Add information relating to GDPR

pterodactyl / documentation

Pterodactyl's documentation is open source! This repository contains the documentation for installing and updating both the panel and the daemon.

MIT License

152 stars 936 forks source link

Add information relating to GDPR #4

Open schrej opened 6 years ago

schrej commented 6 years ago

We should have a section in the documentation with GDPR related information for people hosting the panel. The panel is using ReCAPTCHA by default for example, and that requires to be mentioned in the Privacy Policy. We can then also include information on what kind of information the panel collects (cookies, ips?, email) so people know what they have to mention in their Privacy Policy.

This should not be a full privacy policy, just information on what to include/mention in it.

Cookies
IP logging
LocalStorage?
ReCAPTCHA
Gravatar (E-Mail Address!!)

lancepioch commented 6 years ago

I agree and think it's important to help our panel users support and follow EU's GDPR and related privacy laws. I have some questions hopefully that are helpful:

If the cookies only contain the encrypted session data, then does it count as personally identifiable information (PII)? Same for the localstorage.
Are we storing IP addresses? Can this be toggleable if so?
Don't the ReCaptcha and Gravatar services have their own policies? Do we just have to link to them or do we also have to include a copy of them? Can we just make the services toggleable?

PII to be included (and deletable/removable):

Names
Emails
IP Addresses

schrej commented 6 years ago

Good point regarding the services: ReCaptcha is toggleable already, Gravatar should be easy enough. And yes we should link to their Policies of course. I had them on the list because it's easy to forget that they're there.

DaneEveritt commented 6 years ago

I'm thinking of removing the gravatar stuff as well as first last name anyways, but we should still document that since we're using it on prior versions.

@lancepioch I think the cookies being encrypted doesn't change anything. They're encrypted to the user, but still readable by the server. But they also don't contain any PII as far as I can remember.

lancepioch commented 5 years ago

Do we actually need to do anything extra besides updating the privacy policy @schrej ?

schrej commented 5 years ago

Hmm, not really sure about that. I'm not an expert on GDPR either. Also, we certainly shouldn't write up a privacy policy for the panel. I was talking about providing information that helps to write a privacy policy: What data does the panel collect and for what reason. Additionally we could consider the amount of data the panel is collecting and whether we can reduce it, but I guess it's pretty minimal as it is. We should also maybe add a "This website uses cookies" banner, that can be enabled. The text should also be editable.