Privacy

Introduction

The most important stuff first: The best privacy is not to collect and store unnecessary data. Where there is no data, there is nothing to protect. Thus this website uses no external or internal analysis tools and does not directly embed external content. The blog software WordPress only sets cookies when you log in.

This blog is for members of a guild in the computer role-playing game PlaneShift who want to receive tips and further information by authenticating with their user account. It also provides a comment function for logged-in users. On login, WordPress creates some cookies to remember who logged in. Only I can create user accounts; there is no public user registration.

To provide a user account for you, I need a user name. I don't need a mail address or any other information in your user profile. In addition, you can comment on articles and, if I grant you the necessary permissions, also edit or even create new articles. WordPress also stores these comments and content in a database on the server. On request I delete your user profile, optionally including all your comments and other content, to the extent that these are still traceable. On request I also delete just a specific comment of yours.

I receive feedback and questions via comments in the blog, chat in the game itself, IRC or mail. If you send a mail, you transfer, in addition to your mail address, further information such as the mail servers which transferred the mail. I do not offer a newsletter.

Because of the way web pages are served, the server which delivers these web pages receives the IP address of your computer or the IP address your provider assigned to your internet access, the retrieved URL and some other data which I detail later on.

Contact information

This privacy policy applies to the data processing for https://thefamily.lichtvoll.de. You can contact me at:

thefamily@lichtvoll.de

For the purpose of in-game immersion I do not provide my real name here. For the purpose of transparency you can find it in the imprint of my personal page – it is easy enough to find anyway.

Collection and processing of personal data, including purpose of use

The legal foundation for data collection and data processing is article 6 paragraph 1 sentence 1 letter f of GDPR. I have a legitimate interest in processing the data according to the purposes mentioned below.

Visiting the website

When you visit the website, your browser transfers certain information to the server which could be used to identify you. This includes the IP address of your computer or the IP address your provider uses for your internet access.

You cannot avoid this. You can use a proxy that makes your access anonymous, but then the provider of this proxy receives this information. The web server I use for this website logs the following data:

Stored data:
The called domain, the IP address of the computer requesting the page or the IP address your provider uses for your internet access, date and time of the request, the accessed URL, the URL from which you clicked the link (Referrer), the browser you use (User Agent), the requested action (for example GET for requesting web page data).
Purpose:
To ensure a smooth connection to and a smooth operation of the website, to ensure system security and stability, for further administrative tasks like finding links that point to a missing page.
Deleted after:
2 days
Example:
44.88.99.99 - - [25/May/2018:09:41:13 +0200] "GET /about-us/ HTTP/1.1" 200 7764 "https://thefamily.lichtvoll.de/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" (IP address changed)

Contacting via mail

I receive feedback and questions via comment in the blog or via mail. When you send a mail I receive the mail address you specified when sending it. You do not need to provide your full name. Also you can use a temporary mail address.

Because of how the mail system works, each mail includes further information in the mail header, like the hostnames and IP addresses of all mail servers that transferred the mail. The mail server I use also logs the date and time as well as the IP address and the hostname of the server which delivers the mail to it.

Stored data:
Sender of the mail according to the From: header, hostname and IP address of the server which delivers the mail, time and date, the unique identifier of the mail (Message-ID).
Purpose:
Ensure a smooth operation, take measures against spammers, further administrative tasks like finding out whether the server rejected a legitimate mail as spam.
Deleted after:
7 days
Example (excerpt):
May 24 21:56:36 mailserver postfix/smtpd[12184]: connect from vger.kernel.org[209.132.180.67] […]

May 24 21:56:36 mailserver postfix/cleanup[12186]: 76A19328AB3: message-id=<[…]>>

May 24 21:56:36 mailserver postfix/qmgr[2865]: 76A19328AB3: from=<linux-kernel-owner@vger.kernel.org>, size=2776, nrcpt=2 (queue active)

(Changed hostname of my mail server to mailserver)

Login as user

To provide a user account to you, I need a user name. I do not require a mail address, because I changed WordPress not to require one. Further information in your profile is also optional.

If you do not specify a mail address, you cannot restore your password by yourself. But you can contact me by mail, in game or via IRC and ask me to provide a new password to you. If you do not specify a mail address, I can inform you of a data breach only through the website.

Your user profile:

Saved data:
Your username, your password and your agreement to this privacy policy at a minimum. Optionally on top: all further information you can specify in your profile, such as your preferred language, your first name and surname, your website and biographical information about you. I ask you not to provide your real name in the profile. Just use the name of one character you play in PlaneShift in case you choose to fill in these fields. Please also do not specify any other information that is sensitive to you.
Purpose:
Provide access to information about game tips and about the guild to a specific group of users. Provide a way to enter additional information about the game or the guild and to communicate with one another.
Deleted after:
Until you ask me to delete your account.
Example (excerpt):
Example for WordPress profile

On request I delete your user account, optionally including all your comments and articles.

