Privacy policy
This privacy policy explains clearly the types of personal data RISC OS Open may collect about you when you interact with us. It also explains how we will store and handle that data and keep it safe.
Lawful bases
In 2018, new legislation called the General Data Protection Regulation (GDPR) was introduced within Europe. It prescribes a limited number of justifications, called “lawful bases”, under which we may collect and process your data. Below are the lawful bases we use when collecting and processing your personal data.
Consent
In specific situations, we can collect and process your data with your consent, for example with our external mailing lists.
Contractual obligations
In certain circumstances, we need your personal data to comply with our contractual obligations, for example for the ROOL store, the registered developer (DDE) database and the allocations database.
Legal compliance
If the law requires us to, we may need to collect and process your data.
Legitimate interests
In specific situations, we will require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running RISC OS Open and providing a service to the RISC OS community and which does not materially impact your rights, freedom or interests.
What are your rights?
You have the right to request:
- Access to the personal data we hold about you, free of charge in most cases.
- The correction of your personal data when incorrect, out of date or incomplete.
- That we stop any consent-based processing of your personal data after you withdraw that consent.
Your personal data and our website
Web site Hub accounts
The RISC OS Open web site is built using Ruby on Rails applications. These require the use of “cookies”. There is more information here on exactly how we use these.
Some of the applications we use…
- “Typo” (running the news pages)
- “Beast” (running the Forum pages)
- “Collaboa” (running the Subversion browser and ticket management system)
- “Instiki” (running the wiki)
…allow people to make comments, forum posts, edit wiki pages and so on without logging on. This raises the risk of our website receiving large volumes of unsolicited advertising material (“spam”). To help prevent this, the RISC OS Open site asks users to create an account for actions involving sending information to the site rather than just reading it. If all you want to do is read things, you do not need to create an account.
Accounts are created using a specially written application called “Hub”. The Hub database stores the e-mail address, real name and password that you provide, along with some state management information that relates to your Hub account but not the personal details within that account. From the control panel you can manage your account, including deleting it entirely. When you delete an account, all data within it is removed, including the record of your name and e-mail address. We do not retain this information within the account database for any purpose, though your name may still be associated with other parts of the site, as described below.
Forum, news comments, ticket comments, wiki pages and bounty contributions
When you comment upon, edit or perform any of the above actions using a web site account, usually your name will be associated with the information that you write. The name comes from the real name stored in your account. It is important to be aware that as you send information to the site, you potentially associate your name with quite a lot of things; comments and forum posts are fairly straightforward, but wiki page edits can be more involved. Changes you make within any wiki pages become part of the ongoing editing history of those pages and potentially persist for all time.
When you delete your RISC OS Open Web site (“Hub”) account, forum posts, page edits and so on are not automatically deleted. In the highly unlikely event that you decide you want all information relating to yourself (including references to your name) completely removed from the web site, please contact RISC OS Open directly.
CVS, subversion and git repositories
When you contribute to our public source code repositories, an ‘author’ name and (in the case of git) email address are typically associated with the submission, which becomes a part of the published history of that repository. Once a submission has been published, it is not possible to remove it from the history of the repository.
The RISC OS Open store
When you place an order, we may share your personal data with trusted third parties. For example, we may need to share your name and contact details with a courier in order to fulfil your order. We provide only the information they require to perform their specific services.
Server logs
The GDPR rules consider IP addresses in things like web server logs to be part of personally identifiable information. RISC OS Open stores web server logs for a period of up to seven days in case server application debugging is needed. These do include the IP addresses of requests handled by the web server. After seven days, log data is deleted, with no backup or record kept.
Information security
Any attempt to sign into the site, or use the site while signed in, can only be done over a secure (HTTPS) connection. Passwords are stored encrypted / salted in our database and only within the Hub system. Plain text passwords are never stored or logged anywhere.
Your logged-in sessions with the web site expire. After around 15 minutes of inactivity on the RISC OS Open site, if anyone (including yourself) tries to access the site again, they will find that the authorisation data has been cleared and they will be asked to log in again.
As with all of the software driving the RISC OS Open web site, the source code to the Hub application, the HubSsoLib supporting library and the Hub authorisation server is Open Source, and code reviews by suitably skilled members of the community are invited to help us ensure that there are no bugs in this software. If you are technically minded and wish to conduct your own security audit of the software, please look at the Subversion repository.
Your personal data in RISC OS
RISC OS is the name of the computer operating system which is maintained by RISC OS Open and which you can download from our site free of charge. We do not require you to sign up to our website in order to download RISC OS. There is no requirement to provide personal information when installing RISC OS and, while in use, RISC OS does not capture any telemetry relating to your use of the software, personal or anonymous, nor does it return any information to RISC OS Open in the background (or otherwise).
Your personal data and the RISC OS allocations database
RISC OS Open maintains an allocations database on behalf of our development community. When you request an allocation of a unique name or number from our allocations service by email, we record your name and contact details from the email’s headers (and/or from the contact details included in your attached Request file) in a confidential database to identify you as the owner of that allocation. This information is stored indefinitely unless you specifically contact us to inform us that the allocation is no longer required. You can also opt to make your allocations public, but the default behaviour is for them to be treated as confidential.
Information sharing
RISC OS Open Limited will not share your personal information with any third parties for any reason, except for the purposes of fulfilling orders through the ROOL store or to comply with legal process in the UK in the unlikely event that law enforcement authorities require us to provide information on all or part of our account database’s content.
We will not send you unsolicited e-mail messages using the e-mail address you supply. E-mail messages will be sent in response to account management activities (e.g. to activate an account when you are signing up, or to help you reset your password if you forget it) or if you explicitly choose to receive notifications of certain events (e.g. replies to a forum post you made).
To help protect you from bulk public address harvesting software, your account e-mail address is not by default exposed on any of the pages on this web site that can be read without verified, secure login. Only the real name that you associate with your account will be used. You may nonetheless choose in certain interfaces on the site to provide an e-mail address; this will variously be hex encoded, JavaScript encoded or, possibly, left in the clear (e.g. if you include it in a wiki page verbatim). In any event, your e-mail address is only used if you choose to supply it.
Further information
If you have any questions that have not been covered, please write to us at dpo@riscosopen.org. For reference, this is our record at the United Kingdom Information Commissioner’s Office: https://ico.org.uk/ESDWebPages/Entry/Z1852763.