
referred to as the "website").

With this privacy policy, we would like to inform you which data will be processed in which form when
you visit the website or use its services. Where the GDPR applies, we hereby also comply with our duty
to inform you in accordance with Art. 13 and Art. 14 of the EU-General Data Protection Regulation
(GDPR).

== Controller
The controller for the data processing on our website is the Arch Linux Team.

Email: privacy@archlinux.org

== Purposes, legal bases and storage period
=== General use of the platform
The web server of our hosting service provider automatically records the accesses to our website.
Therefore, when you visit our website, you transmit certain technical data to us, namely:

* IP address,
* accessed content,
* information about the transmission,
* date of access,
* the amount of data transmitted,
* the referrer,
* the web browser/user agent.

Where the GDPR applies, the processing of the IP address when establishing a connection is based on
Art. 6 para. 1 lit. b) GDPR to provide the website you requested.

Our host also creates so-called log files to maintain system security, in order to guarantee the security
and integrity of our IT systems. These purposes also represent the legitimate interest for which the
processing is carried out (Art. 6 para. 1 lit. f) GDPR). We store the log files for a period of 91 days and
delete them afterwards.

=== Registering for a user account
Some of our services require that you sign up and create a user account. For this purpose we will
collect and process your user name, email address and a password. We will send you a validation
email to the email address you have provided. Where the GDPR applies, the legal basis for the
processing is Art. 6 para. 1 lit. b) GDPR.

When you use our services we will collect certain information from you and associate it with your
account, such as:

* your password for https://accounts.archlinux.org[the accounts service], https://aur.archlinux.org[AUR], https://bbs.archlinux.org[the forums], https://wiki.archlinux.org[wiki], https://security.archlinux.org[security tracker], https://archlinux.org[archweb], https://gitlab.archlinux.org[GitLab], or https://bugs.archlinux.org[the bugtracker],
* your GPG key ID,
* your SSH public key,
* your IRC nickname,
* your IP address,
* your language preference,
* your timezone,
* your geographic coordinates (longitude/latitude),
* your disclosed affiliation(s).

We generally process your personal data for as long as you have an account with us and delete it
afterwards.

== Services of the website
Our website offers you a range of services for which we process certain personal data:

=== Forums (https://bbs.archlinux.org/[bbs.archlinux.org])
You can read our forums without giving us any personal data. However, if you wish to participate by
posting entries, we will ask you to sign up for an account. In this case, we will collect your user name,
email address and a captcha question. You can choose whether other users can see your email address
and whether other users can send you emails via the forums' mail function.
Furthermore, you can set location options such as time zone and language preference.

We process your data to provide you with the account, the forums and the respective functions. The
captcha question is required to avoid abuse by spammers using automated tools to post their content
and links to many sites. We process your location options and language preferences to provide you
with the corresponding account settings.

When you post comments, we display certain information about your user account next to your post
such as user name, registration date, and country of origin (if you add these personal details in your
user account).

Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we store your entries based on our legitimate interest of a consistent forums
according to Art. 6 para. 1 lit. f) GDPR, but we anonymize the author of your entries.

=== Wiki (https://wiki.archlinux.org/[wiki.archlinux.org])
You can read our wiki without giving us any personal data. However, if you wish to participate by
creating entries, we will ask you to sign up for an account. In this case, we will collect your user name,
email address and a captcha question. You can choose whether other users can see your email address
and whether other users can send you emails via the wiki's mail function.
Furthermore, you can set location options such as time zone and language preference.

We process your data to provide you with the account, the wiki and the respective functions. The
captcha question is required to avoid abuse by spammers using automated tools to post their content
and links to many sites. We process your location options and language preferences to provide you
with the corresponding account settings.

When you contribute entries, we display certain information about your user account next to your
entries such as user name, registration date, and country of origin (if you add these personal details in
your user account).

Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we store your entries based on our legitimate interest of a consistent wiki
according to Art. 6 para. 1 lit. f) GDPR.

