Verified Commit dd8a9e4d authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase
Browse files

Add lawyered PP

parent b0f1ccc6
= Arch Linux Privacy Policy
Version: 2021-07-18
:toc:
:sectnums:
:homepage: https://archlinux.org
== Privacy Policy
The Arch Linux Team (hereinafter referred to as "Arch" or "we") operates the website and its services
available on the Internet at https://archlinux.org/ including the respective sub-directories (hereinafter
referred to as the "website").
With this privacy policy, we would like to inform you which data will be processed in which form when
you visit the website or use its services. Where the GDPR applies, we hereby also comply with our duty
to inform you in accordance with Art. 13 and Art. 14 of the EU-General Data Protection Regulation
(GDPR).
== Controller
The controller for the data processing on our website is
Arch Linux Team
Email: privacy@archlinux.org
== Purposes, legal bases and storage period
=== General use of the platform
The web server of our hosting service provider automatically records the accesses to our website.
Therefore, when you visit our website, you transmit certain technical data to us, namely:
* IP address,
* accessed content,
* information about the transmission,
* date of access,
* the amount of data transmitted,
* the referrer,
* the web browser/user agent.
Where the GDPR applies, the processing of the IP address when establishing a connection is based on
Art. 6 par. 1 lit. b) GDPR to provide the website you requested.
Our host also creates so-called log files to maintain system security, in order to guarantee the security
and integrity of our IT systems. These purposes also represent the legitimate interest for which the
processing is carried out (Art. 6 par. 1 lit. f) GDPR). We store the log files for a period of 91 days and
delete them afterwards.
=== Registering for a user account
Some of our services require that you sign up and create a user account. For this purpose we will
collect and process your user name, email address and a password. We will send you a validation
email to the email address you have provided. Where the GDPR applies, the legal basis for the
processing is Art. 6 para. 1 lit. b) GDPR.
When you use our services we will collect certain information from you and associate it with your
account, such as:
* your password for the forums, wiki, GitLab, or bugtracker,
* your GPG key ID,
* your SSH public key,
* your IRC nickname,
* your IP address,
* your language preference,
* your timezone,
* your geographic coordinates (longitude/latitude),
* your disclosed affiliation(s).
We generally process your personal data for as long as you have an account with us and delete it
afterwards.
== Services of the website
Our website offers you a range of services for which we process certain personal data:
=== Use of the forums
You can read in our forums without giving us any personal data. However, if you wish to participate by
posting entries, we will ask you to sign up for an account. In this case, we will collect your user name,
email address and a captcha question. You are able to select if you wish that other users could see
your email address and if other users shall be able to send you mails via the forums mail function.
Furthermore, you can set location options as time zone and language preference.
We process your data to provide you with the account, the forums and the respective functions. The
captcha question is required to avoid abuse by spammers using automated tools to post their content
and links to many sites. We process your location options and language preferences to provide you
with the according account settings.
When you post comments, we display certain information about your user account next to your post
such as user name, registration date, and country of origin (if you add these personal details in your
user account).
Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we store your entries based on our legitimate interest of a consistent forums
according to Art. 6 para. 1 lit. f) GDPR, but we anonymize the author of your entries.
=== Use of the wiki
You can read in our wiki without giving us any personal data. However, if you wish to participate
creating entries, we will ask you to sign up for an account. In this case, we will collect your user name,
email address and a captcha question. You are able to select if you wish that other users could see
your email address and if other users shall be able to send you mails via the wikis mail function.
Furthermore, you can set location options as time zone and language preference.
We process your data to provide you with the account, the wiki and the respective functions. The
captcha question is required to avoid abuse by spammers using automated tools to post their content
and links to many sites. We process your location options and language preferences to provide you
with the according account settings.
When you contribute entries, we display certain information about your user account next to your
entries such as user name, registration date, and country of origin (if you add these personal details in
your user account).
Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we store your entries based on our legitimate interest of a consistent wiki
according to Art. 6 para. 1 lit. f) GDPR.
=== Reporting bugs
If you wish to report a bug, we require you to register with us first. When you register a reporting
account, we collect your user name, your real name, email address and optionally jabber ID, your
notifications preferences and time zone. The obligatory registration data are required to enable you to
log in to your account and to use the reporting services. When you report a bug, we display your user
name next to the bug you reported.
Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we store your entries based on our legitimate interest of a consistent bug report
according to Art. 6 para. 1 lit. f) GDPR.
