From e8076820c968f36429c73b9821a323d6fbdf0a1d Mon Sep 17 00:00:00 2001
From: Benjamin Bellamy <ben@podlibre.org>
Date: Wed, 9 Mar 2022 16:09:02 +0000
Subject: [PATCH] docs(gdpr): add GDPR.txt file following the gdpr-txt.org spec

---
 GDPR.txt | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 GDPR.txt

diff --git a/GDPR.txt b/GDPR.txt
new file mode 100644
index 0000000000..9cce01c3d5
--- /dev/null
+++ b/GDPR.txt
@@ -0,0 +1,48 @@
+# This file lists processing purposes and the personal data gathered by
+# Castopod.
+# It is intended for hosting providers who want to provide a service
+# based on Castopod, helping them to comply with GDPR requirements. Note
+# that the services powered by Castopod may collect more data, HTTP logs
+# in particular. As a hosting provider, you must inform your users of their
+# rights and how their data are used and protected.
+
+purpose: Connect users to their accounts
+lawfulness: legitimate interest
+
+data: username
+required: yes
+visibility: authenticated users
+description:
+    The username is used to identify users during the login process.
+    The username is only required for users accessing the admin area.
+mitigation:
+    The username does not have to be a real or known identity.
+
+data: user e-mail address
+required: yes
+visibility: administrators
+description:
+    The e-mail address is used for administrative purposes, to identify users
+    during the login process and in case of forgotten password.
+
+data: password
+required: yes
+visibility: private
+description:
+    The password is used to check the identity of users during the login
+    process.
+mitigation:
+    Only hashes (using the Argon2 key derivation function) of the passwords
+    are stored in the database (but they transit over the network).
+
+purpose: Claim ownership of a podcast
+lawfulness: legitimate interest
+
+data: Podcast e-mail address
+required: yes
+visibility: public
+description:
+    The podcast e-mail address is used to claim podcast ownership on other
+    platforms (such as Apple Podcasts).
+mitigation:
+    The e-mail can be generic.
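Review bot: the password entry's mitigation ("but they transit over the network") names the transport-side exposure without saying what bounds it; since this file exists so hosting providers can rely on it, state the condition explicitly, e.g. "Passwords are transmitted in clear text inside the HTTP request and are only protected in transit when the service is served over HTTPS (TLS)." Also, the `user e-mail address` entry is the only one without a `mitigation:` field while `username`, `password` and the podcast e-mail address each have one; either add a mitigation line or state explicitly that none applies, so a reader does not take the omission for an oversight.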
-- 
GitLab