Looks nice, but: The GDPR is not the only legislation that applies to us. For services hosted in France for instance, there is a legal obligation to keep logs for at least one year (not sure exactly who that applies to). There could be something similar in Germany where berlin is located. I think some of the wording is vague. Does "can be used to identify" mean we will use the IP to identify the person (is it the reason we process this data?) Or is it something that we could technically do, but refuse to do? Le 4 octobre 2020 11:34:19 GMT-04:00, "pelzflorian (Florian Pelz)" a écrit : >IANAL but I think Guix needs a privacy policy for both its website and >the Guix software in general. > >Attached is a patch for the website that also documents data use by >Guix and Guix System. Maybe I’ve overdone some parts and probably >something important is missing. > >In particular, the GDPR requires IP addresses to be deleted from logs >after a reasonable time. I think but am not sure the current process >for nginx is to delete only when the log files become too big. A more >suitable policy must be implemented and the users must be told about >it, I think. See . > >In general I think it is better to have an incomplete policy than to >have none. > >Comments? > >Regards, >Florian