Initial commit

Ronald Huynen
2026-03-23 21:37:59 +01:00
commit 2547717edb
2193 changed files with 972171 additions and 0 deletions

@@ -0,0 +1,406 @@
# Privacy Policy for Timebank.cc
**Last Updated:** January 1, 2026
## 1. Introduction
Timebank.cc ("we," "our," or "the platform") is committed to protecting your privacy and giving you control over your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
**Our Privacy Principles:**
- We collect only the data necessary for platform functionality
- We never sell or share your data with third parties
- We don't use tracking cookies or external analytics
- We give you full control over your data
- We practice data minimization and privacy by design
- Our platform is built with open source software
- You control what personal data is stored and its precision level
## 2. Data Controller
**Timebank.cc** (legal entity: association Timebank.cc / vereniging Timebank.cc)
Zoutkeetsingel 77
2515 HN Den Haag
The Netherlands
Email: info@timebank.cc
Support: support@timebank.cc
For privacy-related inquiries, contact us at: info@timebank.cc
## 3. What Data We Collect
### 3.1 Account Information
When you create an account, we collect:
- **Username** (publicly visible)
- **Full name**
- **Email address** (for authentication and important notifications)
- **Phone number** (optional, for account recovery as last resort)
- **Password** (encrypted and never stored in plain text)
### 3.2 Profile Information
**You have complete control over what profile information to provide:**
- Profile description
- Skills and interests
- Availability preferences
- Location (you choose the precision level: none, city, region, or custom distance)
- Any other personal information
**Important:** You decide what personal data is stored. The platform will not store any profile information without your explicit choice to provide it.
### 3.3 Transaction Data
To facilitate timebanking, we record:
- Time exchange transactions
- Time credits balance
- Service offerings and requests
- Messages between users (encrypted where technically feasible)
### 3.4 Technical Data
We collect minimal technical information necessary for platform security:
- **IP address of your last login** (for security monitoring, fraud prevention, and account recovery)
- Retained for 180 days, then automatically deleted
- Used only for security purposes and account recovery
- **Online presence data** (for real-time messaging features)
- Online/offline status
- Last seen timestamp
- Recent activity for presence detection (within 5-minute threshold)
- Data is automatically deleted after inactivity or when you log out
- Browser type and version (for compatibility)
- Device type (for responsive design)
- Login timestamps (for security)
- Error logs (for technical maintenance)
**We do NOT collect:**
- Browsing history outside our platform
- Location tracking data
- Social media information
- Data from third-party cookies or trackers
- Any analytics or behavioral data
## 4. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on:
- **Contract Performance (Art. 6(1)(b))**: Processing necessary to provide timebanking services
- **Consent (Art. 6(1)(a))**: For optional features like phone number sharing
- **Legitimate Interests (Art. 6(1)(f))**: For platform security, fraud prevention, and service improvement
- **Legal Obligation (Art. 6(1)(c))**: To comply with legal requirements
## 5. How We Use Your Data
### 5.1 Platform Functionality
- Creating and managing your account
- Facilitating time exchanges between members
- Enabling communication between users via in-platform messaging
- Maintaining time credit balances
- Sending essential platform notifications via email (account security, transaction confirmations)
- Delivering user-to-user messages via email notifications (when enabled by you)
### 5.2 Account Security
- Verifying your identity during registration
- Recovering access to lost accounts (via phone verification)
- Detecting and preventing fraud and abuse
- Ensuring platform security
### 5.3 Platform Improvement
- Analyzing usage patterns (anonymized data only)
- Fixing technical issues
- Improving user experience
- Developing new features
## 6. Data Sharing and Disclosure
### 6.1 Within the Platform
- **Usernames only** are visible to other platform users (and may appear on social media if you create events/posts that are shared)
- **Full names are not** displayed publicly outside the platform or shared on social media
- **Profile information** you choose to share is visible to logged-in members
- **Phone numbers** are only shared if you explicitly grant permission to specific users
- **Transaction history** is visible only to the parties involved
- **Online status** (presence) is visible to other logged-in members to facilitate real-time connections and messaging
- Your online/offline status is shown when you're actively using the platform
- Last seen timestamps help members know when you were last active
- This information is used only for platform messaging features
- No sensitive personal data is exposed through presence tracking
- **Profile visibility** automatically adjusts based on account status:
- Inactive profiles (no login for 2 years) are hidden from search and labeled as inactive
- Profiles with unverified email addresses have limited visibility
- Incomplete profiles have limited visibility until profile information is added
- You control what profile information to make visible
### 6.2 No External Sharing
We do NOT:
- Sell your personal data to anyone
- Share your data with advertisers
- Provide your data to data brokers
- Use external analytics or tracking services
**Search Engine Protection:** We actively prevent search engines from indexing platform content, ensuring your profile and activities are not discoverable through external search engines.
**Social Media Sharing:** Events and posts may be shared on social media platforms by their organizers/creators. When an event or post is shared on social media, the following information becomes visible outside our platform:
- Event or post content
- Username of the organizer/creator
**Important:** Only usernames are shared on social media, never full names. The sharing of events/posts is controlled by the organizer/creator of that content. Regular platform activities, profiles, and transactions are not shared on social media.
### 6.3 Legal Requirements
We may disclose data only when:
- Required by law (court order, legal obligation)
- Necessary to protect rights, safety, or property
- In case of suspected illegal activity
In such cases, we will notify you unless legally prohibited.
### 6.4 Service Providers
We use minimal essential service providers who operate under strict data processing agreements:
**Hosting:** Greenhost.nl (The Netherlands)
- Location: EU-based (Netherlands), ensuring GDPR compliance
- Greenhost is a privacy-focused and sustainable hosting provider committed to internet freedom
- Data Processing Agreement (DPA) in place as required by GDPR Article 28
- More information: https://greenhost.net/internet-freedom/
**Email Service:** Greenhost.nl email service (The Netherlands)
- Provided by same hosting provider (Greenhost.nl)
- Location: EU-based (Netherlands)
- Data Processing Agreement (DPA) in place
- Privacy-focused email infrastructure
**What is a Data Processing Agreement (DPA)?**
A DPA is a legally binding contract required by GDPR Article 28 between us and our service providers. It ensures that:
- Service providers only process your data on our instructions
- Your data is handled according to GDPR standards
- Service providers implement appropriate security measures
- Service providers cannot use your data for their own purposes
- We can audit their data handling practices
- Data is only used for providing the specific services we contracted
All service providers are GDPR-compliant and process data only on our instructions under formal Data Processing Agreements.
## 7. International Data Transfers
Your data is stored within the European Union (Netherlands) through our EU-based hosting provider, Greenhost.nl. This means your data benefits from strong EU data protection laws and does not require additional safeguards for international transfers.
We do not transfer personal data outside the EU. If we must transfer data outside the EU in the future, we will ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other legally approved mechanisms
You will be notified of any changes to our data storage location.
## 8. Data Retention
We retain your personal data only as long as necessary:
- **Active accounts**: Data retained while your account is active and you continue using the platform
- **Inactive accounts**: Automated deletion process after 2 years of inactivity:
- After 2 years (730 days) with no login: First warning email sent
- After 2 years + 30 days: Second warning email sent
- After 2 years + 60 days: Final warning email sent
- After 2 years + 90 days: Profile and personal data automatically deleted, transaction/message data anonymized
- **Account deletion requests**: When you delete your account, data is retained for 30 days (allowing recovery if deletion was accidental), then permanently deleted
- **IP address logs**:
- Automatically deleted after 180 days
- **Transaction records**: Retained in anonymized form after account deletion or inactivity (for platform integrity and dispute resolution)
- **Messages**: Retained while account is active; anonymized after inactivity period or account deletion
After the 30-day account deletion period, all personal identifiers are permanently removed from our systems. All cleanup processes are fully automated via scheduled tasks.
## 9. Your Rights Under GDPR
You have the following rights:
### 9.1 Right of Access (Art. 15)
Request a copy of all personal data we hold about you.
### 9.2 Right to Rectification (Art. 16)
Correct inaccurate or incomplete data.
### 9.3 Right to Erasure / "Right to be Forgotten" (Art. 17)
Request deletion of your personal data (subject to legal retention requirements).
**Account Deletion Process:**
- You can delete your account at any time through your account settings
- Data is retained for 30 days to allow recovery if deletion was accidental
- After 30 days, all personal identifiers are permanently removed
- Transaction and message data is anonymized (removing all identifying information)
- **Time credit balances:** You may optionally donate your remaining balance to an organization of your choice before deletion, otherwise the balance is removed from circulation
- Deletion is irreversible after the 30-day period
### 9.4 Right to Restriction of Processing (Art. 18)
Limit how we use your data in certain circumstances.
### 9.5 Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format.
### 9.6 Right to Object (Art. 21)
Object to processing based on legitimate interests.
### 9.7 Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time for consent-based processing.
### 9.8 Right to Lodge a Complaint
File a complaint with your national data protection authority.
**To exercise your rights:**
- **Data export**: Use the automated export tool in your account dashboard to download all your data (transaction history as CSV, profile data in structured format)
- **Account deletion**: Use the self-service deletion option in your account settings
- **Other requests**: Contact us at [privacy@timebank.cc]
Most rights can be exercised directly through your account dashboard without needing to contact us.
## 10. Cookies and Tracking
### 10.1 Our Cookie Policy
We use **only strictly necessary cookies** required for platform functionality:
- **Session cookies**: To keep you logged in securely
- **Security cookies**: To protect against unauthorized access and CSRF attacks
- **Preference cookies**: To remember your chosen settings
**We do NOT use:**
- Analytics cookies
- Advertising cookies
- Tracking cookies
- Third-party cookies of any kind
- Social media cookies
- Profiling cookies
### 10.2 No Cookie Banner Required
Because we use only essential cookies that are strictly necessary for the platform to function, we do not require cookie consent under GDPR. No cookie banner is displayed.
### 10.3 Cookie Control
You can delete cookies through your browser settings at any time. However, disabling essential cookies will prevent you from logging in and using the platform.
## 11. Security Measures
We implement industry-standard security practices:
- **Encryption**: Data encrypted in transit (TLS/SSL) and at rest
- **Access controls**: Strict internal access policies
- **Session timeouts**: Automatic logout after inactivity based on profile type to protect against unauthorized access:
- User profiles: 120 minutes of inactivity
- Organization profiles: 60 minutes of inactivity
- Bank profiles: 30 minutes of inactivity
- Admin profiles: 360 minutes of inactivity
- **Regular security audits**: Routine vulnerability assessments
- **Secure authentication**: Password hashing with modern algorithms
- **Two-factor authentication**: Optional 2FA via authenticator app (such as Google Authenticator, Authy) for enhanced security
- **Incident response**: Procedures for data breach notification within 72 hours (GDPR Art. 33)
## 12. Open Source Commitment
**Timebank.cc is built entirely with open source software.** This means:
- **Transparency**: Anyone can review the code for security and privacy
- **Community auditing**: Security researchers can identify and report vulnerabilities
- **No hidden functionality**: What you see is what you get - no secret tracking or data collection
- **Trust through verification**: You don't have to take our word for it - verify our privacy claims by reviewing the code
- **Community-driven**: Improvements and security patches benefit from community contributions
Our commitment to open source demonstrates our dedication to transparency and user privacy.
## 13. Children's Privacy
Timebank.cc requires users to be at least **18 years old**. During registration, all users must confirm they meet this age requirement via a mandatory checkbox.
We do not knowingly collect data from anyone under 18. If we discover we have inadvertently collected personal data from someone under 18, we will delete it immediately. Parents or guardians can report underage accounts to info@timebank.cc.
## 14. Phone Number Use
### 14.1 Purpose
Phone numbers are optional and used solely for:
- Account recovery as a last resort if you lose access to your account
- Voluntary display on your profile as a communication method with other platform users (only if you choose to enable this)
### 14.2 Two-Factor Authentication
We offer two-factor authentication (2FA) via **authenticator apps** (such as Google Authenticator, Authy, 1Password, etc.), not via SMS or phone-based verification. This provides better security and does not require a phone number.
### 14.3 Privacy Protection
- Phone numbers are **never shared outside the platform** or with third parties
- Phone numbers are **never shared with other service providers** or data processors
- Phone numbers are visible to other platform users **only if you explicitly choose** to display them on your profile
- We do not send SMS messages or verification codes to your phone
- We do not use your phone number for marketing or communications
### 14.4 User Control
- Phone number is optional
- You can add or remove it at any time in your account settings
- You can choose whether to display it on your profile
- Removing your phone number does not affect 2FA (which uses authenticator apps)
## 15. Changes to This Policy
We may update this Privacy Policy to reflect changes in:
- Platform features
- Legal requirements
- Privacy practices
**We will notify you of material changes through:**
- Email notification
- Prominent notice on the platform
- Requiring re-acceptance for significant changes
Previous versions will be archived at [URL].
## 16. Data Protection Officer
[If required] You can contact our Data Protection Officer at:
[DPO name]
[Email]
[Address]
## 17. Contact Us
For privacy questions or to exercise your rights:
**General inquiries:** info@timebank.cc
**Support:** support@timebank.cc
**Address:**
Timebank.cc
Zoutkeetsingel 77
2515 HN Den Haag
The Netherlands
**Response time:** We aim to respond within 30 days (GDPR requirement)
**Languages:** This privacy policy and our platform are available in English, Dutch, French, Spanish, and German.
## 18. Supervisory Authority
If you believe we have not addressed your concerns, you have the right to lodge a complaint with your local data protection authority. Find your authority at: https://edpb.europa.eu/about-edpb/board/members_en
---
## Appendix: Data Processing Activities
For transparency, here's a summary of our data processing:
| Purpose | Data Types | Legal Basis | Retention |
|---------|-----------|-------------|-----------|
| Account creation | Email, username, password | Contract | Active account + 30 days after deletion |
| Platform communication | Messages, timestamps | Contract | Active + 2 years inactivity (with warnings), then anonymized |
| Account recovery | Phone number (optional) | Consent | Until removed by user |
| Security & fraud prevention | IP address (last login) | Legitimate interest | 180 days |
| Transaction records | Time credits, exchange details | Contract | Active + 2 years inactivity (with warnings), then anonymized |
| Profile data | User-controlled personal info | Contract/Consent | Active + 2 years inactivity (with warnings), then deleted |
---
**By using Timebank.cc, you acknowledge that you have read and understood this Privacy Policy.**
---
## Why Timebank.cc is Different
At Timebank.cc, privacy isn't an afterthought—it's foundational to everything we do:
- **Open Source**: Our code is transparent and auditable by anyone
- **No Tracking**: We don't use analytics, cookies, or trackers that follow you
- **You Control Your Data**: Decide what to share and how precise your information is
- **Auto-Delete**: Inactive data doesn't sit forever—it's automatically cleaned up
- **Easy Export**: Download your data anytime, no questions asked
- **Easy Delete**: One-click account deletion, no runaround
- **Sustainable Hosting**: We use Greenhost.nl, a privacy-focused and sustainable hosting provider committed to internet freedom
- **EU-Based**: Your data stays in the Netherlands, protected by strong EU privacy laws
We believe time banking should be built on trust, and trust starts with respecting your privacy.
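
Review bot: Sections 15 and 16 still carry unfilled template placeholders (`Previous versions will be archived at [URL].`, `[If required] You can contact our Data Protection Officer at:`, `[DPO name]`, `[Email]`, `[Address]`), and section 9 gives the contact as `[privacy@timebank.cc]` in brackets while sections 2 and 17 direct privacy inquiries to info@timebank.cc. Fill these in, or drop section 16 if no DPO is required, and settle on one privacy contact address before this text is published. In section 11 the admin profile has the longest inactivity timeout (360 minutes) while bank profiles get 30 minutes. If that is intentional, add a sentence of rationale; otherwise the most privileged profile type should not have the most permissive timeout. Two pairs of statements also need reconciling so the policy describes one behaviour: section 3.4 says no analytics or behavioral data is collected, yet section 5.3 lists `Analyzing usage patterns (anonymized data only)`; and section 5.2 describes account recovery `via phone verification`, while section 14.3 says no SMS messages or verification codes are sent to the phone. Finally, section 3.1 lists full name among the collected account data, but the "Account creation" row of the appendix table names only email, username and password.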