
updated legal text on legal page and GDPR opt in page

This commit is contained in:
Sander Roosendaal
2018-03-07 22:06:27 +01:00
parent 1a87d72a8d
commit 100cd9a48f
2 changed files with 330 additions and 37 deletions

View File

@@ -7,7 +7,6 @@
{% block content %}
<div class="grid_12">
<h2>GDPR Opt-In</h2>
<hr>
<p>
<b>
To comply with the European Union General Data Protection Regulation,
@@ -19,9 +18,183 @@
and remove your account.
</b>
</p>
<hr>
<h2>Personal information collection</h2>
<p>
rowsandall.com may collect and use the following kinds of information:
<ul>
<li>information about your use of this website
<li>information that you provide for the purpose of
registering with the website
<li>information about transactions carried out over this website
<li>information that you provide for the purpose of
using this website, for instance heart rate band and weight information.
<li>any other information that you send to rowsandall.com
</ul>
Explicitly, the following information is collected:
<ul>
<li>User name, email address, encrypted password (PBKDF2 algorithm
with a SHA256 Hash and a password stretching mechanism recommended
by NIST).
<li>Your birth date.
<li>Your user consent to these GDPR compliance policies, and the
date at which you consented. Without this consent, the site cannot
be used.
<li>Weight category. With individual workouts, you may record your
actual weight during the workout.
<li>Your gender, if you decide to provide it.
<li>Heart rate zones you define. Only the actual values are stored. We do
not keep records of their evolution.
<li>Power zones and Functional Threshold power. Only the
actual values are stored. We do
not keep records of their evolution.
<li>Parameter values used to construct your Critical Power curve
(OTW and OTE).
<li>User preferences, such as the buttons and functionalities
defined in the Workflow left
panel and right panel.
<li>Tokens and their expiry dates used for sharing data with
other fitness sites. You can actually revoke these at any time.
<li>User preferences as shown on the user settings page
<li>Your favorite Flex Charts if defined
<li>The teams you are a member of.
<li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
based on the workouts you upload, and their evolution during your
usage of the site
<li>For members on the Coach plan, the names and purposes of teams. Names
of team members. (Members who delete their account will be erased from
existing teams.)
<li>Any rowing courses you uploaded
<li>Training targets and training plans
<li>Your uploaded workouts, their names, boat type, start time and date,
time zone information, total distance, duration, weight, average
and maximum heart rate, and references to their locations on third
party sites, rigging parameters (if provided),
summary information, any notes you made, privacy status and
ranking piece status.
<li>Stroke data, including, for each stroke, time, heart rate,
pace, stroke rate, work per stroke, power, average and peak
force, drive length, distance, drive speed, catch and finish angles,
slip, wash, peak force angle, effective angle, rhythm,
efficiency and distance per stroke, as well as any other
data in the data files you shared to rowsandall.com
<li>Images created on the site, from your rowing data, or uploaded
to the site.
<li>Comments you make to your and other people's workouts
</ul>
</p>
<p>
This paragraph will contain the data policy
The site is only accessible to user of 16 years and older.
</p>
<h2>Data Deletion</h2>
<p>All the data mentioned in the previous section are stored in files
and in a database, hosted on our hosting provider's servers. Our
hosting provider is creating backups of those data. The database backups
are retained for 7 days. File backups are retained for 30 days. However,
the file names or content do not contain any links to the users. The
link to the file is stored under the user data in the database, so once
a database entry is removed, there is no way to link a file with data
to a particular user.
</p>
<p>
When a user requests deletion of the data, his account and all data linked to his account
are removed from the database and the files are deleted. This includes all data mentioned in the
previous section. In backups, database entries will be removed after 7 days and files after
30 days.
</p>
<p>Data deletion can be initiated by the user through the button on the user settings page.</p>
<h2>Data Security</h2>
<p>The site uses SSL to encrypt data transferred between the server and the client (web browers,
mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
CSRF middleware.</p>
<p>
We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
As a second step, protecting against guessing of URL, before serving data from the database, we check explicitly that the data
is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is collected
through POST requests to prevent them from being visible in URL data.
</p>
<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
misuse or alteration of your personal information. </p>
<p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
instructions are received within 7 days of contacting you, your account and all your data will be removed.
</p>
<h2>Data Sharing and access to data</h2>
<p>
Only the data owner can the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
or delete any data owned by users, unless requested so. As data are not stored on servers that are physically owner by us, or by
our hosting provider, but we use rented server space, we are technically sharing the information to agents or sub-contractors.
</p>
<p>
Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
</p>
<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
may disclose your personal information to the extent that it is required to do so by law, in connection with
any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
<p>
Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
"private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
your own data, so there is no way for other people to track your workouts, unless you share them.
</p>
<p>
Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
In addition, personal information that you submit for publication on the website will be published on the internet and
may be available around the world.
You agree to such cross-border transfers of personal information.
</p>
<p>
By accepting an "invitation" to become a member of a team, or by requesting to become part of a team, you agree to automatically
share all your workout data (including workouts done prior to becoming a member of the team) to the team manager (coach) and,
depending to the team policy, to other members of the team. When you leave
a team, all your workout data will immediately become invisible to those who had access to it during your team membership, including
workouts that cover the period of time when you were member of the team. As a member of a team, you grant the team manager
permission to edit workout data
on your behalf, including the creation of charts and cross workout analysis. You also grant the team manager permission to
edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
settings page under the header "Account Information". The team manager is not able to access or change your passwords, team memberships,
favorite charts, export settings, workflow layout, or secret tokens. Also, the team manager is not able to download all your data,
not can he deactivate or delete your account.
</p>
<p>
This site offers the possiblity to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
policies or practices of any third party.
</p>
<h2>Data portability</h2>
<p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
through links in the downloaded workout data file.</p>
<hr>
<p>
To start or continue using the site, please give your consent by clicking on the green Opt In button below.
</p>
<p>
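Review bot: The paragraph just above the "Data Deletion" heading still carries the drafting placeholder "This paragraph will contain the data policy" in front of the age sentence; remove it before this ships as user-facing legal text. In the same pass, fix "Only the data owner can the site administrator can edit" (should read "and the site administrator"), "physically owner by us", "web browers", "possiblity" and "not can he". On substance, "encrypted password (PBKDF2 algorithm" describes a one-way key-derivation hash rather than encryption, so "hashed" is the accurate word for a policy that users may rely on, and "SSL" would be better stated as TLS. Both `<ul>` lists are placed inside a `<p>`, which is not valid HTML because the parser ends the paragraph at the list; close the `<p>` before each list.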

View File

@@ -159,61 +159,181 @@
<h3>Credit</h3>
<p>This document was created using a Contractology template available at
<a href="http://www.freenetlaw.com">http://www.freenetlaw.com.</a>.</p>
<a href="http://www.freenetlaw.com">http://www.freenetlaw.com.</a>. It was modified to reflect the GDPR requirements.</p>
<h3>Personal information collection</h3>
<p>rowsandall.com may collect and use the following kinds of information:
<ul>
<li>information about your use of this website
<li>information that you provide for the purpose of registering with the website
<li>information about transactions carried out over this website
<li>information that you provide for the purpose of using this website, for instance heart rate band and weight information.
<li>any other information that you send to rowsandall.com
</ul></p>
<h3>Personal information collection</h3>
<p>
rowsandall.com may collect and use the following kinds of information:
<ul>
<li>information about your use of this website
<li>information that you provide for the purpose of
registering with the website
<li>information about transactions carried out over this website
<li>information that you provide for the purpose of
using this website, for instance heart rate band and weight information.
<li>any other information that you send to rowsandall.com
</ul>
Explicitly, the following information is collected:
<ul>
<li>User name, email address, encrypted password (PBKDF2 algorithm
with a SHA256 Hash and a password stretching mechanism recommended
by NIST).
<li>Your birth date.
<li>Your user consent to these GDPR compliance policies, and the
date at which you consented. Without this consent, the site cannot
be used.
<li>Weight category. With individual workouts, you may record your
actual weight during the workout.
<li>Your gender, if you decide to provide it.
<li>Heart rate zones you define. Only the actual values are stored. We do
not keep records of their evolution.
<li>Power zones and Functional Threshold power. Only the
actual values are stored. We do
not keep records of their evolution.
<li>Parameter values used to construct your Critical Power curve
(OTW and OTE).
<li>User preferences, such as the buttons and functionalities
defined in the Workflow left
panel and right panel.
<li>Tokens and their expiry dates used for sharing data with
other fitness sites. You can actually revoke these at any time.
<li>User preferences as shown on the user settings page
<li>Your favorite Flex Charts if defined
<li>The teams you are a member of.
<li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
based on the workouts you upload, and their evolution during your
usage of the site
<li>For members on the Coach plan, the names and purposes of teams. Names
of team members. (Members who delete their account will be erased from
existing teams.)
<li>Any rowing courses you uploaded
<li>Training targets and training plans
<li>Your uploaded workouts, their names, boat type, start time and date,
time zone information, total distance, duration, weight, average
and maximum heart rate, and references to their locations on third
party sites, rigging parameters (if provided),
summary information, any notes you made, privacy status and
ranking piece status.
<li>Stroke data, including, for each stroke, time, heart rate,
pace, stroke rate, work per stroke, power, average and peak
force, drive length, distance, drive speed, catch and finish angles,
slip, wash, peak force angle, effective angle, rhythm,
efficiency and distance per stroke, as well as any other
data in the data files you shared to rowsandall.com
<li>Images created on the site, from your rowing data, or uploaded
to the site.
<li>Comments you make to your and other people's workouts
</ul>
</p>
<h3>Using personal information</h3>
<p>
The site is only accessible to user of 16 years and older.
</p>
<p>rowsandall.com may use your personal information to:
<ul>
<li>administer this website
<li>personalize this website for you
<li>enable your access to and use of the website services
<li>publish information about you on the website
<li>supply to you services that you purchase
</ul></p>
<h3>Data Deletion</h3>
<p>Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes, the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement. </p>
<p>All the data mentioned in the previous section are stored in files
and in a database, hosted on our hosting provider's servers. Our
hosting provider is creating backups of those data. The database backups
are retained for 7 days. File backups are retained for 30 days. However,
the file names or content do not contain any links to the users. The
link to the file is stored under the user data in the database, so once
a database entry is removed, there is no way to link a file with data
to a particular user.
</p>
<p>
When a user requests deletion of the data, his account and all data linked to his account
are removed from the database and the files are deleted. This includes all data mentioned in the
previous section. In backups, database entries will be removed after 7 days and files after
30 days.
</p>
<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com may disclose your personal information to the extent that it is required to do so by law, in connection with any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
<p>Data deletion can be initiated by the user through the button on the user settings page.</p>
<h3>Securing your data</h3>
<h3>Data Security</h3>
<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. </p>
<p>The site uses SSL to encrypt data transferred between the server and the client (web browers,
mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
CSRF middleware.</p>
<p>rowsandall.com will store all the personal information you provide</p>
<p>
We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
As a second step, protecting against guessing of URL, before serving data from the database, we check explicitly that the data
is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is collected
through POST requests to prevent them from being visible in URL data.
</p>
<h3>Cross-border data transfers</h3>
<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
misuse or alteration of your personal information. </p>
<p>Information that rowsandall.com collects may be stored and processed in and transferred between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.</p>
<p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
instructions are received within 7 days of contacting you, your account and all your data will be removed.
</p>
<p>In addition, personal information that you submit for publication on the website will be published on the internet and may be available around the world.</p>
<p>You agree to such cross-border transfers of personal information.</p>
<h3>Data Sharing and access to data</h3>
<h3>Updating this statement</h3>
<p>
Only the data owner can the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
or delete any data owned by users, unless requested so. As data are not stored on servers that are physically owner by us, or by
our hosting provider, but we use rented server space, we are technically sharing the information to agents or sub-contractors.
</p>
<p>rowsandall.com may update this privacy policy by posting a new version on this website. </p>
<p>
Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
</p>
<p>You should check this page occasionally to ensure you are familiar with any changes. </p>
<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
may disclose your personal information to the extent that it is required to do so by law, in connection with
any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
<h3>Other websites</h3>
<p>
Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
"private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
your own data, so there is no way for other people to track your workouts, unless you share them.
</p>
<p>This website connects to other websites. By clicking the <q>connect</q> button (link, or equivalent) you agree to share information between rowsandall.com and the other website.</p>
<p>
Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
In addition, personal information that you submit for publication on the website will be published on the internet and
may be available around the world.
You agree to such cross-border transfers of personal information.
</p>
<p>
By accepting an "invitation" to become a member of a team, or by requesting to become part of a team, you agree to automatically
share all your workout data (including workouts done prior to becoming a member of the team) to the team manager (coach) and,
depending to the team policy, to other members of the team. When you leave
a team, all your workout data will immediately become invisible to those who had access to it during your team membership, including
workouts that cover the period of time when you were member of the team. As a member of a team, you grant the team manager
permission to edit workout data
on your behalf, including the creation of charts and cross workout analysis. You also grant the team manager permission to
edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
settings page under the header "Account Information". The team manager is not able to access or change your passwords, team memberships,
favorite charts, export settings, workflow layout, or secret tokens. Also, the team manager is not able to download all your data,
not can he deactivate or delete your account.
</p>
<p>
This site offers the possiblity to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
policies or practices of any third party.
</p>
<p>rowsandall.com is not responsible for the privacy policies or practices of any third party.</p>
<h3>Data portability</h3>
<p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
through links in the downloaded workout data file.</p>
</div>
{% endblock content %}
{% endblock content %}
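Review bot: The sections from "Personal information collection" through "Data portability" in this hunk repeat the opt-in template's text word for word, differing only in heading level (`<h3>` here, `<h2>` there), so the two pages will drift apart the next time the policy is edited. Move the shared text into a single partial and pull it into both templates with Django's `{% include %}`. The wording problems in the opt-in copy are carried over here as well ("Only the data owner can the site administrator can edit", "physically owner by us", "web browers", "encrypted password"). The credit line ends "http://www.freenetlaw.com.</a>. It was modified", which leaves one period inside the link text and another after it; keep only the sentence-ending one.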