Parametrized privacy policy, unified and refined nine/non-nine landing pages (#89)

- move web sources to markdown
- integrate privacy policy template
- create and use chatmail.ini file to driving web-page generation 

Co-authored-by: missytake <missytake@systemli.org>

---------

Co-authored-by: missytake <missytake@systemli.org>

.gitignore

@@ -3,6 +3,11 @@ __pycache__/
 *.py[cod]
 *$py.class
 *.swp
+www/privacy.html*
+www/index.html*
+www/info.html*
+*qr-*.png
+
 
 # C extensions
 *.so

README.md

@@ -1,3 +1,6 @@
+
+<img width="800px" src="www/collage-top.png"/>
+
 # Chatmail instances optimized for Delta Chat apps 
 
 This repository helps to setup a ready-to-use chatmail instance
@@ -22,27 +25,30 @@ after which the initially specified password is required for using them.
 
     export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host
 
-4. Deploy the chat mail instance to your chatmail server: 
+4. Fill in privacy contact data into the `chatmail.ini` file
+
+5. Deploy the chat mail instance to your chatmail server: 
 
     scripts/deploy.sh 
 
-   This script uses `pyinfra` and `ssh` to setup packages and configure
-   the chatmail instance on your remote server. 
+   This script remotely sets up packages and configures the chatmail provider. 
 
-5. Run `scripts/generate-dns-zone.sh` and 
+6. Run `scripts/generate-dns-zone.sh` and 
    transfer the generated DNS records at your DNS provider
 
 
 ### Home page and getting started for users 
 
-- The `deploy.sh` script deploys a default `index.html` 
-  along with a QR code that users can click to 
-  create accounts on the chatmail provider. 
+The `deploy.sh` script deploys 
 
-- Start a Delta Chat app and create a new account 
-  by typing an e-mail address with an arbitrary username 
-  and `@<your-chatmail-domain>` appended. 
-  Use an at least 10-character random password. 
+- a default `index.html` along with a QR code that users can click to 
+  create accounts on your chatmail provider,
+
+- a default `info.html` that is linked from the home page,
+
+- a default `policy.html` that is linked from the home page. 
+
+All files are generated by the according markdown `.md` file in the `www` directory.
 
 
 ### Ports

chatmail.ini

@@ -0,0 +1,15 @@
+[config]
+
+privacy_postal =
+    Merlinux GmbH, Represented by the managing director H. Krekel,
+    Reichgrafen Str. 20, 79102 Freiburg, Germany
+
+privacy_mail = delta-privacy@merlinux.eu
+
+privacy_pdo =
+    Prof. Dr. Fabian Schmieder, lexICT UG (limited), Ostfeldstr. 49, 30559 Hannover.
+    You can contact him at *delta-privacy@merlinux.eu* (Keyword: DPO)
+
+privacy_supervisor =
+    State Commissioner for Data Protection and Freedom of Information of
+    Baden-Württemberg in 70173 Stuttgart, Germany.

deploy-chatmail/pyproject.toml

@@ -7,7 +7,9 @@ name = "deploy-chatmail"
 version = "0.1"
 dependencies = [
   "pyinfra",
+  "pillow",
   "qrcode",
+  "markdown",
 ]
 
 [tool.pytest.ini_options]

deploy-chatmail/src/deploy_chatmail/__init__.py

@@ -2,6 +2,8 @@
 Chat Mail pyinfra deploy.
 """
 import importlib.resources
+import configparser
+import textwrap
 from pathlib import Path
 
 from pyinfra import host
@@ -9,6 +11,9 @@ from pyinfra.operations import apt, files, server, systemd
 from pyinfra.facts.files import File
 from pyinfra.facts.systemd import SystemdEnabled
 from .acmetool import deploy_acmetool
+import markdown
+from jinja2 import Template
+
 
 from .genqr import gen_qr_png_data
 
@@ -302,18 +307,83 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
         mode="755",
     )
 
