<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from various browser attributes. As of June 2024, we maintain two distinct versions of the algorithm, which use different properties as components to generate the hash. These are:</p>
<strong>Version 3 (past, used prior to June 15, 2024)</strong>
<ul>
<li>Browser user agent string</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language</li>
<li>OS name</li>
</ul>
<br />
<strong>Version 4 (current)</strong>
<ul>
<li>Browser identity and version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language and keyboard layout</li>
<li>Hardware information (amount of CPU cores and RAM)</li>
<li>Multi-touch support</li>
<li>OS information (name, mobile/desktop)</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to log in, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from various browser attributes. As of June 2024, we maintain two distinct versions of the algorithm, which use different properties as components to generate the hash. These are:</p>
<strong>Version 3 (current)</strong>
<strong>Version 3 (past, used prior to June 15, 2024)</strong>
<ul>
<li>Browser user agent string</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language</li>
<li>OS name</li>
</ul>
<br />
<strong>Version 4 (upcoming in a future update)</strong>
<strong>Version 4 (current)</strong>
<ul>
<li>Browser identity and version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language and keyboard layout</li>
<li>Hardware information (amount of CPU cores and RAM)</li>
<li>Multi-touch support</li>
<li>OS information (name, mobile/desktop)</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to log in, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from various browser attributes. As of June 2024, we maintain two distinct versions of the algorithm, which use different properties as components to generate the hash. These are:</p>
<strong>Version 3 (current, used in current/old design)</strong>
<strong>Version 3 (current)</strong>
<ul>
<li>Browser user agent string</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language</li>
<li>OS name</li>
</ul>
<br />
<strong>Version 4 (upcoming, used in beta/new design)</strong>
<strong>Version 4 (upcoming in a future update)</strong>
<ul>
<li>Browser identity and version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language and keyboard layout</li>
<li>Hardware information (amount of CPU cores and RAM)</li>
<li>Multi-touch support</li>
<li>OS information (name, mobile/desktop)</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to log in, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from various browser attributes. As of June 2024, we maintain two distinct versions of the algorithm, which use different properties as components to generate the hash. These are:</p>
<strong>Version 3 (current, used in current/old design)</strong>
<ul>
<li>Browser user agent string</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language</li>
<li>OS name</li>
</ul>
<br />
<strong>Version 4 (upcoming, used in beta/new design)</strong>
<ul>
<li>Browser identity and version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language and keyboard layout</li>
<li>Hardware information (CPU, RAM)</li>
<li>Hardware information (amount of CPU cores and RAM)</li>
<li>Multi-touch support</li>
<li>OS information (name, mobile/desktop)</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to log in, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<h4>Fingerprint v3 (pre-redesign)</h4>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from various browser attributes. As of June 2024, we maintain two distinct versions of the algorithm, which use different properties as components to generate the hash. These are:</p>
<strong>Version 3 (current, used in current/old design)</strong>
<ul>
<li>Browser user agent string</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language</li>
<li>OS name</li>
</ul>
<h4>Fingerprint v4 (post-redesign)</h4>
<br />
<strong>Version 4 (upcoming, used in beta/new design)</strong>
<ul>
<li>Browser identity and version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language and keyboard layout</li>
<li>Hardware information (CPU, RAM)</li>
<li>Multi-touch support</li>
<li>OS information (name, mobile/desktop)</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to log in, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<h4>Fingerprint v3 (pre-redesign)</h4>
<ul>
<li>Browser version</li>
<li>Browser user agent string</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
<li>Language</li>
<li>OS name</li>
</ul>
<h4>Fingerprint v4 (post-redesign)</h4>
<ul>
<li>Browser identity and version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Language and keyboard layout</li>
<li>Hardware information (CPU, RAM)</li>
<li>Multi-touch support</li>
<li>OS information (name, mobile/desktop)</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to log in, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to login, it is <strong>irreversible</strong>, unlike account
be removed. Since this removes the email address, which is necessary to log in, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare reverse-proxy, which
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare as a reverse proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to login, it is <strong>irreversible</strong>>, unlike account
be removed. Since this removes the email address, which is necessary to login, it is <strong>irreversible</strong>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare reverse-proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
here:https://www.cloudflare.com/en-gb/privacypolicy/.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found here:https://www.hcaptcha.com/privacy.</li>
<a href="https://www.cloudflare.com/en-us/privacypolicy">here</a>.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found <a href="https://www.hcaptcha.com/privacy">here</a>.</li>
</ul>
</div>
<div class="rule">
