Privacy Policy

TD;LR

We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.

 

1. What information we collect and why

Information from server logs

Like nearly every website we collect the following information (in web server logs) from every visitor:

  • The visitor Internet Protocol (IP) address
  • The date and time of the request
  • The page that was requested
  • The browser user agent string

These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.

2. Information in cookies

Our cookies for any users of the service may contain:

  • A unique session token
  • User preference for website layout customization. eg. darkmode
  • One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)
  • A browser fingerprint (see below)

Additionally, cookies of users that are logged into the service may contain:

  • An encrypted authentication secret unique to the user to persist their login

These data are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use these cookies.

3. Information in user-submitted content

User-submitted content is considered to collectively refer to any content that you may submit to the site

User-submitted content by users (authenticated or not) may contain any or all the following information:

  • The IP address at the time of submission
  • The browser user agent string
  • The page that initiated the submission

These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.

 

4. Browser fingerprints

Browser fingerprints are a tool used to enhance user expierence of the service. Fingerprints are generated anonymously but not stored.  

  • Browser version
  • Screen width, height, and color depth
  • Timezone offset

5. Information from users with accounts

If you create an account we require some basic information at the time of account creation. You will be asked to provide:

  • a username, shown on your profile.
  • a password, stored only as a cryptographic hash.
  • an email address, used only for sending password resets or account verification.

We also store your IP address whenever you log in for security and moderation reasons. 

6. Information that we do not collect

We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it as a dox attempt. Please inform us if you believe shared information is too sensitive.

This is especially important because information shared in public user-submitted content may/could be indexed by search engines or used by third parties without your consent.

7. Information that may potentially be shared with third parties

We do not in any way share individual account information with third parties unless legally compelled to do so.

Most of the site is public-facing, and third parties may access and use it. Please see part 6 if you find any personal information. 

8. How we secure your information

We take all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.

While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) . Between your device and our servers, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.

HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to us. We use a restrictive Content Security Policy (CSP) to protect against page hijacking and information leakage to third parties.

Passwords are hashed using bcrypt at 210 iterations with a 128-bit per-user salt.

No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make our best effort.

Resolving complaints

If you have concerns about the way we are handling your personal information, please let us know immediately. You may contact us via email directly admin@ponepaste.org