Add terms of service and privacy policy

4 files changed, 241 insertions, 0 deletions

diff --git a/builds.sr.ht/manifest.md b/builds.sr.ht/manifest.md
index 871f42e..a6f7972 100644
--- a/builds.sr.ht/manifest.md
+++ b/builds.sr.ht/manifest.md
@@ -84,6 +84,9 @@ Task names must use only lowercase alphanumeric characters or underscores
 and must be <=128 characters in length. Tasks are executed in the order
 specified.
 
+Each task is run in a separate login session, so if you modify the groups of the
+`build` user they will be effective starting from the subsequent task.
+
 ## triggers
 
 *list* (of *trigger*)
diff --git a/index.md b/index.md
index 2224d54..a992989 100644
--- a/index.md
+++ b/index.md
@@ -50,3 +50,6 @@ places.
     </dd>
   </div>
 </dl>
+
+Please review the sr.ht [terms of service](terms.md) and [privacy
+policy](privacy.md).
diff --git a/privacy.md b/privacy.md
new file mode 100644
index 0000000..3bf468e
--- /dev/null
+++ b/privacy.md
@@ -0,0 +1,112 @@
+If you have any questions, please reach out to Drew DeVault <sir@cmpwn.com> via
+email.
+
+# What we collect and why
+
+The only data we require of your account is your email address; a username of
+your choosing, which must be unique among all users; and a password. Your email
+and username are stored in "plain text". Your password is stored after
+processing with bcrypt, from which the original password cannot be devised
+without a computationally expensive process. However, given your password, we
+can determine that it matches our stored key without expensive processing.  The
+purpose of this step is to ensure that should our database become compromised,
+your original password will be difficult to recover. Regardless, you are
+strongly encouraged to use a unique password for your sr.ht account.
+
+You may choose to to give us additional information, which is shown publicly on
+the site. This includes:
+
+- Your location
+- A URL to any website
+- A short biography
+
+You may omit or provide fictitious data for this information.
+
+You may be required to provide the following information in order to
+successfully operate some parts of the service, some of which may be used to
+uniquely identify you:
+
+- SSH keys
+- PGP keys
+- Two factor authorization keys
+
+You may delete this information at any time by visiting your [account
+details](https://meta.sr.ht). If you provide a PGP key, you may choose to have
+email communications from sr.ht encrypted before being sent to you.
+
+We also obtain some information from your web browser as you use our services
+and store it for up to 30 days:
+
+- Your IP address
+- When you accessed the site
+- What you did on the site
+
+This information is available to you as an [audit
+log](https://meta.sr.ht/security). You are not able to delete this information.
+The purpose of this data collection is to inform both you and sr.ht of any
+unknown activity on your account. If we permitted deletion of this information,
+someone who obtains unauthorized access to your account would be able to delete
+it, too.
+
+We also store various other kinds of information that you explicitly choose to
+give us, including (but not limited to):
+
+- repositories on git.sr.ht
+- tickets on todo.sr.ht
+- build logs and secrets on builds.sr.ht
+
+To faciliate automated access to your account for third-party service or your
+personal use, we also generate and store API keys which can be used to authorize
+use of your account. A portion of these keys are stored in plaintext - not
+enough to gain access to your account, but enough for us to quickly look up your
+account details given the key. The full key is stored only after processing with
+bcrypt, similar to the process used for your password.
+
+If you choose to use our paid services, we will store a token which is used to
+bill your payment method. Information like your credit card number cannot be
+recovered from this token.
+
+We also use cookies to store long-lived authorization data, to remember that
+you're logged into your account between visits without prompting you for your
+password again. We also use cookies to store short-lived information, like the
+fact that we have to tell you on the next page you load that we completed some
+operation sucessfully for you.
+
+## How we share your information with third-parties
+
+Aside from information you choose to make public in the course of your use of
+sr.ht and information you explicitly choose to share with specific
+third parties, none of your information is shared with third parties. We do not
+embed third-party content in our website.
+
+We permit user-generated content to include images from and links to third-party
+sites. On pages displaying this content, information may be sent to these
+third-parties. This information includes:
+
+- Your IP address
+- Information about your web browser, such as whether you use Firefox or Chrome
+- The URL on sr.ht you visited when you saw this content
+
+We are not responsible for any additional information your web browser may send
+to these third parties.
+
+If you use any of our paid services, we will transmit your payment information
+to a third-party payment processor. You will be notified of this before the
+information is transmitted, and given an opportunity to prevent its
+transmission. We will be unable to provide you with paid services if you decline
+to transmit this information.
+
+We may also be required to remit your data upon receiving an order from a court
+of the United States. If permitted by the order, you will be notified if this
+happens.
+
+## How to access and control the information we've collected
+
+You may submit a request via email to Drew DeVault <sir@cmpwn.com> to request an
+archive of the information we've collected about you, or to request that we
+remove any information we've collected about you. 
+
+## Changes to this document
+
+We may make changes to this document with no less than 2 weeks notice. Notice of
