GDPR Tracking Issue
Some aspects of Veloren and Veloren's ecosystem are in violation of or are ambiguous in the face of the European Union's General Data Protection Regulation (GDPR). It is desirable to clarify, fix, or otherwise add Terms & Conditions to cover these cases and ensure that we're fully compliant. More generally, improving user privacy and security is also desirable. Further, understanding what we can and can't do is important for pushing forward features such as email-based password recovery for accounts.
Here follows a (possibly incomplete) list of issues that have been noted that may need attention:
- Airshipper
  - Airshipper downloading data from GitLab/Discord CDNs without adequate notification to the user may be in violation of GDPR
- Accounts and auth server
  - Add a way to delete accounts
  - No process for deleting accounts without password access - alternative proof of identity might be desirable
  - Email addresses — even hashed — will likely be considered protected information under GDPR. We want to use them for account recovery so collection & storage of e-mail should go into T&C and appropriate mechanisms for user notification should be set in place.
Please add to this list as required.
Edited by Nadja von Reitzenstein Čerpnjak