-    qr_data = gen_qr_png_data(domain)
+    return need_restart
 
-    files.put(
-        name="Upload QR code for account creation",
-        src=qr_data,
-        dest="/var/www/html/qrcode.png",
-        user="root",
-        group="root",
-        mode="644",
+
+def get_ini_settings(mail_domain, inipath):
+    parser = configparser.ConfigParser()
+    parser.read(inipath)
+    settings = {key: value.strip() for (key, value) in parser["config"].items()}
+    if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
+        for value in settings.values():
+            value = value.lower()
+            if "merlinux" in value or "schmieder" in value or "@testrun.org" in value:
+                raise ValueError(
+                    f"please set your own privacy contacts/addresses in {inipath}"
+                )
+    settings["mail_domain"] = mail_domain
+    return settings
+
+
+def build_htmlj2_from_markdown(source):
+    assert source.exists(), source
+    template_content = open(source).read()
+    if source.stem == "privacy":
+        title = "privacy {{ config.mail_domain }}"
+    elif source.stem == "index":
+        title = "home {{ config.mail_domain }}"
+    elif source.stem == "info":
+        title = "info {{ config.mail_domain }}"
+
+    html = markdown.markdown(template_content)
+    html = (
+        textwrap.dedent(
+            f"""\
+        <!DOCTYPE html>
+        <html>
+        <head>
+            <meta charset="utf-8" />
+            <title>{title}</title>
+            <link rel="stylesheet" href="./water.css">
+        </head>
+        <body>
+    """
+        )
+        + html
+        + "\n"
+        + textwrap.dedent(
+            """\
+        <footer>
+        <a href="index.html">home</a> |
+        <a href="info.html">more info</a> |
+        <a href="privacy.html">privacy</a> |
+        <a href="https://github.com/deltachat/chatmail">-> public development </a>
+        </footer>
+        </body>"""
+        )
     )
 
-    return need_restart
+    target_path = source.with_name(source.stem + ".html.j2")
+    with open(target_path, "w") as f:
+        f.write(html)
+    print(f"wrote {target_path}")
+    return target_path
+
+
+def build_webpages(www_path, config):
+    mail_domain = config["mail_domain"]
+    qr_data = gen_qr_png_data(mail_domain).read()
+    www_path.joinpath(f"qr-chatmail-invite-{mail_domain}.png").write_bytes(qr_data)
+
+    for path in www_path.iterdir():
+        if path.suffix == ".md":
+            path = build_htmlj2_from_markdown(path)
+
+        if path.suffix == ".j2":
+            target = path.with_name(path.name[:-3])
+            template = Template(path.read_text())
+            with target.open("w") as f:
+                f.write(template.render(config=config))
 
 
 def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> None:
@@ -367,6 +437,14 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
         packages=["fcgiwrap"],
     )
 
+    pkg_root = importlib.resources.files(__package__)
+    chatmail_ini = pkg_root.joinpath("../../../chatmail.ini").resolve()
+    config = get_ini_settings(mail_domain, chatmail_ini)
+    www_path = pkg_root.joinpath("../../../www").resolve()
+
+    build_webpages(www_path, config)
+    files.rsync(f"{www_path}/", "/var/www/html", flags=["-avz"])
+
     _install_chatmaild()
     debug = False
     dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
@@ -375,22 +453,6 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
     mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(mail_domain)
 
-    # deploy web pages and info if we have them
-    pkg_root = importlib.resources.files(__package__)
-    www_path = pkg_root.joinpath(f"../../../www/{mail_domain}").resolve()
-    if www_path.is_dir():
-        files.rsync(f"{www_path}/", "/var/www/html", flags=["-avz"])
-    else:
-        index_path = www_path.parent.joinpath("default/index.html.j2")
-        files.template(
-            src=index_path,
-            dest="/var/www/html/index.html",
-            user="root",
-            group="root",
-            mode="644",
-            config={"mail_domain": mail_domain},
-        )
-
     systemd.service(
         name="Start and enable OpenDKIM",
         service="opendkim.service",

deploy-chatmail/src/deploy_chatmail/genqr.py

@@ -18,7 +18,8 @@ def gen_qr(maildomain, url):
     # taken and modified from
     # https://github.com/deltachat/mailadm/blob/master/src/mailadm/gen_qr.py
 
