Data Protection Notice
----------------------

Last updated: 25/10/2024

### 1\. Who we are

sur.lesrails.fr (hereafter “we”, “us” or “the service”) is a non-profit service that provides Gotosocial social media accounts to the Users (“you”). For the purpose of connecting and interacting with other Gotosocial or Fediverse accounts, sur.lesrails.fr processes personal data from its users and users of other instances with whom they interact.

This data protection notice describes what kind of personal data we process and on what legal basis, how long we keep it and why, as well as your rights with respect to your data.

Please do not hesitate to [contact us via email](mailto:dyzzie@kittens.army) for any question you might have with regard to this document or the processing of your personal data.

### 2\. Data protection summary

We dedicate our Gotosocial instance sur.lesrails.fr to the Users. Our small team in Paris provides the non-profit service on a voluntary basis to offer privacy-friendly micro-blogging accounts that our users typically employ for networking, socialising and discussing ideas and train nerdery.

GoToSocial does not provide its own webclient, but implements the Mastodon client API. No cookies are therefore kept in your browser.

For security and debugging purposes, our server logs and stores visitor IP addresses for a maximum of 14 days. After that time, all IP addresses are removed.

sur.lesrails.fr processes profile data in the form of posts (toots), subscriptions (following), subscribers (follower), content appreciations (likes) and promotions (boosts) for publication in the context of profile and post pages. For registered users we process your profile data to deliver the service. For users of other instances, we store and display public profile data and rely here on our legitimate interest until they object and in any case when they delete their post or other data (unsubscribe, unlike, unboost).

If you contact sur.lesrails.fr via email or a (private) post, we use any personal data that your message may contain (such as your email address or name) only to respond to your message. We archive your message for at most 12 months. You are of course free to use a nickname and a pseudonymous email address. We process messages from our registered users to deliver the service and rely for users of other instances on their consent. We may also process messages to comply with our legal obligations.

The following information is provided according to Articles 12, 13 and 14 of the [GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC).

### 3\. Data protection notice

For the purposes of this notice:

**“User”** means the natural person who interacts with sur.lesrails.fr directly via the website or indirectly via third-party applications compatible with ActivityPub.

**“Registered user”** means the users with a Gotosocial/ActivityPub profile.

**“Profile data”** means their posts (toots), subscriptions (following), subscribers (follower), content appreciations (likes) and promotions (boosts), bookmarks and profile settings.

**“Subscribers”** mean the accounts who follow a registered user.

**“Subscriptions”** mean the accounts followed by a registered user.

**Scope and purpose of the processing**

This data protection notice applies to the processing of personal data for the provision of the microblogging service sur.lesrails.fr. It offers information on what personal data is processed and how it is processed, and on your data subject rights.

**Responsible for the processing**

The data controller is sur.lesrails.fr in its capacity as the provider of the service.

#### Processing of personal data

Personal data processed by sur.lesrails.fr is accessible to its administration team and, where necessary, to moderators on a need-to-know basis to ensure a secure operation.
User content is published or delivered according to the user settings.

For the provision of the service, sur.lesrails.fr employs the data processors listed below that process personal data linked to the service solely on the written instruction from sur.lesrails.fr:

* Server hosting from [Pulseheberg](https://pulseheberg.com)
* Email notifications delivery from [La Contre-Voie](https://lacontrevoie.fr)
* Email mailbox from [La Contre-Voie](https://lacontrevoie.fr)

**(a) Website Visitors**

The sur.lesrails.fr website and APIs process the IP addresses and other metadata (as specified below) of its visitors. When accessing the service, an encrypted connection to its web server is established. To display the content correctly on the visitor’s computer or other terminal devices, the following data is processed in accordance with the HTTP and TCP/IP protocol:

* IP address of the visitor’s internet connection
* Operating system and operating system version of the visitor’s terminal
* Web browser and browser version
* Date of access to the website
* HTTP cookie ‘\_Gotosocial\_session’ (for the duration of the website visit)

This is required for the request, processing, and display of profile data and other content on the service. After each page visit, some of the data are stored in the account profile (if logged in) and server logs. These logs serve the purpose of maintenance and security of the server and personal data herein is deleted after 14 days.

