From 100cd9a48f96bf3f0cd8f049e1815c83fa22a2d7 Mon Sep 17 00:00:00 2001
From: Sander Roosendaal <roosendaalsander@gmail.com>
Date: Wed, 7 Mar 2018 22:06:27 +0100
Subject: [PATCH] updated legal text on legal page and GDPR opt in page

---
 rowers/templates/gdpr_optin.html | 177 +++++++++++++++++++++++++++-
 rowers/templates/legal.html      | 190 +++++++++++++++++++++++++------
 2 files changed, 330 insertions(+), 37 deletions(-)

diff --git a/rowers/templates/gdpr_optin.html b/rowers/templates/gdpr_optin.html
index 532dd59f..939a307f 100644
--- a/rowers/templates/gdpr_optin.html
+++ b/rowers/templates/gdpr_optin.html
@@ -7,7 +7,6 @@
 {% block content %}
 <div class="grid_12">
   <h2>GDPR Opt-In</h2>
-  <hr>
   <p>
     <b>
       To comply with the European Union General Data Protection Regulation,
@@ -19,9 +18,183 @@
       and remove your account.
     </b>
   </p>
+  <hr>
+
+  <h2>Personal information collection</h2>
+  <p>
+    rowsandall.com may collect and use the following kinds of information:
+    <ul>
+      <li>information about your use of this website
+      <li>information that you provide for the purpose of
+        registering with the website
+      <li>information about transactions carried out over this website
+      <li>information that you provide for the purpose of
+        using this website, for instance heart rate band and weight information.
+      <li>any other information that you send to rowsandall.com
+    </ul>
+    Explicitly, the following information is collected:
+    <ul>
+      <li>User name, email address, encrypted password (PBKDF2 algorithm
+        with a SHA256 Hash and a password stretching mechanism recommended
+        by NIST).
+      <li>Your birth date.
+      <li>Your user consent to these GDPR compliance policies, and the
+        date at which you consented. Without this consent, the site cannot
+        be used.
+      <li>Weight category. With individual workouts, you may record your
+        actual weight during the workout.
+      <li>Your gender, if you decide to provide it.
+      <li>Heart rate zones you define. Only the actual values are stored. We do
+        not keep records of their evolution.
+      <li>Power zones and Functional Threshold power. Only the
+        actual values are stored. We do
+        not keep records of their evolution.
+      <li>Parameter values used to construct your Critical Power curve
+        (OTW and OTE).
+      <li>User preferences, such as the buttons and functionalities
+        defined in the Workflow left
+        panel and right panel.
+      <li>Tokens and their expiry dates used for sharing data with
+        other fitness sites. You can actually revoke these at any time.
+      <li>User preferences as shown on the user settings page
+      <li>Your favorite Flex Charts if defined
+      <li>The teams you are a member of. 
+      <li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
+        based on the workouts you upload, and their evolution during your
+        usage of the site
+      <li>For members on the Coach plan, the names and purposes of teams. Names
+        of team members. (Members who delete their account will be erased from
+        existing teams.)
+      <li>Any rowing courses you uploaded
+      <li>Training targets and training plans
+      <li>Your uploaded workouts, their names, boat type, start time and date,
+        time zone information, total distance, duration, weight, average
+        and maximum heart rate, and references to their locations on third
+        party sites, rigging parameters (if provided),
+        summary information, any notes you made, privacy status and
+        ranking piece status.
+      <li>Stroke data, including, for each stroke, time, heart rate,
+        pace, stroke rate, work per stroke, power, average and peak
+        force, drive length, distance, drive speed, catch and finish angles,
+        slip, wash, peak force angle, effective angle, rhythm,
+        efficiency and distance per stroke, as well as any other
+        data in the data files you shared to rowsandall.com
+      <li>Images created on the site, from your rowing data, or uploaded
+        to the site.
+      <li>Comments you make to your and other people's workouts
+    </ul>
+  </p>
 
