jhass / insporation

Flutter based client for diaspora*
BSD 3-Clause "New" or "Revised" License

Privacy-Policy #28

Closed tclaus closed 3 years ago

tclaus commented 3 years ago

This is a draft for a German privacy policy statement for the insporation* app. It follows checklists from here https://www.e-recht24.de/artikel/hardware-software/10475-datenschutzerklaerung-fuer-apps.html and here https://www.dr-datenschutz.de/datenschutzerklaerung-apps-inhalt-form-und-muster/

Basically the app only stores the userID and a token and sends or receives data to Pods. The only data the app requests is photo and camera. The privacy policy reflects this fact.

Discussion welcome.

tclaus commented 3 years ago

If this is Ok - it might be translated at least into English language.

jhass commented 3 years ago

What do comparable projects do for this?

tclaus commented 3 years ago

I checked some Mastodon-based apps (mostly private projects)

Like the Amaroq policy (https://www.iubenda.com/privacy-policy/8066189) (paid, found after I made this). This may be another good source for a privacy.

Found small snippets: http://toot.c3.cx/terms.txt
Found 404 (https://tootleformastodon.appspot.com/privacy_policy)
Found https://www.fediapp.com/privacy/
Found https://pragmaticcode.com/privacy/

No copy-paste solution for insporation. But I think we caught most aspects.

jhass commented 3 years ago

This definitely needs to be in English.

Some more examples from the wild (Play Store):

I really like the simplicity some of these take, directly explaining that there simply is no non-local data handling done by the app; that any data handling is subject to services you already signed up to otherwise; without getting into any unnecessary legalese about any data handling that's not happening in the first place.

Many of these seem to come from an era where people felt it was important to justify permissions requested by an app. That seems no longer relevant these days as critical permissions have been moved to runtime permissions with better opportunities for the app to deliver those justifications. So I would not follow us.

I would even be happy with something as simple as the MoneyBuster and FairEmail examples linked above.

tclaus commented 3 years ago

> This definitely needs to be in English.

Definitive - and in German. (and to be very precise: In every language the app is localized)

> I would even be happy with something as simple as the MoneyBuster and FairEmail examples linked above.

I also like to keep it simple, but for the EU market EU laws ("Telemediengesetz") must be fulfilled. That's not a list of what the app does not do. (FairEmail is in this sense a total fail)

With this in mind https://conversations.im/privacy.html and https://www.xabber.com/policy/ are doing a good job.

I think the current draft also is not missing anything essential: It's mentioned what data is used, that data is transferred to a Pod and what the app has access to (photos), why and that a user can stop this any time.

Is there anything that should be altered in the current draft? (English version will then be a translation of the German one)

jhass commented 3 years ago

By that argument this also needs to fulfill the US market's (including the Californian Privacy Act) standards, the UK ones, the Chinese ones, the Australian ones, etc etc and is a "total fail" in that.

jhass commented 3 years ago

And even following your argument, I don't see how we're an "elektronischer Informations- und Kommunikationsdienst". We're not providing any service for communication, we're not providing any service for information. We're merely giving access to a third party that does. Did you sign a privacy policy before starting your web browser? I don't think the TMG applies to us.

jhass commented 3 years ago

> Definitive - and in German. (and to be very precise: In every language the app is localized)

Why? By what policy or law?

tclaus commented 3 years ago

not necessarily.. Somebody needs to take responsibility in the stores that's Me and you. "In Verkehr bringen". To be honest I don't care much about Chinese or California law, but I like to be as legal as it still makes sense..

The App on the other hand transfers data to a pod and stores itself no data. But it still has access to camera and photo library (remember the privacy statements in the app which leads to a crash as long it was missing)

So I agree to shorten the draft privacy statement to leave only what is needed and sinnvoll.

jhass commented 3 years ago

> remember the privacy statements in the app which leads to a crash as long it was missing

That's justifications, not policies/terms. It's a requirement made by the platform, not the law. Let's not mix that up with each other.

Even having to provide a privacy policy is something the platforms mandate from everybody, simply because it's simpler for them and shifts liability away from them. Not because it's mandated by law for what we provide. You will find many older apps on the Play Store without a privacy policy, before Google enforced providing one.

tclaus commented 3 years ago

> > Definitive - and in German. (and to be very precise: In every language the app is localized)

> Why? By what policy or law?

Just because the (iOS) App Store has localized URL fields for this. But I am happy with one language. The law wants here: § 13 Abs. 1 Satz 1 TMG "Der Dienstanbieter.. bla bla.. in allgemein verständlicher Form zu unterrichten"

For me that might be natural language - if possible. Not Süd-Samisch. (A Norge dialect)

tclaus commented 3 years ago

So let's tackle this down to the document: It has 27 lines - can we shorten anything to leave only what is really needed?

jhass commented 3 years ago

KISS?

```
# Privacy policy

insporation\* is a client software for the decentralized social network diaspora\*.

Sensitive user information is only used to perform the basic functionality of the app,
connecting to a previously registered account on a server of the diaspora\* network.
Any user data is only provided by this server, sent to this server or remains stored locally.
insporation\* does not automatically collect and send data to the developers of the app or any third party.
```

tclaus commented 3 years ago

Like the KISS attempt. But I would still prefer for transparency reasons to mention that access to Photos and Camera may be required and why:

Privacy policy

insporation* is a client software for the decentralized social network diaspora*.

Sensitive user information is only used to perform the basic functionality of the app, connecting to a previously registered account on a server of the diaspora* network. Any user data is only provided by this server, sent to this server or remains stored locally. insporation* does not automatically collect and send data to the developers of the app or any third party. insporation* may request access to photos and camera to create posts.

?

jhass commented 3 years ago

I don't see how that's not covered by "any user data", but oh well...

```
# Privacy policy

insporation\* is a client software for the decentralized social network diaspora\*.

Sensitive user information is only used to perform the basic functionality of the app,
connecting to a previously registered account on a server of the diaspora\* network.
Any user data is only provided by this server, sent to this server or remains stored locally.
This includes any pictures accessed or created from the application.
insporation\* does not automatically collect and send data to the developers of the app or any third party.
```

Listing what it may do without telling the story of what is done with the result seems pretty pointless for a privacy policy. This is not a feature listing.

tclaus commented 3 years ago

OK, I can live with it.

tclaus commented 3 years ago

(By the way: "Any user Data" would frighten me.. Address book? Browser history? Foreign mail recipients? ((Facebook did read mail addresses a time ago)), etc. It's not a bad idea to minimize data needed and to speak about this)

jhass commented 3 years ago

The sentence is "Any user data is [...]", not "All user data is [...]".