sander/rowsandall
Private
Public Access
1
0
Fork 0
Code Activity

revised privacy policy

Browse Source
This commit is contained in:
Sander Roosendaal
2018-03-08 12:52:38 +01:00
parent ba1893c6bc
commit 5d3e58c1fc
4 changed files with 229 additions and 345 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
rowers/interactiveplots.py
View File

@@ -3269,7 +3269,10 @@ def thumbnail_flex_chart(rowdata,id=0,promember=0,
rowdata['xname'] = axlabels[xparam]
rowdata['yname1'] = axlabels[yparam1]
try:
rowdata['yname1'] = axlabels[yparam1]
except KeyError:
rowdata['yname1'] = axlabels[xparam]
if yparam2 != 'None':
rowdata['yname2'] = axlabels[yparam2]
else:

171
rowers/templates/gdpr_optin.html
View File

@@ -20,176 +20,7 @@
</p>
<hr>
<h2>Personal information collection</h2>
<p>
rowsandall.com may collect and use the following kinds of information:
<ul>
<li>information about your use of this website
<li>information that you provide for the purpose of
registering with the website
<li>information about transactions carried out over this website
<li>information that you provide for the purpose of
using this website, for instance heart rate band and weight information.
<li>any other information that you send to rowsandall.com
</ul>
Explicitly, the following information is collected:
<ul>
<li>User name, email address, encrypted password (PBKDF2 algorithm
with a SHA256 Hash and a password stretching mechanism recommended
by NIST).
<li>Your birth date.
<li>Your user consent to these GDPR compliance policies, and the
date at which you consented. Without this consent, the site cannot
be used.
<li>Weight category. With individual workouts, you may record your
actual weight during the workout.
<li>Your gender, if you decide to provide it.
<li>Heart rate zones you define. Only the actual values are stored. We do
not keep records of their evolution.
<li>Power zones and Functional Threshold power. Only the
actual values are stored. We do
not keep records of their evolution.
<li>Parameter values used to construct your Critical Power curve
(OTW and OTE).
<li>User preferences, such as the buttons and functionalities
defined in the Workflow left
panel and right panel.
<li>Tokens and their expiry dates used for sharing data with
other fitness sites. You can actually revoke these at any time.
<li>User preferences as shown on the user settings page
<li>Your favorite Flex Charts if defined
<li>The teams you are a member of.
<li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
based on the workouts you upload, and their evolution during your
usage of the site
<li>For members on the Coach plan, the names and purposes of teams. Names
of team members. (Members who delete their account will be erased from
existing teams.)
<li>Any rowing courses you uploaded
<li>Training targets and training plans
<li>Your uploaded workouts, their names, boat type, start time and date,
time zone information, total distance, duration, weight, average
and maximum heart rate, and references to their locations on third
party sites, rigging parameters (if provided),
summary information, any notes you made, privacy status and
ranking piece status.
<li>Stroke data, including, for each stroke, time, heart rate,
pace, stroke rate, work per stroke, power, average and peak
force, drive length, distance, drive speed, catch and finish angles,
slip, wash, peak force angle, effective angle, rhythm,
efficiency and distance per stroke, as well as any other
data in the data files you shared to rowsandall.com
<li>Images created on the site, from your rowing data, or uploaded
to the site.
<li>Comments you make to your and other people's workouts
</ul>
</p>
<p>
The site is only accessible to user of 16 years and older.
</p>
<h2>Data Deletion</h2>
<p>All the data mentioned in the previous section are stored in files
and in a database, hosted on our hosting provider's servers. Our
hosting provider is creating backups of those data. The database backups
are retained for 7 days. File backups are retained for 30 days. However,
