# This file lists processing purposes and the personal data gathered by
# Castopod.
# It is intended for hosting providers who want to provide a service
# based on Castopod, helping them to comply with GDPR requirements. Note
# that the services powered by Castopod may collect more data, HTTP logs
# in particular. As a hosting provider, you must inform your users of their
# rights and how their data are used and protected.

purposes:
  - description: |
      Deduplicate number of audio file downloads made by the same listener for
      analytics purposes
    lawfulness: legitimate interest
    data:
      - field: (User IP address + Browser User Agent)
        required: yes
        visibility: none
        description: |
          In order to produce analytics data comparable to the podcasting
          ecosystem standards, the User IP address (REMOTE_ADDR) with the
          browser User Agent (HTTP_USER_AGENT) are stored when an audio file
          is downloaded.
        mitigation: |
          The data (User IP address + Browser User Agent) is never stored in
          plain format.
          The data is concatenated with a cryptographic salt, the current date,
          and the podcast or episode IDs.
          The data is hashed (using sha1) after being concatenated and before
          being stored.
          The data is stored in a cache database (eg. Redis).
          The data expires every day at midnight (server time).
        retention: 24 hours maximum

  - description: Connect users to their accounts
    lawfulness: legitimate interest
    data:
      - field: username
        required: yes
        visibility: authenticated users
        description: |
          The username is used to identify users during the login process.
          The username is only required for users accessing the admin area.
        mitigation: The username does not have to be a real or known identity.
        retention: forever

      - field: user e-mail address
        required: yes
        visibility: administrators
        description: |
          The e-mail address is used for administrative purposes, to identify users
          during the login process and in case of forgotten password.
        retention: forever

      - field: password
        required: yes
        visibility: private
        description: |
          The password is used to check the identity of users during the login
          process.
        mitigation: |
          Only hashes (using the Argon2 key derivation function) of the passwords
          are stored in the database (but they transit over the network).
        retention: forever

  - description: Claim ownership of a podcast
    lawfulness: legitimate interest
    data:
      - field: Podcast e-mail address
        required: yes
        visibility: public
        description: |
          The podcast e-mail address is used to claim podcast ownership on other
          platforms (such as Apple Podcasts).
        mitigation: The e-mail can be generic.
        retention: forever
  - description: Grant access to premium content
    lawfulness: legitimate interest
    data:
      - field: Subscriber's email address
        required: yes
        visibility: administrators
        description: |
          The subscriber's e-mail address is used to provide credentials for
          listening to premium content.
        mitigation: The e-mail can be generic.
        retention: until the subscription ends