=== Submitting packages to the Arch User Repository (AUR)
You can make use of the package instruction without giving us any personal data. However if you wish
to participate by posting comments or submitting packaging instructions we will ask you to sign up for
an account. When you register with us for a user account, we collect your user name, email address, a
backup email address (optional) and a captcha question. You may choose whether other registered
AUR users can see your email address. If you hide your email address, it is visible to members of the
Arch Linux staff only. Optionally, you may enter your real name, your homepage, IRC nick, PGP key
fingerprint and set location options as time zone and language preference as well as notification
settings.
We require your data to enable you to log in to your account and to use the AUR actively. The captcha
question is required to avoid abuse by spammers using automated tools to post their content and links
to many sites. We will show your personal details next to the packages you submitted. We process
your location options and language preferences to provide you with the according account settings.
When you submit or maintain packages, we display certain information about your user account next to
the respective package such as your user name.
Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we retain your user name and email address based on our legitimate interest of a
consistent documentation of the submitted packages, Art. 6 para. 1 lit. f) GDPR.
=== GitLab
We also use a self-managed GitLab instance available at gitlab.archlinux.org for repository
management, code reviews, issue tracking, activity feeds and wikis. You can read our GitLab public
groups without registration. However, if you wish to participate creating content, we will ask you to sign
up for an account. In this case, we will collect your user name, email address and a captcha question.
We process your data to provide you with the account, the GitLab instance and the respective
functions. The captcha question is required to avoid abuse by spammers using automated tools to post
their content and links to many sites. We process your location options and language preferences to
provide you with the according account settings.
Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we retain your user name and email address based on our legitimate interest of a
consistent documentation in our GitLab instance, Art. 6 para. 1 lit. f) GDPR.
=== Using our collaboration pads
You can use our collaboration pads and contribute in our work. In this case, we collect your email
address, a password and your contributions to the collaboration pads. We process your data to enable
you to participate in our collaboration pads. You can delete your contributions at any time in your
account.
Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. In case you
delete your account, we will retain your contributions based on our legitimate interest of a consistent
collaboration pad according to Art. 6 para. 1 lit. f) GDPR.
=== Participating in mailing lists
You can subscribe to our mailing lists. In this case, we collect your email address, a password, your
language and other preferences and optionally your name. We process your data to enable you to
participate in our mailing lists. You can unsubscribe at any time on your subscription page.
Where the GDPR applies, the legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.
=== Arch IRC channels
You can use our Arch IRC channels. To avoid spam you need to be registered in order to join. We
process your personal data to provide you with the IRC channel’s functions. For information on the
registration process, please see our corresponding wiki page at:
https://wiki.archlinux.org/index.php/Arch_IRC_channels. The IRC channels are provided by
Libera.Chat. We have no influence on the processing of your data by Libera.Chat. For information on
the processing of your personal data, please see https://libera.chat/privacy.
== Contact
We offer you the opportunity to contact us via email. We will then process your email address and, if
applicable, your name, a subject and the content of your request to answer your enquiry due to our
legitimate interests (Art. 6 para. 1 lit. f) GDPR).
We will store your enquiry until we have answered it and fulfilled your request and delete it afterwards
unless legal provisions prevent deletion. Where the GDPR applies, we may store data in accordance
with Art. 6 para. 1 lit. f) GDPR where it is necessary for the purpose of providing evidence or to comply
with legal retention periods in accordance with Art. 6 para. 1 lit. c) GDPR. If the request is made within
the framework of an existing or prospective contractual relationship with us, the storage period shall be
based on the underlying contractual relationship.
== Donations
You can donate to Arch Linux as a member project of the Software in the Public Interest, Inc. (SPI) as
non-profit corporation using via Click&Pledge or via SPI directly using PayPal or Credit Card payment.
For further information, please see the SPI donation website at: https://www.spi-inc.org/donations/. We
publish the past donors on the website https://archlinux.org/donate/.
This processing is based on your consent (Art. 6 Abs. 1 lit. a) GDPR) until your withdrawal or until we
end this publication of past donors. You have the right to withdraw consent at any time, without
affecting the lawfulness of processing based on consent before its withdrawal e.g. by sending us an
email.
== Storage period
Unless explicitly stated otherwise, we will process and store your personal data for as long as it is
required for the respective purpose and delete it thereafter.
== Categories of recipients
We use external service providers if we are unable to provide services ourselves or if it is not
reasonable to do so. These external service providers are primarily providers of IT services, such as
our hosting service provider Hetzner (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen,
Germany).
