This notice describes how Civilized Discourse Construction Kit, Inc., or CDCK for short, collects and uses personal information. This notice also provides information about the legal rights individuals have concerning their personal information and how you can exercise those rights.
- What is CDCK?
- Who is responsible for data collected about me?
- How does CDCK collect data about me?
- Does CDCK sell my personal information?
- What personal information does CDCK collect, and why?
- Does CDCK use personal information for marketing purposes?
- How can I make choices about data collection?
- Where does CDCK store data about me?
- Does CDCK comply with the EU General Data Protection Regulation?
- How does CDCK safeguard international data transfers after Schrems II?
- Does CDCK comply with the California Consumer Privacy Act?
- Where can I access data about me?
- How can I change or erase data about me?
- Does CDCK make automated decisions based on data about me?
- Does CDCK share data about me with others?
- How does CDCK document compliance for forum hosting customers?
- How can I contact CDCK about privacy?
- What if this privacy notice changes?
What is CDCK?
CDCK is the company home and primary developer of Discourse, open source software for hosting Internet discussion forums. As a company, CDCK hosts forums using Discourse for customers, as well as:
- meta.discourse.org, a discussion forum about Discourse itself,
- discourse.org, a website marketing Discourse and CDCK’s hosting service,
- blog.discourse.org, CDCK’s blog,
- and rubytalk.org, a mirror of the “Ruby-Talk” mailing list for the Ruby programming language.
Who is responsible for data collected about me?
CDCK is the responsible party, or controller, for the data we collect and process for our own purposes. For instance, CDCK is responsible for data about our customers, employees, open source contributors, and visitors to our own websites and forums.
Importantly, CDCK sets only its own privacy practices, not the privacy practices of CDCK customers or others who host forums using our open source software. You should ask all of those involved in administering and hosting Discourse forums that you use for information about their privacy practices.
Privacy inquiries or notices you send to CDCK about forums we host on behalf of our customers will be referred to the appropriate responsible party.
How does CDCK collect data about me?
CDCK collects data about you:
when you browse a forum that CDCK hosts
when you create and use an account on a forum that CDCK hosts
when you post, send private messages, and otherwise participate in a forum that CDCK hosts
when you visit our website at discourse.org
when you sign up for mailing lists and announcements
when you purchase services from us
when you contribute to our open source software
CDCK collects data when you use forums that Discourse hosts, whether you use the forums using a web browser on your own computer, or use CDCK’s Discourse apps for mobile devices.
CDCK does not buy or otherwise receive data about you from data brokers.
Does CDCK sell my personal information or share it to serve behavioral advertising?
No, CDCK does not sell personal information or share it with third parties for the purpose of cross-context behavioral advertising.
What personal information does CDCK collect, and why?
CDCK collects data about visits to forums and to its websites.
CDCK uses data about how you use the website to:
optimize the forum, so that it’s quick and easy to use
diagnose and debug technical errors
defend the forum and CDCK’s websites from abuse and technical attacks
compile statistics on forum and topic popularity
compile statistics on the kinds of software and computers visitors use
CDCK usually stores the data identified above for just a few weeks. In special circumstances, like extended investigations about technical attacks, CDCK may preserve log data longer, for analysis. CDCK stores aggregate statistics about use of the forum for as long as CDCK hosts the forum, but those statistics don’t include data identifiable to you personally.
CDCK collects forum account data.
Many features of forums that CDCK hosts require a forum account. For example, most forums that CDCK hosts require an account to post and reply to topics.
To sign up for a forum account, Discourse requires your name, a user name, and an e-mail address.
CDCK uses your account data to identify you on the forum and to create pages specific to you, such as your profile page. If the forum is public, CDCK publishes your account data according to the forum administrator’s configuration. If the forum is access-restricted, CDCK makes your account data available to everyone who can access the forum, according to the forum administrator’s configuration.
CDCK uses your e-mail address to:
notify you about posts and other activity on the forum
reset your password and help keep your account secure
contact you in special circumstances related to your account
contact you about legal requests, like DMCA takedown requests
You may provide additional data for your account, like a short biography, your location, or your birthday, on the profile settings page for your account. CDCK makes that data available to others who can access the forum. You don’t have to provide this additional information, and you can erase it at any time.
CDCK stores your account data as long as your account remains open.
CDCK collects customer account data.
When you purchase hosting from CDCK, we require certain information from you, including your email address and the information we require to process payments, such as your name and credit card information. We use this information to perform the contract between us, and store it as long as your customer account remains open.
CDCK collects data about posts and other activity on the forum.
CDCK collects the content of your posts, plus data about bookmarks, likes, and links you follow in order to share that data with others, through the forum. If the forum is public, CDCK publishes your activity. If the forum is access-restricted, or access restrictions apply to the specific post, CDCK makes your activity available only to users permitted to see it.
CDCK also collects data about private messages that you send through the forum. CDCK makes private messages available to senders and their recipients, and also to forum administrators.
CDCK stores your posts and other activity as long as your account remains open.
CDCK collects data you give to sign up for mailing lists and announcements.
When you fill out and submit a web form to sign up for mailing lists or announcements, CDCK collects the information you put in the form, such as your e-mail address.
