From 898be65327030d75a3f5b7ebd18a4f7d76a66a85 Mon Sep 17 00:00:00 2001
From: Noah Petherbridge <root@kirsle.net>
Date: Tue, 24 Oct 2023 23:35:44 -0700
Subject: [PATCH] Update privacy policy for more transparency

---
 web/templates/account/user_notes.html |   6 +-
 web/templates/privacy.html            | 526 ++++++++++++++++++++++++--
 2 files changed, 508 insertions(+), 24 deletions(-)

diff --git a/web/templates/account/user_notes.html b/web/templates/account/user_notes.html
index c4d60f7..361c7fd 100644
--- a/web/templates/account/user_notes.html
+++ b/web/templates/account/user_notes.html
@@ -77,8 +77,10 @@
             </p>
 
             <p>
-                Your notes will not be visible to <strong>{{.User.Username}}</strong> but <em>will</em> be visible
-                to website administrators.
+                Your notes will not normally be visible to <strong>{{.User.Username}}</strong> but <em>will</em> be visible
+                to website administrators. <strong class="has-text-danger">Please be mindful of what you write</strong> in
+                case of the unlikely event that your notes could be legally required to be disclosed to
+                <strong>{{.User.Username}}</strong> sometime in the future.
             </p>
         </div>
 
diff --git a/web/templates/privacy.html b/web/templates/privacy.html
index 7a592d4..d1487ae 100644
--- a/web/templates/privacy.html
+++ b/web/templates/privacy.html
@@ -25,7 +25,7 @@
         </p>
 
         <p>
-            This page was last updated on <strong>July 27, 2023.</strong>
+            This page was last updated on <strong>October 24, 2023.</strong>
         </p>
 
         <p>
@@ -149,12 +149,511 @@
             administrator to verify the report and take action as needed.
         </p>
 
-        <h1 id="direct-messages">Direct Messages</h1>
+        <h1 id="third-parties">Third Parties</h1>
 
         <p>
-            <span class="tag is-success">NEW: July 27 2023 - Clarification added</span>
+            <span class="tag is-success">Added: Oct 24 2023</span>
         </p>
 
