feat: scrub user data in Sentry config and update imprint

jkrumm · May 16, 2024 · 3592c44 · 3592c44
1 parent 83cc217
commit 3592c44
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 5 deletions.
diff --git a/sentry.client.config.ts b/sentry.client.config.ts
@@ -18,6 +18,19 @@ Sentry.init({
   // Setting this option to true will print useful information to the console while you're setting up Sentry.
   debug: env.NEXT_PUBLIC_NODE_ENV === 'development',
 
+  // Removes personal data from the event to ensure privacy regulations from GDPR
+  beforeSend(event) {
+    if (event.user) {
+      delete event.user.email;
+      delete event.user.ip_address;
+      delete event.user.geo;
+    }
+    if (event.request?.headers) {
+      delete event.request.headers;
+    }
+    return event;
+  },
+
   // TODO: think about Session Replay
 
   // replaysOnErrorSampleRate: 1.0,

diff --git a/sentry.edge.config.ts b/sentry.edge.config.ts
@@ -2,9 +2,10 @@
 // The config you add here will be used whenever one of the edge features is loaded.
 // Note that this config is unrelated to the Vercel Edge Runtime and is also required when running locally.
 // https://docs.sentry.io/platforms/javascript/guides/nextjs/
-import * as Sentry from '@sentry/nextjs';
 import { env } from 'fpp/env';
 
+import * as Sentry from '@sentry/nextjs';
+
 Sentry.init({
   enabled: env.NEXT_PUBLIC_NODE_ENV !== 'development',
 
@@ -17,4 +18,17 @@ Sentry.init({
 
   // Setting this option to true will print useful information to the console while you're setting up Sentry.
   debug: false,
+
+  // Removes personal data from the event to ensure privacy regulations from GDPR
+  beforeSend(event) {
+    if (event.user) {
+      delete event.user.email;
+      delete event.user.ip_address;
+      delete event.user.geo;
+    }
+    if (event.request?.headers) {
+      delete event.request.headers;
+    }
+    return event;
+  },
 });
diff --git a/sentry.server.config.ts b/sentry.server.config.ts
@@ -1,9 +1,10 @@
 // This file configures the initialization of Sentry on the server.
 // The config you add here will be used whenever the server handles a request.
 // https://docs.sentry.io/platforms/javascript/guides/nextjs/
-import * as Sentry from '@sentry/nextjs';
 import { env } from 'fpp/env';
 
+import * as Sentry from '@sentry/nextjs';
+
 Sentry.init({
   enabled: env.NEXT_PUBLIC_NODE_ENV !== 'development',
 
@@ -16,4 +17,17 @@ Sentry.init({
 
   // Setting this option to true will print useful information to the console while you're setting up Sentry.
   debug: false,
+
+  // Removes personal data from the event to ensure privacy regulations from GDPR
+  beforeSend(event) {
+    if (event.user) {
+      delete event.user.email;
+      delete event.user.ip_address;
+      delete event.user.geo;
+    }
+    if (event.request?.headers) {
+      delete event.request.headers;
+    }
+    return event;
+  },
 });
diff --git a/src/pages/imprint.tsx b/src/pages/imprint.tsx
@@ -42,10 +42,25 @@ const Imprint: NextPage = () => {
           </div>
           <div>
             <h1>Privacy Policy</h1>
+            <h2>Summary (TL;DR)</h2>
+            We are highly committed to protecting your privacy. We collect
+            anonymized website usage analytics to improve our services and
+            ensure compliance with the General Data Protection Regulation
+            (GDPR). We do not use cookies or store any personally identifiable
+            information (PII). Any data collected by us or third-party systems
+            is scrubbed, encrypted, and anonymized. Detailed policies are
+            provided below.
+            <br />
+            As an open-source project, we are transparent about our practices
+            and welcome any questions or concerns. Please use our contact form
+            to reach out. We are happy to provide further information.
+            <br />
+            <br />
+            <h2>Detailed Privacy Policy</h2>
             We collect <strong>anonymized website usage analytics</strong> to
             enhance our services and user experience, ensuring our full
-            compliance with the General Data Protection Regulation (GDPR),
-            without employing cookies or other continuous tracking technologies.
+            compliance with the GDPR, without employing cookies or other
+            continuous tracking technologies.
             <br />
             The data we accumulate includes{' '}
             <strong>generic device details</strong> (such as type, OS, browser),
@@ -100,14 +115,40 @@ const Imprint: NextPage = () => {
             in the room.
             <br />
             <br />
+            We utilize <strong>Sentry</strong> for error tracking to improve our
+            services.{' '}
+            <a
+              href="https://sentry.io/trust/privacy/gdpr-best-practices/"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              We configured Sentry
+            </a>{' '}
+            to be fully GDPR compliant and ensuring the security and privacy of
+            data. You can read more about their privacy practices here:{' '}
+            <a
+              href="https://sentry.io/trust/privacy/"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              {/* eslint-disable-next-line react/no-unescaped-entities */}
+              Sentry's Privacy Policy
+            </a>
+            . In our implementation, we ensure that no PII is sent to Sentry.
+            Our configuration and implementation removes user details (request
+            headers, user context and ip address) before sending an error event
+            to Sentry to maintain our commitment to GDPR compliance.
+            <br />
+            <br />
             Personal details offered through our <strong>
               contact form
             </strong>{' '}
             (name and email), in agreement with GDPR definitions, are managed
             with utmost confidentiality and used solely for responding to your
             inquiries. We will seek your consent prior to using this data for
             any unrelated purpose. Moreover, we do not use any third-party
-            services for our contact form, which could store your data.
+            services for our contact form, which could access or store your
+            data.
             <br />
             <br />
             Our website runs on a proprietary <strong>database</strong> system
@@ -127,6 +168,26 @@ const Imprint: NextPage = () => {
             compliance.
             <br />
             <br />
+            <h2>Data Retention</h2>
+            We ensure that all Ably channels are automatically closed and
+            deleted after 5 minutes of inactivity or when the last user leaves.
+            Our analytics are fully GDPR compliant and are anonymized in such a
+            {/* eslint-disable-next-line react/no-unescaped-entities */}
+            way that they cannot be linked back to any individual's identity, IP
+            address, email, or username. Therefore, we typically do not aim to
+            delete the analytics data since it is already anonymized and poses
+            no risk to user privacy.
+            <br />
+            <br />
+            <h2>User Rights Under GDPR</h2>
+            You have the right to access, rectify, or delete any data we hold
+            about you. Since we do not store any personally identifiable
+            information, we or third-party tools do not hold any data in this
+            regard. However, we are open to deleting even the anonymized data if
+            requested. Please reach out to us using our contact form for such
+            requests.
+            <br />
+            <br />
             <h1 id="license">Project License</h1>
             The project is licensed under the GNU Affero General Public License
             v3.0 (AGPLv3). This license ensures that derivative work will be