Parametrized privacy policy, unified and refined nine/non-nine landing pages (#89)

- move web sources to markdown
- integrate privacy policy template
- create and use chatmail.ini file to driving web-page generation 

Co-authored-by: missytake <missytake@systemli.org>

---------

Co-authored-by: missytake <missytake@systemli.org>

www/default/index.html.j2

@@ -1,31 +0,0 @@
-
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8" />
-    <title>chatmail instance</title>
-</head>
-<body>
-    <h1>Welcome to {{ config.mail_domain }}!</h1>
-    <h2>Getting started</h2>
-    <ol>
-        <li>Install <a href="https://get.delta.chat">https://get.delta.chat</a></li>
-        <li>Scan or Tap on the invite QR code</li>
-        <li>Choose Nickname and Avatar</li>
-        <li>Setup contact with others using <a href="https://delta.chat/en/help#howtoe2ee">
-            guaranteed end-to-end encryption via QR code scans</a>
-        </li>
-    </ol>
-    <a href="DCACCOUNT:https://{{ config.mail_domain }}/cgi-bin/newemail.py">
-        <img class="section" src="qrcode.png" />
-    </a>
-
-    <h2>Constraints</h2>
-    <ul>
-    <li>You can only send encrypted mails to anyone outside {{config.mail_domain }} </li>
-    <li>You may send up to 60 messages per minute</li>
-    <li>Messages are unconditionally removed 40 days after arrival</li>
-    <li>Max storage per user is 100MB</li>
-    </ul>
-</body>
-</html>

www/index.md

@@ -0,0 +1,19 @@
+
+<img width="800px" src="collage-top.png"/>
+
+## Dear [Delta Chat](https://get.delta.chat) users and newcomers, 
+
+Welcome to instant, interoperable and [privacy-preserving](privacy.html) messaging :) 
+
+👉 **Tap** or scan this QR code to get a random `@{{config.mail_domain}}` e-mail address
+
+<a href="DCACCOUNT:https://{{ config.mail_domain }}/cgi-bin/newemail.py">
+    <img width=300 style="float: none;" src="qr-chatmail-invite-{{config.mail_domain}}.png" /></a>
+
+🐣 **Choose** your Avatar and Name
+
+💬 **Start** chatting with any Delta Chat contacts using [QR invite codes](https://delta.chat/en/help#howtoe2ee)
+
+
+## ⚡ Note: this is an experimental service ⚡
+

www/info.md

@@ -0,0 +1,39 @@
+
+<img width="800px" src="collage-info.png"/>
+
+## More information 
+
+### Choosing a chatmail address instead of using a random one
+
+In the Delta Chat account setup 
+you may tap `LOG INTO YOUR E-MAIL ACCOUNT` 
+and fill the two fields like this: 
+
+- `Address`: invent a word with *exactly* nine characters 
+   and append `@{{config.mail_domain}}` to it. 
+
+- `Password`: invent at least 10 characters. 
+
+If the e-mail address is not yet taken, you'll get that account. 
+The first login sets your password. 
+
+
+### Rate and storage limits 
+
+- Un-encrypted messages are blocked to recipients outside
+  {{config.mail_domain}} but setting up contact via [QR invite codes](https://delta.chat/en/help#howtoe2ee) 
+  allows your messages to pass freely to any outside recipients.
+
+- You may send up to 60 messages per minute
+
+- Messages are unconditionally removed 40 days after arriving on the server
+
+- You can store up to [100MB messages on the server](https://delta.chat/en/help#what-happens-if-i-turn-on-delete-old-messages-from-server)
+
+
+### Who are the operators? Which software is running? 
+
+This chatmail provider is run by a small voluntary group of devs and sysadmins,
+who [publically develop chatmail provider setups](https://github.com/deltachat/chatmail).
+Chatmail setups aim to be very low-maintenance, resource efficient and 
+interoperable with any other standards-compliant e-mail service. 