   <p>
-    This paragraph will contain the data policy
+    The site is only accessible to user of 16 years and older. 
+  </p>
+
+  <h2>Data Deletion</h2>
+
+  <p>All the data mentioned in the previous section are stored in files
+    and in a database, hosted on our hosting provider's servers. Our
+    hosting provider is creating backups of those data. The database backups
+    are retained for 7 days. File backups are retained for 30 days. However,
+    the file names or content do not contain any links to the users. The
+    link to the file is stored under the user data in the database, so once
+    a database entry is removed, there is no way to link a file with data
+    to a particular user.
+  </p>
+  <p>
+    When a user requests deletion of the data, his account and all data linked to his account
+    are removed from the database and the files are deleted. This includes all data mentioned in the
+    previous section. In backups, database entries will be removed after 7 days and files after
+    30 days. 
+  </p>
+
+  <p>Data deletion can be initiated by the user through the button on the user settings page.</p>
+
+  <h2>Data Security</h2>
+
+  <p>The site uses SSL to encrypt data transferred between the server and the client (web browers,
+    mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
+    CSRF middleware.</p>
+
+  <p>
+    We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
+    are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
+    As a second step, protecting against guessing of URL, before serving data from the database, we check explicitly that the data
+    is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is collected
+    through POST requests to prevent them from being visible in URL data.
+  </p>
+
+  <p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
+    misuse or alteration of your personal information. </p>
+
+  <p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
+    to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
+    inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
+    instructions are received within 7 days of contacting you, your account and all your data will be removed.
+  </p>
+
+
+  <h2>Data Sharing and access to data</h2>
+
+  <p>
+    Only the data owner can the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
+    or delete any data owned by users, unless requested so. As data are not stored on servers that are physically owner by us, or by
+    our hosting provider, but we use rented server space, we are technically sharing the information to agents or sub-contractors.
+  </p>
+
+  <p>
+    Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
+    the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
+    Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
+  </p>
+
+  <p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
+    may disclose your personal information to the extent that it is required to do so by law, in connection with
+    any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
+
+  
+  <p>
+    Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
+    "private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
+    your own data, so there is no way for other people to track your workouts, unless you share them.
+  </p>
+
+  <p>
+    Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
+    between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
+    In addition, personal information that you submit for publication on the website will be published on the internet and
+    may be available around the world.
+    You agree to such cross-border transfers of personal information.
+  </p>
+  
+  <p>
+    By accepting an "invitation" to become a member of a team, or by requesting to become part of a team, you agree to automatically
+    share all your workout data (including workouts done prior to becoming a member of the team) to the team manager (coach) and,
+    depending to the team policy, to other members of the team. When you leave
+    a team, all your workout data will immediately become invisible to those who had access to it during your team membership, including
+    workouts that cover the period of time when you were member of the team. As a member of a team, you grant the team manager
+    permission to edit workout data
+    on your behalf, including the creation of charts and cross workout analysis. You also grant the team manager permission to
+    edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
+    settings page under the header "Account Information". The team manager is not able to access or change your passwords, team memberships,
+    favorite charts, export settings, workflow layout, or secret tokens. Also, the team manager is not able to download all your data,
+    not can he deactivate or delete your account.
+  </p>
+  
+  <p>
+    This site offers the possiblity to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
+    equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
+    policies or practices of any third party. 
+  </p>
+
+  <h2>Data portability</h2>
+
+  <p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
+    through links in the downloaded workout data file.</p>
+
+  <hr>
+
+  <p>
+    To start or continue using the site, please give your consent by clicking on the green Opt In button below.
   </p>
 
   <p>
diff --git a/rowers/templates/legal.html b/rowers/templates/legal.html
index 37951f1b..6a4b3d35 100644
--- a/rowers/templates/legal.html
+++ b/rowers/templates/legal.html
@@ -159,61 +159,181 @@
 <h3>Credit</h3>
 
 <p>This document was created using a Contractology template available at 
-<a href="http://www.freenetlaw.com">http://www.freenetlaw.com.</a>.</p>
+<a href="http://www.freenetlaw.com">http://www.freenetlaw.com.</a>. It was modified to reflect the GDPR requirements.</p>
 
