We provide this information according to the EU Regulation 2016/679 (GDPR) for those who consult the website https://community.nicfab.it. Note that this information applies only to that website and not to other websites that the user may consult through links.
Information to be provided according to Article 13 of the GDPR.
At the outset, it should be clear that the administrator of a Lemmy instance is obliged, in their capacity as data controller, to provide information to the data subject according to Article 13 of the GDPR.
The data controller is Nicola Fabiano (privacy [at] nicfab.it).
What data is collected.
Regarding this point, we must distinguish two steps.
(a) Registration in the community: username, password, and email;
(b) Access to the community and user activities: IP address, username, password, and email.
Registration in the community
We can schematize the account creation process in three steps.
First step - When users create their account, they must choose a nickname and provide an email address. That is the only data voluntarily provided by the user. The nickname chosen by the user should not be the user’s first and last name but a shortened name, nickname, or pseudonym. In this case, it will not be possible to associate the username with the identity of the user, who would be unidentified or even identifiable. It could happen, however, that the user, at the time of registration, uses a username that is already widely known on the network, so much to make it identifiable. The same reasoning also applies to the email address if the user uses one so-called “non-speaking” that does not allow the identification of that person. In any case, the username and email address, individually or jointly, constitute personal data. Once the registration process is completed, the system sends an email to the user who requested registration, inviting them to confirm the request by clicking on a link.
Second Step - Having carried out the procedures described in the previous point, the user stays waiting for validation of the registration request by the instance administrator (i.e., the server).
Third step - The system, via the platform’s web interface, notifies the Lemmy instance administrator that a registration request has been made and presents only the username and not the email address. The administrator can approve or not approve the registration request. If the administrator approves the user’s request, the user’s data (username and email) are recorded in the database on the server.
The user data (username, password, and email) are recorded in the database, and specifically, the passwords are “hashed” (i.e., transformed into alphanumeric strings using the hash function).
Access to the community and user activities
Having completed the account creation process, the user can log in (Login) to the community through the browser, and then the IP address is acquired.
Each user is responsible for the content they intend to post on the Lemmy community.
In that phase, the personal data of users collected are the username, password, email address, and IP address.
Who can access the data and for what activities.
The server administrator (instance) can read data of the activities performed on the community recorded on the server and precisely in the database or log files (username, email, IP address, community web address, type of activity - technically GET or POST).
The administrator only accesses users’ personal data for strictly technical reasons (system analysis, updating application packages, maintenance needs).
We should point out that access to users’ personal data, whether in the database or logs, is a specific activity that is not generally performed except to resolve particular conflicts or errors.
The purposes of the processing.
The purpose is to consult this website or interact by posting content, comments, or creating other communities.
Accessing this website, and requesting to register as a user, means the user gave consent.
Hence, the processing of personal data is based on consent - according to article 6, par. 1, letter a) of EU Regulation 2016/679 - expressed by the user by browsing this website and its consultation, thus accepting this information.
Consent is optional, and the user can withdraw at any time by request sent by email to privacy [at] nicfab.it, specifying that, in this case, whether the user does not consent, they cannot consult this website, either register or remain as a registered user.
Furthermore, the purposes are also related to server maintenance and system and application upgrades; in that case, the legal basis is the legitimate interest according to Article 6, letter f) of the EU Regulation 2016/679.
Legal basis for the processing
The processing of personal data is necessary to pursue the legitimate interest of the data controller to provide information about studies and research, according to art. 6, par. 1, letter f) of EU Regulation 2016/679, in compliance with the provisions of the same Regulation.
Processing of data
The user (data subject) can access this website and navigate through a web browser. Some data are necessary for surfing the Internet and could identify users through processing and association with data held by third parties. In particular, we intend to refer to the IP addresses or domain names of the computers used by users connecting to this website, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, etc. We could use these data uniquely for anonymous statistical information on the use of the website and check its correct functioning and are deleted immediately after processing. We could use data for any responsibility in the hypothesis of computer crimes connected to this website. Data relating to those who have submitted requests to NicFab using the tools on this website are stored for no more than seven days, however, for the time necessary to provide the answers and for any need to ascertain part of the judicial authority.