the file names or content do not contain any links to the users. The
link to the file is stored under the user data in the database, so once
a database entry is removed, there is no way to link a file with data
to a particular user.
</p>
<p>
When a user requests deletion of the data, his account and all data linked to his account
are removed from the database and the files are deleted. This includes all data mentioned in the
previous section. In backups, database entries will be removed after 7 days and files after
30 days.
</p>
<p>Data deletion can be initiated by the user through the button on the user settings page.</p>
<h2>Data Security</h2>
<p>The site uses SSL to encrypt data transferred between the server and the client (web browers,
mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
CSRF middleware.</p>
<p>
We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
As a second step, protecting against guessing of URL, before serving data from the database, we check explicitly that the data
is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is collected
through POST requests to prevent them from being visible in URL data.
</p>
<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
misuse or alteration of your personal information. </p>
<p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
instructions are received within 7 days of contacting you, your account and all your data will be removed.
</p>
<h2>Data Sharing and access to data</h2>
<p>
Only the data owner can the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
or delete any data owned by users, unless requested so. As data are not stored on servers that are physically owner by us, or by
our hosting provider, but we use rented server space, we are technically sharing the information to agents or sub-contractors.
</p>
<p>
Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
</p>
<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
may disclose your personal information to the extent that it is required to do so by law, in connection with
any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
<p>
Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
"private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
your own data, so there is no way for other people to track your workouts, unless you share them.
</p>
<p>
Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
In addition, personal information that you submit for publication on the website will be published on the internet and
may be available around the world.
You agree to such cross-border transfers of personal information.
</p>
<p>
By accepting an "invitation" to become a member of a team, or by requesting to become part of a team, you agree to automatically
share all your workout data (including workouts done prior to becoming a member of the team) to the team manager (coach) and,
depending to the team policy, to other members of the team. When you leave
a team, all your workout data will immediately become invisible to those who had access to it during your team membership, including
workouts that cover the period of time when you were member of the team. As a member of a team, you grant the team manager
permission to edit workout data
on your behalf, including the creation of charts and cross workout analysis. You also grant the team manager permission to
edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
settings page under the header "Account Information". The team manager is not able to access or change your passwords, team memberships,
favorite charts, export settings, workflow layout, or secret tokens. Also, the team manager is not able to download all your data,
not can he deactivate or delete your account.
</p>
<p>
This site offers the possiblity to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
policies or practices of any third party.
</p>
<h2>Data portability</h2>
<p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
through links in the downloaded workout data file.</p>
{% include "privacypolicy.html" %}
<hr>

