|
|
---
title: Privacy policy
# TODO:
# - Clarify that we don't store any information about logged-out users, except
# for their IP address.
# - Improve wording of details about short-lived session cookies.
# - Improve presentation of bcrypt process.
# - Mention information stored from email headers.
# - Clarify s/web browser/client/g
# These changes are batched to reduce the noise upon notifying users.
---
If you have any questions, please reach out to Drew DeVault <sir@cmpwn.com> via
email.
# What we collect and why
The only data we require of your account is your email address; a username of
your choosing, which must be unique among all users; and a password. Your email
and username are stored in "plain text". Your password is stored after
processing with bcrypt, from which the original password cannot be devised
without a computationally expensive process. However, given your password, we
can determine that it matches our stored key without expensive processing. The
purpose of this step is to ensure that should our database become compromised,
your original password will be difficult to recover. Regardless, you are
strongly encouraged to use a unique password for your sr.ht account.
You may choose to give us additional information, which is shown publicly on
the site. This includes:
- Your location
- A URL to any website
- A short biography
You may omit or provide fictitious data for this information.
You may be required to provide the following information in order to
successfully operate some parts of the service, some of which may be used to
uniquely identify you:
- SSH keys
- PGP keys
- Two-factor authorization keys
You may delete this information at any time by visiting your [account
details](https://meta.sr.ht). If you provide a PGP key, you may choose to have
email communications from sr.ht encrypted before being sent to you.
We also obtain some information from your web browser as you use our services
and store it for up to 30 days:
- Your IP address
- When you accessed the site
- What you did on the site
This information is available to you as an [audit
log](https://meta.sr.ht/security). You are not able to delete this information.
The purpose of this data collection is to inform both you and sr.ht of any
unknown activity on your account. If we permitted deletion of this information,
someone who obtains unauthorized access to your account would be able to delete
it, too.
We also store various other kinds of information that you explicitly choose to
give us, including (but not limited to):
- repositories on git.sr.ht
- tickets on todo.sr.ht
- build logs and secrets on builds.sr.ht
To faciliate automated access to your account for third-party service or your
personal use, we also generate and store API keys which can be used to authorize
use of your account. A portion of these keys are stored in plaintext — not
enough to gain access to your account, but enough for us to quickly look up your
account details given the key. The full key is stored only after processing with
bcrypt, similar to the process used for your password.
If you choose to use our paid services, we will store a token which is used to
bill your payment method. Information like your credit card number cannot be
recovered from this token.
We also use cookies to store long-lived authorization data, to remember that
you're logged into your account between visits without prompting you for your
password again. We also use cookies to store short-lived information, like the
fact that we have to tell you on the next page you load that we completed some
operation successfully for you.
## How we share your information with third-parties
Aside from information you choose to make public in the course of your use of
sr.ht and information you explicitly choose to share with specific
third parties, none of your information is shared with third parties. We do not
embed third-party content in our website, with one exception: on the billing
page, we embed a script from [Stripe](https://stripe.com). This measure is taken
to improve your privacy and allows us to avoid directly handling your credit
card information.
We permit user-generated content to include images from and links to third-party
sites. On pages displaying this content, information may be sent to these
third-parties. This information includes:
- Your IP address
- Information about your web browser, such as whether you use Firefox or Chrome
- The URL on sr.ht you visited when you saw this content
We are not responsible for any additional information your web browser may send
to these third parties.
If you use any of our paid services, we will transmit your payment information
to a third-party payment processor. You will be notified of this before the
information is transmitted, and given an opportunity to prevent its
transmission. We will be unable to provide you with paid services if you decline
to transmit this information.
We may also be required to remit your data upon receiving an order from a court
of the United States. If permitted by the order, you will be notified if this
happens.
## How to access and control the information we've collected
You may submit a request via email to Drew DeVault <sir@cmpwn.com> to request an
archive of the information we've collected about you, or to request that we
remove any information we've collected about you.
## Changes to this document
We may make changes to this document with no less than 2 weeks notice. Notice of
these changes will be sent to the email on file for your account.
|