Update privacy policy for more transparency

This commit is contained in:
Noah Petherbridge 2023-10-24 23:35:44 -07:00
parent 0143fd752f
commit 898be65327
2 changed files with 508 additions and 24 deletions

View File

@ -77,8 +77,10 @@
</p> </p>
<p> <p>
Your notes will not be visible to <strong>{{.User.Username}}</strong> but <em>will</em> be visible Your notes will not normally be visible to <strong>{{.User.Username}}</strong> but <em>will</em> be visible
to website administrators. to website administrators. <strong class="has-text-danger">Please be mindful of what you write</strong> in
case of the unlikely event that your notes could be legally required to be disclosed to
<strong>{{.User.Username}}</strong> sometime in the future.
</p> </p>
</div> </div>
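Review bot: the new warning "in case of the unlikely event that your notes could be legally required to be disclosed" undersells what the second file in this same commit states under "User Notes", namely that notes "may be revealed to the subject of the note as part of a Data Access Request", which any member can make and which needs no legal compulsion. Align the two, e.g. "in the event that your notes are disclosed to <strong>{{.User.Username}}</strong>, for example as part of a Data Access Request", and fix the grammar while there ("in the unlikely event", not "in case of the unlikely event"). "Will not normally be visible" is also now open-ended; name the exceptions (website administrators, Data Access Requests) in the same sentence so the user can judge the risk before typing.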

View File

@ -25,7 +25,7 @@
</p> </p>
<p> <p>
This page was last updated on <strong>July 27, 2023.</strong> This page was last updated on <strong>October 24, 2023.</strong>
</p> </p>
<p> <p>
@ -149,12 +149,511 @@
administrator to verify the report and take action as needed. administrator to verify the report and take action as needed.
</p> </p>
<h1 id="direct-messages">Direct Messages</h1> <h1 id="third-parties">Third Parties</h1>
<p> <p>
<span class="tag is-success">NEW: July 27 2023 - Clarification added</span> <span class="tag is-success">Added: Oct 24 2023</span>
</p> </p>
<p>
{{PrettyTitle}} does not share data with <strong>ANY</strong> third party company.
The website and chat room (both custom applications built specifically for {{PrettyTitle}}) run on
a single web server. There are <strong>NO</strong> third-party analytics, advertisements, or any
data sharing agreement with any third-party company -- all user data is stored in-house on the
{{PrettyTitle}} web server.
</p>
<p>
The features on {{PrettyTitle}} are designed in a privacy-first manner in order to avoid relying
on any third-party services. For example:
</p>
<ul>
<li>
Collecting coarse location data by IP address is done via the Maxmind GeoIP database -- using
a <strong>local copy</strong> of the database that sits on the {{PrettyTitle}} server, so that
these location lookups can happen "offline" and your IP address is not sent to any third party.
</li>
<li>
On the "Who's Nearby" settings page you have the option to drop a pin on a map as a way to set your
location for other members to search for you. The map widget provides tiles loaded anonymously
from the <a href="https://www.openstreetmap.org">Open Streetmap</a> public API.
</li>
</ul>
<h1 id="data">Data Collection and Use</h1>
<p>
<span class="tag is-success">Added: Oct 24 2023</span>
</p>
<p>
This section will enumerate all of the kinds of data that {{PrettyTitle}} collects and stores
about user accounts and how it is used.
</p>
<h3>Required Account Information</h3>
<p>
The following information is the bare minimum required for all {{PrettyTitle}} user accounts,
why we require it and how it is used.
</p>
<ul>
<li>
<strong>E-mail Address</strong>
<ul>
<li>
<strong>Why it's required:</strong>
We need a way to get in touch with you if needed. You can log in to your account using
your e-mail address, and if you forget your password, you may send a password reset request
via e-mail to your inbox to allow you to regain access to your account.
</li>
<li>
<strong>What it's used for:</strong>
We will rarely send transactional e-mail notifications to the address on file: on account
signup, to verify you control the e-mail address; when your certification photo is approved
or rejected; or when you request a reset for your forgotten password.
</li>
<li>
<strong>Who we share it with:</strong>
Nobody. The author of this website is philosophically opposed to the sharing of e-mail addresses
with third party companies. Your e-mail address will NOT be shared or used for marketing e-mails,
but used only for the aforementioned minimally required website functionality.
</li>
<li>
<strong>See also:</strong> the <a href="#email-addresses">Email Addresses</a>
section of this page, below, for more in-depth information.
</li>
</ul>
</li>
<li>
<strong>Username</strong>
<ul>
<li>
<strong>Why it's required:</strong>
Your username is your unique handle on the website and makes for a better identifier than an ID number.
</li>
<li>
<strong>What it's used for:</strong>
Your username will appear in the URL address bar when visiting your profile page or gallery, and is displayed
on most pages where your account is mentioned, such as in comment threads, the Member Directory, or on the
chat room.
</li>
</ul>
</li>
<li>
<strong>Account Password</strong>
<ul>
<li>
<strong>Why it's required:</strong>
To protect your account from an unauthorized login by somebody else.
</li>
<li>
<strong>Security details:</strong>
Passwords are hashed using the <a href="https://en.wikipedia.org/wiki/Bcrypt">Bcrypt</a> secure hashing
algorithm with a cost factor tuned to take several milliseconds to compute the hash. Each user password
has a distinct salt, which is randomized on each password reset. Bcrypt is designed to slow down efforts
to brute force guess passwords in the event that a hacker obtained a list of Bcrypt password.
</li>
</ul>
</li>
<li>
<strong>Date of Birth</strong>
<ul>
<li>
<strong>Why it's required:</strong>
We want to know that all of our members are legal adults 18 years or older. You birthdate can derive your
age and help to remove ambiguity especially for younger members (into their 20's) in case of any uncertainty.
</li>
<li>
<strong>How you can protect it:</strong>
From the first time the website asks you for your birthdate, there is a checkbox to NOT display your computed
age on your profile page. Checking this box will remove the ability for other members to search for your profile
by age or see how old you are, or by extension, guess when your birthdate may be if they happened to see your
age update on the site.
</li>
</ul>
</li>
</ul>
<h3>Optional Profile Information</h3>
<p>
The following information is all <strong>optional</strong> for members to fill in, and may be displayed on your
profile page or allow members to search for you by these fields (for example, the Member Directory allows to browse
members by gender, relationship status, age range, or sexual orientation).
</p>
<ul>
<li>
<strong>Display Name:</strong>
<ul>
<li>
<strong>What it is:</strong>
Your display name is a free-form text box where you can write anything you want to go by, other than your
username. You can use your first name, nickname, or write your username in the capitalization and style
you prefer. If you don't fill out a Display Name, your username is shown in its place.
</li>
<li>
<strong>How it's used:</strong>
On the chat room, your display name can appear next to your username. Your display name also appears
on your profile page and the Member Directory.
</li>
</ul>
</li>
<li>
<strong>Gender:</strong>
<ul>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page; members may find you in search when filtering by gender;
when you enter the chat room your profile button may display in a color-coded blue, pink or purple
color based on your category of chosen gender (male-presenting, female-presenting, or non-binary).
</li>
</ul>
</li>
<li>
<strong>Pronouns:</strong>
<ul>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page and search result card on the Member Directory.
</li>
</ul>
</li>
<li>
<strong>City:</strong>
<ul>
<li>
<strong>What this is:</strong>
The "City" field is a free-form text box and you can write as little or as much as you want.
It is not tied or validated to be location data and is not used to derive your location at all.
</li>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page and search result card on the Member Directory.
</li>
</ul>
</li>
<li>
<strong>Job:</strong>
<ul>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page only.
</li>
</ul>
</li>
<li>
<strong>(Sexual) Orientation:</strong>
<ul>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page and search result card on the Member Directory.
Members may find you in search when filtering by orientation.
</li>
</ul>
</li>
<li>
<strong>Relationship Status:</strong>
<ul>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page and search result card on the Member Directory.
Members may find you in search when filtering by relationship status.
</li>
</ul>
</li>
<li>
<strong>Relationship Type:</strong>
<ul>
<li>
<strong>What this is:</strong>
This is an optional qualifying field that describes your type of relationship:
monogamous, open.
</li>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page and search result card on the Member Directory.
</li>
</ul>
</li>
<li>
<strong>About Me:</strong>
<ul>
<li>
<strong>What this is:</strong>
This is a free-form essay-style field where you can write a few sentences or
paragraphs about yourself.
</li>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page only.
</li>
</ul>
</li>
<li>
<strong>Interests, Music/Movies:</strong>
<ul>
<li>
<strong>What this is:</strong>
These are free-form essay-style fields where you can write a few sentences or
paragraphs about yourself.
</li>
<li>
<strong>How it's used:</strong>
It is displayed on your profile page only.
</li>
</ul>
</li>
</ul>
<h3>Other User Information</h3>
<p>
This section covers other information that the website may store in relation to your user account.
</p>
<ul>
<li>
<strong>Messages (website)</strong>
<ul>
<li>
If you send or receive Direct Messages with other members on the website, these
are stored in the database. See <a href="#direct-messages">Direct Messages</a> for
in-depth information.
</li>
<li>
The <strong>chat room</strong> does not have any database storage at all and Direct
Messages on chat are not retained or stored.
</li>
</ul>
</li>
<li>
<strong>Likes</strong>
<ul>
<li>
As you click on "Like" buttons around the website, these are stored in the database
as sets of "user ID, table name, table ID" triplets (for example, to store an entry about
which photo ID or comment ID has been liked).
</li>
</ul>
</li>
<li>
<strong>Comments</strong> you have posted on forum threads or photos.
</li>
<li>
<strong>Friends, Blocks, &amp; Private Photo Grants</strong>
<ul>
<li>
Friend lists, blocked users, and private photo grants are stored in relationship tables
that associate a "source user ID" and "target user ID" to link the connection between
accounts with an implied direction (e.g.: private photos are granted to somebody, or shared
by somebody).
</li>
</ul>
</li>
<li>
<strong>Notifications &amp; Subscriptions</strong>
<ul>
<li>
Notifications are generated by user activity on the website, for example clicking the "Like"
button on a photo will notify the owner of that photo about the like. Each user account has
their own feed of notifications, shown only to themselves.
</li>
<li>
Subscriptions are comment threads that will notify other parties (other than the owner of the
thing being commented on) when further comments are added. Commenting on a photo or forum thread
will subscribe you to be notified about future comments (by other people) on that same thread. You
can opt-out of subscriptions using a link at the top of each comment thread, and the opt-out will
be remembered. Alternatively, you may also opt-in to comment threads that you did not comment on by
using the same link at the top of the thread.
</li>
</ul>
</li>
<li>
<strong>Forum Threads</strong>
<ul>
<li>
If you start a topic in the Forum, a Thread is created that holds some basic metadata
about your topic (such as its title or 'explicit' setting). Threads have an associated
"first comment" which is the message you wrote to start the thread.
</li>
</ul>
</li>
<li>
<strong>Polls &amp; Poll Votes</strong>
<ul>
<li>
Forum threads may support an attached poll. If you vote on a poll, your vote is recorded
in terms of your user ID to the poll ID and the choice you picked. Information about votes
is not displayed on the website front-end, and is only used to tally up the count of votes
for each of the presented options.
</li>
</ul>
</li>
<li>
<strong>User Notes</strong>
<ul>
<li>
Users may write private notes to themselves about one another, for example to
remember a topic that was discussed on the chat room. This data may be revealed to
the subject of the note as part of a Data Access Request.
</li>
</ul>
</li>
<li>
<strong>Feedback &amp; Reports</strong>
<ul>
<li>
{{PrettyTitle}} provides a feedback and reporting system so users may notify the site admin
about objectionable content or behavior they witness on the site. Feedback items often record
the user ID who posted the feedback, and a pointer to a user ID, photo ID, comment ID, or so on
depending on what the subject of the report was about. Feedback generated by or about a user will
be made available to that user as part of a Data Access Request.
</li>
</ul>
</li>
<li>
<strong>User Location</strong>
<ul>
<li>
{{PrettyTitle}} has one database table that stores up to a single geolocation for user
accounts. It is for the "Who's Nearby?" feature, which is <strong>opt-in</strong> and users
are given a choice of how they want to share their location: automatically based on your IP
address, via the Web Location API, or by dropping a pin on a map yourself to set your location
to anywhere you want.
</li>
<li>
The user location table stores up to <strong>one</strong> latitude/longitude coordinate for a user
account, with the precision truncated to 2 (two) decimal places to defend against triangulation attacks.
</li>
<li>
User locations are NOT revealed to other members on the site, only the rough distance away (to a resolution
of miles and kilometers).
</li>
<li>
No historical location data is collected: if a user refreshes their location, we update the
stored latitude/longitude to the new values.
</li>
<li>
Users may turn off the "Who's Nearby?" feature at any time, and their stored location data
is immediately erased from the database.
</li>
<li>
See more location-related details under "Device Information," below.
</li>
</ul>
</li>
<li>
<strong>Two Factor Authentication</strong>
<ul>
<li>
<strong>What it is:</strong>
Two-Factor Authentication (2FA) is an opt-in feature to help better protect user accounts,
by requiring an authentication device as part of the sign-in process in addition to your
account password. It uses the industry standard Time-based One-Time Password (TOTP) algorithm.
</li>
<li>
<strong>How it's secured:</strong>
The TOTP secret key (encoded in the QR code when you set up two-factor auth) is stored
<strong>encrypted at rest</strong> in the database to protect the secret in case of a database compromise.
Your one-time backup recovery codes are also stored, encrypted at rest in the database.
</li>
</ul>
</li>
</ul>
<h3>Device Information</h3>
<p>
This section covers how we use information about your device, such as your IP address.
</p>
<ul>
<li>
<strong>IP Address</strong>
<ul>
<li>
<strong>How we collect it:</strong>
Your IP address may appear as part of standard web server logs as you access and browse the
website - for example in HTTP access logs captured by our <a href="https://nginx.org">NGINX</a>
reverse proxy server. Your IP address in these logs is <strong>NOT</strong> associated with your
user account.
</li>
<li>
<strong>How we store it:</strong>
{{PrettyTitle}} does <strong>NOT</strong> deliberately store your IP address anywhere
in our application database -- we can see no reason for doing so.
</li>
</ul>
</li>
<li>
<strong>IP Address-based Geolocation</strong>
<ul>
<li>
<strong>What this is:</strong>
Some features of {{PrettyTitle}} will use your coarse (city-level) location that is obtained
via an offline copy of the <a href="https://www.maxmind.com/en/home">Maxmind</a> GeoIP database which
resides on the server. Maxmind publishes the GeoIP database that contains lookup information for
all ranges of IP addresses on the Internet. {{PrettyTitle}} has an offline copy of this database
so that location lookups can happen locally, without your IP address being shared with any third
party.
</li>
<li>
<strong>How it is used:</strong>
Within the context of certain specific web requests to the site, your IP address is used
to look up coarse location information by using an offline copy of the Maxmind GeoIP database
which resides on the web server:
<ul>
<li>
When entering the chat room: the website will send you into the chat room with a
country flag emoji and your coarse location (to two levels of subdivision) to
display next to your username on chat. For example: "United States, Oregon" or
"Canada, British Columbia."
</li>
<li>
If you <strong>opt-in</strong> to share your location for the "Who's Nearby?"
feature to allow other members to search for you by distance, one of the available
options to provide your location is by using the GeoIP database which is based
on your IP address. Your location would then be updated when you visit the Member
Search Directory or your dashboard (home) page on the site.
</li>
</ul>
</li>
</ul>
</li>
<li>
<strong>Web Location API Geolocation</strong>
<ul>
<li>
<strong>What this is:</strong>
If you opt-in to share your location for the "Who's Nearby?" feature, one of your
choices how to share your location is to use the Web Location API, where nonshy.com
will ask your web browser for permission to access its location. This will often be
backed by a GPS device or WiFi-based location source on your device.
</li>
<li>
<strong>How it is used:</strong>
If you opt-in and choose to use this location source, the {{PrettyTitle}} website will
ask for your location <strong>only</strong> on your Location Settings page, when you
want to update or refresh your location. It is used for the "Who's Nearby?" feature to
allow you to locate other members by distance to yourself.
</li>
<li>
<strong>How you can control it:</strong>
You can visit your Location Settings at any time and opt-out of the "Who's Nearby?"
feature, or change your location source (e.g. to GeoIP based or drop a pin on a map
yourself). If you turn off "Who's Nearby?" your stored location data is immediately
erased from the server.
</li>
</ul>
</li>
</ul>
<h1 id="direct-messages">Direct Messages</h1>
<p> <p>
Please behave honorably in your use of Direct Messages, whether on the main website or inside Please behave honorably in your use of Direct Messages, whether on the main website or inside
the chat room. The global <a href="/tos">website rules</a> apply. {{PrettyTitle}} admins do NOT the chat room. The global <a href="/tos">website rules</a> apply. {{PrettyTitle}} admins do NOT
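Review bot: the "User Location" bullet claims the two-decimal-place truncation is there "to defend against triangulation attacks", but the same section lets any member drop a pin "anywhere you want" and then see other members' distance "to a resolution of miles and kilometers"; a member who moves their own pin to a few chosen points and re-queries can trilaterate back to the stored cell, so truncation bounds what leaks (roughly a 1 km cell) rather than preventing the attack. State the actual guarantee instead, e.g. "coordinates are truncated to two decimal places, so the most another member can learn through distance searches is the approximate 1 km cell you are in". Other points in this hunk: (1) "IP Address" says access-log IPs are "NOT associated with your user account", yet "Username" says the username appears in the URL of profile and gallery pages, which HTTP access logs record per request alongside the client IP; soften to "not stored against your account" and add the log retention period, which the policy never gives; (2) "Two Factor Authentication" says the TOTP secret and recovery codes are "encrypted at rest" but not where the key lives; on the "single web server" described under Third Parties a server compromise yields both the database and the key unless it is held elsewhere, so say which; (3) "Account Password" should quote the bcrypt cost parameter rather than "several milliseconds", and "a list of Bcrypt password" should read "a list of bcrypt password hashes"; (4) "nonshy.com" under "Web Location API Geolocation" is hard-coded where every other line uses {{PrettyTitle}}; (5) typo "You birthdate" under "Date of Birth".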
@ -228,7 +727,7 @@
the thread from your partner's view. This is communicated in a pop-up before you delete the DM thread. the thread from your partner's view. This is communicated in a pop-up before you delete the DM thread.
</p> </p>
<h1>Email Addresses</h1> <h1 id="email-addresses">Email Addresses</h1>
<p> <p>
All members begin signup by verifying control of an e-mail inbox. On this website, your e-mail All members begin signup by verifying control of an e-mail inbox. On this website, your e-mail
@ -279,7 +778,7 @@
controls on your Settings page to control such a feature. controls on your Settings page to control such a feature.
</p> </p>
<h1>Cookies</h1> <h1 id="cookies">Cookies</h1>
<p> <p>
This website uses <strong>functional cookies only</strong> and does not run any advertisements This website uses <strong>functional cookies only</strong> and does not run any advertisements
@ -304,23 +803,6 @@
account on this website. account on this website.
</li> </li>
</ul> </ul>
<h3>Analytics Software</h3>
<p>
In the future we MAY deploy self-hosted analytics software to help understand how the
website is being used and identify any pain points that users may be running into. This
would probably be <a href="https://matomo.org/" target="_blank">Matomo analytics</a>,
a free and open source program that would run on the same web servers as this website,
so that analytics data does NOT leave this site and go to a third party such as Google
or Facebook.
</p>
<p>
The author of this website is a privacy &amp; security nut and he respects <em>your</em>
privacy as well. Matomo Analytics is GDPR compliant, automatically respects your web
browser's "Do Not Track" header and can be opted out of.
</p>
</div> </div>
</div> </div>
{{end}} {{end}}
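Review bot: removing the "Analytics Software" section drops the only statement about first-party analytics, and the new "Third Parties" section earlier in this file only rules out third-party analytics, which a self-hosted Matomo instance would not be. Add one sentence to "Third Parties" (or "Cookies") saying whether any analytics software, self-hosted or otherwise, runs on the site, so the reader does not have to infer the answer from the deletion. The "Do Not Track" commitment that accompanied the Matomo text also disappears here; if it still holds, restate it in the surviving "Cookies" section.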