+        <p>
+            {{PrettyTitle}} does not share data with <strong>ANY</strong> third party company.
+            The website and chat room (both custom applications built specifically for {{PrettyTitle}}) run on
+            a single web server. There are <strong>NO</strong> third-party analytics, advertisements, or any
+            data sharing agreement with any third-party company -- all user data is stored in-house on the
+            {{PrettyTitle}} web server.
+        </p>
+
+        <p>
+            The features on {{PrettyTitle}} are designed in a privacy-first manner in order to avoid relying
+            on any third-party services. For example:
+        </p>
+
+        <ul>
+            <li>
+                Collecting coarse location data by IP address is done via the Maxmind GeoIP database -- using
+                a <strong>local copy</strong> of the database that sits on the {{PrettyTitle}} server, so that
+                these location lookups can happen "offline" and your IP address is not sent to any third party.
+            </li>
+            <li>
+                On the "Who's Nearby" settings page you have the option to drop a pin on a map as a way to set your
+                location for other members to search for you. The map widget provides tiles loaded anonymously
+                from the <a href="https://www.openstreetmap.org">Open Streetmap</a> public API.
+            </li>
+        </ul>
+
+        <h1 id="data">Data Collection and Use</h1>
+
+        <p>
+            <span class="tag is-success">Added: Oct 24 2023</span>
+        </p>
+
+        <p>
+            This section will enumerate all of the kinds of data that {{PrettyTitle}} collects and stores
+            about user accounts and how it is used.
+        </p>
+
+        <h3>Required Account Information</h3>
+
+        <p>
+            The following information is the bare minimum required for all {{PrettyTitle}} user accounts,
+            why we require it and how it is used.
+        </p>
+
+        <ul>
+            <li>
+                <strong>E-mail Address</strong>
+                <ul>
+                    <li>
+                        <strong>Why it's required:</strong>
+                        We need a way to get in touch with you if needed. You can log in to your account using
+                        your e-mail address, and if you forget your password, you may send a password reset request
+                        via e-mail to your inbox to allow you to regain access to your account.
+                    </li>
+                    <li>
+                        <strong>What it's used for:</strong>
+                        We will rarely send transactional e-mail notifications to the address on file: on account
+                        signup, to verify you control the e-mail address; when your certification photo is approved
+                        or rejected; or when you request a reset for your forgotten password.
+                    </li>
+                    <li>
+                        <strong>Who we share it with:</strong>
+                        Nobody. The author of this website is philosophically opposed to the sharing of e-mail addresses
+                        with third party companies. Your e-mail address will NOT be shared or used for marketing e-mails,
+                        but used only for the aforementioned minimally required website functionality.
+                    </li>
+                    <li>
+                        <strong>See also:</strong> the <a href="#email-addresses">Email Addresses</a>
+                        section of this page, below, for more in-depth information.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Username</strong>
+                <ul>
+                    <li>
+                        <strong>Why it's required:</strong>
+                        Your username is your unique handle on the website and makes for a better identifier than an ID number.
+                    </li>
+                    <li>
+                        <strong>What it's used for:</strong>
+                        Your username will appear in the URL address bar when visiting your profile page or gallery, and is displayed
+                        on most pages where your account is mentioned, such as in comment threads, the Member Directory, or on the
+                        chat room.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Account Password</strong>
+                <ul>
+                    <li>
+                        <strong>Why it's required:</strong>
+                        To protect your account from an unauthorized login by somebody else.
+                    </li>
+                    <li>
+                        <strong>Security details:</strong>
+                        Passwords are hashed using the <a href="https://en.wikipedia.org/wiki/Bcrypt">Bcrypt</a> secure hashing
+                        algorithm with a cost factor tuned to take several milliseconds to compute the hash. Each user password
+                        has a distinct salt, which is randomized on each password reset. Bcrypt is designed to slow down efforts
+                        to brute force guess passwords in the event that a hacker obtained a list of Bcrypt password.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Date of Birth</strong>
+                <ul>
+                    <li>
+                        <strong>Why it's required:</strong>
+                        We want to know that all of our members are legal adults 18 years or older. You birthdate can derive your
+                        age and help to remove ambiguity especially for younger members (into their 20's) in case of any uncertainty.
+                    </li>
+                    <li>
+                        <strong>How you can protect it:</strong>
+                        From the first time the website asks you for your birthdate, there is a checkbox to NOT display your computed
+                        age on your profile page. Checking this box will remove the ability for other members to search for your profile
+                        by age or see how old you are, or by extension, guess when your birthdate may be if they happened to see your
+                        age update on the site.
+                    </li>
+                </ul>
+            </li>
+        </ul>
+
+        <h3>Optional Profile Information</h3>
+
+        <p>
+            The following information is all <strong>optional</strong> for members to fill in, and may be displayed on your
+            profile page or allow members to search for you by these fields (for example, the Member Directory allows to browse
+            members by gender, relationship status, age range, or sexual orientation).
+        </p>
+
+        <ul>
+            <li>
+                <strong>Display Name:</strong>
+                <ul>
+                    <li>
+                        <strong>What it is:</strong>
+                        Your display name is a free-form text box where you can write anything you want to go by, other than your
+                        username. You can use your first name, nickname, or write your username in the capitalization and style
+                        you prefer. If you don't fill out a Display Name, your username is shown in its place.
+                    </li>
+                    <li>
+                        <strong>How it's used:</strong>
+                        On the chat room, your display name can appear next to your username. Your display name also appears
+                        on your profile page and the Member Directory.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Gender:</strong>
+                <ul>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page; members may find you in search when filtering by gender;
+                        when you enter the chat room your profile button may display in a color-coded blue, pink or purple
+                        color based on your category of chosen gender (male-presenting, female-presenting, or non-binary).
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Pronouns:</strong>
