GDPR/Privacy Policy Template

From XMPP WIKI
Revision as of 02:03, 17 December 2020 by Neustradamus (talk | contribs)

This is a WIP and is going to be moved to a git repository.

Privacy Policy

{{ date }}

The {{ domain }} service is processing, storing and forwarding personal information about you as follows, in accordance with the EU GDPR. By using the server, you agree with the described processing of your data.

Data Processing

This section describes how the {{ domain }} service processes your personal information internally.

Information Associated with your Account

The following information is needed to provide the service to you (Art. 6.1b) and is stored as long as your account exists:

  • Login credentials are stored in encrypted form and never shared with other parties.
  • Your account identifier (Jabber ID) is only shared with XMPP users and services that you interact with.
  • Your contact list (roster, chatroom bookmarks) is not shared with other parties, except when you give explicit permission (XEP-0321: Remote Roster Management).
  • Your availability information (presence) is kept in memory and automatically shared with your contacts and the chatrooms you enter, and might be shared with other XMPP services that you are using (e.g. transports). The date and time of your last login are stored alongside your account to identify inactive accounts.
  • The IP address of your registration and of your last login are stored alongside the account. This is required to detect and delete spammer accounts (Art. 6.1f). IP addresses of identified spammer accounts will be shared with other server operators to prevent further abuse.

User Content

Content that you send or that is sent to you is stored on your behalf, so that you can access it from all of your clients (Art. 6.1b):

  • Messages sent to you while you are offline are stored until you connect or your account is deleted.
  • Message archives of the messages you send and receive are stored for 14 days, if you have enabled XEP-0313: Message Archive Management.
  • Uploaded files are stored for 30 days (some clients cache messages, but not files, so those are kept for a longer time).
  • Chatroom history is stored according to the configuration of the respective chatroom, and might be made public by other participants.
  • Your public profile information (vCard) and avatar image are stored alongside the account and can be queried by users who know your Jabber ID.

Server Logs

To ensure proper operation of the service, including network and information security, server logs are stored for 14 days (Recital 49 of the EU GDPR). The server logs contain, among other data:

  • Message meta-data (sender, receiver, type of message).
  • Message content of messages automatically flagged as potential spam. These messages might undergo manual review.
  • Connection information, including IP addresses and timestamps.
  • Internal processing information.

Data Sharing

The main goal of the XMPP network is to get your messages to your contacts, and vice versa. To achieve that, data and meta-data are transmitted to the servers of the respective users, as far as this is required to deliver the messages (Art. 6.1b).

Other XMPP Services

Content that you send to other servers is subject to their respective data protection policies. The processing on these servers might not be covered by the high data protection standards you expect, especially if the servers are located outside of the EU (Art. 49.1b).

Your Online Status

If you join chatrooms or add other users to your contact list, those users (and the operators of their servers) will be automatically informed about:

  • When you come online,
  • when you go offline, and
  • your availability status and message.

You can opt out of this by unsubscribing these contacts from your contact list.

Your Public Profile

Your public profile information (vCard) and avatar image can be queried by users who know your Jabber ID.

Push Services

If you enable push notifications (e.g. on a mobile client), the data that is required to perform the push notification (typically a device ID and message meta-data) is transmitted to the respective push service provider (Art. 6.1b, Art. 49.1b). This processing is subject to the data protection policies of the respective provider.

Rectification and Erasure

You can access, change and delete the following information stored about you with a compliant XMPP client, after logging in with your Jabber ID:

  • your contact list and chatroom bookmarks
  • your vCard and avatar
  • your offline messages
  • your message archives

For all other kinds of personal data processed by the {{ domain }} service, please contact the representative below.

To obtain information about data processed and stored on other XMPP services, please contact their respective representative.

Representative

The representative for all purposes of data protection is:

{{ contact_details }}

You need to identify as the holder of a given Jabber ID to obtain any information about it.

If you deem the conditions of this service unacceptable, or have other concerns, you have the right to complain to a {{ Data_Protection_Authority }}.