CDCK does not collect sensitive personal information.
CDCK does not intentionally collect or process sensitive personal information, such as government identification numbers, information on racial or ethnic origin, political opinions, genetic data, biometric data, health data, or any of the special categories of personal data specified by the GDPR.
CDCK collects data about open source contributors
Contributors to CDCK’s open source software may be asked to provide identifying and contact information such as your name, email address, telephone number, and mailing address. CDCK also collects and stores information concerning your agreement to our contributor license agreement.
CDCK uses this information to maintain the integrity of our software and software licenses, as well as the integrity of the license agreement between CDCK and our contributors. CDCK stores contributor information for as long as related contributions are incorporated into CDCK’s open source software.
HTTP cookies are small bits of data that websites, like Discourse forums, send to your computer when you visit. When you return to those websites, your computer sends the cookies on your computer back to the website.
Discourse.org uses these cookies:
|_ga||No||2 years||Google Analytics cookie used to collect information about visitors|
|_gid||No||24 hours||Google Analytics cookie used to distinguish users|
|_gat||No||1 minute||Google Analytics cookie to throttle request rate|
|_gcl_au||No||2 months||Google advertising conversion tracking|
|__stripe_mid||Yes||1 year||fraud detection for Stripe payments processing|
|__stripe_sid||Yes||30 minutes||fraud detection for Stripe payments processing|
In addition, look at the privacy notice for your specific forum to find out which cookies that forum uses. By default, all Discourse forums use these cookies:
|Yes||Session||remembers your e-mail as you create an account|
|destination_url||Yes||Session||helps redirect you to your requested page after logging in|
|sso_destination_url||Yes||Session||helps redirect you to your request page after single sign on|
|sso_payload||Yes||Session||used during SSO authentication when two-factor authentication is enabled|
|authentication_data||Yes||Next Page View||temporarily stores user information during login flows|
|theme_ids||Yes||1 year||remembers your theme personalization if you don’t tick “Make this my default theme on all my devices”|
|color_scheme_id||Yes||1 year||remembers your color personalization if you don’t tick “Set default colour scheme(s) on all my devices”|
|dark_scheme_id||Yes||1 year||remembers your color personalization if you don’t tick “Set default colour scheme(s) on all my devices”|
|cn||Yes||Session||temporarily stores notification read state|
|_bypass_cache||Yes||Session||allows the server-side cache to be bypassed during login flows|
|_t||Yes||1440 Hours||remembers who you are when you log in|
|_forum_session||Yes||Session||associates an ID, and other security-related information, with your browsing session|
|dosp||Yes||Next Page View||enables client denial of service protection, a security protection|
|text_size||Yes||1 year||remembers default text size when a user wants to change it on only one device|
|cookietest||Yes||Session||checks if cookies are enabled when authentication fails|
|__profilin||No||Session||used by software developers to bypass rack-mini-profiler|
Discourse forums that serve advertisements, such as with the ads plugin, may also set cookies used to track you and serve advertisements.
Your web browser can show you the cookies you have for any website and help you manage them.
Does CDCK use personal information for marketing purposes?
CDCK may use personal information about our customers and prospective customers in order to directly market our own services and inform you about new products and features that we offer. We also use the information you give to sign up for our mailing lists and announcements to send those messages.
You can always opt out of marketing communications from us, and you have the right to object to any processing of your information for marketing purposes.
How can I make choices about data collection?
You can make choices about how data about you is used on the settings page for your account. When a forum uses access restrictions that vary by category, you can choose who will see your post by choosing the appropriate category.
Most web browsers let you make choices about whether to accept cookies, for specific websites or more generally. aboutcookies.org has instructions for many different web browsers. youronlinechoices.eu and aboutads.info have more information specifically about cookies used for advertising.
CDCK does not respond to the Do Not Track HTTP header.
Where does CDCK store data about me?
Does CDCK comply with the EU General Data Protection Regulation?
CDCK respects privacy rights under Regulation (EU) 2016/679, the European Union’s General Data Protection Regulation (GDPR). Information that GDPR requires CDCK to give can be found throughout this privacy notice, including information on the rights of data subjects.
What are my rights under the GDPR?
The GDPR provides the following rights with respect to personal information about you that we collect or process:
the right to access your personal data
the right to rectification of inaccurate or incomplete personal data
the right to erasure of your personal data
the right to data portability
the right to restrict the processing of your personal data
the right to lodge a complaint with a supervisory authority
Information on how to exercise these rights is provided throughout this notice and linked above. While CDCK strives to make these rights easy to exercise on your own through your account settings, for more complicated inquiries the best option will be to contact us.
How does CDCK safeguard international data transfers after Schrems II?
CDCK relies on the European Commission’s standard contractual clauses for international transfers(SCCs) to legally transfer personal data out of the European Economic Area. Because national security and surveillance laws may be in conflict with European data protection rules, CDCK continually reassesses the practical reach of these laws to ensure our data transfers are adequately safeguarded.
CDCK uses subprocessors with personnel and computers outside the European Union.