=== Bug tracker (https://bugs.archlinux.org/[bugs.archlinux.org])
You can browse our bug tracker without giving us any personal data. However, if you wish to
report a bug, we require you to register with us first. When you register a reporting account, we
collect your user name, your real name, email address and optionally Jabber ID, your notification
preferences and time zone. The obligatory registration data are required to enable you to log in to
your account and to use the reporting services. When you report a bug, we display your user name along
with the bug you reported.

Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we store your entries based on our legitimate interest of a consistent bug report
according to Art. 6 para. 1 lit. f) GDPR.

=== Arch User Repository (https://aur.archlinux.org/[aur.archlinux.org])
You can make use of the packaging instructions without giving us any personal data. However, if you wish
to participate by posting comments or submitting packaging instructions, we will ask you to sign up for
an account. When you register with us for a user account, we collect your user name, email address, a
backup email address (optional) and a captcha question. You may choose whether other registered
AUR users can see your email address. If you hide your email address, it is visible to members of the
Arch Linux staff only. Optionally, you may enter your real name, your homepage, IRC nick, PGP key
fingerprint and set location options such as time zone and language preference as well as notification
settings.

We require your data to enable you to log in to your account and to use the AUR actively. The captcha
question is required to avoid abuse by spammers using automated tools to post their content and links
to many sites. We will show your personal details next to the packages you submitted. We process
your location options and language preferences to provide you with the corresponding account settings.

When you submit or maintain packages, we display certain information about your user account next to
the respective package such as your user name.

Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we retain your user name and email address based on our legitimate interest of a
consistent documentation of the submitted packages, Art. 6 para. 1 lit. f) GDPR.

=== GitLab (https://gitlab.archlinux.org/[gitlab.archlinux.org])
We also use a self-managed GitLab instance available at gitlab.archlinux.org for repository
management, code reviews, issue tracking, activity feeds and wikis. You can read our GitLab public
groups without registration. However, if you wish to participate by creating content, we will ask you to sign
up for an account. In this case, we will collect your user name, email address and a captcha question.

We process your data to provide you with the account, the GitLab instance and the respective
functions. The captcha question is required to avoid abuse by spammers using automated tools to post
their content and links to many sites. We process your location options and language preferences to
provide you with the corresponding account settings.

Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we retain your user name and email address based on our legitimate interest of a
consistent documentation in our GitLab instance, Art. 6 para. 1 lit. f) GDPR.

=== Collaboration pads (https://md.archlinux.org/[md.archlinux.org])
You can use our collaboration pads and contribute to our work. In this case, we collect your email
address, a password and your contributions to the collaboration pads. We process your data to enable
you to participate in our collaboration pads. You can delete your contributions at any time in your
account.

Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we will retain your contributions based on our legitimate interest of a consistent
collaboration pad according to Art. 6 para. 1 lit. f) GDPR.

=== Mailing lists (https://lists.archlinux.org/[lists.archlinux.org])
You can subscribe to our mailing lists. In this case, we collect your email address, a password, your
language and other preferences and optionally your name. We process your data to enable you to
participate in our mailing lists. You can unsubscribe at any time on your subscription page.

Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.

=== Arch IRC channels
You can use our Arch IRC channels. To avoid spam you need to be registered in order to join. We
process your personal data to provide you with the IRC channel’s functions. For information on the
registration process, please see our corresponding wiki page at:
https://wiki.archlinux.org/title/Arch_IRC_channels. The IRC channels are provided by
Libera Chat. We have no influence on the processing of your data by Libera Chat. For information on
the processing of your personal data, please see https://libera.chat/privacy.

== Contact
We offer you the opportunity to contact us via email. We will then process your email address and, if
applicable, your name, a subject and the content of your request to answer your enquiry due to our
legitimate interests (Art. 6 para. 1 lit. f) GDPR).

We will store your enquiry as long as we have lawful bases for processing the data, unless legal
provisions prevent deletion. Where the GDPR applies, we may store data in accordance
with Art. 6 para. 1 lit. f) GDPR where it is necessary for the purpose of providing evidence or to comply
with legal retention periods in accordance with Art. 6 para. 1 lit. c) GDPR. If the request is made within
the framework of an existing or prospective contractual relationship with us, the storage period shall be
based on the underlying contractual relationship.