175
rowers/templates/legal.html
View File

@@ -156,183 +156,10 @@
</div>
<div class="grid_6 omega">
<h2>Privacy Policy</h2>
<h3>Credit</h3>
<p>This document was created using a Contractology template available at
<a href="http://www.freenetlaw.com">http://www.freenetlaw.com.</a>. It was modified to reflect the GDPR requirements.</p>
{% include "privacypolicy.html" %}
<h3>Personal information collection</h3>
<p>
rowsandall.com may collect and use the following kinds of information:
<ul>
<li>information about your use of this website
<li>information that you provide for the purpose of
registering with the website
<li>information about transactions carried out over this website
<li>information that you provide for the purpose of
using this website, for instance heart rate band and weight information.
<li>any other information that you send to rowsandall.com
</ul>
Explicitly, the following information is collected:
<ul>
<li>User name, email address, encrypted password (PBKDF2 algorithm
with a SHA256 Hash and a password stretching mechanism recommended
by NIST).
<li>Your birth date.
<li>Your user consent to these GDPR compliance policies, and the
date at which you consented. Without this consent, the site cannot
be used.
<li>Weight category. With individual workouts, you may record your
actual weight during the workout.
<li>Your gender, if you decide to provide it.
<li>Heart rate zones you define. Only the actual values are stored. We do
not keep records of their evolution.
<li>Power zones and Functional Threshold power. Only the
actual values are stored. We do
not keep records of their evolution.
<li>Parameter values used to construct your Critical Power curve
(OTW and OTE).
<li>User preferences, such as the buttons and functionalities
defined in the Workflow left
panel and right panel.
<li>Tokens and their expiry dates used for sharing data with
other fitness sites. You can actually revoke these at any time.
<li>User preferences as shown on the user settings page
<li>Your favorite Flex Charts if defined
<li>The teams you are a member of.
<li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
based on the workouts you upload, and their evolution during your
usage of the site
<li>For members on the Coach plan, the names and purposes of teams. Names
of team members. (Members who delete their account will be erased from
existing teams.)
<li>Any rowing courses you uploaded
<li>Training targets and training plans
<li>Your uploaded workouts, their names, boat type, start time and date,
time zone information, total distance, duration, weight, average
and maximum heart rate, and references to their locations on third
party sites, rigging parameters (if provided),
summary information, any notes you made, privacy status and
ranking piece status.
<li>Stroke data, including, for each stroke, time, heart rate,
pace, stroke rate, work per stroke, power, average and peak
force, drive length, distance, drive speed, catch and finish angles,
slip, wash, peak force angle, effective angle, rhythm,
efficiency and distance per stroke, as well as any other
data in the data files you shared to rowsandall.com
<li>Images created on the site, from your rowing data, or uploaded
to the site.
<li>Comments you make to your and other people's workouts
</ul>
</p>
<p>
The site is only accessible to user of 16 years and older.
</p>
<h3>Data Deletion</h3>
<p>All the data mentioned in the previous section are stored in files
and in a database, hosted on our hosting provider's servers. Our
hosting provider is creating backups of those data. The database backups
are retained for 7 days. File backups are retained for 30 days. However,
the file names or content do not contain any links to the users. The
link to the file is stored under the user data in the database, so once
a database entry is removed, there is no way to link a file with data
to a particular user.
</p>
<p>
When a user requests deletion of the data, his account and all data linked to his account
are removed from the database and the files are deleted. This includes all data mentioned in the
previous section. In backups, database entries will be removed after 7 days and files after
30 days.
</p>
<p>Data deletion can be initiated by the user through the button on the user settings page.</p>
<h3>Data Security</h3>
<p>The site uses SSL to encrypt data transferred between the server and the client (web browers,
mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
CSRF middleware.</p>
<p>
We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
As a second step, protecting against guessing of URL, before serving data from the database, we check explicitly that the data
is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is collected
through POST requests to prevent them from being visible in URL data.
</p>
<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
misuse or alteration of your personal information. </p>
<p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
instructions are received within 7 days of contacting you, your account and all your data will be removed.
</p>
<h3>Data Sharing and access to data</h3>
<p>
Only the data owner can the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
or delete any data owned by users, unless requested so. As data are not stored on servers that are physically owner by us, or by
our hosting provider, but we use rented server space, we are technically sharing the information to agents or sub-contractors.
</p>
<p>
Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
</p>
<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
may disclose your personal information to the extent that it is required to do so by law, in connection with
any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
<p>
Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
"private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
your own data, so there is no way for other people to track your workouts, unless you share them.
</p>
<p>
Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
In addition, personal information that you submit for publication on the website will be published on the internet and
may be available around the world.
You agree to such cross-border transfers of personal information.
</p>
<p>
By accepting an "invitation" to become a member of a team, or by requesting to become part of a team, you agree to automatically
share all your workout data (including workouts done prior to becoming a member of the team) to the team manager (coach) and,
depending to the team policy, to other members of the team. When you leave
a team, all your workout data will immediately become invisible to those who had access to it during your team membership, including
workouts that cover the period of time when you were member of the team. As a member of a team, you grant the team manager
permission to edit workout data
on your behalf, including the creation of charts and cross workout analysis. You also grant the team manager permission to
edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
settings page under the header "Account Information". The team manager is not able to access or change your passwords, team memberships,
favorite charts, export settings, workflow layout, or secret tokens. Also, the team manager is not able to download all your data,
not can he deactivate or delete your account.
</p>
<p>
This site offers the possiblity to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
policies or practices of any third party.
</p>
<h3>Data portability</h3>
<p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
through links in the downloaded workout data file.</p>
</div>

