sessioncommunities.online/sites/privacy/index.php

<?php
	/**
	 * \file
	 * Generate privacy policy page.
	 *
	 * If you're hosting your own version of the site, please replace this file!
	 */

	require_once '+getenv.php';

	$HIGHLIGHTED_FIELDS = ["ip", "datetime", "resource", "status", "bytes", "referer", "user-agent"];
?>
<!DOCTYPE html>
<html lang="en">
	<head>
		<?php include "+components/page-head.php" ?>


		<title>Privacy — sessioncommunities.online</title>
		<meta name="description" content="<?php
		?>This page covers the Privacy Policy of sessioncommunities.online <?php
		?>and the data sessioncommunities.online collects when you browse the site. It's not a lot!">
		<meta property="og:title" content="Privacy — sessioncommunities.online">
		<meta property="og:description" content="Read our transparent account of what data sessioncommunities.online collects when you browse the site.">
		<meta property="og:type" content="article">

		<link rel="stylesheet" href="/css/common-dark.css">
		<style>
			label, label a { text-decoration: underline dotted white 1px; text-underline-offset: 0.2em; }
<?php foreach ($HIGHLIGHTED_FIELDS as $field): ?>
			#show-<?=$field?>:hover ~ :is(p, pre) :is(label[for="show-<?=$field?>"], label[for="show-<?=$field?>"] *),
<?php endforeach; ?>
			:not(*) { color: red; }
		</style>
	</head>
	<body>
		<h1>Privacy</h1>

		<marquee><h2>"We care about your privacy." — Abraham Lincoln</h2></marquee>

		<p>We don't <strong>make an effort</strong> to collect any data from you.<p>

		<p>What we <strong>do</strong> have is automatic server logs (<em>which most sites can't be bothered to de-identify anyway</em>).</p>

		<p>Server logs look like this: (<em>Hover for details</em>)</p>

<?php foreach ($HIGHLIGHTED_FIELDS as $field): ?>
		<input type="checkbox" class="hidden" id="show-<?=$field?>">
<?php endforeach; ?>

		<pre><label for="show-ip" title="De-identified IP address">155.71.106.0</label> - - <label for="show-datetime" title="Time of visit">[27/Jan/2041:14:05:22 +0000]</label> <label for="show-resource" title="Requested resource and method">"GET / HTTP/2.0"</label> <label for="show-status" title="Status returned by the server">200</label> <label for="show-bytes" title="Size of server response">41322</label> <label for="show-referer" title="Site which referred the user to us">"https://duckduckgo.com/"</label> <label for="show-user-agent" title="User Agent Header">"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"</label></pre>


		<p>
			In other words, they contain the visiting
			<label for="show-ip"><a target="_blank" href="https://en.wikipedia.org/wiki/IP_address">IP address</a></label>
			(we de-identify those by setting the last octet to zero),
			<label for="show-datetime">time of visit</label>,
			<label for="show-resource">resource requested</label> (<span class="code">/</span> stands for "main page"),
			<label for="show-status"><a target="_blank" href="https://en.wikipedia.org/wiki/List_of_HTTP_status_codes">HTTP status code</a></label>,
			<label for="show-bytes"># of bytes transferred to user</label>,
			<label for="show-referer"><a target="_blank" href="https://en.wikipedia.org/wiki/HTTP_referer">Referer</a></label>
			(usually the site you came from),
			and <label for="show-user-agent">
				<a target="_blank" target="_blank" href="https://en.wikipedia.org/wiki/User-Agent_header#Use_in_client_requests">User Agent</a>
			</label> (how your browser presents itself).
		</p>

		<p>
			We also collect and retain error logs for 3 days, including a full IP address.
			These are generated when our server has a wonderful day and shoots itself in the foot, and are not used for analytics.
		</p>

		<h2>Who has access to your data</h2>

		<p>
			Only <a target="_blank" href="https://codeberg.org/gravel/gravel">@gravel</a>, <a target="_blank" href="https://github.com/mdPlusPlus/">@SomeGuy</a> and the server provider have access to the server logs.
		</p>

		<p>
			Whenever we feel like it (<em>legal terminology</em>), we share aggregate visitor data over a non-identifying time period with interested parties. Examples of aggregate visitor data: Total site visits, distribution of operating systems and browsers used to access our site, distribution of referer sites, and common failed requests (such as for unsupported standards).
		</p>

		<h2>What requested resources tell us about you</h2>

		<p>
			Without any precautions, we'd be able to deanonymize your Session ID after you open a Community's details, join it, and post a message.
			Why? Because right before your message, we would see your IP address requesting the Community's icons.
		</p>
		<p>
			In order to prevent this deanonymization vector, the page requests all Community icons and QR codes upon load,
			thus blinding us to which Community details you view.
			These Community resources are then cached in your browser and don't trigger additional requests when you view a Community's details.
		</p>
		<p>
			To ensure that this protection does not expire following the 1 hour cache period, we refresh the cache periodically.
			Unfortunately, this also means we get a ping for each hour you leave the site open.
		</p>

		<p>
			<strong>If you've disabled JavaScript in your browser</strong>, modals won't open — these protections are therefore not needed.
			However, without JavaScript, <strong>QR codes are shown in a new tab</strong> when clicked. This results in a request and log entry with your IP address on our server.
		</p>

		<h2>Cookies</h2>

		<p>We don't use 'em. <a href="/support/" style="text-decoration: inherit; color: inherit;">🍪</a></p>

		<h2>So, you scrolled all the way down here.</h2>

		<p>The cookie emoji will take you to the donation page. Try it!</p>

		<?php include "+components/footer.php"; ?>

	</body>
</html>