CS.RIN.RU - Steam Underground Community

Post subject: Privacy Policy [last updated: 13.07.18]
Posted: Friday, 13 Jul 2018, 14:05   
Privacy Policy
For feedback, questions or any concerns regarding this policy, send a PM to RessourectoR.

This post is intended to inform users on

  • what kind of personal data is collected,
  • for which purposes the data is collected,
  • how long this data is stored,
  • who can access this data,
  • what users can do to control usage of their data.

13.07.18 - removed RIN counter and updated server logs section
30.06.18 - added explanations for data collection purposes, removed third-party analytics and ads, added section on cookies, many small improvements
21.06.18 - major improvements to the data removal and anonymization procedure
17.05.18 - added details to Tapatalk statement
16.05.18 - removed Tapatalk and added statement about data leaks
04.02.18 - updated info on how to request account deletion
25.01.18 - update backup policy: database kept for 7 days
25.01.18 - policy only applies to forum
06.11.17 - removed liveinternet.ru counter
13.10.17 - webserver logs now kept for 7 days and securely deleted
03.04.17 - updated backup policy
02.04.17 - added HTTP referer to server log entries, removed [steaminfo] tag
10.03.17 - added info on Tapatalk emojis (they are always loaded, regardless of user display settings)
21.02.17 - updated tracking counters
29.01.17 - added info on editing posts
24.01.17 - first version

In the following, "personal data" refers to the definition found in [[Please login to see this link.]]. Note that we do not formally adhere to the GDPR, because this site is hosted in Russia and therefore outside of the EU. However, we respect the right to privacy and do our best to comply with any removal or information requests related to personal data.


    This post is not legally binding. Improving user privacy and minimizing data collection is an ongoing effort. Due to our unique hosting situation, the practices outlined in this post are subject to change at any time, with or without previous notice. However, I (RessourectoR) am committed to uphold the highest possible data protection standards and to keep this post up-to-date with current practices. It is my goal to make sure that we collect as little personal data as possible and to be as transparent as possible in this regard, in order to grant users the fullest feasible control over their personal data.
    Important: This policy only applies to the forum. The main site (https://cs.rin.ru) is hosted on a different server and not maintained by me.

    Tapatalk notice
    As of 16.05.2018, the [[Please login to see this link.]] for mobile browsing has been removed. A code review has revealed that it sends private information of forum users every time a push notification is triggered by the submission of (including but not limited to) a post or private message, even if the user does not use the Tapatalk mobile app. The forum addon sent the full IP address, user agent, username, post or PM title and post or PM content, over an unencrypted connection to US-based Tapatalk servers. This is significantly more than required to provide push notifications and seriously undermined the privacy efforts of this forum's administration. In theory, it allows Tapatalk or anyone tapping into Tapatalk server traffic to build personal profiles based on private messages, usernames and IP addresses, without the affected users' knowledge or consent.
    A previous version of this policy contained a remark that removal of Tapatalk was planned when forum upgrades would be rolled out. A significant delay of said upgrades and completely misplaced trust in the Tapatalk developers led to this terrible oversight on our part. Going forward, there will be no board software extensions that send out any user data to third parties ever again.

What data is collected and stored and for what purpose? For how long is it stored?

    Server logs
      The web server logs every HTTP request made to the site. A log entry contains

      • the visitor's full IP address,
      • date and time of the request,
      • the exact URL (which may contain session IDs that identify a user account),
      • the HTTP referer, which is essentially the URL of the site where the visitor has clicked a link to this forum,
      • the user agent string (which may contain information about the client's web browser, operating system and some installed programs), if present.

      Furthermore, the mailserver logs e-mail addresses when sending e-mails and the database server logs slow queries that may contain personal data.
      All server logs are kept for approximately 7 days and are then deleted. They are used to track malicious activity in case of a security breach, to ensure that the server works correctly and for generic activity statistics, which are only generated on demand and without analysis of IP addresses or session IDs. These activity reports are not stored permanently.

    IP addresses and user agents
      IP addresses are stored in the forum database indefinitely, but as of January 1st, 2017, the last block (for IPv6 addresses, the last four blocks) is not recorded, and all addresses have been retroactively anonymized in this way. These anonymized IP addresses are used to check for ban evasion and for general security purposes.

      Visitor sessions contain a user agent string (if available) and an anonymized IP address. Inactive sessions expire after one hour, but may be stored indefinitely within backups. Session information is required for successful user login and authentication.

    Forum profile logs
      User profile changes are logged by the forum software by default. These logs contain anonymized IP addresses, as well as all e-mail addresses and usernames that have ever been associated with a specific account.
      These logs are kept indefinitely, unless the user requests them to be deleted. They are used by the staff to recognize users and to provide account recovery support.

    Forum ban lists and ban logs
      Ban lists may contain e-mail addresses, even if respective user accounts no longer exist. Ban lists are cleaned up regularly, but individual entries may be kept indefinitely. Banning and unbanning of usernames, e-mail addresses and anonymized IP addresses are also logged indefinitely.

