# This file lists processing purposes and the personal data gathered by
# Castopod.
# It is intended for hosting providers who want to provide a service
# based on Castopod, helping them to comply with GDPR requirements. Note
# that the services powered by Castopod may collect more data, HTTP logs
# in particular. As a hosting provider, you must inform your users of their
# rights and how their data are used and protected.

purpose: Connect users to their accounts
lawfulness: legitimate interest

data: username
required: yes
visibility: authenticated users
description:
    The username is used to identify users during the login process.
    The username is only required for users accessing the admin area.
mitigation:
    The username does not have to be a real or known identity.

data: user e-mail address
required: yes
visibility: administrators
description:
    The e-mail address is used for administrative purposes, to identify users
    during the login process and in case of forgotten password.

data: password
required: yes
visibility: private
description:
    The password is used to check the identity of users during the login
    process.
mitigation:
    Only hashes (using the Argon2 key derivation function) of the passwords
    are stored in the database (but they transit over the network).

purpose: Claim ownership of a podcast
lawfulness: legitimate interest

data: Podcast e-mail address
required: yes
visibility: public
description:
    The podcast e-mail address is used to claim podcast ownership on other
    platforms (such as Apple Podcasts).
mitigation:
    The e-mail can be generic.