Qubes Privacy Policy

The Privacy Policy page of qubes-os.org says

Usage Data

We may also collect information about how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

It looks like a lot of personal data to me. According to the GDPR you have to tell, for how long these data are stored. I do not see the answer to that.

Another quote:

We may employ third party companies and individuals to facilitate our Service

Can we get a list of currently used third parties?

I suggest to use the following template to better explain how the personal data is handled, both for these forums and for the main Qubes website:

https://www.privacylabel.org/learn/

IP address is certainly personal data, “unique device identifiers”
probably so, the rest not imo.
You are assuming that the data is stored, whereas it may be processed
and anonymised immediately.
I agree that this information should be available.

It’s just a boilerplate generated privacy policy for the website. We used to use GitHub Pages + Cloudflare. I believe we dropped Cloudflare a long time ago and now just use GitHub Pages.

Fair enough, but we are collecting at least IP information (or how are
stats generated), and processing that data.
I would amend the policy to match what actually does happen.
(If some of this is done at the GitHub level, then a link to that
policy will do.)

2 Likes

But the policy already mentions IP addresses, as quoted above, does it not?

If you think some specific amendment should be made, please feel free to submit a PR.

I’m happy to do so, but I do not know what information is gathered
(certainly IP address), what is processed, and for how long it is
retained.
Nor do I know if GitHub (who presumably have access to all the
information in that boilerplate, process or retain any of it. That
should be covered by their statement, and we could refer to it, if this
is the case.

2 Likes

I assume that the Qubes update server also collects the personal data in order to generate this plot, even if you never visit the websites. It should also be explained, for how long the data is stored.

I don’t know either. I don’t have access to the infrastructure aside from being able to commit to GitHub repos. All I know I’ve already used to generate the existing Privacy Policy, the issue linked above, and to write these FAQs:

Perhaps @marmarek can provide more information.

That’s why I said:
we are collecting at least IP information (or how are stats generated), and processing that data.