Help wanted for GDPR compliance

So Quaddicted and QuakeWiki need a privacy policy and all that. I could use some help from anyone experienced or enthusiastic about that. Post here if you are willing to invest time and sweat into it and prepare to hold my hand. I would create a new subforum for coordination if needed. Thanks!

This is a serious, scary issue and I need competent help on it. Otherwise it will be goodbye to these sites to protect my personal safety.

I assume you are not running Quaddicted as a business. All I see is information for businesses. I’d be happy to pitch in $ for you to hire a consultant.

An interactive “self assessment”

Feel free to look at the and perhaps contact Quasar.

I’ll definitely second what Gez said. For the Doom Wiki, we have basically copied the WMF’s privacy policy, with a couple of additions we felt were necessary due to differences between the way we run things and the way they do (for example, they don’t allow video embedding from YouTube on Wikipedia, so that’s an example of something we need to spell out).

Thanks, you guys! I’ll try to adapt the Doom Wiki page for Quake Wiki but I guess we also need all that cookie warning stuff?

For Quaddicted it’s more complicated, considering the file archive where personal details can be in every zip, etc… :\

Any personal information placed in the text files for the mods that are archived there was volunteered by the people who wrote the text file and sent it for archiving there. It’s entirely under users’ control. Worst case, allow people to contact you to edit hosted files to remove information they’d want to see removed, if they cannot already update the files by themselves. From what I see on the public browsing interface, the “author” field can be pretty much anything (including a team name), the “homepage” field doesn’t have to be filled, and none of the other fields appear to contain personal information.

Could someone else please take a look at Doom Wiki’s policy and adapt it for Quake Wiki? Just add the page there and make sure it applies. Ask if you need information about logs and such.

For Quaddicted I don’t think it is as easy as Gez suggests. I don’t know enough about GDPR and the fear-mongering about it is widespread. File editing is never going to happen with me, nor would I remove releases or information from their readme files.

I’ll probably follow some other sites’ approach and block European IPs as potential countermeasure next month as interim solution. :frowning:

Blocking users on a site like this sounds like an overreaction.
We’ll have to do some digging - maybe there’s some official place to ask?

As far as I know, the following things may be of concern:
  • IP logging (or other means of tracking/identifying general users) - has been deactivated for years here
  • Email addresses - for the forum/DB accounts, not publicly visible
  • Personal information in releases/readmes - sometimes real names and email addresses; however, the files were uploaded voluntarily by the authors (and more so they are only mirrored on Quaddicted); this may not count as collection of personal data by the site?
  • Third-party sites accessing/logging user data - e.g. embedded stuff like ads (no such thing here) or social media buttons which afaik are regular links on this site, with locally hosted images.
  • Monetary aspects possibly? - e.g. the donation button, I don’t really know if it’s relevant
  • Transparency statement - some sort of legal notice (“Impressum”) and information on what kind of data is stored; needs to be easily accessible, ideally from every page
  • Right to be forgotten - should be feasible in terms of forum/DB interaction, accounts and comments can be deleted upon request; as for the releases themselves, maybe the exceptions in apply?
  • Right to request a list of stored personal data - probably nothing to worry about since all data minus the email address is publicly visible anyway (and could be compiled into a single document with some manual work if someone should actually submit such a request)

I noticed there are now disclaimer popups about the use of cookies on many sites. I checked and it seems Quaddicted sets a cookie on first visit, too. Is it possible to only generate a cookie once a user logs in?

Thank you for your input!

Nope, the server logs, it is just not visible to anyone but me.

Still collected and stored.

Definitely still is collection.

There should be almost zero external requests happening. If there are, please tell me and I will neuter them.


I will not publish my private address to the web. It was hard enough to get it removed from WHOIS scrapers some years ago. Maybe we would need to form an e.V.?

Manually on request seems reasonable, I agree. I don’t understand the legalese in that linked document nor can I properly judge Quaddicted (in its whole) in that regard.

Manually on request seems reasonable, I agree.

I don’t know which components set which cookies and when. There is DokuWiki (could be converted to static pages and then dropped), FluxBB (handling auth and the forum, could be dropped too if absolutely necessary as well :(( ) and my own ugly code. I don’t think I could set up a sufficient system about cookies.

I answered to all of these in the context of Quaddicted. QuakeWiki should be fairly easy in comparison, as it is a standard MediaWiki and thanks to DoomWiki there is a readily available policy template to use.

Not an Impressum as such, but a page that details what kind of data is stored and for what purpose.

As far as I see, the site as such isn’t much of a problem. There aren’t any hidden systems or scripts that submit data, and the forum accounts are an opt-in type of thing. The filebase is what we don’t know about, but come to think of it, it isn’t really much different from e.g. tech sites that host tools by various authors (think etc). Doesn’t seem like they shut down their download sections, so how do they handle the GDPR?

fwiw, here is what the Internet Archive says about GDPR in its faq:

I am in contact with someone, let’s hope they can walk me through the important bits. :slight_smile:

IA is a proper archive, they have special legal protection and abilities (see e.g. their ROM hosting).

Thank you Spirit
Really hope you can open your gates again for Europe.

Thanks! Shouldn’t be much of an issue really. We just need to figure out what is needed and implement/write that.


I respectfully request regular updates via Twitter or func_msgboard on this issue please. You have a lot of people worried that a valuable community resource is going to go away for good. People have offered financial help for legal advice or to host files on their own time and with their own resources.

More information and updates would be welcome. Maybe get the conversation going now that you have ppl’s attention? One person has taken it upon themselves to create a mirror of the files and felt that it was okay to do so based on your prior posts here:

Or at least some guidance for what the community should do as an alternative at this time.

That’s a link to a practically already done privacy policy. It’s for wordpress but, plenty of it probably applies to you here. Just go to each section and reword it to suit you. Done. Shame you aren’t on wordpress because, wordpress wrote my privacy policy for me.

On financial support “Thanks, but money is not the issue. What’s needed is someone willing and capable of dealing with it all.”

On hosting I can just say it made me sad to see that people rather rip Quaddicted apart instead of helping Quaddicted comply with laws.

Sorry, I thought I had posted a tweet with @quaddicted about the current status. Did that now! →
I am not going back to func_msgboard or terrafusion.
I am idling in #qc. Maybe we could do some concentrated discussion round some day about the roadmap for Quaddicted with people interested in collaborating? I would love to replace the current setup with something open and distributed.

I am quite irritated that people start building copies without even reaching out to me. Feels like my call for help went unheard and people are happy* to drop the sites in a heartbeat. Just to make one thing clear, the archives we built are in no danger whatsoever.

  • Tell me what is needed for GDPR exactly for the entirety of Quaddicted. E.g. “the site uses cookies” → “write $this”. (I am in contact with someone who offered to walk me through it, so this might be solved and just a matter of time, we will see.)
  • Adapt the Doom Wiki solutions to Quake Wiki.

About Quaddicted being a business or not, I rather err on the business side. There are no financial interests, there are no ads (there were some in the distant past but yuck). But at least in Germany the question is tricky. From what I know (IANAL) the site might be in competition with other, commercial sites and thus be judged (and sued) as such. A “competitor” could “sue” for non-compliance to GDPR and summon hell onto me:

  • I mean it’s clear that the review/db is not up for how people keep releasing things but no one wanted to collaborate on a better system so far, for years

Gypsy: Thanks, but not applicable.

edit: Added business bit.