    User-submitted data
      All (possibly) confidential data that is actively provided by a user, including but not limited to

      • e-mail addresses,
      • user preferences,
      • private messages,
      • attachments to private messages,
      • posts in private subforums,

      is stored in the forum database indefinitely, unless the user requests removal. Account passwords are hashed with a salted MD5 function and are also stored indefinitely.

    Cookies
      Cookies are small text files that are stored on your computer and contain information used by sites you visit. We use cookies only to provide persistent user sessions and auto-login.

    Backups
      Backups include the database, user avatars and attachments.
      On the web server, unencrypted database backups are stored for up to seven days, after which they are deleted and encrypted copies take their place for approximately one year. The encryption is done with GPG using AES-256, with the RSA decryption key not being stored on the server.
      Off-site, encrypted backups done by me (RessourectoR) are stored indefinitely for the database, and up to one year for avatars and attachments.
      Off-site backups made by the server owner are not encrypted and may be stored indefinitely; this is currently not known.
      Backups contain most personal data that was later removed, but are only kept strictly for archival purposes. All backups made prior to 2017 contain full (non-anonymized) IP addresses.

Who has access to the data?

  • The server owner and the server provider(s) have full access to all data, except for the backup decryption key.
  • I (RessourectoR) have full access to all data; specifically, all encrypted data, and most data that has been deleted from the server since 2007.
  • Forum administrators have access to forum logs, e-mail addresses, user preferences, anonymized IP addresses and session user agents.
  • English, Russian and Junior moderators have access to forum logs, e-mail addresses and anonymized IP addresses.
  • All current staff members have access to private messages that have been reported by users, even if the messages have been deleted by either sender or receiver.
  • All current staff members and some retired staff members have access to encrypted backups. This does not include the decryption key(s). Other trusted individuals may be granted access at the administration's discretion.
  • Upload Crew members have access to forum logs without e-mail addresses or IP addresses.
  • To the best of my knowledge, no one else has access (at least not intentionally).

Who is the data shared with?

    The forum staff, as listed in "Who has access to the data?", are obliged to never share any personal information with anyone outside of the staff without explicit consent from the affected user(s). It is theoretically possible that the server owner shares data with third parties, but there is no reason to assume this.

    Prior to 25.06.18, forum pages contained advertisement and tracking code from third-party sites including, but not limited to, youlamedia.com, liveinternet.ru, counter.yadro.ru and yandex.st.
    Prior to 13.07.18, forum pages contained a tracking counter from count.rin.ru.
    Pages outside of /forum may contain additional advertisement and tracking code.

    The forum allows users to embed content from other websites, which may be loaded by the visitor's browser, by using BBCodes:

    • [img] for images from arbitrary sites,
    • [youtube] to embed videos from youtube.com.

    All these sites may collect information such as full IP addresses and browser configuration. YouTube videos are embedded using the "privacy-enhanced mode" (youtube-nocookie.com), for which Google claims that no information on forum visitors is stored unless they play the video.

What control do users have over their data?

    Users are able to

    This means that users can remove all personal information that account deletion without posts deletion would remove as well, except for profile logs. We do not delete accounts without good reason, unless they have a very low post count (below 15 posts), in order to retain the user's contributions to the community. Furthermore, users can request advanced removal of personal data from

    • profile, ban, and other forum logs (usernames, e-mail addresses),
    • ban lists (usernames, e-mail addresses),
    • username mentions and quotes in posts and private messages,
    • specific posts,
    • specific private messages in other users' inboxes,
    • reports of specific posts and private messages.

    The already anonymized IP addresses cannot be traced back to individual persons and therefore are not personal data on their own. To our best knowledge, this covers all possible occurrences of personal data in our database beyond a user's profile, if such information was provided by you or is publicly visible on the forum. If you have reason to believe that other users have entered your sensitive personal information anywhere on this forum beyond the above listed possibilities, let us know and we will attempt to remove it. We may refuse such a request at our discretion, if it requires violating the privacy of other users. Please note that while deleting accounts without deleting posts is technically possible, it does not achieve better privacy than anonymization as laid out above.

    Accounts can also be merged, if some kind of proof of ownership is provided.
    Any inquiries pertaining to user privacy can be sent to RessourectoR via private message. In your removal requests, please state exactly what you want removed. If you request your account to be deleted, we will refer you to this privacy policy. If you cannot send PMs, create a topic in the "Off Topic" section or post a message to the shoutbox. If your account is banned, you have to register a new account and request a temporary unban in the same way first. This will be improved in the future.

    Users can protect against tracking by blocking scripts from all domains other than cs.rin.ru, in case any such scripts are added by the server owner or by intruders. Additionally, images and videos in posts, private messages and signatures can be replaced by links using the display options for images and Flash (even if the videos are not Flash-based).

- End of privacy policy -