-    info = f"{maildomain} invite code"
+    # info = f"{maildomain} invite code"
+    info = ""
 
     # load QR code
     qr = qrcode.QRCode(
@@ -43,7 +44,7 @@ def gen_qr(maildomain, url):
     font_size = 16
     font = ImageFont.truetype(font=ttf_path, size=font_size)
 
-    num_lines = (info).count("\n") + 1
+    num_lines = ((info).count("\n") + 1) if info else 0
 
     size = width = 384
     qr_padding = 6
@@ -51,20 +52,24 @@ def gen_qr(maildomain, url):
     height = size + text_height + qr_padding * 2
 
     image = Image.new("RGBA", (width, height), "white")
-
-    draw = ImageDraw.Draw(image)
-
     qr_final_size = width - (qr_padding * 2)
 
-    # draw text
-    if hasattr(font, "getsize"):
-        info_pos = (width - font.getsize(info.strip())[0]) // 2
-    else:
-        info_pos = (width - font.getbbox(info.strip())[3]) // 2
+    if num_lines:
+        draw = ImageDraw.Draw(image)
 
-    draw.multiline_text(
-        (info_pos, size - qr_padding // 2), info, font=font, fill="black", align="right"
-    )
+        # draw text
+        if hasattr(font, "getsize"):
+            info_pos = (width - font.getsize(info.strip())[0]) // 2
+        else:
+            info_pos = (width - font.getbbox(info.strip())[3]) // 2
+
+        draw.multiline_text(
+            (info_pos, size - qr_padding // 2),
+            info,
+            font=font,
+            fill="black",
+            align="right",
+        )
 
     # paste QR code
     image.paste(

tests/test_helpers.py

@@ -0,0 +1,39 @@
+import textwrap
+
+from deploy_chatmail import build_htmlj2_from_markdown, get_ini_settings
+
+
+def test_markdown(tmp_path):
+    path = tmp_path.joinpath("privacy.md")
+    path.write_text("# privacy policy")
+    build_htmlj2_from_markdown(path)
+    output = path.with_name("privacy.html.j2")
+    assert output.exists()
+    print(output.read_text())
+
+
+def test_get_settings(tmp_path):
+    inipath = tmp_path.joinpath("chatmail.ini")
+    inipath.write_text(
+        textwrap.dedent(
+            """\
+        [config]
+
+        privacy_postal =
+            address-line1
+            address-line2
+
+        privacy_mail = privacy@example.org
+
+        privacy_pdo =
+            address-line3
+    """
+        )
+    )
+    d = get_ini_settings("x.testrun.org", inipath)
+    assert d["privacy_postal"] == "address-line1\naddress-line2"
+    assert d["privacy_mail"] == "privacy@example.org"
+    assert d["privacy_pdo"] == "address-line3"
+    assert d["mail_domain"] == "x.testrun.org"
+
+