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>Passwords are hashed using bcrypt at 2<sup>10</sup> iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to login, it is <strong>irreversible</strong>>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<p>We collect the following information in webserver logs from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<p>These items are collected to ensure the security of the service (see "legimitate interests" in the GDPR), and are deleted after 14 days to balance it with user privacy.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
<li>A browser fingerprint</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<p>Additionally, cookies of users that are logged in will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<p>Because these are required for authentication, user security, or customization, which are all "legitimate interests", we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<p>User-submitted content by users (authenticated or not) may have any or all of the following information collected at the time of submission attached, visible only to site staff:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The IP address</li>
<li>The browser fingerprint</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
<li>The page that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
, we require some basic information at the time of account creation, as follows:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
<li>an email address, shown only to site staff and used only as a means of contact for account control (verification emails, password reset emails, and account unlock emails)</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
<p>We also store your IP address and browser fingerprint whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
<h2>Information shared with third-party services</h2>
<p>We use a few services for security purposes which use personal information. These are as follows:</p>
<ul>
<li>To protect against Denial-of-Service attacks or similar abuse of our service, we use Cloudflare reverse-proxy, which
uses browser fingerprints and cookies. The Cloudflare Privacy Policy can be found
here:https://www.cloudflare.com/en-gb/privacypolicy/.</li>
<li>To protect against spam, hCaptcha is used. Their privacy policy can be found here:https://www.hcaptcha.com/privacy.</li>
</ul>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>),
without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
<h2>Information sharing with other parties</h2>
<p>Besides services we rely on for security purposes, we only share personal information with third parties in response to
court orders.</p>
<p>We display certain statistics about how users use Derpibooru (for example, about uploads), without any personal or
personally-identifying information.</p>
<p>Many forms of user-submitted content (such as comments or uploads) are viewable by anyone, and as such, may be accessed
freely by third parties, including search engines. If a person's personal information is put in such content, we may
remove if it we deem it to be too sensitive; inform us if you believe something has been shared that is sensitive.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<h2>Complaints and account Personally-Identifiable Information wiping</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
If you have concerns or objections about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
<p>If you wish to have all stored personal information related to an account removed, you can submit a request for a wipe
of personally-identifiable information (PII). If approved (that is, if we do not believe we have a legitimate interest
in keeping the information around, such as to preserve evidence of site abuse), the account will be deactivated (can no
longer be logged in to) and all personally-identifying information on it, as well as on content submitted with it, will
be removed. Since this removes the email address, which is necessary to login, it is <strong>irreversible</strong>>, unlike account
deactivation on its own.</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/stats">about uploads</a>),
<a href="/pages/stats">about uploads</a>),
without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>),
<a href="/stats">about uploads</a>),
without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
</div>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>),
without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.utc(2018, 7, 11, 0, 30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>),
without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<a href="mailto:ops@derpibooru.org">ops@derpibooru.org</a>
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018, 7, 11, 0, 30))) %>
<%= ::Temple::Utils.escape_html((friendly_time Time.utc(2018, 7, 11, 0, 30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018, 07, 11, 00, 30))) %>
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018, 7, 11, 0, 30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,07,11,00,30))) %>
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018, 07, 11, 00, 30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,07,11,00,30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,07,11,00,30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,06,01,00,30))) %>
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,07,11,00,30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
<p>Our advertising network, Project Wonderful, may see your IP address, but nothing else.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,06,01,00,30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The visitor's browser type</li>
<li>The browser user agent string</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser's user agent string, as provided by the browser</li>
<li>The browser user agent string</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
<p>Our advertising network, Project Wonderful, may see your IP address, but nothing else.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>
