revsuine.xyz/content/privacy_policy.md

+++
draft = false
title = 'Privacy Policy'

[params]
  showWordCount = false
+++

This is a privacy policy notice for anyone who happens to use any of the services I use.

# For all services

My server is a VPS with full disk encryption. This means that, if the disk is seized, e.g. by law enforcement, your
data will be unreadable to them. However, if the VPS host wishes to, they can dump the decryption keys from RAM and
read my disk. For most user services I host, there will be additional encryption at rest, including such that data is
never decrypted server-side.

The server is hosted in Romania.

I make local backups of server data which I physically possess. These backups are always on LUKS-encrypted drives (i.e.
same disclaimer as above about being unreadable should they be seized) stored in Britain. I reserve the right to keep
my backups for as long as I like, so any data you have deleted on my server may still exist in backups. If you have
accidentally uploaded sensitive data to my server which you want scrubbed, [contact me](/contact) and I will do my best
to remove it from backups. Please don't rely on this to delete data though, and just don't upload anything to my server
that absolutely can't persist.

My server uses fail2ban with a ban length of 1 day, so your IP address may be stored for a day if fail2ban bans you.

# Sharing data

If I am not forced to by law, I will never share the data of anyone who uses my hosted services with any third party.
Try not to use my server for anything that could get the cops on me, but in the event that I am approached by law
enforcement with a legally valid data access request/warrant/etc, I will do everything I safely can to avoid handing
over data, up to and including shutting down the service in question. This is no guarantee that I wouldn't comply if my
own safety/liberty/etc were at risk though, therefore you should not take it as a given that data stored on this server
cannot be shared if law enforcement is interested.

I will not go out of my way to read anyone's private data (e.g. email addresses on accounts), but if it is unencrypted,
I may stumble across it while doing server maintenance, reading logs, etc. If you have public data on my server, I may
access it from the public web as a member of the public.

# Web services

My web server is nginx. I log web requests without any identifying information. I log:

* Timestamps
* The type of request
* The resource accessed
* The status of the request

My logging config is:

```conf
log_format main '[$time_local] "$request" '
                '$status $body_bytes_sent ';
```

Logs are rotated with logrotate with the following logrotate config:

```logrotate
/var/log/nginx/*.log {
        missingok
        sharedscripts
        postrotate
                /etc/init.d/nginx --quiet --ifstarted reopen
        endscript
}
```

I also log errors.

# [My static website (revsuine.xyz)](https://revsuine.xyz/)

My static website does not collect data about you beyond nginx logging. It uses JavaScript for prism.js syntax
highlighting, and for the drop-down menu on mobile. To see the JavaScript usage, look at [the GitHub repo for the
theme](https://github.com/search?q=repo%3Apanr%2Fhugo-theme-terminal++language%3AJavaScript&type=code). The site works
completely fine without JavaScript.

This website does not use cookies, tracking pixels, or anything of the sort.

# [Nextcloud (cloud.revsuine.xyz)](https://cloud.revsuine.xyz/)

Server-side encryption is enabled, meaning I can view an index of your files, but not read their content. End-to-end
encryption is also enabled.

I log errors, which may contain client IP addresses.

# [Forgejo (git.revsuine.xyz)](https://git.revsuine.xyz/)

There is no additional encryption at rest for anything hosted on Forgejo, so you shouldn't upload anything to my
Forgejo instance you don't want me to see. I can say I won't look at your private repos, but you'd have to take my word
for it, and I am *able* to look at them if I want to.

# Changes

This privacy policy was first written in 2024 and will be kept up-to-date. I reserve the right to update this privacy
policy whenever I like.
content/privacy_policy.md, layouts/partials/footer.html: added privacy policy 2024-11-25 17:06:11 +00:00			`+++`
			`draft = false`
			`title = 'Privacy Policy'`
content/privacy_policy.md: remove word count 2024-11-25 17:08:52 +00:00
			`[params]`
			`showWordCount = false`
content/privacy_policy.md, layouts/partials/footer.html: added privacy policy 2024-11-25 17:06:11 +00:00			`+++`

			`This is a privacy policy notice for anyone who happens to use any of the services I use.`

			`# For all services`

			`My server is a VPS with full disk encryption. This means that, if the disk is seized, e.g. by law enforcement, your`
			`data will be unreadable to them. However, if the VPS host wishes to, they can dump the decryption keys from RAM and`
			`read my disk. For most user services I host, there will be additional encryption at rest, including such that data is`
			`never decrypted server-side.`