Data communicated by users
The optional, explicit, and voluntary sending of electronic mail to the addresses indicated on this site involves the acquisition of the sender’s address necessary for the replies and any other personal data contained in the message. These data are processed to respond to messages sent and handle any related requests. Failure to provide personal data for communications with NicFab or send any requests will prevent evading them. We store data for the time strictly necessary for the purposes related to data processing.
The only cookies present are only functional ones and, therefore, no profiling or tracking activities.
What are cookies?
Cookies (small text files that the visited website sends to your device, where they are then stored to be re-transmitted to the same website at the next visit) can be permanent or session, “First-party” (site or domain of origin), or “Third-party” (from third parties). Persistent cookies consist of a text file sent from a web server to a web browser. Once stored by the browser, it remains valid until the scheduled expiration date (unless the visitor deletes it before the time mentioned above). Session cookies expire at the end of the session or when the user closes the web browser. “First-party” cookies are those set by this site; “Third-party” cookies are of a different domain than this one, and they are set up because they use functions managed by third parties. Our website uses the following cookies:
Session cookies (which are not stored permanently on the user’s computer and disappear when the browser is closed) and are strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to allow safe browsing and efficiency of the site. Session cookies used on this site avoid using other technologies that could compromise the privacy of users’ browsing and do not allow the acquisition of personal data.
It is, however, possible for the user to set cookies from the “Preferences” of the browser used and eventually automatically refuse the receipt of cookies by activating the appropriate option: the non-use of technical cookies, however, could involve technical difficulties of interaction with this website.
You can find instructions for disabling cookies on the following web pages:
In the case of sharing the content of this website on other platforms, the collection and use of information by third parties unrelated to this site are governed by their privacy policies to which we invite you to refer; we report references to the leading social platforms:
We do not communicate personal data collected from this website following its consultation to recipients or categories of recipients.
Period for storing personal data
Apart from what is specified above, the data collected by this website during its operation are stored for the time strictly necessary for the activities specified. The data will be deleted or anonymised at the expiry date unless there are no further purposes for storing the same. For analytics purposes (statistics), we use Matomo but on the condition that you have agreed to this by providing consent once you have reached this site.
Transferring personal data to a third country or international organisation
The data controller, the administrator of Lemmy’s instance, does not transfer data outside the European Economic Area (EEA) if Lemmy is installed on the server located within the European Economic Area.
We feel it is appropriate to clarify this further.
Users registered on an instance are always solely responsible for their activities by creating communities or publishing posts or comments.
There is no transfer outside the SEE when registered users on an instance within the same EEA perform activities on the same server (instance). For example, our instance (https://community.nicfab.it) is located in Italy and thus within the EEA. If users registered on our instance perform activities on our server, there is no data transfer outside the EEA. Similarly, there is no data transfer outside the EEA even if registered users on our instance subscribe, publish posts, or comments on other instances - for example - located outside the EEA. Indeed, in the latter case, our instance administrator can access the logs and see only the domain (and thus not even the full URL of the community on which activities are performed) and its IP address. No further user data is transferred outside the EEA by the administrator or automatically by the Lemmy platform. The user should be aware that their username in the form “@username@domainofcommunity” (e.g., in our case, @firstname.lastname@example.org) will be visible in the community in which they have intervened (e.g., to publish posts or comments).
There will be no transfer of data outside the EEA even if the user intends to create a community on the existing Lemmy instance within the same EEA.
All of this is because it is a proper function of the fediverse’s system and the ActivityPub protocol used by Lemmy.
Visitors’ or users’ data are processed lawfully and correctly by adopting appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. Your data in the communication session with this website are protected by a Secure Sockets Layer (SSL) certificate that uses a cryptographic presentation protocol, encrypting the information. In addition to the controller, in some cases, authorized persons may have access to the data as involved in the organization of the website or external subjects (such as third-party technical service providers, hosting providers).
Data subjects’ rights
Users (data subject) of this website may exercise the rights according to Articles 15 to 22 of EU Regulation 2016/679. You can lodge all requests to exercise these rights by writing to privacy [at] nicfab.it
Right to lodge a complaint
Whether a data subject considers that the processing of personal data relating to him or her as performed via this website infringes the Regulation, he or she has the right to lodge a complaint with the Garante according to Article 77 of the EU Regulation 2016/679.