Qubes Website Privacy Policy

The Privacy Policy page of qubes-os.org says

Usage Data

We may also collect information about how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

It looks like a lot of personal data to me. According to the GDPR you have to tell, for how long these data are stored. I do not see the answer to that.

Another quote:

We may employ third party companies and individuals to facilitate our Service

Can we get a list of currently used third parties?

I suggest to use the following template to better explain how the personal data is handled, both for these forums and for the main Qubes website:

https://www.privacylabel.org/learn/

1 Like

IP address is certainly personal data, “unique device identifiers”
probably so, the rest not imo.
You are assuming that the data is stored, whereas it may be processed
and anonymised immediately.
I agree that this information should be available.

1 Like

It’s just a boilerplate generated privacy policy for the website. We used to use GitHub Pages + Cloudflare. I believe we dropped Cloudflare a long time ago and now just use GitHub Pages.

1 Like

Fair enough, but we are collecting at least IP information (or how are
stats generated), and processing that data.
I would amend the policy to match what actually does happen.
(If some of this is done at the GitHub level, then a link to that
policy will do.)

3 Likes

But the policy already mentions IP addresses, as quoted above, does it not?

If you think some specific amendment should be made, please feel free to submit a PR.

I’m happy to do so, but I do not know what information is gathered
(certainly IP address), what is processed, and for how long it is
retained.
Nor do I know if GitHub (who presumably have access to all the
information in that boilerplate, process or retain any of it. That
should be covered by their statement, and we could refer to it, if this
is the case.

3 Likes

I assume that the Qubes update server also collects the personal data in order to generate this plot, even if you never visit the websites. It should also be explained, for how long the data is stored.

1 Like

I don’t know either. I don’t have access to the infrastructure aside from being able to commit to GitHub repos. All I know I’ve already used to generate the existing Privacy Policy, the issue linked above, and to write these FAQs:

Perhaps @marmarek can provide more information.

1 Like

That’s why I said:
we are collecting at least IP information (or how are stats generated), and processing that data.

There is still no explanation for how long IP addresses are stored and what else is collected.

1 Like

True - it looks as if Qubes gathers IP addresses, processes data
daily but does not retain that data. No indication that Qubes
gathers anything else.
GitHub? That’s a separate issue, outwith Qubes control.

@deeplow You changed the title from “Qubes Privacy Policy” to “Qubes Website Privacy Policy”, but I actually would like to know about both website and Qubes OS policy. Should I create another topic for that? As I mentioned above, in order to make this plot, one has to collect IP addresses and either generate hashes from them or store them for some time. What is being done and are those hashes(?) stored for a month or longer?

This should be mentioned here with a link to GitHub privacy policy. Currently it is very misleading. It’s far from clear to a typical person that qubes-os.org is powered by Github.

Also the following is very concerning. Is this really necessary? To me it looks like a ToS from Facebook or Google which is trying to mislead the users:

Personally identifiable information may include, but is not limited to:
* Usage Data

Are there any limits to data collection at all?

1 Like