Is there a Privacy Policy for the app?

[jeff-luszcz]

Having a Privacy Policy for the app would be helpful (especially since Twitter API Key access is required)

[lucahammer]

What would you want to have included?

What's currently on my mind:

• The Twitter keys are stored in the client in an encrypted cookie that is transferred only over an secured connection.
• The decryption key and Twitter app key is stored in an environment variable on the server. Access to the Twitter account is only possible with all three of them.
• No information that identifies individuals is stored on the server. No account data either. The only thing that is cached is the information about domains. If they are part of the fediverse, which software they run and some other information, that's available through /.well-known/nodeinfo on each instance.
• Some data is stored in the local storage of the client. For example the fediverse auth code. That isn't encrypted at the moment. The feature is still experimental and not available on the main server.
• Fedifinder is hosted on Glitch which is part of fastly. They collect some usage data: https://glitch.com/legal/privacy

[jeff-luszcz]

Looks good, thanks

Some other similar tools have also detailed what information is stored in any Server Logs, how long that information is stored, etc..

What information, if any, is taken from the users Twitter Profile (e.g. phone number, location). Does any of the profile information end up in server logs even if not put into data structures Is Direct Message information accessed? If so, what and how and how stored, deleted

Many thanks again for the tool and the work on this issue!

[lucahammer]

Because of how glitch.com works, I don't have control over their server logs, but I can look into mine. Currently, only fatal errors are logged on the production environment as far as I know.

Fedifinder does not have access to direct messages or phone number or mail addresses that aren't in the public profile. It only retrieves user id, username, display name, description, public location field, url field, pinned tweet and public metrics (following count, follower count). None of that is stored on the server, but only sent to the client where it gets processed.