git724/git724
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
git724/PRIVACY.md
Minecon724 00b7335d33 Update PRIVACY.md
2025-05-06 10:43:12 +02:00

14 KiB
Raw Permalink Blame History

Privacy Policy for git.m724.eu

Effective date: May 6, 2025

1. Introduction

Welcome to git.m724.eu! This Privacy Policy explains how the operator of git.m724.eu ('we', 'us', 'our') collects, uses, stores, and protects your personal information when you use our Git hosting service located at git.m724.eu (the 'Service').

The data controller for the personal data processed through the Service is the operator of git.m724.eu, reachable via the contact details provided at the end of this Privacy Policy.

We are committed to protecting your privacy. This Privacy Policy outlines our practices concerning the data we process and your rights regarding that data.

However, like any online service, we cannot guarantee absolute security or uninterrupted availability. While we make reasonable efforts to maintain the security and availability of the Service, no guarantees are made regarding uptime and security beyond the measures described herein.

2. Information We Collect

To provide and operate the Service, we collect the following types of information, which may include Personal Data:

  • Account Information: When you register, we collect your username, one or more e-mail addresses, and a securely hashed password. You may optionally provide additional profile information such as a display name, avatar, biography, location, or website. Username, valid e-mail address and password are necessary to create an account; without them you cannot use the Service. All other profile fields are optional.
  • Repository Content: Any data you store in repositories hosted on the Service, including source code, commit history, issues, comments, wiki pages, releases, pull requests, and other project-related content. Please note that this content may contain personal data if you choose to include it.
  • Git Commit Metadata: Git commits inherently contain author information (name and e-mail address) within their metadata. This information becomes part of the permanent history of any repository you contribute to.
  • Activity & Usage Data: Information related to your interaction with the Service, such as repository access (clones, fetches, pushes), issue creation/commenting, pull request activity, wiki edits, login times, and IP addresses (primarily for security logging and abuse prevention).
  • Cookies: As detailed in Section 8.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To Provide and Operate the Service: Authenticating users, hosting repositories, enabling collaboration features (issues, pull requests, etc.), and managing accounts.
  • To Maintain Security: Monitoring for and preventing fraudulent or malicious activity, ensuring the stability and security of the infrastructure, troubleshooting issues.
  • To Communicate With You: Sending essential service-related notifications (e.g., security alerts, password resets, significant policy changes) and responding to your support requests or inquiries.
  • To Comply with Legal Obligations: Responding to lawful requests from public authorities, if required.

We do not use your personal data for profiling or automated decision-making that produces legal effects concerning you or similarly significantly affects you.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you requested when creating an account and using its features.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing for the purposes of securing the Service, preventing abuse, maintaining infrastructure, and defending our legal rights, provided these interests are not overridden by your fundamental rights and freedoms. We have concluded that our interest in securing the service and preventing abuse is not overridden by your interests or fundamental rights.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable laws and regulations.
  • Consent (Art. 6(1)(a) GDPR): Where we specifically ask for your consent for processing (e.g., for non-essential cookies, though currently only essential cookies are used as described below).

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data with third parties for their marketing purposes.

We share data only in the following limited circumstances:

  • With Service Providers (Data Processors):
    • A third-party provider is located in Germany for storing encrypted backups. Backups are encrypted at the source. The encryption key never leaves our own servers.
    • E-mails are routed through MXroute LLC, USA. The transfer is made pursuant to EU Commission Decision 2021/914 (Standard Contractual Clauses, module 3), supplemented by additional technical safeguards (end-to-end TLS, mandatory MFA on the MXroute account).
    • DNS provider is deSEC e.V., Germany
    • HTTPS and SSH traffic is proxied through a machine hosted by Skhron OÜ, Estonia
  • For Legal Reasons: We may disclose your information if required to do so by law, subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or the safety of the public or any person.

6. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Account Data: Your profile information (username, e-mail addresses, avatar, bio, etc.) and hashed password are retained as long as your account is active. This data is deleted upon account deletion.
  • Repository Data: Repositories you own and their contents (code, issues, releases, etc.) are retained as long as the repository exists on the Service.
  • Activity Data & Contributions: Data related to your activity (issues, comments, pull requests, wiki edits, etc.) and code contributions (commits) are handled as described under "Deleting Your Account" to maintain the integrity and history of projects. Raw access logs (IP, User-Agent, timestamp) are kept for up to 30 days for security and troubleshooting, then deleted, unless required for evidence of abuse.
  • Backup Data: Encrypted backups containing snapshots of data may be retained for up to 3 months. This data is isolated, not used for operational purposes, and securely destroyed after the retention period expires.