www/default/index.html.j2

@@ -1,31 +0,0 @@
-
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8" />
-    <title>chatmail instance</title>
-</head>
-<body>
-    <h1>Welcome to {{ config.mail_domain }}!</h1>
-    <h2>Getting started</h2>
-    <ol>
-        <li>Install <a href="https://get.delta.chat">https://get.delta.chat</a></li>
-        <li>Scan or Tap on the invite QR code</li>
-        <li>Choose Nickname and Avatar</li>
-        <li>Setup contact with others using <a href="https://delta.chat/en/help#howtoe2ee">
-            guaranteed end-to-end encryption via QR code scans</a>
-        </li>
-    </ol>
-    <a href="DCACCOUNT:https://{{ config.mail_domain }}/cgi-bin/newemail.py">
-        <img class="section" src="qrcode.png" />
-    </a>
-
-    <h2>Constraints</h2>
-    <ul>
-    <li>You can only send encrypted mails to anyone outside {{config.mail_domain }} </li>
-    <li>You may send up to 60 messages per minute</li>
-    <li>Messages are unconditionally removed 40 days after arrival</li>
-    <li>Max storage per user is 100MB</li>
-    </ul>
-</body>
-</html>

www/index.md

@@ -0,0 +1,19 @@
+
+<img width="800px" src="collage-top.png"/>
+
+## Dear [Delta Chat](https://get.delta.chat) users and newcomers, 
+
+Welcome to instant, interoperable and [privacy-preserving](privacy.html) messaging :) 
+
+👉 **Tap** or scan this QR code to get a random `@{{config.mail_domain}}` e-mail address
+
+<a href="DCACCOUNT:https://{{ config.mail_domain }}/cgi-bin/newemail.py">
+    <img width=300 style="float: none;" src="qr-chatmail-invite-{{config.mail_domain}}.png" /></a>
+
+🐣 **Choose** your Avatar and Name
+
+💬 **Start** chatting with any Delta Chat contacts using [QR invite codes](https://delta.chat/en/help#howtoe2ee)
+
+
+## ⚡ Note: this is an experimental service ⚡
+

www/info.md

@@ -0,0 +1,39 @@
+
+<img width="800px" src="collage-info.png"/>
+
+## More information 
+
+### Choosing a chatmail address instead of using a random one
+
+In the Delta Chat account setup 
+you may tap `LOG INTO YOUR E-MAIL ACCOUNT` 
+and fill the two fields like this: 
+
+- `Address`: invent a word with *exactly* nine characters 
+   and append `@{{config.mail_domain}}` to it. 
+
+- `Password`: invent at least 10 characters. 
+
+If the e-mail address is not yet taken, you'll get that account. 
+The first login sets your password. 
+
+
+### Rate and storage limits 
+
+- Un-encrypted messages are blocked to recipients outside
+  {{config.mail_domain}} but setting up contact via [QR invite codes](https://delta.chat/en/help#howtoe2ee) 
+  allows your messages to pass freely to any outside recipients.
+
+- You may send up to 60 messages per minute
+
+- Messages are unconditionally removed 40 days after arriving on the server
+
+- You can store up to [100MB messages on the server](https://delta.chat/en/help#what-happens-if-i-turn-on-delete-old-messages-from-server)
+
+
+### Who are the operators? Which software is running? 
+
+This chatmail provider is run by a small voluntary group of devs and sysadmins,
+who [publically develop chatmail provider setups](https://github.com/deltachat/chatmail).
+Chatmail setups aim to be very low-maintenance, resource efficient and 
+interoperable with any other standards-compliant e-mail service. 