== General rights of data subjects
The GDPR guarantees you certain rights, which you can assert against us - if the legal requirements
are met.
=== Art. 15 GDPR - Right of access
You have the right to obtain confirmation from us as to
whether personal data relating to you are being processed and, if so, what these data are and the
detailed circumstances of the processing.
=== Art. 16 GDPR - Right of rectification
You have the right to ask us to rectify incorrect personal
data concerning you immediately. You also have the right to request the completion of incomplete
personal data, including by means of a supplementary declaration, taking into account the
purposes of the processing.
=== Art. 17 GDPR - Right to deletion
You have the right to demand that we delete any personal data relating to you immediately.
=== Art. 18 GDPR - Right to restriction of processing
You have the right to request us to restrict processing.
=== Art. 20 GDPR - Right to data portability
You have the right, in the event of processing based
on consent or for the fulfilment of a contract, to receive the personal data concerning you which
you have provided us with in a structured, common and machine-readable format and to transfer
this data to another responsible party without hindrance from us or to have the data transferred
directly to the other responsible party, insofar as this is technically feasible.
=== Art. 77 GDPR in conjunction with Section 19 BDSG - Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority at
any time, in particular in the Member State in which you are resident, your place of work or place
of the alleged infringement if you consider that the processing of personal data relating to you
infringes data protection law.
== In particular right to object and right to withdraw consent
=== Art. 21 GDPR - Right to object
You have the right to object at any time, for reasons arising
from your particular situation, to the processing of personal data concerning you which is
necessary on the basis of a legitimate interest on our part or in order to carry out a task in the
public interest, or which is carried out in the exercise of official authority.
If you object, we will no longer process your personal data unless we can prove compelling
legitimate grounds for processing that override your interests, rights and freedoms, or unless the
processing serves to assert, exercise or defend legal claims.
If we process your personal data for direct marketing purposes, you have the right to object to the
processing at any time. If you object to processing for direct marketing purposes, we will no
longer process your personal data for these purposes.
In order to exercise your right of objection, you can, for example, send us an email to the email
address mentioned above.
=== Withdrawal of consent
If you have given us your informed consent, you have the right to withdraw your consent at any time. In this case, all data processing that we have carried out until
your withdrawal remains lawful.
== Obligation to provide data
You have no contractual or legal obligation to provide us with personal data. However, we then might
not be able to offer you the requested services.
== The existence of automated decision-making (including profiling)
We will not make you subject to any automated decision-making, including profiling in accordance with
Art. 22 para. 1 and 4 GDPR, which has legal effects on you or affects you.
== Internet-specific data processing and cookies
On some sub-directories of our website, cookies are set in your browser. Cookies are small text files
that are stored on your hard drive and are assigned to the browser you are using. The provider who
sets the cookie can collect certain information through the cookie. The only purpose of the cookies set
on our website is to enable you to use the website and its functions safely. The legal basis for the
processing is our legitimate interests in the aforementioned purpose according to Art. 6 para. 1 lit. f)
GDPR. The cookies are necessary for the services you have requested. The following cookies are set:
|===
|Name |Domain |Purpose |Retention period|Technology
|Flyspray
|bugs.archlinux.org
|Login Session
|Session
|http-Cookie
|flyspray_project
|bugs.archlinux.org
|Default project selection
|1 month
|http-Cookie
|tasklist_type
|bugs.archlinux.org
|Tasklist Selection
|Session
|http-Cookie
|csrftoken
|archlinux.org
|Django Cross-Site Request Forgery protection
|1 year
|http-Cookie
|sessionid
|archlinux.org
|Login Session
|2 weeks
|http-Cookie
|flux_cookie_*
|bbs.archlinux.org
|Login Handling
|2 weeks
|http-Cookie
|AURLANG
|aur.archlinux.org
|Selected Language
|1 month
|http-Cookie
|AURSID
|aur.archlinux.org
|Login Session
|1 month
|http-Cookie
|AURTZ
|aur.archlinux.org
|Current Timezone
|1 month
|http-Cookie
|archwiki_session
|wiki.archlinux.org
|Current Session
|Session
|http-Cookie
|archwikiToken
|wiki.archlinux.org
|Login Session
|6 month
|http-Cookie
|archwikiUserID
|wiki.archlinux.org
|Caches the current user id
|6 month
|http-Cookie
|archwikiUserName
|wiki.archlinux.org
|Caches the current username
|6 month
|http-Cookie
|Session