+                <ul>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page and search result card on the Member Directory.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>City:</strong>
+                <ul>
+                    <li>
+                        <strong>What this is:</strong>
+                        The "City" field is a free-form text box and you can write as little or as much as you want.
+                        It is not tied or validated to be location data and is not used to derive your location at all.
+                    </li>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page and search result card on the Member Directory.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Job:</strong>
+                <ul>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page only.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>(Sexual) Orientation:</strong>
+                <ul>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page and search result card on the Member Directory.
+                        Members may find you in search when filtering by orientation.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Relationship Status:</strong>
+                <ul>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page and search result card on the Member Directory.
+                        Members may find you in search when filtering by relationship status.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Relationship Type:</strong>
+                <ul>
+                    <li>
+                        <strong>What this is:</strong>
+                        This is an optional qualifying field that describes your type of relationship:
+                        monogamous, open.
+                    </li>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page and search result card on the Member Directory.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>About Me:</strong>
+                <ul>
+                    <li>
+                        <strong>What this is:</strong>
+                        This is a free-form essay-style field where you can write a few sentences or
+                        paragraphs about yourself.
+                    </li>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page only.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Interests, Music/Movies:</strong>
+                <ul>
+                    <li>
+                        <strong>What this is:</strong>
+                        These are free-form essay-style fields where you can write a few sentences or
+                        paragraphs about yourself.
+                    </li>
+                    <li>
+                        <strong>How it's used:</strong>
+                        It is displayed on your profile page only.
+                    </li>
+                </ul>
+            </li>
+        </ul>
+
+        <h3>Other User Information</h3>
+
+        <p>
+            This section covers other information that the website may store in relation to your user account.
+        </p>
+
+        <ul>
+            <li>
+                <strong>Messages (website)</strong>
+                <ul>
+                    <li>
+                        If you send or receive Direct Messages with other members on the website, these
+                        are stored in the database. See <a href="#direct-messages">Direct Messages</a> for
+                        in-depth information.
+                    </li>
+                    <li>
+                        The <strong>chat room</strong> does not have any database storage at all and Direct
+                        Messages on chat are not retained or stored.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Likes</strong>
+                <ul>
+                    <li>
+                        As you click on "Like" buttons around the website, these are stored in the database
+                        as sets of "user ID, table name, table ID" triplets (for example, to store an entry about
+                        which photo ID or comment ID has been liked).
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Comments</strong> you have posted on forum threads or photos.
+            </li>
+            <li>
+                <strong>Friends, Blocks, &amp; Private Photo Grants</strong>
+                <ul>
+                    <li>
+                        Friend lists, blocked users, and private photo grants are stored in relationship tables
+                        that associate a "source user ID" and "target user ID" to link the connection between
+                        accounts with an implied direction (e.g.: private photos are granted to somebody, or shared
+                        by somebody).
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Notifications &amp; Subscriptions</strong>
+                <ul>
+                    <li>
+                        Notifications are generated by user activity on the website, for example clicking the "Like"
+                        button on a photo will notify the owner of that photo about the like. Each user account has
+                        their own feed of notifications, shown only to themselves.
+                    </li>
+                    <li>
+                        Subscriptions are comment threads that will notify other parties (other than the owner of the
+                        thing being commented on) when further comments are added. Commenting on a photo or forum thread
+                        will subscribe you to be notified about future comments (by other people) on that same thread. You
+                        can opt-out of subscriptions using a link at the top of each comment thread, and the opt-out will
+                        be remembered. Alternatively, you may also opt-in to comment threads that you did not comment on by
+                        using the same link at the top of the thread.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Forum Threads</strong>
+                <ul>
+                    <li>
+                        If you start a topic in the Forum, a Thread is created that holds some basic metadata
+                        about your topic (such as its title or 'explicit' setting). Threads have an associated
+                        "first comment" which is the message you wrote to start the thread.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Polls &amp; Poll Votes</strong>
+                <ul>
+                    <li>
+                        Forum threads may support an attached poll. If you vote on a poll, your vote is recorded
+                        in terms of your user ID to the poll ID and the choice you picked. Information about votes
+                        is not displayed on the website front-end, and is only used to tally up the count of votes
+                        for each of the presented options.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>User Notes</strong>
+                <ul>
+                    <li>
+                        Users may write private notes to themselves about one another, for example to
+                        remember a topic that was discussed on the chat room. This data may be revealed to
+                        the subject of the note as part of a Data Access Request.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Feedback &amp; Reports</strong>
+                <ul>
+                    <li>
+                        {{PrettyTitle}} provides a feedback and reporting system so users may notify the site admin
+                        about objectionable content or behavior they witness on the site. Feedback items often record
+                        the user ID who posted the feedback, and a pointer to a user ID, photo ID, comment ID, or so on
+                        depending on what the subject of the report was about. Feedback generated by or about a user will
+                        be made available to that user as part of a Data Access Request.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>User Location</strong>
+                <ul>
+                    <li>
+                        {{PrettyTitle}} has one database table that stores up to a single geolocation for user
