With the new GDPR laws there MUST be a visible link on every page to the privacy policy; also, the Impressum should have been linked all the time already.
I know that riot doesn't collect any data, but the server that serves the javascript makes download-logs and so on. A server serves a web-page (in this case the riot JS) and that page has to have a link to "Privacy Policy" and "Imprint" (Impressum and Datenschutzerklärung).
Easy to implement: in the Riot config, a link to an Imprint and Privacy webpage must be definable (at least the login screen should have that link).
The Privacy Page should then explain that Riot doesn't collect data and that all data are stored on the homeservers you use. I think so far, the only thing collected is the IP address of the visitor in the server log. That has to be stated there.
The Imprint has to be customizable.
Hi @rubo77 - thanks for your message!
My understanding was that Riot wouldn't need a privacy policy because it doesn't collect any (non-anonymized data). I don't actually know whether we _need_ to advertise that the server (and in the case of https://riot.im, Cloudflare) will log IP addresses for the purposes of mitigating DDoS attacks, etc. (if you could link to references in the regulation that would help my understanding), however I do agree that it is worth calling out - every user of https://riot.im should know that it isn't collecting their data - I'll write something up ASAP.
I also wasn't aware that we needed a visible link on every page (and if you can link to regulation here I'd be particularly appreciative), though I can certainly see the value and it wouldn't be too tricky to add. I'd like us to include both the Riot "no data is captured" notice _and_ the notice from the relevant homeserver (where applicable).
Finally, I'm afraid I'm not sure what the _Imprint_ is - this could be a translation issue - does it refer to the Terms and Conditions?
Thanks again for your help!
@lampholder Yes you need to inform the visitor about EVERY personal data your server collects. You don't need consent if it's technically necessary, but you need to inform. About server logs and about the cloudflare cookie (Art.13 no 1 c-e GDPR).
Impressum/Imprint: See https://en.wikipedia.org/wiki/Impressum :-). This has always been mandatory in D, AU, CH, GB (!). Now all this is ruled by Art.13 no 1 a GDPR.
That information has to be visible on every page according to national regulations in D, AU and CH. The links are usually placed in the page footer. So riot needs 2 more buttons: Privacy policy and Impressum.
And the riot privacy policy should contain a link to the user's home server's privacy policy and the riot impressum a link to the user's home server's impressum. Just in case that somebody would consider these as Joint Controllers, Art. 26 GDPR. And to help users to easily find that stuff.
I guess, this is related to the Cookie-Policy link like in this commit https://github.com/vector-im/riot-web/commit/05e0e842d6aca188ecad64d7f2064b3de168be86
I think we can make a quick change to meet the spirit of this by adding the links to the Riot policies in the settings page.
My reading of Art 13. 1 GDPR is just that we do need to keep people comprehensively informed - not that this needs declaring on every page. Not that I'm against our putting it on the room view of the app, but it would require some thought to design properly.
Something like this:

The Riot docs should all come from the Riot config.
The homeserver docs should all come from the homeserver via an API
As with most of my requests: options to disable please (due to it not applying for our instance) :)
Absolutely - I don't know what the neatest way to implement that is (is the list of Riot.im docs configured in the config.json? If there are no docs do we hide the whole section? Something better without getting too fiddly?)
Associated Riot meta issue: https://github.com/vector-im/riot-meta/issues/191
Regarding this' being optional, we might not want the display of the homeserver's policies to be optional, since that's something every user should really see (and it's arguably not the business of the client to hide it).
Well it'd be optional if the HS itself replies with an empty list of policies
Same goes for config.json if the list is not there/empty the section could be hidden
so in Travis' case, if his HS and riot both have none configured magically it disappears
Including this info into the settings might be a quick and dirty fix but our law would consider this to be "hidden". Legally required info has to be obvious: directly visible from the interface. Please work on including at least one separate button in the interface which could link to "Impressum and privacy information".
I think it must be a button too, but I hope it may be really small, because no-one needs it every day
Can it be dismissed from the user side? I really don't want unnecessary information on a chat client. If I search things like this I take a look either in the Synapse room or on the website of the one building the software, so in this case about.riot.im
Related: #1158
There's also a "Home" button which I have never used and will never use - but I'm still not asking for a possibility to remove it. This information is not for a tech-savvy guy like you @MTRNord but for the "average user" who has no idea what matrix is and what it does.
Anyway, what's so annoying about another button? Riot already has 5 in a row and there's space for a sixth one. While you're at it, remove that unnecessary blank left margin and there's space for 7 buttons ... just an idea.
Looking at this I'm wondering why the community button is outside ... That would be another possibility - use the blank left margin and move all the buttons vertically over the community button.
Still having a footer in a chat app for links I read once in my life if ever is on the top 3 of things I hate having in chat apps but well I can always fork stuff :)
I think all unnecessary links should be hidden behind one menu link
As I think not everyone understood what I meant: I am ok with a banner like the cookie banner that pops up after login and after that doesn't come back. I am also ok with a section inside the settings page. I am NOT ok with a bunch of links on the main "talking" page of riot, as that page is supposed to be distraction free in my opinion, so a footer is a huge no go for me.
By my understanding of GDPR and UK law, the proposed solution (of displaying in the 'settings' section the riot.im privacy notice and t's and c's when configured in config.json, and the homeserver docs when provided by the homeserver) is, I think, fine.
In Germany, Austria and Switzerland, I understand that there is a law requiring this information be accessible from the front page.
So I think we've got two separate tasks:
The alternative is to have the impressum, etc. on the main 'talking' page of the app for everyone - I would only be happy with this if it were _very_ carefully designed so as not to add unnecessary visual noise, and I think this would be very difficult to do with the current design, so my guess would be that we'll go for the approach above for now.
I'm trying to revisit the matrix.org and vector.im privacy regulations just now and I still can't find them via the web interface - neither settings nor button has anything - riotweb 0.16.4.
I wanted to recommend Matrix to some other project for integration but in this state sadly I can't.
@lampholder what's the status of this? Admittedly, I haven't read the history but I think we've accomplished what is required?
Yeah, I'm satisfied that the important part of this has been achieved, at least for every country except Germany/Austria/Switzerland.
I'll make a separate issue to track something specific for those countries.
For the record - the links live in the Legal section of the Help & About tab in settings.
@lampholder would you point out
where to find the Issue for the Solution for DE/AU/... and
FYI: A sample for config.json how to add legal information can be found here
https://riot.im/develop/config.json
@benkees https://github.com/vector-im/riot-web/issues/8891 tracks the specialised work for DE / AU / CH.