|security.archlinux.org
|Current Session
|Session
|http-Cookie
|connect.sid
|md.archlinux.org
|Login Session
|1 month
|http-Cookie
|_gitlab_session
|gitlab.archlinux.org
|Current Session
|Session
|http-Cookie
|AUTH_SESSION_ID
|gitlab.archlinux.org
|Current auth provider Session
|Session
|http-Cookie
|KEYCLOAK_IDENTITY
|gitlab.archlinux.org
|Current auth provide id
|Session
|http-Cookie
|known_sign_in
|gitlab.archlinux.org
|GitLab Session handling
|2 weeks
|http-Cookie
|remember_user_token
|gitlab.archlinux.org
|Setting if the user should be remembered
|1 week
|http-Cookie
|AUTH_SESSION_ID_LEGACY
|accounts.archlinux.org
|Login Handling
|Session
|http-Cookie
|AUTH_SESSION_ID
|accounts.archlinux.org
|Login Handling
|Session
|http-Cookie
|KC_RESTART
|accounts.archlinux.org
|Login Handling
|Session
|http-Cookie
|KEYCLOAK_IDENTITY_LEGACY
|accounts.archlinux.org
|Login Handling
|Session
|http-Cookie
|KEYCLOAK_IDENTITY
|accounts.archlinux.org
|Login Handling
|Session
|http-Cookie
|KEYCLOAK_REMEMBER_ME
|accounts.archlinux.org
|Remember the current user
|1 year
|http-Cookie
|OAuth_Token_Request_State
|accounts.archlinux.org
|Login Handling
|Session
|http-Cookie
|===
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
This is revision 1, effective since ISO DATE HERE.
Arch Linux Privacy Policy
=========================
This policy describes how Arch Linux collects, uses, protects and discloses user information
collected by Arch Linux services, and provides information about the choices you have regarding the
ways in which your personal information is manipulated.
The scope of this privacy policy extends to all public as well as internal services operated by
Arch Linux, including in particular all web services provided on the `archlinux.org` domain and its
subdomains.
For convenience, Arch Linux is referred to in this document as "Arch".
_Table of contents_:
[[_TOC_]]
Our commitment to privacy and data security
-------------------------------------------
Arch values your privacy. To better protect your privacy, we have provided this policy explaining
our information practices and the choices you can make about the way your personal information is
collected, used and disclosed.
Arch staff members and service administrators are familiar with our privacy policy guidelines. Our
websites enforce [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
(TLS), which encrypts the communication channel you use when you send your personal information to
our websites. Arch is committed to provide its services from secure systems to prevent unauthorized
access to your personal information.
The information we collect
--------------------------
This privacy policy applies to all information collected by or submitted to Arch services,
including personal data. "Personal data" is data that can be used to identify an individual.
Arch collects certain information for statistical and security purposes whenever you access an Arch
service. This includes standard information that web browsers typically make available to the web
servers, notably:
- the pages you visited on our websites,
- the date and time you access a website,
- the name and version of your browser,
- your public IP address.
Arch collects personal data when:
- you create a user account,
- you post comments on the boards, AUR, bug tracker or mailing lists,
- you create content on the wiki,
- you submit packages to the AUR.
Arch may also collect personal data from individuals (with their consent) who participate and/or
contribute to Arch. The types of personal data collected may include (but are not limited to):
- your first and last name,
- your username,
- your country code,
- your e-mail address,
- any information that Arch collects online from you and maintains in association with your account,
such as:
- your system password for the forums, wiki, or bug tracker,
- your GPG key ID,
- your SSH public key,
- your IRC nickname,
- your IP address,
- your language preference,
- your timezone,
- your geographic coordinates (longitude/latitude),
- your disclosed affiliation(s).
Publicly available personal data
--------------------------------
Some personal data attached to Arch accounts is made public by default _if you opt to include it in
your profile_. Specifically:
- your GPG key ID (if defined);
- your location (if defined)
- your website, blog, or other affiliations (if defined).
If you wish for this information to be kept private, you can opt-out of displaying this information
publicly in your account profile. If you choose to opt-out, Arch will still have access to this
information, but it will not be displayed to others, and will be considered private.
Using (processing) your personal data
-------------------------------------
Arch uses the personal data you provide to:
- create and maintain your accounts;
- identify and authenticate you;
- attribute data and content you produce directly and indirectly in our public-facing services;
- answer your questions;
- send you information;
- for research activities, such as the production of statistical reports (such aggregated
information is not used to contact the subjects of the report).