+these changes will be sent to the email on file for your account.
diff --git a/terms.md b/terms.md
new file mode 100644
index 0000000..f809d3f
--- /dev/null
+++ b/terms.md
@@ -0,0 +1,123 @@
+These are the terms of service for sr.ht; please read them before using sr.ht.
+
+If you have any questions, please reach out to Drew DeVault <sir@cmpwn.com> via
+email.
+
+## tl;dr
+
+- You need to be old enough to have an account and you are responsible for
+  your account. We can cut you off at any time.
+- Use our services in good faith and don't get us in trouble.
+- You grant us enough rights to your content to provide our services.
+- We can terminate service at any time.
+- Some services may require payment.
+- We'll email you before these terms change.
+
+For full details, read on.
+
+## Definitions
+
+The "services" are any software, application, product, or service provided by
+sr.ht. Collectively they are also referred to as the "network".
+
+"sr.ht", "we", and "us" refers to sr.ht and its authorized agents.
+
+The "user", "you", and "your" refers to any individual or organization which
+accesses our services.
+
+"Content" refers to any content displayed by our services, including but not
+limited to text, source code, images, data, and so on. "User generated content"
+refers to content created or uploaded by our users. "Your content" refers to
+content you created or own.
+
+## Account Terms
+
+Accounts are only available to users who are 13 years of age or older, or the
+minimum age for accessing internet services in their country, whichever is
+older. You must also be a human, accounts registered through automated means
+are not permitted. Accounts utilized by an automated process are permitted, so
+long as the initial account registration was manually performed by a human.
+
+You are responsible for your account, any activity performed with it, and the
+security of your account credentials.
+
+Your account may be disabled without notice at any time, temporarily or
+permanently, for any reason.
+
+We require an email address to register an account. This email address must be
+kept up-to-date and we must be able to reach you for official communication at
+this address. If we are unable to reach you, your account may be terminated.
+
+## Permissible use
+
+You must obey all local and US laws in the course of using the service. You will
+not utilize the service to transmit or store content which is unlawful. The
+following additional types of content are explicitly prohibited:
+
+- explicit sexual content
+- malware in executable form; or in source form without obvious disclaimers
+  describing the legal and practical risks of use
+- any content which utilizes our platform for malware delivery or activation
+- content which infringes on any copyright, patent, or trademark you do not own
+
+You must not deliberately use the services for the purpose of:
+
+- impacting service availability for other users
+- obtaining or disclosing private information of other users
+- impersonating any person other than yourself or organizations you are
+  authorized to represent
+- spamming, unsolicited advertising, or solicitation
+
+You may use automated tools to obtain public information from the services for
+the purposes of archival or open-access research. You may not use this data for
+recruiting, solicitation, or profit.
+
+## Content rights
+
+You are solely responsible for any content you provide to the service. Upon
+upload, you grant sr.ht a non-exclusive and indefinite license to use and
+display your content in ways required for the appropriate operation of our
+services. If you make your content public through privacy tools on our services,
+you grant other users of the network the right to view and use your content
+through the tools provided by our services.
+
+You may grant additional rights on your content, for example by providing a
+LICENSE or COPYING file in git repositories hosted on git.sr.ht.
+
+You may request an archive of all of your content on the service by writing an
+email to Drew DeVault <sir@cmpwn.com> and allowing up to 2 weeks for an archive
+to be prepared.
+
+## Service availability
+
+We may disable or terminate all or part of our services, permanently or
+temporarily, at any time with or without notice.
+
+This software is provided by the copyright holders and contributors "as is" and
+any express or implied warranties, including, but not limited to, the implied
+warranties of merchantability and fitness for a particular purpose are
+disclaimed. In no event shall the copyright holder or contributors be liable for
+any direct, indirect, incidental, special, exemplary, or consequential damages
+(including, but not limited to, procurement of substitute goods or services;
+loss of use, data, or profits; or business interruption) however caused and on
+any theory of liability, whether in contract, strict liability, or tort
+(including negligence or otherwise) arising in any way out of the use of this
+software, even if advised of the possibility of such damage.
+
+## Payments
+
+Some services require payment for service, or for different degrees of service.
+When you request paid services, you are billed immediately for the displayed
+term. These services will be remitted to you at the displayed price, which will
+not change during the payment term. If you authorize us to automatically renew
+your service at the end of the term, you will be notified at least 1 week in
+advance of renewal when the price has changed during the previous payment term.
+
+No refunds are given for partial service or when you request your services are
+downgraded. In the event that your services are downgraded, you are billed the
+reduced price at the start of the next billing term.
+
+## Changes to these terms
+
+We may make changes to these terms with no less than 2 weeks notice. Notice of
+changes to these terms will be sent to the email on file for your account.