git724/git724
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update PRIVACY.md

Browse source
This commit is contained in:
Minecon724 2025-05-06 10:43:12 +02:00
parent 78b71a6f7b
commit 00b7335d33
1 changed files with 34 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

55
PRIVACY.md
View file

@ -1,6 +1,6 @@
### Privacy Policy for git.m724.eu
Effective date: May 4, 2025
Effective date: May 6, 2025
---
@ -8,9 +8,9 @@ Effective date: May 4, 2025
Welcome to git.m724.eu! This Privacy Policy explains how the operator of git.m724.eu ('we', 'us', 'our') collects, uses, stores, and protects your personal information when you use our Git hosting service located at git.m724.eu (the 'Service').
The data controller for the personal data processed through the Service is the operator of git.m724.eu, reachable via the contact details provided at the end of this policy.
The data controller for the personal data processed through the Service is the operator of git.m724.eu, reachable via the contact details provided at the end of this Privacy Policy.
We are committed to protecting your privacy. This policy outlines our practices concerning the data we process and your rights regarding that data.
We are committed to protecting your privacy. This Privacy Policy outlines our practices concerning the data we process and your rights regarding that data.
However, like any online service, we cannot guarantee absolute security or uninterrupted availability. While we make reasonable efforts to maintain the security and availability of the Service, no guarantees are made regarding uptime and security beyond the measures described herein.
@ -18,9 +18,9 @@ However, like any online service, we cannot guarantee absolute security or unint
To provide and operate the Service, we collect the following types of information, which may include Personal Data:
* **Account Information:** When you register, we collect your username, one or more email addresses, and a securely hashed password. You may optionally provide additional profile information such as a display name, avatar, biography, location, or website.
* **Repository Content:** Any data you store in repositories hosted on the Service, including source code, commit history, issues, comments, wiki pages, releases, pull requests, and other project-related content. *Please be aware that this content may contain personal data if you choose to include it.*
* **Git Commit Metadata:** Git commits inherently contain author information (name and email address) within their metadata. This information becomes part of the permanent history of any repository you contribute to.
* **Account Information:** When you register, we collect your username, one or more e-mail addresses, and a securely hashed password. You may optionally provide additional profile information such as a display name, avatar, biography, location, or website. Username, valid e-mail address and password are necessary to create an account; without them you cannot use the Service. All other profile fields are optional.
* **Repository Content:** Any data you store in repositories hosted on the Service, including source code, commit history, issues, comments, wiki pages, releases, pull requests, and other project-related content. *Please note that this content may contain personal data if you choose to include it.*
* **Git Commit Metadata:** Git commits inherently contain author information (name and e-mail address) within their metadata. This information becomes part of the permanent history of any repository you contribute to.
* **Activity & Usage Data:** Information related to your interaction with the Service, such as repository access (clones, fetches, pushes), issue creation/commenting, pull request activity, wiki edits, login times, and IP addresses (primarily for security logging and abuse prevention).
* **Cookies:** As detailed in Section 8.
@ -40,7 +40,7 @@ We do **not** use your personal data for profiling or automated decision-making
We process your personal data based on the following legal grounds:
* **Performance of a Contract (Art. 6(1)(b) GDPR):** Processing necessary to provide the Service you requested when creating an account and using its features.
* **Legitimate Interests (Art. 6(1)(f) GDPR):** Processing for the purposes of securing the Service, preventing abuse, maintaining infrastructure, and defending our legal rights, provided these interests are not overridden by your fundamental rights and freedoms.
* **Legitimate Interests (Art. 6(1)(f) GDPR):** Processing for the purposes of securing the Service, preventing abuse, maintaining infrastructure, and defending our legal rights, provided these interests are not overridden by your fundamental rights and freedoms. We have concluded that our interest in securing the service and preventing abuse is not overridden by your interests or fundamental rights.
* **Legal Obligation (Art. 6(1)(c) GDPR):** Processing necessary to comply with applicable laws and regulations.
* **Consent (Art. 6(1)(a) GDPR):** Where we specifically ask for your consent for processing (e.g., for non-essential cookies, though currently only essential cookies are used as described below).
@ -50,26 +50,30 @@ We do not sell, rent, or trade your personal data with third parties for their m
We share data only in the following limited circumstances:
* **With Service Providers (Data Processors):** We use a third-party provider located in the European Economic Area (EEA) for storing encrypted backups. This provider acts as a data processor, meaning they only process the data on our behalf, under strict confidentiality and security obligations, and based on our instructions. The data is encrypted *before* it leaves our infrastructure using a key managed solely by us.