www/nine.testrun.org/index.html

@@ -1,81 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8" />
-    <title>nine.testrun.org - Experimenting with the Future of Email</title>
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <style>
-        .wrapper {
-            width: 100%;
-            max-width: 596px;
-            margin: 0 auto;
-        }
-
-        .section {
-            width: 100%;
-            max-width: 596px;
-        }
-
-        .text {
-            box-sizing: border-box;
-            padding: 9px;
-            font-size: 18px;
-            font-family: "Swansea", "Helvetica", sans-serif;
-            color: black;
-        }
-        a {
-            color: black;
-        }
-        h1, h2, h3 {
-            font-size: 18px;
-            font-weight: bold;
-        }
-    </style>
-</head>
-<body>
-    <div class="wrapper">
-        <img class="section" src="collage-top.png" />
-        <div class="section text">
-            <h1>Dear Delta Chat users and newcomers,</h1>
-            <p>
-            welcome to the first public "chat-mail instance",
-            a small and lean e-mail provider for smooth chatting.
-            Install Delta Chat and then
-            Tap or scan this QR code to obtain a random e-mail address:
-            <a href="DCACCOUNT:https://nine.testrun.org/cgi-bin/newemail.py">
-                <img with=300 src="qrcode.png" /></a>
-            </p>
-            <p>
-            Alternatively, you can manually invent an e-mail address:
-            <ul>
-              <li>Tap "LOG INTO YOUR E-MAIL ACCOUNT".</li>
-              <li>Address: invent a word with <i>exactly</i> nine characters
-              and append @nine.testrun.org to it.</li>
-              <li>Password: invent at least 10 characters. The first login sets your password.</li>
-            </ul>
-            If the e-mail address is not yet taken, you'll get that account.
-            </p>
-            <p>
-            <img class="section" src="collage-down.png" />
-
-            <h2>What's behind it, how does it operate?</h2>
-            <p>nine.testrun.org is run
-                by a small group of devs and sysadmins, reachable via root@.
-                They want to keep this instance running at least until end 2024.
-                Current limits:
-            <ul>
-            <li>Un-encrypted mails can not leave the chat-mail instance.</li>
-            <li>Use <a href="https://delta.chat/en/help#howtoe2ee">
-                guaranteed end-to-end encryption via QR code scans</a>
-                to setup contact with users outside of the chat-mail instance.
-            </li>
-            <li>You may send up to 60 messages per minute.</li>
-            <li>Messages are unconditionally removed 40 days after arrival.</li>
-            <li>Max storage per user is 100MB.</li>
-            </ul>
-            <h2>Why are other email providers 1000 times more complicated?</h2>
-            <p>¯\_(ツ)_/¯</p>
-        </div>
-    </div>
-</body>
-</html>

