Looks nice, but:

The GDPR is not the only legislation that applies to us. For services hosted in France for instance, there is a legal obligation to keep logs for at least one year (not sure exactly who that applies to). There could be something similar in Germany where berlin is located.

I think some of the wording is vague. Does "can be used to identify" mean we will use the IP to identify the person (is it the reason we process this data?) Or is it something that we could technically do, but refuse to do?

Le 4 octobre 2020 11:34:19 GMT-04:00, "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> a écrit :
IANAL but I think Guix needs a privacy policy for both its website and
the Guix software in general.

Attached is a patch for the website that also documents data use by
Guix and Guix System. Maybe I’ve overdone some parts and probably
something important is missing.

In particular, the GDPR requires IP addresses to be deleted from logs
after a reasonable time. I think but am not sure the current process
for nginx is to delete only when the log files become too big. A more
suitable policy must be implemented and the users must be told about
it, I think. See <https://gdpr-info.eu/art-13-gdpr/>.

In general I think it is better to have an incomplete policy than to
have none.

Comments?

Regards,
Florian