223
rowers/templates/privacypolicy.html Normal file
View File

@@ -0,0 +1,223 @@
<h2>Personal information collection</h2>
<p>
At rowsandall.com we take your privacy very seriously. IN order to provide access
to the service we must collect and store some personal information about you.
</p>
<p>
Childen under 16 years of age are not permitted to access the services provided
by rowsandall.com. By agreeing to this privacy policy you are also agreeing
that you are 16 years of age or older.
</p>
<p>
What is collected? Rowsandall.com may collect and use the following kinds of information:
<ul>
<li>information about your use of this website
<li>information that you provide for the purpose of
registering with the website
<li>information about transactions carried out over this website
<li>information that you provide for the purpose of
using this website, for instance heart rate band and weight information.
<li>any other information that you send to rowsandall.com
</ul>
</p>
<p>
Basic profile information is collected from you when you create your account including your full
name and email address. As you use the site, information about the users, workouts,
charts and other resources you interact with will also be stored and linked to
your profile information.
</p>
<p>
Explicitly, the following information is collected:
<ul>
<li>User name, email address, encrypted password (PBKDF2 algorithm
with a SHA256 Hash and a password stretching mechanism recommended
by NIST).
<li>Your birth date.
<li>Your user consent to these GDPR compliance policies, and the
date at which you consented. Without this consent, the site cannot
be used.
<li>Weight category. With individual workouts, you may record your
actual weight during the workout.
<li>Your gender, if you decide to provide it.
<li>Heart rate zones you define. Only the actual values are stored. We do
not keep records of their evolution.
<li>Power zones and Functional Threshold power. Only the
actual values are stored. We do
not keep records of their evolution.
<li>Parameter values used to construct your Critical Power curve
(OTW and OTE).
<li>User preferences, such as the buttons and functionalities
defined in the Workflow left
panel and right panel.
<li>Tokens and their expiry dates used for sharing data with
other fitness sites. You can actually revoke these at any time.
<li>User preferences as shown on the user settings page
<li>Your favorite Flex Charts if defined
<li>The teams you are a member of.
<li>Estimated four minute, 2k and 1 hour ergometer and OTW power values,
based on the workouts you upload, and their evolution during your
usage of the site
<li>For members on the Coach plan, the names and purposes of teams. Names
of team members. (Members who delete their account will be erased from
existing teams.)
<li>Any rowing courses you uploaded
<li>Training targets and training plans
<li>Your uploaded workouts, their names, boat type, start time and date,
time zone information, total distance, duration, weight, average
and maximum heart rate, and references to their locations on third
party sites, rigging parameters (if provided),
summary information, any notes you made, privacy status and
ranking piece status.
<li>Stroke data, including, for each stroke, time, heart rate,
pace, stroke rate, work per stroke, power, average and peak
force, drive length, distance, drive speed, catch and finish angles,
slip, wash, peak force angle, effective angle, rhythm,
efficiency and distance per stroke, as well as any other
data in the data files you shared to rowsandall.com
<li>Images created on the site, from your rowing data, or uploaded
to the site.
<li>Comments you make to your and other people's workouts
</ul>
</p>
<h2>Who can I contact?</h2>
<p>
The data protection officer for rowsandall.com is Sander Roosendaal and he may be contacted
at support@rowsandall.com.
</p>
<h2>Data Deletion</h2>
<p>If you have previously consented to allow rowsandall.com to store and process your personal
data in accordance with this privacy policy, and you wish to withdraw your conent,
you can do one of the following:
<ul>
<li>Send an email to support@rowsandall.com requesting to withdraw consent and remove your data
<li>Delete your account using the red button on the user settings page.
</ul>
</p>
<p>All the data mentioned in the previous section are stored in files
and in a database, hosted on our hosting provider's servers. Our
hosting provider is creating backups of those data. The database backups
are retained for 7 days. File backups are retained for 30 days. However,
the file names or content do not contain any links to the users. The
link to the file is stored under the user data in the database, so once
a database entry is removed, there is no way to link a file with data
to a particular user.
</p>
<p>
When a user requests deletion of the data, his account and all data linked to his account
are removed from the database and the files are deleted. This includes all data mentioned in the
previous section. In backups, database entries will be removed after 7 days and files after
30 days.
</p>
<p>Data deletion can be initiated by the user through the button on the user settings page.</p>
<h2>Data Security</h2>
<p>The site uses SSL to encrypt data transferred between the server and the client (web browers,
mobile apps, third party sites). Any forms are secured from Cross Site Request Forgery (CSRF) using Django's
CSRF middleware.</p>
<p>
We have a double defense against reading or editing of personal data. First, we ensure that all "protected" views