www/nine.testrun.org/index.html

@@ -1,81 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8" />
-    <title>nine.testrun.org - Experimenting with the Future of Email</title>
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <style>
-        .wrapper {
-            width: 100%;
-            max-width: 596px;
-            margin: 0 auto;
-        }
-
-        .section {
-            width: 100%;
-            max-width: 596px;
-        }
-
-        .text {
-            box-sizing: border-box;
-            padding: 9px;
-            font-size: 18px;
-            font-family: "Swansea", "Helvetica", sans-serif;
-            color: black;
-        }
-        a {
-            color: black;
-        }
-        h1, h2, h3 {
-            font-size: 18px;
-            font-weight: bold;
-        }
-    </style>
-</head>
-<body>
-    <div class="wrapper">
-        <img class="section" src="collage-top.png" />
-        <div class="section text">
-            <h1>Dear Delta Chat users and newcomers,</h1>
-            <p>
-            welcome to the first public "chat-mail instance",
-            a small and lean e-mail provider for smooth chatting.
-            Install Delta Chat and then
-            Tap or scan this QR code to obtain a random e-mail address:
-            <a href="DCACCOUNT:https://nine.testrun.org/cgi-bin/newemail.py">
-                <img with=300 src="qrcode.png" /></a>
-            </p>
-            <p>
-            Alternatively, you can manually invent an e-mail address:
-            <ul>
-              <li>Tap "LOG INTO YOUR E-MAIL ACCOUNT".</li>
-              <li>Address: invent a word with <i>exactly</i> nine characters
-              and append @nine.testrun.org to it.</li>
-              <li>Password: invent at least 10 characters. The first login sets your password.</li>
-            </ul>
-            If the e-mail address is not yet taken, you'll get that account.
-            </p>
-            <p>
-            <img class="section" src="collage-down.png" />
-
-            <h2>What's behind it, how does it operate?</h2>
-            <p>nine.testrun.org is run
-                by a small group of devs and sysadmins, reachable via root@.
-                They want to keep this instance running at least until end 2024.
-                Current limits:
-            <ul>
-            <li>Un-encrypted mails can not leave the chat-mail instance.</li>
-            <li>Use <a href="https://delta.chat/en/help#howtoe2ee">
-                guaranteed end-to-end encryption via QR code scans</a>
-                to setup contact with users outside of the chat-mail instance.
-            </li>
-            <li>You may send up to 60 messages per minute.</li>
-            <li>Messages are unconditionally removed 40 days after arrival.</li>
-            <li>Max storage per user is 100MB.</li>
-            </ul>
-            <h2>Why are other email providers 1000 times more complicated?</h2>
-            <p>¯\_(ツ)_/¯</p>
-        </div>
-    </div>
-</body>
-</html>