-<h3>Personal information collection</h3>
 
-<p>rowsandall.com may collect and use the following kinds of information:
-<ul>
-<li>information about your use of this website
-<li>information that you provide for the purpose of registering with the website
-<li>information about transactions carried out over this website
-<li>information that you provide for the purpose of using this website, for instance heart rate band and weight information.
-<li>any other information that you send to rowsandall.com
-</ul></p>
+  <h3>Personal information collection</h3>
+  <p>
+    rowsandall.com may collect and use the following kinds of information:
+    <ul>
+      <li>information about your use of this website
+      <li>information that you provide for the purpose of
+        registering with the website
+      <li>information about transactions carried out over this website
+      <li>information that you provide for the purpose of
+        using this website, for instance heart rate band and weight information.
+      <li>any other information that you send to rowsandall.com
+    </ul>
+    Explicitly, the following information is collected:
+    <ul>
+      <li>User name, email address, encrypted password (PBKDF2 algorithm
+        with a SHA256 Hash and a password stretching mechanism recommended
+        by NIST).
+      <li>Your birth date.
+      <li>Your user consent to these GDPR compliance policies, and the
+        date at which you consented. Without this consent, the site cannot
+        be used.
+      <li>Weight category. With individual workouts, you may record your
+        actual weight during the workout.
+      <li>Your gender, if you decide to provide it.
+      <li>Heart rate zones you define. Only the actual values are stored. We do
+        not keep records of their evolution.
+      <li>Power zones and Functional Threshold power. Only the
+        actual values are stored. We do
+        not keep records of their evolution.
+      <li>Parameter values used to construct your Critical Power curve
+        (OTW and OTE).
+      <li>User preferences, such as the buttons and functionalities
+        defined in the Workflow left
+        panel and right panel.
+      <li>Tokens and their expiry dates used for sharing data with
+        other fitness sites. You can actually revoke these at any time.
+      <li>User preferences as shown on the user settings page
+      <li>Your favorite Flex Charts if defined
+      <li>The teams you are a member of. 
+      <li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
+        based on the workouts you upload, and their evolution during your
+        usage of the site
+      <li>For members on the Coach plan, the names and purposes of teams. Names
+        of team members. (Members who delete their account will be erased from
+        existing teams.)
+      <li>Any rowing courses you uploaded
+      <li>Training targets and training plans
+      <li>Your uploaded workouts, their names, boat type, start time and date,
+        time zone information, total distance, duration, weight, average
+        and maximum heart rate, and references to their locations on third
+        party sites, rigging parameters (if provided),
+        summary information, any notes you made, privacy status and
+        ranking piece status.
+      <li>Stroke data, including, for each stroke, time, heart rate,
+        pace, stroke rate, work per stroke, power, average and peak
+        force, drive length, distance, drive speed, catch and finish angles,
+        slip, wash, peak force angle, effective angle, rhythm,
+        efficiency and distance per stroke, as well as any other
+        data in the data files you shared to rowsandall.com
+      <li>Images created on the site, from your rowing data, or uploaded
+        to the site.
+      <li>Comments you make to your and other people's workouts
+    </ul>
+  </p>
 
-<h3>Using personal information</h3>
+  <p>
+    The site is only accessible to user of 16 years and older. 
+  </p>
 
-<p>rowsandall.com may use your personal information to:
-<ul>
-<li>administer this website
-<li>personalize this website for you
-<li>enable your access to and use of the website services
-<li>publish information about you on the website
-<li>supply to you services that you purchase
-</ul></p>
+  <h3>Data Deletion</h3>
 
-<p>Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes, the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement. </p>
+  <p>All the data mentioned in the previous section are stored in files
+    and in a database, hosted on our hosting provider's servers. Our
+    hosting provider is creating backups of those data. The database backups
+    are retained for 7 days. File backups are retained for 30 days. However,
+    the file names or content do not contain any links to the users. The
+    link to the file is stored under the user data in the database, so once
+    a database entry is removed, there is no way to link a file with data
+    to a particular user.
+  </p>
+  <p>
+    When a user requests deletion of the data, his account and all data linked to his account
+    are removed from the database and the files are deleted. This includes all data mentioned in the
+    previous section. In backups, database entries will be removed after 7 days and files after
+    30 days. 
+  </p>
 