7. Deleting Your Account

You can delete your account at any time while logged in via your account settings. When you request account deletion:

  1. Profile Deletion: Your personal profile information (username, linked e-mail addresses, avatar, bio, etc.) and hashed password will be permanently deleted from our active systems.
  2. Content Disassociation: Content you generated (like issues, comments, the record of pull requests you opened or reviewed) will generally be retained but disassociated from your account. The content itself remains visible, but it will no longer be directly linked to your username and will typically be attributed to a generic "Deleted User" placeholder. Please note that while the pull request record itself is disassociated, the underlying Git commits referenced by the pull request retain their original author metadata as described below. Once disassociated, this content is generally no longer considered personal data directly linked to your deleted account within the Service.
  3. Commit Unlinking: Your Git commits within repositories hosted on the Service will be unlinked from your deleted user account within the Service's interface.
    (!) Important Note on Git Commit Metadata: While your Service account is deleted and commits are unlinked from it in our interface, the author name and e-mail address embedded within the Git commit metadata itself remains permanently part of the repository's history. This is a fundamental aspect of how Git works and is outside the control of the Service once a commit is pushed. This metadata persists even if the pull request record linking it to your account is removed (as per point 2). If you have privacy concerns about this, configure your local Git client appropriately (e.g., using a work or noreply e-mail address) before making and pushing commits.
  4. Repository Ownership: Repositories owned solely by your account will be permanently deleted unless you transfer ownership to another user or organization before deleting your account.

Residual copies of your deleted personal data may remain in our encrypted backup systems for up to 3 months before being permanently destroyed, as described in the Data Retention section.

8. Cookies

We use cookies for essential functionality:

  • Session Management: To keep you logged in during your visit. This cookie is typically deleted when you close your browser.
  • Persistent Login ("Remember Me"): If you check the "Remember this device" option when logging in, a cookie will be stored for up to 31 days to keep you logged in across sessions.
  • Security (CSRF Protection): To help prevent Cross-Site Request Forgery attacks, ensuring actions you take on the site are genuinely initiated by you. This cookie is typically deleted when you close your browser.

No third-party analytics or cross-site tracking or ads occurs.

Because we only use cookies that are strictly necessary for the secure and proper functioning of the Service, no separate cookie consent banner is shown.

You can manage or disable cookies through your web browser settings, but doing so may impair the functionality of the Service (e.g., you may not be able to log in).

9. Data Security

We implement technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Secure network firewall configuration.
  • Regular software updates and patching.
  • Hashing of passwords using argon2.
  • Servers located in a physically secure, controlled environment.
  • Regular, encrypted backups stored securely (as described in Section 5).
  • Use of encryption (HTTPS/TLS) for data transmission.

Data Breach Notification: In the unlikely event of a data breach that affects your personal information and is likely to result in a high risk to your rights and freedoms, we will notify you (where the criteria of Art. 34 are met) without undue delay. Notification will typically be sent to the primary e-mail address associated with your account and may also include a prominent notice on the Service, where feasible and in accordance with applicable law.

10. Data Storage Location

Application and repository data of the Service is stored in Poland. Encrypted backups are stored with a third-party provider within the European Economic Area (EEA). Operational e-mail data are processed in the USA under SCCs.

11. Your Rights

Under applicable data protection laws (including the GDPR), you have certain rights regarding your personal data. These may include:

  • Right to Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can request correction of inaccurate or incomplete personal data. (Much of your profile data can be edited directly in your account settings).
  • Right to Erasure ('Right to be Forgotten'): You can request the deletion of your personal data, subject to certain limitations (e.g., data needed for legal compliance or the persistence of anonymized/unlinked content as described in Section 7). Account deletion fulfills most aspects of this right.
  • Right to Restrict Processing: You can request that we limit the processing of your personal data under certain conditions.
  • Right to Object to Processing: You can object to processing based on our legitimate interests.
  • Right to Data Portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format, or request its transfer to another controller, where technically feasible.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a relevant data protection supervisory authority.

To exercise these rights (other than direct profile editing or account deletion), please contact us using the details below. We may need to request specific information from you to help us confirm your identity before processing your request. We respond within one month, extendable by two under Art. 12 §3.

You may lodge a complaint with the supervisory authority for Poland (UODO) or your local supervisory authority.

Regarding the Right to Data Portability, your primary data (repository content) can typically be retrieved by cloning your repositories using standard Git tools.

12. Children's Privacy

The Service is not intended for or directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete such information promptly.

13. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. We will indicate changes by updating the "Effective date" at the top of this Privacy Policy. For significant changes, we may also provide notice through the Service interface or via e-mail. We encourage you to review this Privacy Policy periodically.

You can also subscribe to notifications about changes to this file via its RSS feed.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via e-mail:

privacy [at] m724.eu (PGP key available here)

No Data Protection Officer is appointed, as the criteria in Art. 37 GDPR are not met.