www/privacy.md

@@ -0,0 +1,321 @@
+<img width="800px" src="collage-privacy.png"/>
+
+# Privacy Policy for {{ config.mail_domain }} 
+
+We want to show you in a fair and transparent way
+what personal data is processed by us.
+We follow a strict privacy-by-design approach
+and try to avoid processing your data in the first place,
+but as you may know,
+the internet, 
+and in particular sending e-mail messages,
+does not work without data.
+Still,
+it's only fair that you know at all times
+what personal data is processed
+when you use our service.
+
+If you have any remaining questions about data protection, please contact us. 
+
+## 1. Name and contact information 
+
+Responsible for the processing of your personal data is:
+```
+{{ config.privacy_postal }}
+```
+
+E-mail: {{ config.privacy_mail }}
+
+We have appointed a data protection officer:
+
+```
+{{ config.privacy_pdo }}
+```
+
+## 2. Processing when using chat e-mail services
+
+We provide e-mail services optimized for the use from [Delta Chat](https://delta.chat) apps 
+and process only the data necessary
+for the setup and technical execution of the e-mail dispatch.
+The purpose of the processing is to
+read, write, manage, delete, send, and receive emails.
+For this purpose,
+we operate server-side software
+that enables us to send and receive e-mail messages.
+Allowing the use of the e-mail service,
+we process the following data and details:
+
+- Outgoing and incoming messages (SMTP) are stored for transit 
+  on behalf of their users until the message can be delivered.
+
+- E-Mail-Messages are stored for the recipient and made accessible via IMAP protocols,
+  until explicitly deleted by the user or until a fixed time period is exceeded,
+  (*usually 4-8 weeks*).
+
+- IMAP and SMTP protocols are password protected with unique credentials for each account.
+
+- Users can retrieve or delete all stored messages 
+  without intervention from the operators using standard IMAP client tools.
+
+### 3.1 Account setup
+
+Creating an account happens in one of two ways on our mail servers: 
+
+- with a QR invitation token 
+  which is scanned using the DeltaChat app
+  and then the account is created.
+
+- by letting Delta Chat otherwise create an account 
+  and register it with a {{ config.mail_domain }} mail server. 
+
+In either case, we process the newly created email address.
+No phone numbers,
+other email addresses,
+or other identifiable data
+is currently required.
+The legal basis for the processing is
+Art. 6 (1) lit. b GDPR,
+as you have a usage contract with us
+by using our services.
+
+## 3.2 Processing of E-Mail-Messages
+
+In addition,
+we will process data
+to keep the server infrastructure operational
+for purposes of e-mail dispatch
+and abuse prevention.
+
+- Therefore,
+  it is necessary to process the content and/or metadata
+  (e.g., headers of the email as well as smtp chatter)
+  of E-Mail-Messages in transit. 
+
+- We will keep logs of messages in transit for a limited time.
+  These logs are used to debug delivery problems and software bugs.
+
+In addition,
+we process data to protect the systems from excessive use.
+Therefore, limits are enforced:
+
+- rate limits
+
+- storage limits
+
+- message size limits
+
+- any other limit neccessary for the whole server to function in a healthy way
+  and to prevent abuse.
+
+The processing and use of the above permissions
+are performed to provide the service.
+The data processing is necessary for the use of our services,
+therefore the legal basis of the processing is
+Art. 6 (1) lit. b GDPR,
+as you have a usage contract with us
+by using our services.
+The legal basis for the data processing
+for the purposes of security and abuse prevention is
+Art. 6 (1) lit. f GDPR.
+Our legitimate interest results
+from the aforementioned purposes.
+We will not use the collected data
+for the purpose of drawing conclusions
+about your person.
+
+
+## 3. Processing when using our Website
+
+When you visit our website,
+the browser used on your end device
+automatically sends information to the server of our website.
+This information is temporarily stored in a so-called log file.
+The following information is collected and stored
+until it is automatically deleted
+(*usually 7 days*):
+
+- used type of browser,
+
+- used operating system, 
+
+- access date and time as well as
+
+- country of origin and IP address, 
+
+- the requested file name or HTTP resource,
+
+- the amount of data transferred,
+
+- the access status (file transferred, file not found, etc.) and
+
+- the page from which the file was requested.
+
+This website is hosted by an external service provider (hoster).
+The personal data collected on this website is stored
+on the hoster's servers.
+Our hoster will process your data
+only to the extent necessary to fulfill its obligations
+to perform under our instructions.
+In order to ensure data protection-compliant processing,
+we have concluded a data processing agreement with our hoster.
+
+The aforementioned data is processed by us for the following purposes:  
+
+- Ensuring a reliable connection setup of the website,
+
+- ensuring a convenient use of our website,
+
+- checking and ensuring system security and stability, and
+
+- for other administrative purposes.
+
+The legal basis for the data processing is
+Art. 6 (1) lit. f GDPR.
+Our legitimate interest results
+from the aforementioned purposes of data collection.
+We will not use the collected data
+for the purpose of drawing conclusions about your person.