* **With Service Providers (Data Processors):**
- A third-party provider is located in Germany for storing encrypted backups. Backups are encrypted at the source. The encryption key never leaves our own servers.
- E-mails are routed through MXroute LLC, USA. The transfer is made pursuant to EU Commission Decision 2021/914 (Standard Contractual Clauses, module 3), supplemented by additional technical safeguards (end-to-end TLS, mandatory MFA on the MXroute account).
- DNS provider is deSEC e.V., Germany
- HTTPS and SSH traffic is proxied through a machine hosted by Skhron OÜ, Estonia
* **For Legal Reasons:** We may disclose your information if required to do so by law, subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or the safety of the public or any person.
### 6. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
* **Account Data:** Your profile information (username, email addresses, avatar, bio, etc.) and hashed password are retained as long as your account is active. This data is deleted upon account deletion.
* **Account Data:** Your profile information (username, e-mail addresses, avatar, bio, etc.) and hashed password are retained as long as your account is active. This data is deleted upon account deletion.
* **Repository Data:** Repositories you own and their contents (code, issues, releases, etc.) are retained as long as the repository exists on the Service.
* **Activity Data & Contributions:** Data related to your activity (issues, comments, pull requests, wiki edits, etc.) and code contributions (commits) are handled as described under "Deleting Your Account" to maintain the integrity and history of projects.
* **Activity Data & Contributions:** Data related to your activity (issues, comments, pull requests, wiki edits, etc.) and code contributions (commits) are handled as described under "Deleting Your Account" to maintain the integrity and history of projects. Raw access logs (IP, User-Agent, timestamp) are kept for up to 30 days for security and troubleshooting, then deleted, unless required for evidence of abuse.
* **Backup Data:** Encrypted backups containing snapshots of data may be retained for up to **3 months**. This data is isolated, not used for operational purposes, and securely destroyed after the retention period expires.
### 7. Deleting Your Account
You can delete your account at any time while logged in via your [account settings](/user/settings/account). When you request account deletion:
1. **Profile Deletion:** Your personal profile information (username, linked email addresses, avatar, bio, etc.) and hashed password will be permanently deleted from our active systems.
1. **Profile Deletion:** Your personal profile information (username, linked e-mail addresses, avatar, bio, etc.) and hashed password will be permanently deleted from our active systems.
2. **Content Disassociation:** Content you generated (like issues, comments, **the record of pull requests you opened or reviewed**) will generally be retained but **disassociated from your account**. The content itself remains visible, but it will no longer be directly linked to your username and will typically be attributed to a generic "Deleted User" placeholder. **Please note that while the pull request record itself is disassociated, the underlying Git commits referenced by the pull request retain their original author metadata as described below.** Once disassociated, this content is generally no longer considered personal data directly linked to your deleted account within the Service.
3. **Commit Unlinking:** Your Git commits within repositories hosted on the Service will be **unlinked** from your deleted user account within the Service's interface. \
**(!) Important Note on Git Commit Metadata:** While your *Service account* is deleted and commits are unlinked from it in our interface, the author name and email address embedded within the Git commit metadata itself **remains permanently** part of the repository's history. This is a fundamental aspect of how Git works and is outside the control of the Service once a commit is pushed. This metadata persists even if the pull request record linking it to your account is removed (as per point 2). If you have privacy concerns about this, configure your local Git client appropriately (e.g., using a work or noreply email address) *before* making and pushing commits.
**(!) Important Note on Git Commit Metadata:** While your *Service account* is deleted and commits are unlinked from it in our interface, the author name and e-mail address embedded within the Git commit metadata itself **remains permanently** part of the repository's history. This is a fundamental aspect of how Git works and is outside the control of the Service once a commit is pushed. This metadata persists even if the pull request record linking it to your account is removed (as per point 2). If you have privacy concerns about this, configure your local Git client appropriately (e.g., using a work or noreply e-mail address) *before* making and pushing commits.
4. **Repository Ownership:** Repositories owned solely by your account will be permanently deleted unless you transfer ownership to another user or organization *before* deleting your account.
Residual copies of your deleted personal data may remain in our encrypted backup systems for up to 3 months before being permanently destroyed, as described in the Data Retention section.
@ -82,7 +86,12 @@ We use cookies for essential functionality:
* **Persistent Login ("Remember Me"):** If you check the "Remember this device" option when logging in, a cookie will be stored for **up to 31 days** to keep you logged in across sessions.
