Privacy and security policy

The content of this policy may be adjusted at any point.

General

The operator of the service has no interest in collecting your personal data or tracking your activities on the service. Any data collected is to maintain the security and funtionality of the service.

Reasonable efforts are made to secure the service infrastructure as well as the functionality provided by the service.

Data

Service location

The service is operated from the UK and where possible infrastucture and data resides in the UK.

More specific information is provided in the breakdowns below.

Sale of data

Personal data and data relating to usage of the service is not sold or provided to any third party.

Collection and processing of data

The collection of data relating to usage of the service is as limited as possible within the constraints of:

• providing a secure service
• providing a functional service.

User IP address (client IP address) is seen and used by the service, and service suppliers, in order to function.

Beyond the statements immediately above, data about service usage is not persisted unless otherwise stated in a sub-section dedicated to a service component as broken down below.

DNS

All authoriative DNS for the service is provided by Bunny DNS. Bunny DNS provides logging features but these are not enabled.

The feed

The feed is published to Bunny Storage and served by Bunny CDN. Bunny CDN provides logging features which are enabled however the "remove one octet" option is used remove the last octet of the IP.

Information available in the CDN logs is:

• HTTP status code
• Whether the cache was hit or not
• Timestamp
• Client IP address (last octet removed)
• User agent string
• Size of HTTP response
• HTTP path
• Estimate of client country (determined by IP address)
• An identifier generated by Bunny CDN for that specific request.

This information is used to help determine the health of the service based on cache hits, HTTP responses, and understanding the amount of traffic being received.

Search

Search is a server side service that uses dynamic components to receive and process requests in order to generate a response to the search performed.

Search queries strings are not logged.

User IP address is used for rate limiting and is collected (logged) for the sole purporse of service security (anti-abuse). These are necessary activities.

To limit abuse of the service rate limiting using client IP address against a sliding window. This should not negatively impact a legitimate user of the service. When a rate limit is hit, a HTTP 529 response and/or a user friendly message will also make it obvious that a limit has been hit. On hitting a limit waiting 30 minutes should allow the service to be used again.

Responses are generated based on the search strings entered by the user and the filters applied by the user.

Responses from the service are logged to allow for monitoring of service health. Response logs are kept for up to 10 days (240) hours. The response data logged is:

• Timestamp
• HTTP Response Code
• Number of search results responded with or any errors returned
• IP address
• The amount of time taken to generate the response.

Suppliers

This service relies on the following suppliers:

• Bunny
  • Bunny DNS
  • Bunny Storage
  • Bunny CDN
• DigitalOcean
  • LBaaS (uses LetsEncrypt, they do the TLS offloading and send traffic via HTTP to backend servers)
  • Droplets (backend servers are droplets)
  • Spaces (used for backups and other internal service object storage)
• LetsEncrypt

as well as numerous free and open source software (FOSS) and other free to use software including:

• Fedora Linux
• NGINX
• Python.