<% content_for(:robots, true)
%><h1>Derpibooru Privacy Policy</h1>
<p>
The privacy policy was last updated
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,05,18,00,30))) %>
<%= ::Temple::Utils.escape_html((friendly_time Time.new(2018,06,01,00,30))) %>
</p>
<p>We may update this document in the future, and will provide a site notice when we do.</p>
<div class="walloftext">
<div class="rule">
<h2>The short version</h2>
<p>We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.</p>
</div>
<div class="rule">
<h2>What information Derpibooru collects and why</h2>
<p>
<strong>Information from webserver logs</strong>
</p>
<p>We collect the following information (in webserver logs) from every visitor:</p>
<ul>
<li>The visitor Internet Protocol (IP) address</li>
<li>The date and time of the request</li>
<li>The page that was requested</li>
<li>The visitor's browser type</li>
</ul>
<p>These items are collected to ensure the security of the service, and are deleted after 14 days to balance our "legitimate interest" (as mentioned in the GDPR) of security with user privacy.</p>
<br />
<p>
<strong>Information in cookies</strong>
</p>
<p>Our cookies for any users of the service may contain this information:</p>
<ul>
<li>The unique session token for the website</li>
<li>User preference for loading high-resolution images</li>
<li>User preference for loading video previews of animated images</li>
<li>User preference for website layout customization</li>
<li>User preference for filtering settings</li>
<li>One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)</li>
<li>A browser fingerprint (see below)</li>
</ul>
<p>Additionally, cookies of users that are logged into the service will contain this information:</p>
<ul>
<li>An encrypted authentication secret unique to the user to persist their login</li>
</ul>
<p>We might add to this list in the future as needed.</p>
<p>These are required for authentication, user security, or customization, which are all "legitimate interests" as above, and thus we cannot ask for consent to use cookies.</p>
<br />
<p>
<strong>Information in user-submitted content</strong>
</p>
<p>User-submitted content is considered by Derpibooru to collectively refer to any content that you may submit to the site, which includes, but is not limited to, comments, images, messsages, posts, reports, source changes, tag changes, and votes.</p>
<p>User-submitted content by users (authenticated or not) may contain any or all the following information:</p>
<ul>
<li>The IP address at the time of submission</li>
<li>The browser fingerprint at the time of submission (see below)</li>
<li>The browser version, as provided by the browser</li>
<li>The browser's user agent string, as provided by the browser</li>
<li>The page on Derpibooru that initiated the submission</li>
</ul>
<p>These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party.</p>
<br />
<p>
<strong>Browser fingerprints</strong>
</p>
<p>Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint. They are irretrievably hashed (by a browser script) from the following attributes:</p>
<ul>
<li>Browser version</li>
<li>Screen width, height, and color depth</li>
<li>Timezone offset</li>
<li>Browser support for storage API</li>
<li>Browser plugins</li>
</ul>
</div>
<div class="rule">
<h2>Information from users with accounts</h2>
<p>
If you
<strong>create an account</strong>
we require some basic information at the time of account creation. You will be asked to provide:
</p>
<ul>
<li>a username, shown on your profile and non-anonymous user-submitted content</li>
<li>a password, stored only as a cryptographic hash</li>
<li>an email address, used only for sending password resets or account unlocking instructions</li>
</ul>
<p>We also store your IP address whenever you log in for security reasons.</p>
</div>
<div class="rule">
<h2>Information that Derpibooru does not collect</h2>
<p>We do not intentionally collect personal information, but users may include it in user-submitted content. We will remove personal information if we deem it too sensitive. Inform us if you believe shared information is too sensitive.</p>
<p>This is especially important because information shared in public user-submitted content may be indexed by search engines or used by third parties without your consent.</p>
</div>
<div class="rule">
<h2>Information that may potentially be shared with third parties</h2>
<p>
We do not in any way share individual account information with third parties except in response to court orders. We make public certain statistics about how users use Derpibooru (for example,
<a href="/pages/stats">about uploads</a>
), without personally-identifying information.
</p>
<p>Most of Derpibooru is public-facing, and third parties may access and use it.</p>
<p>Our advertising network, Project Wonderful, may see your IP address, but nothing else.</p>
</div>
<div class="rule">
<h2>How we secure your information</h2>
<p>Derpibooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.</p>
<p>While in transit, your data are always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic P-384 key. To protect user data on our servers, we strictly limit their access, and require the use of elliptic Ed25519 or 4096-bit RSA keys for server login.</p>
<p>HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Derpibooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, an image proxy server to avoid leaking user IP address information from embedded images on the site, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and an frame policy to prevent clickjacking.</p>
<p>Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.</p>
<p>No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security; we only make a best effort.</p>
</div>
<div class="rule">
<h2>Resolving complaints</h2>
<p>
If you have concerns about the way Derpibooru is handling your personal information, please let us know immediately. You may contact us by emailing us directly at
<%= ::Temple::Utils.escape_html((link_to 'ops@derpibooru.org', 'mailto:ops@derpibooru.org')) %>
.
</p>
</div>
</div>