== Donations
You can donate to Arch Linux as a member project of Software in the Public Interest, Inc. (SPI), a
non-profit corporation, via Click&Pledge or via SPI directly using PayPal or credit card payment.
For further information, please see the SPI donation website at: https://www.spi-inc.org/donations/. We
publish the past donors on the website https://archlinux.org/donate/.

This processing is based on your consent (Art. 6 para. 1 lit. a) GDPR) until your withdrawal or until we
end this publication of past donors. You have the right to withdraw consent at any time, without
affecting the lawfulness of processing based on consent before its withdrawal, e.g. by sending us an
email.

== Storage period
Unless explicitly stated otherwise, we will process and store your personal data for as long as it is
required for the respective purpose and delete it thereafter.

== Categories of recipients
We use external service providers if we are unable to provide services ourselves or if it is not
reasonable to do so. These external service providers are primarily providers of IT services, such as
our hosting service provider Hetzner (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen,
Germany).

== General rights of data subjects
The GDPR guarantees you certain rights, which you can assert against us - if the legal requirements
are met.

=== Art. 15 GDPR - Right of access
You have the right to obtain confirmation from us as to
whether personal data relating to you are being processed and, if so, what these data are and the
detailed circumstances of the processing.

=== Art. 16 GDPR - Right of rectification
You have the right to ask us to rectify incorrect personal
data concerning you immediately. You also have the right to request the completion of incomplete
personal data, including by means of a supplementary declaration, taking into account the
purposes of the processing.

=== Art. 17 GDPR - Right to deletion

You have the right to demand that we delete any personal data relating to you immediately.

=== Art. 18 GDPR - Right to restriction of processing

You have the right to request us to restrict processing.

=== Art. 20 GDPR - Right to data portability
You have the right, in the event of processing based
on consent or for the fulfilment of a contract, to receive the personal data concerning you which
you have provided us with in a structured, common and machine-readable format and to transfer
this data to another responsible party without hindrance from us or to have the data transferred
directly to the other responsible party, insofar as this is technically feasible.

=== Art. 77 GDPR in conjunction with Section 19 BDSG - Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority at
any time, in particular in the Member State in which you are resident, your place of work or place
of the alleged infringement if you consider that the processing of personal data relating to you
infringes data protection law.

== In particular right to object and right to withdraw consent
=== Art. 21 GDPR - Right to object
You have the right to object at any time, for reasons arising
from your particular situation, to the processing of personal data concerning you which is
necessary on the basis of a legitimate interest on our part or in order to carry out a task in the
public interest, or which is carried out in the exercise of official authority.

If you object, we will no longer process your personal data unless we can prove compelling
legitimate grounds for processing that override your interests, rights and freedoms, or unless the
processing serves to assert, exercise or defend legal claims.

If we process your personal data for direct marketing purposes, you have the right to object to the
processing at any time. If you object to processing for direct marketing purposes, we will no
longer process your personal data for these purposes.

In order to exercise your right of objection, you can, for example, send us an email to the email
address mentioned above.

=== Withdrawal of consent
If you have given us your informed consent, you have the right to withdraw your consent at any time. In this case, all data processing that we have carried out until
your withdrawal remains lawful.

== Obligation to provide data
You have no contractual or legal obligation to provide us with personal data. However, we then might
not be able to offer you the requested services.

== The existence of automated decision-making (including profiling)
We will not make you subject to any automated decision-making, including profiling in accordance with
Art. 22 para. 1 and 4 GDPR, which has legal effects on you or affects you.

== Internet-specific data processing and cookies
On some sub-directories of our website, cookies are set in your browser. Cookies are small text files
that are stored on your hard drive and are assigned to the browser you are using. The provider who
sets the cookie can collect certain information through the cookie. The only purpose of the cookies set
on our website is to enable you to use the website and its functions safely. The legal basis for the
processing is our legitimate interests in the aforementioned purpose according to Art. 6 para. 1 lit. f)
GDPR. The cookies are necessary for the services you have requested.