Furthermore, the website employs the cookie ‘\_session\_id’ to store the login status of registered users until logout or until a year after the last website visit. The website also stores the notifications settings in the browser.

This processing is based on Article 6 (1) (b) of the GDPR (‘processing is necessary for the performance of a contract’). This includes processing carried out in order to comply with the necessary technical and organisational protection measures.

**(b) Contributors from third-party services**

sur.lesrails.fr processes personal data when users of third-party services with ActivityPub support interact with its accounts. To enrich public profile pages with profile data, the following data is processed in accordance with the requirements of the ActivityPub protocol:

* IP address of the third-party service
* Name of the user’s terminal software
* Display name, account name, and profile picture
* Current date and time
* Profile data

Private messages are not end-to-end encrypted and are therefore in principle accessible to the sur.lesrails.fr administrators.

This processing is necessary to provide a federated Gotosocial instance and therefore based on Article 6 (1) (f) GDPR (‘processing is in our legitimate interest’) with the exception of personal data that is not required such as the display name and profile picture, the processing of which is based on Article 6 (1) (a) GDPR (‘consent’).

sur.lesrails.fr stores profile data from subscriptions from compatible third-party services until it receives via that service or directly from the user a request for deletion or objection (unsubscribe, unlike, unboost).

**(c) Registered users**

sur.lesrails.fr limits registrations to users it assumes to be part of the Users. sur.lesrails.fr reserves the right to refuse the provision of the service to any given user for any reason. To set up accounts and manage them subsequently, the following data from registered users is processed:

* Display name, account name, profile picture and header image
* Login credentials consisting of an email address
* Account description/biography
* Content (toots), promoted, and appreciated content
* Private messages (sent and received)
* Subscriptions and their recent content
* Logged-in sessions (terminal software, time and date, IP address)

If registered users post profile data, the previous section applies accordingly.
Note that updating subscribers and posting profile data (including profile mentions) requires disclosure of personal data to the service of the recipients. Depending on their Gotosocial server’s geographic location, the disclosure can possibly involve international data transfers that are outside of sur.lesrails.fr’s control.

The registered user’s name and display name, profile picture and header, description, subscriptions, their own and promoted content, the content of their subscriptions, as well as their given feedback are published on their profile page.

This processing is based on Article 6 (1) (b) of the GDPR (‘processing is necessary for the performance of a contract’) with the exception of personal data that is not required such as the display name and profile picture, the processing of which is based on Article 6 (1) (a) GDPR (‘consent’). Profile data is retained until the account is deleted.

Registered users are responsible for the use of their accounts and their own compliance with the GDPR as separate controllers when they post personal data of other people.

**(d) Contacting us by email**

If you contact sur.lesrails.fr via email or a Gotosocial private message, any personal data that your message may contain (such as your email address or name) will only be used to respond to your message and may be stored as part of an email archive. You are of course free to use a nickname and a pseudonymous email address. Such personal data will be deleted after 12 months.

#### Exercise your rights

You have the right to request from us access to and rectification or erasure of your personal data or restriction of processing concerning you or, where applicable, the right to object to processing or the right to data portability. Where applicable, you also have the right to withdraw your consent at any time. Please note that withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal.
Please find more information on your rights on the website of the [European Commission](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/what-are-my-rights_en).

You have, in any case, the right to lodge a complaint with the [data protection authority](https://edpb.europa.eu/about-edpb/about-edpb/members_en) as a supervisory authority.

### Acknowledgments

These terms are based on the [terms initially published by eupolicy.social](https://eupolicy.social/terms) and made more accessible by the [Gotosocial Privacy Policy Generator](http://blog.riemann.cc/projects/Gotosocial-privacy-policy-generator/) in its version v1.1 as of 22/11/2022.

This text is free to be adapted and remixed under the terms of the [CC-BY (Attribution 4.0 International) license](https://creativecommons.org/licenses/by/4.0/).