CDCK has personnel in the United States, Australia, and other non-EU countries without EU adequacy decisions under GDPR. These people need access to forum personal data in order to keep forums running, address security concerns, respond to privacy-related requests from users, field technical support requests, and otherwise assist customers.
CDCK no longer participates in Privacy Shield, following its invalidation as an adequate safeguard for EU-US data transfers.
CDCK’s standard data processing addendum incorporates the standard contractual clauses.
CDCK is very likely subject to section 702 of the Foreign Intelligence Surveillance Act in the United States, a law that the European Court of Justice has found inadequately protects the rights and freedoms of data subjects.
CDCK has never received any order or request for personal data under FISA 702 or any similar national security or surveillance law of any other country. CDCK is not subject to any court order or legal obligation that would prevent it from disclosing the existence or non-existence of such an order or request.
CDCK has adopted a policy for how we will respond to those orders and requests, in case we ever receive one. CDCK will suspend processing, notify any customer for forums we host for others, minimize disclosure, and resist disclosure of personal data, all as the law allows.
Does CDCK comply with the California Consumer Privacy Act?
CDCK complies with its obligations under the California Consumer Privacy Act (CCPA). CDCK does not sell your personal information within the meaning of that law. Information on CCPA user rights — such as accessing or deleting your personal information — can be found throughout this privacy notice. So can information about specific CCPA consumer rights, like requesting disclosure about information CDCK collects and requesting deletion of your personal information.
CDCK is not presently a “business” for the purposes of the CCPA, but we may act as a service provider for CCPA businesses when we host forums on behalf of customers. We offer a standard Service Provider Agreement for CCPA business customers.
Where can I access data about me?
You can see your account data at any time by visiting your account page on the forum. Your account page also lists your posts and other activity on the forum.
Your account activity page also includes a link to download all of your activity in standard comma-separated values format.
If you do not have account with us but have a data access request, please contact us.
How can I change or erase data about me?
You can change your account data at any time by visiting the profile settings page for your account. The settings for a particular forum may also allow you to close your account, on the settings page for your account. Closing your account starts a process of erasing or anonymizing CDCK’s records of data you provided for your account. Forum administrators can also erase and anonymize accounts.
Depending on the settings for your particular forum, you may also be able to edit, anonymize, or erase your posts. When you edit posts, CDCK will keep all versions of your posts. Forum administrators can view old versions of posts, and optionally make them visible to other forum visitors.
Does CDCK make automated decisions based on data about me?
CDCK classifies posts as spam automatically.
CDCK uses data about your posts and other activity on many forums to make automated decisions about whether your posts to meta.discourse.org and most forums that CDCK hosts are spam. When Akismet decides that a post is likely spam, the forum refuses to accept the post.
If you think a post has been wrongly blocked or removed, contact an administrator of your forum. They can override the decision that a post was spam.
CDCK uses data about posts and activity to set trust levels automatically.
Depending on how administrators of your forum configure the forum, the forum may use data about your posts and activity to award you badges and calculate a trust level for your account. Your trust level may affect how you can participate in the forum, such as whether you can upload images, as well as give you access to moderation and management powers in the forum. Your trust level therefore reflects forum administrators’ confidence in you, and their willingness to delegate community management functions, like moderation.
If you think your trust level has been set incorrectly, contact an administrator of your forum. They can manually adjust the trust level of your account.
Does CDCK share data about me with others?
CDCK shares account data with others as mentioned in the section about account data.
CDCK shares data about your posts and other forum activity with others as mentioned in the section about forum data.
CDCK uses the subprocessors listed on our subprocessors page when providing forums on behalf of our customers. We may also share personal data with the service providers we use in order to transact with customers, host our website, deliver content, secure our services, store data, host and manage our open source project, market our services, and provide customer support. These service providers include:
- Akismet, for spam filtering
- Amazon Web Services, for storage
- GitHub, for open source development
- Google, for analytics and storage
- Stripe, for processing payments
How does CDCK document compliance for forum hosting customers?
CDCK provides a standard data processing addendum for European Union General Data Protection Regulation compliance on request. The addendum incorporates the non-EU/non-EEA processor standard contractual clauses of Commission Decision 2010/87/EU for any regulated transfers.
CDCK also provides a standard addendum for compliance with the California Consumer Privacy Act on request.
How can I contact CDCK about privacy?
You can send questions, requests, and complaints to:
Civilized Discourse Construction Kit, Inc email@example.com
European Users with questions or complaints about GDPR compliance should also address CDCK’s representative in the Union via email at firstname.lastname@example.org or via mail to
M. Régis Hanol Civilized Discourse Construction Kit, Inc 78 Allée Primavera Centre UBIDOCA, 15232 Pringy 74370 ANNECY FRANCE
For complaints under GDPR, European Union users may lodge complaints with their local data protection supervisory authorities.
How can I find out about changes?
This version of CDCK’s privacy questions and answers took effect February 9, 2023.
CDCK will post the next version at https://meta.discourse.org/privacy. CDCK may change how it announces changes in future versions.
In the meantime, CDCK may update its contact information without announcing a change. Please refer to https://meta.discourse.org/privacy for the latest contact information at any time.