Privacy policy template for privately-ran Misago forums

While GDPR applies primarily to the companies or natural persons using their site with economic intent, the increasing number of services that you may want to use (like Facebook Login) are also requiring you to provide privacy policy for your site. This is why I've decided to come up with an template for people to easily fill in the blanks and use as privacy policy for their Misago sites.

Note: If you are actual company or your site is ran with economic intent, don't use this template. Pay the lawyer or ask your legal to create the policy for your business. I'm taking no liability or warranty for this. Full stop.

So if you want to run internet forum about cats or books or your favorite games, the early draft of template is available here:

github.com/rafalp/misago-privacy-policy-examples/blob/master/PRIVACY-POLICY.md

It covers most of things that privacy policy should cover, but it omits the parts that GDPR expects the companies to also include in their privacy policies, namely their designated data inspector or right to lodge a complaint. But like I've said, if you are natural person running gaming discussion without any ads or other monetization, the GDPR doesn't apply to you.

Pull-requests and suggestions are welcome.

Discussed the draft with people smarter than me and apparently explicit list of situations when data is recorded is considered mistake, as it now means that you have to update it (and notify about changes) every time you add or remove features recording the IP Address.

Template updated accordingly.

I've kept iterating on the template, and while it took me a while, I'm now mostly happy with it.

The key items of focus:

GDPR requires you to identify who is data administrator, how they may be contacted and under which jurisdiction they may fall (results of admins location and data location). My privacy policy ticks this off via following buts:

To don't get too specific Privacy Policy says that site is gathering personal data because its social site networking people interested in something. We explain which data is required (username, email, IP address), and which is optional (everything else you make a part of content you publish on the site).

Privacy policy also explains that we are registered IP to stop eventual abuse of site. It also includes bit about how long the data is stored (until it or the user account its associated with is deleted).

We also explain how e-mail address is used (to send notifications and let users maintain control of their account).

There's also short bit that tells user that anything they put on site besides their e-mail address and IP address is public, and email/IP are accessible by site staff.

I've also added bit about cookies, and as little bonus this bit contains passage about usage of Google Analytics.

Lastly the privacy policy provides mandatory part about rights granted to user such as right to know how data is processed, be forgotten, etc, and informs user that they can learn about all their rights by reading the GDPR, and that they ma exert those rights through options site makes available to them or by contacting the admin.

I'm now contemplating adding generic passage about how personal data on the site is being secure or protected or stuff like that. Feels like thats only mark not covered by my privacy policy template.