			`The server is hosted in Romania.`

			`I make local backups of server data which I physically possess. These backups are always on LUKS-encrypted drives (i.e.`
			`same disclaimer as above about being unreadable should they be seized) stored in Britain. I reserve the right to keep`
			`my backups for as long as I like, so any data you have deleted on my server may still exist in backups. If you have`
			`accidentally uploaded sensitive data to my server which you want scrubbed, [contact me](/contact) and I will do my best`
			`to remove it from backups. Please don't rely on this to delete data though, and just don't upload anything to my server`
			`that absolutely can't persist.`

			`My server uses fail2ban with a ban length of 1 day, so your IP address may be stored for a day if fail2ban bans you.`

			`# Sharing data`

			`If I am not forced to by law, I will never share the data of anyone who uses my hosted services with any third party.`
			`Try not to use my server for anything that could get the cops on me, but in the event that I am approached by law`
			`enforcement with a legally valid data access request/warrant/etc, I will do everything I safely can to avoid handing`
			`over data, up to and including shutting down the service in question. This is no guarantee that I wouldn't comply if my`
			`own safety/liberty/etc were at risk though, therefore you should not take it as a given that data stored on this server`
			`cannot be shared if law enforcement is interested.`

			`I will not go out of my way to read anyone's private data (e.g. email addresses on accounts), but if it is unencrypted,`
			`I may stumble across it while doing server maintenance, reading logs, etc. If you have public data on my server, I may`
			`access it from the public web as a member of the public.`

			`# Web services`

			`My web server is nginx. I log web requests without any identifying information. I log:`

			`* Timestamps`
			`* The type of request`
			`* The resource accessed`
			`* The status of the request`

			`My logging config is:`

			```conf
			`log_format main '[$time_local] "$request" '`
			`'$status $body_bytes_sent ';`
			```

			`Logs are rotated with logrotate with the following logrotate config:`

			```logrotate
			`/var/log/nginx/*.log {`
			`missingok`
			`sharedscripts`
			`postrotate`
			`/etc/init.d/nginx --quiet --ifstarted reopen`
			`endscript`
			`}`
			```

			`I also log errors.`

			`# [My static website (revsuine.xyz)](https://revsuine.xyz/)`

			`My static website does not collect data about you beyond nginx logging. It uses JavaScript for prism.js syntax`
content/privacy_policy.md: s/Javascript/JavaScript/ 2024-11-25 17:18:28 +00:00			`highlighting, and for the drop-down menu on mobile. To see the JavaScript usage, look at [the GitHub repo for the`
content/privacy_policy.md, layouts/partials/footer.html: added privacy policy 2024-11-25 17:06:11 +00:00			`theme](https://github.com/search?q=repo%3Apanr%2Fhugo-theme-terminal++language%3AJavaScript&type=code). The site works`
			`completely fine without JavaScript.`

			`This website does not use cookies, tracking pixels, or anything of the sort.`

content/privacy_policy.md: s/Javascript/JavaScript/ 2024-11-25 17:18:28 +00:00			`# [Nextcloud (cloud.revsuine.xyz)](https://cloud.revsuine.xyz/)`
content/privacy_policy.md, layouts/partials/footer.html: added privacy policy 2024-11-25 17:06:11 +00:00
			`Server-side encryption is enabled, meaning I can view an index of your files, but not read their content. End-to-end`
			`encryption is also enabled.`

			`I log errors, which may contain client IP addresses.`

content/privacy_policy.md: s/Javascript/JavaScript/ 2024-11-25 17:18:28 +00:00			`# [Forgejo (git.revsuine.xyz)](https://git.revsuine.xyz/)`
content/privacy_policy.md, layouts/partials/footer.html: added privacy policy 2024-11-25 17:06:11 +00:00
			`There is no additional encryption at rest for anything hosted on Forgejo, so you shouldn't upload anything to my`
			`Forgejo instance you don't want me to see. I can say I won't look at your private repos, but you'd have to take my word`
			`for it, and I am able to look at them if I want to.`

			`# Changes`

			`This privacy policy was first written in 2024 and will be kept up-to-date. I reserve the right to update this privacy`
			`policy whenever I like.`