* **Security (CSRF Protection):** To help prevent Cross-Site Request Forgery attacks, ensuring actions you take on the site are genuinely initiated by you. This cookie is typically deleted when you close your browser.
These cookies are necessary for the secure and proper functioning of the Service. You can manage or disable cookies through your web browser settings, but doing so may impair the functionality of the Service (e.g., you may not be able to log in).
No third-party analytics or cross-site tracking or ads occurs.
Because we only use cookies that are strictly necessary for the secure and proper functioning of the Service, no separate cookie consent banner is shown.
You can manage or disable cookies through your web browser settings, but doing so may impair the functionality of the Service (e.g., you may not be able to log in).
### 9. Data Security
@ -90,16 +99,16 @@ We implement technical and organizational measures to protect your personal data
* Secure network firewall configuration.
* Regular software updates and patching.
* Hashing of sensitive data like passwords using strong algorithms.
* Hashing of passwords using argon2.
* Servers located in a physically secure, controlled environment.
* Regular, encrypted backups stored securely (as described in Section 5).
* Use of encryption (HTTPS/TLS) for data transmission.
**Data Breach Notification:** In the unlikely event of a data breach that affects your personal information and is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. Notification will typically be sent to the **primary** email address associated with your account and may also include a prominent notice on the Service, where feasible and in accordance with applicable law.
**Data Breach Notification:** In the unlikely event of a data breach that affects your personal information and is likely to result in a high risk to your rights and freedoms, we will notify you (where the criteria of Art. 34 are met) without undue delay. Notification will typically be sent to the **primary** e-mail address associated with your account and may also include a prominent notice on the Service, where feasible and in accordance with applicable law.
### 10. Data Storage Location
The primary servers for the Service are located in **Poland**. Encrypted backups are stored with a third-party provider within the **European Economic Area (EEA)**.
Application and repository data of the Service is stored in **Poland**. Encrypted backups are stored with a third-party provider within the **European Economic Area (EEA)**. Operational e-mail data are processed in the USA under SCCs.
### 11. Your Rights
@ -111,9 +120,11 @@ Under applicable data protection laws (including the GDPR), you have certain rig
* **Right to Restrict Processing:** You can request that we limit the processing of your personal data under certain conditions.
* **Right to Object to Processing:** You can object to processing based on our legitimate interests.
* **Right to Data Portability:** You can request to receive your personal data in a structured, commonly used, and machine-readable format, or request its transfer to another controller, where technically feasible.
* **Right to Lodge a Complaint:** You have the right to lodge a complaint with a relevant data protection supervisory authority (e.g., the President of the Personal Data Protection Office (UODO) in Poland, if applicable).
* **Right to Lodge a Complaint:** You have the right to lodge a complaint with a relevant data protection supervisory authority.
To exercise these rights (other than direct profile editing or account deletion), please contact us using the details below. We may need to request specific information from you to help us confirm your identity before processing your request.
To exercise these rights (other than direct profile editing or account deletion), please contact us using the details below. We may need to request specific information from you to help us confirm your identity before processing your request. We respond within one month, extendable by two under Art. 12 §3.
You may lodge a complaint with the supervisory authority for Poland ([UODO](https://uodo.gov.pl/)) or your local supervisory authority.
Regarding the **Right to Data Portability**, your primary data (repository content) can typically be retrieved by cloning your repositories using standard Git tools.
@ -123,12 +134,14 @@ The Service is not intended for or directed at individuals under the age of 16.
### 13. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. We will indicate changes by updating the "Effective date" at the top of this policy. For significant changes, we may also provide notice through the Service interface or via email. We encourage you to review this policy periodically.
We reserve the right to modify this Privacy Policy at any time. We will indicate changes by updating the "Effective date" at the top of this Privacy Policy. For significant changes, we may also provide notice through the Service interface or via e-mail. We encourage you to review this Privacy Policy periodically.
You can also subscribe to notifications about changes to this file via its [RSS feed](/git724/git724/rss/branch/master/PRIVACY.md).
### 14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via email:
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via e-mail:
`privacy` [at] `m724.eu`
`privacy` [at] `m724.eu` ([PGP key available here](https://git.m724.eu/git724/git724/raw/branch/master/misc/m724%20privacy@m724.eu-%280x9BA61E3B0E44DF8A%29-public.asc))
No Data Protection Officer is appointed, as the criteria in Art. 37 GDPR are not met.