CS.RIN.RU - Steam Underground Community


Post subject: Privacy Policy [last updated: 17.05.18]
Posted: Thursday, 17 May 2018, 10:48   
Joined: Tuesday, 15 Nov 2005, 17:09
Posts: 10859
Privacy Policy
For feedback, questions or any concerns regarding this policy, send a PM to RessourectoR or reply to this post.

This post is intended to inform users on

  • what kind of personal data is collected,
  • how long this data is stored,
  • who can access this data,
  • what users can do to control usage of their data.

17.05.18 - added details to Tapatalk statement
16.05.18 - removed Tapatalk and added statement about data leaks
04.02.18 - updated info on how to request account deletion
25.01.18 - update backup policy: database kept for 7 days
25.01.18 - policy only applies to forum
06.11.17 - removed liveinternet.ru counter
13.10.17 - webserver logs now kept for 7 days and securely deleted
03.04.17 - updated backup policy
02.04.17 - added HTTP referer to server log entries, removed [steaminfo] tag
10.03.17 - added info on Tapatalk emojis (they are always loaded, regardless of user display settings)
21.02.17 - updated tracking counters
29.01.17 - added info on editing posts
24.01.17 - first version


    This post is not legally binding. Improving user privacy and minimizing data collection is an ongoing effort. Due to our unique hosting situation, the practices outlined in this post are subject to change at any time, with or without previous notice. However, I (RessourectoR) promise to do my best to uphold the highest possible data protection standards, and to keep this post up-to-date with current practices. It is the goal of the forum administration to be as transparent as possible in this regard, in order to grant users the fullest feasible control over their personal data.
    Important: This policy only applies to the forum. The main site (https://cs.rin.ru) is hosted on a different server and not maintained by me.

    As of 16.05.2018, the Tapatalk addon for mobile browsing has been removed. A code review has revealed that it sends private information of forum users every time a push notification is triggered by the submission of (including but not limited to) a post or private message, even if the user does not use the Tapatalk mobile app. The forum addon sent the full IP address, user agent, username, post or PM title and post or PM content, over an unencrypted connection to US-based Tapatalk servers. This is significantly more than required to provide push notifications and seriously undermined the privacy efforts of this forum's administration. In theory, it allows Tapatalk or anyone tapping into Tapatalk server traffic to build personal profiles based on private messages, usernames and IP addresses, without the affected users' knowledge or consent.
    A previous version of this policy contained a remark that removal of Tapatalk was planned when forum upgrades would be rolled out. A significant delay of said upgrades and completely misplaced trust in the Tapatalk developers led to this terrible oversight on our part. Going forward, there will be no board software extensions that send out any user data to third parties ever again.

What data is collected and stored? For how long is it stored?

    Server logs
      The web server logs every HTTP request made to the site. A log entry contains

      • the visitor's full IP address,
      • date and time of the request,
      • the exact URL (which may contain session IDs that identify a user account),
      • the HTTP referer, which is essentially the URL of the site where the visitor has clicked a link to this forum,
      • the user agent string (which may contain information about the client's web browser, operating system and some installed programs), if present.

      Server logs are kept for approximately 7 days, after which they are securely deleted.

    IP addresses and user agents
      IP addresses are stored in the forum database indefinitely, but as of January 1st, 2017, the last block (for IPv6 addresses, the last four blocks) is not recorded, and all addresses have been retroactively anonymized in this way. This provides users with plausible deniability, while preserving locational information for security purposes.
      Visitor sessions contain a user agent string (if available) and an anonymized IP address. Inactive sessions expire after one hour, but may be stored indefinitely within backups.

    Forum profile logs
      User profile changes are logged by the forum software. These logs contain anonymized IP addresses, as well as all e-mail addresses and usernames that have ever been associated with a specific account.
      These logs are kept indefinitely, unless the user requests them to be deleted.

    Forum ban lists and ban logs
      Ban lists may contain anonymized IP addresses and e-mail addresses, even belonging to user accounts that no longer exist. Ban lists are cleaned up regularly, but individual entries may be kept indefinitely. Banning and unbanning of usernames, e-mail addresses and anonymized IP addresses are also logged indefinitely.

    User-submitted data
      All (possibly) confidential data that is actively provided by a user, including but not limited to

      • e-mail addresses,
      • user preferences,
      • private messages,
      • attachments to private messages,
      • posts in private subforums,

      is stored in the forum database indefinitely. Account passwords are hashed with a salted MD5 function and are also stored indefinitely.

      Backups include the database, user avatars and attachments.
      On the web server, unencrypted database backups are stored for up to seven days, after which they are deleted and encrypted copies take their place for approximately one year. The encryption is done with GPG using AES-256, with the RSA decryption key not being stored on the server.
      Off-site, encrypted backups done by me (RessourectoR) are stored indefinitely for the database, and up to one year for avatars and attachments.
      Off-site backups made by the server owner are not encrypted and may be stored indefinitely; this is currently not known.
      All backups made prior to 2017 contain full (non-anonymized) IP addresses.

Who has access to the data?

  • The server owner and the server provider(s) have full access to all data, except for the backup decryption key.
  • I (RessourectoR) have full access to all data; specifically, all encrypted data, and most data that has been deleted from the server since 2007.
  • Forum administrators have access to forum logs, e-mail addresses, user preferences, anonymized IP addresses and session user agents.
  • English, Russian and Junior moderators have access to forum logs, e-mail addresses and anonymized IP addresses.
  • All current staff members have access to private messages that have been reported by users, even if the messages have been deleted by either sender or receiver.
  • All current staff members and some retired staff members have access to encrypted backups. This does not include the decryption key(s). Other trusted individuals may be granted access at the administration's discretion.
  • Upload Crew members have access to forum logs without e-mail addresses or IP addresses.
  • To the best of my knowledge, no one else has access (at least not intentionally).

Who is the data shared with?

    The forum staff, as listed in "Who has access to the data?", will never share any personal information with third parties without explicit permission from the affected user(s). It is theoretically possible that the server owner shares data with third parties, but there is currently no reason to assume this.

    The forum pages contain advertisement and tracking code from the following domains:

    • youlamedia.com (Google AdExchange),
    • yandex.st (Yandex Share button),
    • liveinternet.ru / counter.yadro.ru (visitor stats, policy unknown),
    • count.rin.ru / cs.rin.ru/counter (visitor stats, not third-party, policy unknown).

    Pages outside of /forum may contain additional advertisement and tracking code.

    The forum allows users to embed content from other websites, which may be loaded by the visitor's browser, by using BBCodes:

    • [img] for images from arbitrary sites,
    • [youtube] to embed videos from youtube.com.

    All these sites may collect information such as full IP addresses, browser configuration and visited pages. YouTube videos are embedded using the "privacy-enhanced mode" (youtube-nocookie.com), for which Google claims that no information on forum visitors is stored unless they play the video.

What control do users have over their data?

    Users can change their nickname and e-mail address, edit their own posts, delete any of their own posts not followed by replies from other users, and delete private messages. Furthermore, they can request removal of

    • a small number of specific posts,
    • profile or ban logs of previous nicknames and e-mail addresses,
    • their entire account.

    Only accounts with very low post count (below 15 posts) and spambot accounts are eligible for deletion. Whether an account or specific posts are eligible for deletion is decided on a case-by-case basis, usually depending on how disruptive it would be to delete them. When an account is deleted, all data associated with it is removed from the database, except for

    • usernames in message quotes (as also occurs after account renaming),
    • usernames and e-mail addresses in ban lists and ban logs (if applicable),
    • contents of private messages sent to other users that have already been read,
    • the current username, which is contained in a log entry for account deletion.

    Accounts can also be merged, if some kind of proof of ownership is provided.
    Any data removal or account merging requests can be sent to RessourectoR via private message. In your request, please state exactly what you want removed. If you cannot send PMs, create a topic in the "Off Topic" section or post a message to the shoutbox. If your account is banned, you have to register a new account and request a temporary unban in the same way first. This will be improved in the future.

    Users can protect against tracking by blocking scripts from all domains other than cs.rin.ru and by blocking images from count.rin.ru, cs.rin.ru/counter and counter.yadro.ru when visiting the forum. Additionally, images and videos in posts, private messages and signatures can be replaced by links using the display options for images and Flash (even if the videos are not Flash-based).

- End of privacy policy -
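
The IP truncation described under "IP addresses and user agents" (last block dropped for IPv4, last four blocks for IPv6, applied retroactively to stored addresses), as an added example that is not part of the original post and not the forum's own code. The function names, the choice to store the dropped blocks as zeros, and the sample rows are assumptions made for illustration.

```python
import ipaddress

def anonymize_ip(text):
    """Zero the last block of an IPv4 address or the last four blocks of an IPv6 address."""
    addr = ipaddress.ip_address(text.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 client address;
    # unwrap it so it gets the IPv4 rule instead of being masked away entirely.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Keeping 24 of 32 bits drops one IPv4 block; keeping 64 of 128 drops four IPv6 blocks.
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def anonymize_rows(rows):
    """Retroactively anonymize stored (user_id, ip) rows.

    A value that does not parse as an address is replaced by an empty string,
    so a malformed entry is never left behind in full.
    """
    out = []
    for user_id, ip in rows:
        try:
            out.append((user_id, anonymize_ip(ip)))
        except ValueError:
            out.append((user_id, ""))
    return out

# Constructed sample rows (documentation address ranges, not real visitors).
SAMPLE_ROWS = [
    (1, "203.0.113.77"),
    (2, "203.0.113.200"),                         # same /24 as row 1
    (3, "2001:db8:85a3:8d3:1319:8a2e:370:7348"),
    (4, "::ffff:198.51.100.23"),                  # IPv4-mapped IPv6
    (5, "garbage"),                               # malformed stored value
]

if __name__ == "__main__":
    for row in anonymize_rows(SAMPLE_ROWS):
        print(row)
```

Rows 1 and 2 end up with the same stored value, which is the property the policy relies on: the record no longer distinguishes one host from the others in the same block, while the network part is kept.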