+                        accounts. It is for the "Who's Nearby?" feature, which is <strong>opt-in</strong> and users
+                        are given a choice of how they want to share their location: automatically based on your IP
+                        address, via the Web Location API, or by dropping a pin on a map yourself to set your location
+                        to anywhere you want.
+                    </li>
+                    <li>
+                        The user location table stores up to <strong>one</strong> latitude/longitude coordinate for a user
+                        account, with the precision truncated to 2 (two) decimal places to defend against triangulation attacks.
+                    </li>
+                    <li>
+                        User locations are NOT revealed to other members on the site, only the rough distance away (to a resolution
+                        of miles and kilometers).
+                    </li>
+                    <li>
+                        No historical location data is collected: if a user refreshes their location, we update the
+                        stored latitude/longitude to the new values.
+                    </li>
+                    <li>
+                        Users may turn off the "Who's Nearby?" feature at any time, and their stored location data
+                        is immediately erased from the database.
+                    </li>
+                    <li>
+                        See more location-related details under "Device Information," below.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Two Factor Authentication</strong>
+                <ul>
+                    <li>
+                        <strong>What it is:</strong>
+                        Two-Factor Authentication (2FA) is an opt-in feature to help better protect user accounts,
+                        by requiring an authentication device as part of the sign-in process in addition to your
+                        account password. It uses the industry standard Time-based One-Time Password (TOTP) algorithm.
+                    </li>
+                    <li>
+                        <strong>How it's secured:</strong>
+                        The TOTP secret key (encoded in the QR code when you set up two-factor auth) is stored
+                        <strong>encrypted at rest</strong> in the database to protect the secret in case of a database compromise.
+                        Your one-time backup recovery codes are also stored, encrypted at rest in the database.
+                    </li>
+                </ul>
+            </li>
+        </ul>
+
+        <h3>Device Information</h3>
+
+        <p>
+            This section covers how we use information about your device, such as your IP address.
+        </p>
+
+        <ul>
+            <li>
+                <strong>IP Address</strong>
+                <ul>
+                    <li>
+                        <strong>How we collect it:</strong>
+                        Your IP address may appear as part of standard web server logs as you access and browse the
+                        website - for example in HTTP access logs captured by our <a href="https://nginx.org">NGINX</a>
+                        reverse proxy server. Your IP address in these logs is <strong>NOT</strong> associated with your
+                        user account.
+                    </li>
+                    <li>
+                        <strong>How we store it:</strong>
+                        {{PrettyTitle}} does <strong>NOT</strong> deliberately store your IP address anywhere
+                        in our application database -- we can see no reason for doing so.
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>IP Address-based Geolocation</strong>
+                <ul>
+                    <li>
+                        <strong>What this is:</strong>
+                        Some features of {{PrettyTitle}} will use your coarse (city-level) location that is obtained
+                        via an offline copy of the <a href="https://www.maxmind.com/en/home">Maxmind</a> GeoIP database which
+                        resides on the server. Maxmind publishes the GeoIP database that contains lookup information for
+                        all ranges of IP addresses on the Internet. {{PrettyTitle}} has an offline copy of this database
+                        so that location lookups can happen locally, without your IP address being shared with any third
+                        party.
+                    </li>
+                    <li>
+                        <strong>How it is used:</strong>
+                        Within the context of certain specific web requests to the site, your IP address is used
+                        to look up coarse location information by using an offline copy of the Maxmind GeoIP database
+                        which resides on the web server:
+                        <ul>
+                            <li>
+                                When entering the chat room: the website will send you into the chat room with a
+                                country flag emoji and your coarse location (to two levels of subdivision) to
+                                display next to your username on chat. For example: "United States, Oregon" or
+                                "Canada, British Columbia."
+                            </li>
+                            <li>
+                                If you <strong>opt-in</strong> to share your location for the "Who's Nearby?"
+                                feature to allow other members to search for you by distance, one of the available
+                                options to provide your location is by using the GeoIP database which is based
+                                on your IP address. Your location would then be updated when you visit the Member
+                                Search Directory or your dashboard (home) page on the site.
+                            </li>
+                        </ul>
+                    </li>
+                </ul>
+            </li>
+            <li>
+                <strong>Web Location API Geolocation</strong>
+                <ul>
+                    <li>
+                        <strong>What this is:</strong>
+                        If you opt-in to share your location for the "Who's Nearby?" feature, one of your
+                        choices how to share your location is to use the Web Location API, where nonshy.com
+                        will ask your web browser for permission to access its location. This will often be
+                        backed by a GPS device or WiFi-based location source on your device.
+                    </li>
+                    <li>
+                        <strong>How it is used:</strong>
+                        If you opt-in and choose to use this location source, the {{PrettyTitle}} website will
+                        ask for your location <strong>only</strong> on your Location Settings page, when you
+                        want to update or refresh your location. It is used for the "Who's Nearby?" feature to
+                        allow you to locate other members by distance to yourself.
+                    </li>
+                    <li>
+                        <strong>How you can control it:</strong>
+                        You can visit your Location Settings at any time and opt-out of the "Who's Nearby?"
+                        feature, or change your location source (e.g. to GeoIP based or drop a pin on a map
+                        yourself). If you turn off "Who's Nearby?" your stored location data is immediately
+                        erased from the server.
+                    </li>
+                </ul>
+            </li>
+        </ul>
+
+        <h1 id="direct-messages">Direct Messages</h1>
+
         <p>
             Please behave honorably in your use of Direct Messages, whether on the main website or inside
             the chat room. The global <a href="/tos">website rules</a> apply. {{PrettyTitle}} admins do NOT
@@ -228,7 +727,7 @@
             the thread from your partner's view. This is communicated in a pop-up before you delete the DM thread.
         </p>
 