Sharing your personal data
--------------------------
Unless you consent, Arch will never process or share the personal data you provide to us except as
described below.
Arch may share your personal data with third parties under any of the following circumstances:
- Your publicly available personal data in the Arch account system, as described above, is
accessible by anyone unless you, as the account holder, opt out as already described in this
privacy policy.
- As required by law (such as responding to a valid subpoena, warrant, audit, or agency action,
or to prevent fraud).
- For research activities, including the production of statistical reports (such aggregated
information is used to describe our services and is not used to contact the subjects of the
report).
Receiving e-mail
----------------
Arch may send you e-mail about your account, to communicate with you about your accounts, or in
response to your questions. For your protection, Arch may contact you in the event that we find an
issue that requires your immediate attention. Arch processes your personal data in these cases to
fulfill and comply with its contractual obligations to you, to provide the services you have
requested, and to ensure the security of your account.
Cookies and other browser information
-------------------------------------
Arch's online services automatically capture IP addresses. We use IP addresses to help diagnose
problems with our servers, to administer our websites, and to help ensure the security of your
interaction with our services. Your IP address is used to help identify you and your location, in
order to provide you data and content from our services as quickly as possible. It is in the
interests of the Arch community to maximize the efficiency and effectiveness of its services for
all users.
As part of offering and providing customizable and personalized services, Arch websites use cookies
to store and sometimes track information about you. A cookie is a small amount of data that is sent
to your browser from a web server and stored on your computer's hard drive. All websites provided
by Arch where you are prompted to log in or that are customizable require your browser to accept
cookies.
Generally, we use cookies to:
1. Remind us of who you are and to access your account information (stored on our computers) in
order to provide a better and more personalized service. This cookie is set when you register or
"sign in" and is modified when you "sign out" of our services.
2. Estimate audience size. Each browser accessing an Arch website is given a unique cookie that is
used to determine the extent of recurrent usage and usage by a registered user versus by an
unregistered user.
3. Measure certain traffic patterns, which areas of Arch's network of websites you have visited,
and your visiting patterns in the aggregate. We use this research to understand how our
infrastructure needs to scale to meet demand.
If you do not want your personal information to be stored by cookies, you can configure your
browser so that it always rejects these cookies or asks you each time if you accept them or not.
However, you must understand that the use of cookies may be necessary to provide certain services
(see 1. above), and choosing to reject cookies will reduce the performance and functionality of the
service. Your browser documentation includes instructions explaining how to enable, disable or
delete cookies at the browser level (usually located in the "Help", "Tools" or "Edit" facility).
Public forums reminder
----------------------
Arch makes its public services, including [wiki](https://wiki.archlinux.org/),
[IRC chat rooms](https://wiki.archlinux.org/title/Arch_IRC_channels),
[bulletin boards](https://bbs.archlinux.org/), [mailing lists](https://lists.archlinux.org/),
[bug tracker](https://bugs.archlinux.org/), [AUR](https://aur.archlinux.org/) and a
[GitLab instance](https://gitlab.archlinux.org/), available to its users. Please remember that _any
information_ that is disclosed in these areas becomes __public information__. Exercise caution when
deciding to disclose your personal data. Although we value individual ideas and encourage free
expression, Arch reserves the right to take necessary action to preserve the integrity of these
areas, such as removing any posting that is vulgar or inappropriate. See our
[Code of conduct](code-of-conduct.md) for what is acceptable behavior.
It is in the interest of the Arch community to provide all users an accurate record of data and
content provided in the public forums it maintains and uses; to maintain the integrity of that data
and content for historical, scientific, and research purposes; and to provide an environment for
the free exchange of ideas relevant and constructive to the development and propagation of open
source software.
About links to other sites
--------------------------
Arch websites contain links to other sites. Arch does not control the information collection of
sites that can be reached through links from Arch websites. If you have questions about the data
collection procedures of linked sites, please contact those sites directly.
Your rights under GDPR in the EEA
---------------------------------
Where the [EU General Data Protection Regulation](
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN)
2016/679 ("GDPR") applies to the processing of your personal data, especially when you access an
Arch service from a country in the European Economic Area ("EEA"), you have the following rights,
subject to some limitations, against Arch:
- The right to access your personal data;
- The right to rectify the personal data we hold about you;
- The right to erase your personal data;
- The right to restrict our use of your personal data;