-<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com may disclose your personal information to the extent that it is required to do so by law, in connection with any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
+  <p>Data deletion can be initiated by the user through the button on the user settings page.</p>
 
-<h3>Securing your data</h3>
+  <h3>Data Security</h3>
 
-<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. </p>
+  <p>The site uses SSL to encrypt data transferred between the server and the client (web browers,
+    mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
+    CSRF middleware.</p>
 
-<p>rowsandall.com will store all the personal information you provide</p>
+  <p>
+    We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
+    are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
+    As a second step, protecting against guessing of URL, before serving data from the database, we check explicitly that the data
+    is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is collected
+    through POST requests to prevent them from being visible in URL data.
+  </p>
 
-<h3>Cross-border data transfers</h3>
+  <p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
+    misuse or alteration of your personal information. </p>
 
-<p>Information that rowsandall.com collects may be stored and processed in and transferred between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.</p>
+  <p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
+    to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
+    inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
+    instructions are received within 7 days of contacting you, your account and all your data will be removed.
+  </p>
 
-<p>In addition, personal information that you submit for publication on the website will be published on the internet and may be available around the world.</p>
 
-<p>You agree to such cross-border transfers of personal information.</p>
+  <h3>Data Sharing and access to data</h3>
 
-<h3>Updating this statement</h3>
+  <p>
+    Only the data owner can the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
+    or delete any data owned by users, unless requested so. As data are not stored on servers that are physically owner by us, or by
+    our hosting provider, but we use rented server space, we are technically sharing the information to agents or sub-contractors.
+  </p>
 
-<p>rowsandall.com may update this privacy policy by posting a new version on this website.  </p>
+  <p>
+    Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
+    the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
+    Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
+  </p>
 
-<p>You should check this page occasionally to ensure you are familiar with any changes.  </p>
+  <p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
+    may disclose your personal information to the extent that it is required to do so by law, in connection with
+    any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
 
-<h3>Other websites</h3>
+  
+  <p>
+    Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
+    "private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
+    your own data, so there is no way for other people to track your workouts, unless you share them.
+  </p>
 
-<p>This website connects to other websites. By clicking the <q>connect</q> button (link, or equivalent) you agree to share information between rowsandall.com and the other website.</p>
+  <p>
+    Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
+    between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
+    In addition, personal information that you submit for publication on the website will be published on the internet and
+    may be available around the world.
+    You agree to such cross-border transfers of personal information.
+  </p>
+  
+  <p>
+    By accepting an "invitation" to become a member of a team, or by requesting to become part of a team, you agree to automatically
+    share all your workout data (including workouts done prior to becoming a member of the team) to the team manager (coach) and,
+    depending to the team policy, to other members of the team. When you leave
+    a team, all your workout data will immediately become invisible to those who had access to it during your team membership, including
+    workouts that cover the period of time when you were member of the team. As a member of a team, you grant the team manager
+    permission to edit workout data
+    on your behalf, including the creation of charts and cross workout analysis. You also grant the team manager permission to
+    edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
+    settings page under the header "Account Information". The team manager is not able to access or change your passwords, team memberships,
+    favorite charts, export settings, workflow layout, or secret tokens. Also, the team manager is not able to download all your data,
+    not can he deactivate or delete your account.
+  </p>
+  
+  <p>
+    This site offers the possiblity to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
+    equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
+    policies or practices of any third party. 
+  </p>
 
-<p>rowsandall.com is not responsible for the privacy policies or practices of any third party.</p>
+  <h3>Data portability</h3>
+
+  <p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
+    through links in the downloaded workout data file.</p>
 
 
 
 </div>
-    {% endblock content %}
\ No newline at end of file
+    {% endblock content %}