-        <h1>Email Addresses</h1>
+        <h1 id="email-addresses">Email Addresses</h1>
 
         <p>
             All members begin signup by verifying control of an e-mail inbox. On this website, your e-mail
@@ -279,7 +778,7 @@
             controls on your Settings page to control such a feature.
         </p>
 
-        <h1>Cookies</h1>
+        <h1 id="cookies">Cookies</h1>
 
         <p>
             This website uses <strong>functional cookies only</strong> and does not run any advertisements
@@ -304,23 +803,6 @@
                 account on this website.
             </li>
         </ul>
-
-        <h3>Analytics Software</h3>
-
-        <p>
-            In the future we MAY deploy self-hosted analytics software to help understand how the
-            website is being used and identify any pain points that users may be running into. This
-            would probably be <a href="https://matomo.org/" target="_blank">Matomo analytics</a>,
-            a free and open source program that would run on the same web servers as this website,
-            so that analytics data does NOT leave this site and go to a third party such as Google
-            or Facebook.
-        </p>
-
-        <p>
-            The author of this website is a privacy &amp; security nut and he respects <em>your</em>
-            privacy as well. Matomo Analytics is GDPR compliant, automatically respects your web
-            browser's "Do Not Track" header and can be opted out of.
-        </p>
     </div>
 </div>
 {{end}}