When you log in as a user, WordPress sets some cookies to remember your login. Without these cookies, you would need to log in on every new access. When you do not log in, WordPress does not set cookies.

Cookies are information your browser stores as name-value pairs. You can forbid the setting of cookies in your browser, but then you cannot log in anymore. Many browsers optionally delete all cookies on quitting. As far as I saw, WordPress just sets session cookies anyway. For Firefox, Chromium and Chrome you can install the plugin Cookie Autodelete, which deletes cookies after you close the last tab of a website in the browser.

Comments

You can comment on pages or blog posts. On request I delete all or certain comments from you.

Your comments:

Saved data:
Your user name, the comment text, time and date of the comment (in local time and in UTC), your mail address in case you specified one in your user profile, the IP address of your computer or the IP address your provider uses for your internet access, information about your browser (User Agent) as well as a karma value.
Purpose:
Providing the comment function, protection against abuse or spam. The WordPress version in use does not allow completely disabling the storage of mail address, IP address, User Agent and karma value.
Deleted after:
Until I delete your comments. I implemented a cron job which deletes mail and IP addresses, User Agent and karma value every hour from the database.

Secure operation of the server

The server which delivers this website, the database and the mail server also provides some further services which are not intended for public usage, like SSH for administering it, or POP3 or IMAP for access to mail accounts.

My server logs accesses to these non-public services. I use these logs in case of an attack to protect the server and the data it stores as well as to initiate legal measures if necessary.

Giving data to others

I only provide your data to third parties in the following cases:

  • In case of your explicit consent (Article 6 paragraph 1 sentence 1 letter a GDPR). By using the service I provide, you agree that Proact Deutschland GmbH provides the hosting of this server.
  • In case it is necessary to defend legal claims and there is no predominant interest on your side that needs to be protected (Article 6 paragraph 1 sentence 1 letter f GDPR).
  • In case I am legally obliged to transfer data (Article 6 paragraph 1 sentence 1 letter c GDPR).

Your rights

According to the General Data Protection Regulation (GDPR) you have the following rights:

Right to information
Right to information about what data I have stored about you, where it came from, to whom I transferred it and the purpose of usage, as well as a copy of the data (Article 15 GDPR).
Right to rectification
Right to request rectification or erasure of your personal data that is inaccurate (Article 16 GDPR).
Right to erasure (right to be forgotten)
Right to request deletion of your data in certain circumstances, for example when it is no longer necessary to store it, storing the data is not allowed by law, or you object to processing your data and there are no other legal requirements to store the data (Article 17 GDPR).
Right to restrict processing
In certain circumstances you have the right to request restriction of processing of your personal data (Article 18 GDPR).
Right to data portability
Right to receive your personal data in a machine readable format as long as this does not contradict the rights and freedom of other persons (Article 20 GDPR).
Right to object
To revoke your permission to process your data. I am required to stop processing your data then. In this case I delete your user account and all your data (Article 7 GDPR).

To object to the processing of your data based on a legitimate interest under Article 6 Paragraph 1 Sentence 1 Letter f GDPR if there are reasons arising from your personal situation, or without giving such reasons if the objection is against direct advertisement, profiling or tracking (Article 21 GDPR).

Right for the help of a supervisory authority
Right for the help of a supervisory authority (Article 77 GDPR). You can find this authority near your place of residence or work or near the location of the data processing, for example: the Bayerisches Landesamt für Datenschutzaufsicht.

Data security

The entire data processing is done by a server which the company Proact Deutschland GmbH hosts for me.

I secure the server according to the newest technical standard as far as I know it. I keep myself informed about news regarding server and data security and adapt the protection measures if required.

Some of the measures I took are:

  • TLS encryption with algorithms that are deemed secure (cipher suite).
    • The mail server uses these as long as the sending or receiving mail server supports them. In case the server does not support these, the mail is transferred in plain text!
    • Only web browsers that support strong enough encryption can access the web page.
  • I secured the administrative access via SSH according to best practice recommendations.
  • Timely installation of security updates.
  • No use of insecure third-party sources.
  • Measures against brute force attacks.
  • I made the JSON API of WordPress inaccessible.

Changes to this policy

I adapt this policy to new legal requirements or new functions on this website if required. You can find the most current version of it on this website. You can print it or save it as PDF (for example by using a PDF printer driver).

Current state: May 2018.