are only visible to logged-in users. Only logged-in users have buttons leading to the private parts of the site.
As a second step, protecting against guessing of URL, before serving data from the database, we check explicitly that the data
is owned by the user in question, redirecting unauthorized requests to a "Permission Denied" page. Private data is collected
through POST requests to prevent them from being visible in URL data.
</p>
<p>rowsandall.com will take reasonable technical and organisational precautions to prevent the loss,
misuse or alteration of your personal information. </p>
<p>In case of loss, misuse or alteration of your personal information, we will inform you without undue delay and take measures
to prevent further misuse. In particular, we will deactivate your account, which will not delete the data but make them
inaccessible even for people who obtained the password (including yourself). We will await your instructions. If no
instructions are received within 7 days of contacting you, your account and all your data will be removed.
</p>
<h2>Who is my data shared with?</h2>
<p>
Only the data owner and the site administrator can edit and/or delete the data. Per our data policy, the site administrator will not alter
or delete any data owned by users, unless requested so. As data are not stored on servers that are physically owner by us, or by
our hosting provider, but we use rented server space, we are technically sharing the information to agents or sub-contractors.
</p>
<p>
Where rowsandall.com discloses your personal information to its agents or sub-contractors for these purposes,
the agent or sub-contractor in question will be obligated to use that personal information in accordance with the terms of this privacy statement.
Our hosting provider is based in the European Union and is bound by the same GDPR regulation as we are.
</p>
<p>In addition to the disclosures reasonably necessary for the purposes identified elsewhere above, rowsandall.com
may disclose your personal information to the extent that it is required to do so by law, in connection with
any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights.</p>
<p>
Workout data and charts based on workout data can be shared to anyone by sharing the URL. Workouts have an option to be set to
"private", in which case the data are not visible to anyone except the owner. The site is not searchable for data other than
your own data, so there is no way for other people to track your workouts, unless you share them.
</p>
<p>
Cross-border data transfers. Information that rowsandall.com collects may be stored and processed in and transferred
between any of the countries in which rowsandall.com operates to enable the use of the information in accordance with this privacy policy.
In addition, personal information that you submit for publication on the website will be published on the internet and
may be available around the world.
You agree to such cross-border transfers of personal information.
</p>
<p>
By accepting an "invitation" to become a member of a team, or by requesting to become part of a team, you agree to automatically
share all your workout data (including workouts done prior to becoming a member of the team) to the team manager (coach) and,
depending to the team policy, to other members of the team. When you leave
a team, all your workout data will immediately become invisible to those who had access to it during your team membership, including
workouts that cover the period of time when you were member of the team. As a member of a team, you grant the team manager
permission to edit workout data
on your behalf, including the creation of charts and cross workout analysis. You also grant the team manager permission to
edit your heart rate and power settings, as well as functional threshold information and the account information accessible on your
settings page under the header "Account Information". The team manager is not able to access or change your passwords, team memberships,
favorite charts, export settings, workflow layout, or secret tokens. Also, the team manager is not able to download all your data,
not can he deactivate or delete your account.
</p>
<p>
This site offers the possiblity to synchronize your data with other fitness sites. By clicking on the share or connect button (link, or
equivalent) you agree to share information between rowsandall.com and the other website. Rowsandall.com is not responsible for the privacy
policies or practices of any third party. Sharing the data to third party sites is at your own risk and you should ensure that the third party
has suitable GDPR compliant measures in place.
</p>
<h2>Inactive Users - accounts are deleted after 18 months</h2>
<p>
If a user is not active on the site for 12 months, we will make deactivate the account. After 18 months, the account is deleted.
</p>
<h2>Duration of consent</h2>
<p>
The data will be retained for the duration of the owner's membership, or 18 months after the user's last activity on the site.
</p>
<h2>Data portability</h2>
<p>Through the "download your data" link on the user settings page, each user can download all workout data. Stroke data can be downloaded
through links in the downloaded workout data file.</p>
<p>Your personal data are shown on the user settings page. Send an email to support@rowsandall.com if you wish to obtain a full record of all the personal data
relating to you that has been collected in accordance with this privacy policy.
</p>