IANAL but I think Guix needs a privacy policy for both its website and
the Guix software in general.

Attached is a patch for the website that also documents data use by
Guix and Guix System.  Maybe I’ve overdone some parts and probably
something important is missing.

In particular, the GDPR requires IP addresses to be deleted from logs
after a reasonable time.  I think but am not sure the current process
for nginx is to delete only when the log files become too big.  A more
suitable policy must be implemented and the users must be told about
it, I think.  See <https://gdpr-info.eu/art-13-gdpr/>.

In general I think it is better to have an incomplete policy than to
have none.

Comments?

Regards,
Florian