Privacy policy

Thank you for your interest in our privacy policy. This policy contains information about how we process your personal data and about your rights according to the European GDPR (General Data Protection Regulation). References below to “we” or “us” refer to the operator of this website. Our website and this privacy policy are provided in accordance with Czech and/or European law.

Scope

The following privacy policy is valid for:


Short version of our privacy policy

  • By default, our web server processes your IP address, and possibly your user agent string. We don’t log any personal data in this case.
  • Log files are automatically encrypted after 1 day, and stored in encrypted format for 10 days.
  • Your rights according to the European GDPR are defined in Articles 15–21 and 77 GDPR.
  • In case of any questions related to this privacy policy, feel free to contact us.

Contact details

This website and its web server are operated by private individuals domiciled in different European states. Our server is physically located in Germany.

Controller in terms of the GDPR is:

řítyR bukaJ
ynačosyV ,aharP 00 091
cilbupeR hcezC
Contact details

If you decide to contact us, you agree that we process your personal data (e.g. name, e-mail address) voluntarily transmitted by you. The legal basis for the processing of your personal data in this case is Article 6(1) a GDPR.



Definitions

There are several definitions in the GDPR. The most important definitions are:

  • ‘personal data’ means any information relating to an identified or identifiable natural person
  • ‘processing’ means any operation […] on personal data […] such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Examples of “personal data” are your name, your username(s), your address, your e-mail address, (sometimes) your IP address and more sensitive data like your religious and sexual orientation. IP addresses in particular can also represent corporate data (for instance, when you access websites using your corporate internet access) or they can be anonymous (for instance, when you use Tor to access websites).

The term “processing” can be considered as an umbrella term for everything we do with your personal data.


Personal data we process

When you visit our website, your IP address and possibly your user agent (e.g. information about your web browser and/or operating system) are automatically processed by our web server. This is technically necessary since your client requests resources from our web server. Then, our web server needs your IP address to send packets to your client. By default, we do not process any other personal data about you.

Logging

Our web server writes information about each client-side request to so-called log files. We use these log files as explained below. The legal basis for the processing of your personal data is Article 6(1) f GDPR. Our web server automatically encrypts all log files after one day using public-key cryptography. The encrypted log files are automatically deleted after 10 days.

Logging of normal requests

In case of normal requests (for technical people: HTTP status codes 200, 302, 304), we only log:

  • timestamp ([31/Dec/2016:12:01:10 +0100])
  • HTTP status code (200)
  • bytes transmitted (3271)
  • first line of request for each request/HTTP version ("GET /index.xml HTTP/2.0")

We use this data to monitor the number of requests.

We do not log your IP address, user agent, referrer, or other personal data in this case.

Logging of abnormal requests

In case of abnormal requests (for technical people: all HTTP status codes except 200, 302, 304), we only log:

  • timestamp ([31/Dec/2016:12:01:10 +0100])
  • HTTP status code (200)
  • bytes transmitted (3271)
  • first line of request for each request/HTTP version ("GET /index.xml HTTP/2.0")
  • user agent (Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0)

We use this data to detect broken links, technical errors, and suspicious access attempts.

We do not log your IP address, referrer, or other personal data in this case.

Logging of blocked requests

In case of repeated attempts to access blacklisted files, or other attack-like behavior, a web application firewall logs the following data:

  • timestamp ([31/Dec/2016:12:01:10 +0100])
  • full client-side request, full server-side response
  • IP address (123.123.123.123)
  • user agent (Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0)

We use this data to audit blocked requests and unblock legitimate users, if necessary. Blocked IP addresses are stored for 14 days.


Personal data third parties process for us

  • netcup GmbH, Germany: netcup provides our (web) server. netcup may log access attempts (IP address, user agent) for all its customers to detect DDoS attacks, and so on. The legal basis for the processing of your personal data is Article 6(1) f GDPR. We concluded a data processing agreement according to Article 28 GDPR with netcup GmbH. Read their privacy policy.
  • Proton Technologies AG, Switzerland: ProtonMail provides our mail server. It isn’t necessary to send us any e-mails to access our blog/content. If you decide to contact us, you agree that we/ProtonMail process your personal data (e.g. name, e-mail address). The legal basis for the processing of your personal data is Article 6(1) a GDPR. Read their privacy policy.
  • Report-URI Ltd., England/Wales: Report-URI provides error logging for the following HTTP headers/events: Expect-CT, Expect-Staple, Network Error Logging, Content Security Policy, and XSS Protection. Errors occur when your client (e.g. your web browser) doesn’t support certain security-relevant HTTP headers, or when an attacker/web browser add-on modifies content client-side (e.g. in your web browser). In case of such errors, your client may send an error report, which contains technical information about the error, to Report-URI. While these error reports don’t contain personal data, Report-URI processes your IP address when it receives an error report. However, Report-URI doesn’t store personal data, and logged reports don’t contain personal data. We use logged error reports to detect attack-like behavior and technical, client-side errors when readers access our blog. The legal basis for the processing of your personal data is Article 6(1) f GDPR. Read their privacy policy.

Accessing our website using the dat protocol

Besides “traditional” HTTPS, we allow interested readers to access our content via the “dat” protocol. dat is a peer-to-peer protocol, offering a decentralized experience. It comes with built-in encryption and several other advantages.

However, as is normal for peer-to-peer protocols, content can be freely re-shared by every client. This means that there is no central server, and all clients connect directly to each other. By doing so, your dat client may disclose your IP address and user agent to unknown third parties. If you don’t want this, simply access our web server via HTTPS.


Your rights (Articles 15–20 GDPR)

According to Articles 15 to 20 of the GDPR, you have several rights concerning your personal data processed by us:

  • Art. 15: Right of access
  • Art. 16: Right to rectification
  • Art. 17: Right to erasure
  • Art. 18: Right to restriction of processing
  • Art. 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Art. 20: Right to data portability

Besides your IP address (and possibly your user agent), which is automatically transmitted by your client and only used for responding to its requests, we do not process your personal data. Since there is no need for us to identify you when you normally access our website, we aren’t obliged to maintain, acquire or process additional information in order to identify you for the sole purpose of complying with the GDPR.

This means that (according to Article 11 GDPR) Articles 15 to 20 don’t apply except where you, for the purpose of exercising your rights mentioned above, provide additional information enabling your identification.

Right to object (Article 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point e or f of Article 6(1) GDPR, including profiling based on those provisions. We will then no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. This doesn’t affect the lawfulness of processing based on consent before its withdrawal (point c of Article 13(2) GDPR).

Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

For further information about our security measures, read our security notes.


Changelog

  • Feb 11, 2019: Moved hosting provider to a new section. Added scope.
  • Feb 9, 2019: Added changelog. Updated location of server operator. Added detailed information on how we log client-side requests, and which personal data is stored. Added short version of the policy. Added information about accessing our website via the dat protocol.
  • May 24, 2018: Updated privacy policy for European GDPR.