+
+## 4. Transfer of Data
+
+Your personal data
+will not be transferred to third parties
+for purposes other than those listed below:
+
+a) you have given your express consent
+in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,  
+
+b) the disclosure is necessary for the assertion, exercise or defence of legal claims
+pursuant to Art. 6 (1) sentence 1 lit. f GDPR
+and there is no reason to assume that you have
+an overriding interest worthy of protection
+in the non-disclosure of your data,  
+
+c) in the event that there is a legal obligation to disclose your data
+pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR,
+as well as  
+
+d) this is legally permissible and necessary
+in accordance with Art. 6 Para. 1 S. 1 lit. b GDPR
+for the processing of contractual relationships with you,  
+
+e) this is carried out by a service provider
+acting on our behalf and on our exclusive instructions,
+whom we have carefully selected (Art. 28 (1) GDPR)
+and with whom we have concluded a corresponding contract on commissioned processing (Art. 28 (3) GDPR),
+which obliges our contractor,
+among other things,
+to implement appropriate security measures
+and grants us comprehensive control powers.
+
+## 5. Rights of the data subject
+
+The rights arise from Articles 12 to 23 GDPR.
+Since no personal data is stored on our servers,
+even in encrypted form,
+there is no need to provide information
+on these or possible objections.
+A deletion can be made
+directly in the Delta Chat email messenger.
+
+a) request information about your personal data processed by us
+in accordance with Art. 15 GDPR.
+In particular,
+you can request information about the processing purposes,
+the category of personal data,
+the categories of recipients to whom your data have been or will be disclosed,
+the planned storage period,
+the existence of a right to rectification, erasure, restriction of processing or objection,
+the existence of a right of complaint,
+the origin of your data if it has not been collected by us,
+as well as the existence of automated decision-making including profiling
+and, if applicable,
+meaningful information about its details;  
+
+b) in accordance with Art. 16 of the GDPR,
+immediately request the correction
+of inaccurate or incomplete personal data stored by us;  
+
+c) pursuant to Article 17 of the GDPR,
+to request the erasure of your personal data stored by us,
+unless the processing is necessary
+for the exercise of the right to freedom of expression and information,
+for compliance with a legal obligation,
+for reasons of public interest,
+or for the establishment, exercise or defence of legal claims;  
+
+d) pursuant to Art. 18 GDPR,
+to request the restriction of the processing of your personal data,
+insofar as the accuracy of the data is disputed by you,
+the processing is unlawful,
+but you object to its erasure
+and we no longer require the data,
+but you need it for the assertion, exercise or defence of legal claims
+or you have objected to the processing pursuant to Art. 21 GDPR;  
+
+e) pursuant to Art. 20 GDPR,
+to receive your personal data that you have provided to us
+in a structured, common and machine-readable format
+or to request that it be transferred to another controller;  
+
+f) in accordance with Art. 7 (3) of the GDPR,
+to revoke your consent given to us at any time.
+This has the consequence that we may no longer continue the data processing
+based on this consent in the future; and  
+
+g) complain to a supervisory authority
+in accordance with Article 77 of the GDPR.
+As a rule,
+you can contact the supervisory authority of your usual place of residence
+or workplace
+or our registered office for this purpose.
+The supervisory authority responsible for our place of business
+is the `{{ config.privacy_supervisor }}`.
+
+If you have any questions or complaints, please feel free to contact us by email:  
+{{ config.privacy_mail }}
+
+
+### 5.1 Right to object
+
+If your personal data is processed on the basis of our legitimate interests
+in accordance with Art. 6 (1) lit. f GDPR,
+you have the right to object to the processing of your personal data
+in accordance with Art. 21 GDPR,
+provided that there are grounds for this based on your particular situation
+or the objection is directed against direct advertising.
+In the latter case,
+you have a general right of objection,
+which will be implemented by us
+without specifying a particular situation.
+
+If you wish to exercise your right of objection,
+simply send an e-mail to: {{ config.privacy_mail }}
+
+### 5.2 Right to withdraw
+
+If your personal data is processed on the basis of your consent
+in accordance with Art. 6 (1) lit. a GDPR
+(e.g. via the mailing list),
+you can withdraw your consent at any time
+and without any disadvantages.
+As a result,
+we may no longer continue the data processing
+that was based on this consent for the future.
+However,
+the withdrawal of your consent
+does not affect the lawfulness of the processing
+carried out on the basis of the consent until the withdrawal.
+
+If you wish to make use of your right of withdrawal,
+simply send an e-mail to: {{ config.privacy_mail }}
+
+## 6. Validity of this privacy policy 
+
+This data protection declaration is valid
+as of *December 2023*.
+Due to the further development of our service and offers
+or due to changed legal or official requirements,
+it may become necessary to revise this data protection declaration from time to time.
+
+