www/privacy.md

@@ -0,0 +1,321 @@
+<img width="800px" src="collage-privacy.png"/>
+
+# Privacy Policy for {{ config.mail_domain }} 
+
+We want to show you in a fair and transparent way
+what personal data is processed by us.
+We follow a strict privacy-by-design approach
+and try to avoid processing your data in the first place,
+but as you may know,
+the internet, 
+and in particular sending e-mail messages,
+does not work without data.
+Still,
+it's only fair that you know at all times
+what personal data is processed
+when you use our service.
+
+If you have any remaining questions about data protection, please contact us. 
+
+## 1. Name and contact information 
+
+Responsible for the processing of your personal data is:
+```
+{{ config.privacy_postal }}
+```
+
+E-mail: {{ config.privacy_mail }}
+
+We have appointed a data protection officer:
+
+```
+{{ config.privacy_pdo }}
+```
+
+## 2. Processing when using chat e-mail services
+
+We provide e-mail services optimized for the use from [Delta Chat](https://delta.chat) apps 
+and process only the data necessary
+for the setup and technical execution of the e-mail dispatch.
+The purpose of the processing is to
+read, write, manage, delete, send, and receive emails.
+For this purpose,
+we operate server-side software
+that enables us to send and receive e-mail messages.
+Allowing the use of the e-mail service,
+we process the following data and details:
+
+- Outgoing and incoming messages (SMTP) are stored for transit 
+  on behalf of their users until the message can be delivered.
+
+- E-Mail-Messages are stored for the recipient and made accessible via IMAP protocols,
+  until explicitly deleted by the user or until a fixed time period is exceeded,
+  (*usually 4-8 weeks*).
+
+- IMAP and SMTP protocols are password protected with unique credentials for each account.
+
+- Users can retrieve or delete all stored messages 
+  without intervention from the operators using standard IMAP client tools.
+
+### 3.1 Account setup
+
+Creating an account happens in one of two ways on our mail servers: 
+
+- with a QR invitation token 
+  which is scanned using the DeltaChat app
+  and then the account is created.
+
+- by letting Delta Chat otherwise create an account 
+  and register it with a {{ config.mail_domain }} mail server. 
+
+In either case, we process the newly created email address.
+No phone numbers,
+other email addresses,
+or other identifiable data
+is currently required.
+The legal basis for the processing is
+Art. 6 (1) lit. b GDPR,
+as you have a usage contract with us
+by using our services.
+
+## 3.2 Processing of E-Mail-Messages
+
+In addition,
+we will process data
+to keep the server infrastructure operational
+for purposes of e-mail dispatch
+and abuse prevention.
+
+- Therefore,
+  it is necessary to process the content and/or metadata
+  (e.g., headers of the email as well as smtp chatter)
+  of E-Mail-Messages in transit. 
+
+- We will keep logs of messages in transit for a limited time.
+  These logs are used to debug delivery problems and software bugs.
+
+In addition,
+we process data to protect the systems from excessive use.
+Therefore, limits are enforced:
+
+- rate limits
+
+- storage limits
+
+- message size limits
+
+- any other limit neccessary for the whole server to function in a healthy way
+  and to prevent abuse.
+
+The processing and use of the above permissions
+are performed to provide the service.
+The data processing is necessary for the use of our services,
+therefore the legal basis of the processing is
+Art. 6 (1) lit. b GDPR,
+as you have a usage contract with us
+by using our services.
+The legal basis for the data processing
+for the purposes of security and abuse prevention is
+Art. 6 (1) lit. f GDPR.
+Our legitimate interest results
+from the aforementioned purposes.
+We will not use the collected data
+for the purpose of drawing conclusions
+about your person.
+
+
+## 3. Processing when using our Website
+
+When you visit our website,
+the browser used on your end device
+automatically sends information to the server of our website.
+This information is temporarily stored in a so-called log file.
+The following information is collected and stored
+until it is automatically deleted
+(*usually 7 days*):
+
+- used type of browser,
+
+- used operating system, 
+
+- access date and time as well as
+
+- country of origin and IP address, 
+
+- the requested file name or HTTP resource,
+
+- the amount of data transferred,
+
+- the access status (file transferred, file not found, etc.) and
+
+- the page from which the file was requested.
+
+This website is hosted by an external service provider (hoster).
+The personal data collected on this website is stored
+on the hoster's servers.
+Our hoster will process your data
+only to the extent necessary to fulfill its obligations
+to perform under our instructions.
+In order to ensure data protection-compliant processing,
+we have concluded a data processing agreement with our hoster.
+
+The aforementioned data is processed by us for the following purposes:  
+
+- Ensuring a reliable connection setup of the website,
+
+- ensuring a convenient use of our website,
+
+- checking and ensuring system security and stability, and
+
+- for other administrative purposes.
+
+The legal basis for the data processing is
+Art. 6 (1) lit. f GDPR.
+Our legitimate interest results
+from the aforementioned purposes of data collection.
+We will not use the collected data
+for the purpose of drawing conclusions about your person.
+
+## 4. Transfer of Data
+
+Your personal data
+will not be transferred to third parties
+for purposes other than those listed below:
+
+a) you have given your express consent
+in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,  
+
+b) the disclosure is necessary for the assertion, exercise or defence of legal claims
+pursuant to Art. 6 (1) sentence 1 lit. f GDPR
+and there is no reason to assume that you have
+an overriding interest worthy of protection
+in the non-disclosure of your data,  
+
+c) in the event that there is a legal obligation to disclose your data
+pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR,
+as well as  
+
+d) this is legally permissible and necessary
+in accordance with Art. 6 Para. 1 S. 1 lit. b GDPR
+for the processing of contractual relationships with you,  
+
+e) this is carried out by a service provider
+acting on our behalf and on our exclusive instructions,
+whom we have carefully selected (Art. 28 (1) GDPR)
+and with whom we have concluded a corresponding contract on commissioned processing (Art. 28 (3) GDPR),
+which obliges our contractor,
+among other things,
+to implement appropriate security measures
+and grants us comprehensive control powers.
+
+## 5. Rights of the data subject
+
+The rights arise from Articles 12 to 23 GDPR.
+Since no personal data is stored on our servers,
+even in encrypted form,
+there is no need to provide information
+on these or possible objections.
+A deletion can be made
+directly in the Delta Chat email messenger.
+
+a) request information about your personal data processed by us
+in accordance with Art. 15 GDPR.
+In particular,
+you can request information about the processing purposes,
+the category of personal data,
+the categories of recipients to whom your data have been or will be disclosed,
+the planned storage period,
+the existence of a right to rectification, erasure, restriction of processing or objection,
+the existence of a right of complaint,
+the origin of your data if it has not been collected by us,
+as well as the existence of automated decision-making including profiling
+and, if applicable,
+meaningful information about its details;  
+
+b) in accordance with Art. 16 of the GDPR,
+immediately request the correction
+of inaccurate or incomplete personal data stored by us;  
+
+c) pursuant to Article 17 of the GDPR,
+to request the erasure of your personal data stored by us,
+unless the processing is necessary
+for the exercise of the right to freedom of expression and information,
+for compliance with a legal obligation,
+for reasons of public interest,
+or for the establishment, exercise or defence of legal claims;  
+
+d) pursuant to Art. 18 GDPR,
+to request the restriction of the processing of your personal data,
+insofar as the accuracy of the data is disputed by you,
+the processing is unlawful,
+but you object to its erasure
+and we no longer require the data,
+but you need it for the assertion, exercise or defence of legal claims
+or you have objected to the processing pursuant to Art. 21 GDPR;  
+
+e) pursuant to Art. 20 GDPR,
+to receive your personal data that you have provided to us
+in a structured, common and machine-readable format
+or to request that it be transferred to another controller;  
+
+f) in accordance with Art. 7 (3) of the GDPR,
+to revoke your consent given to us at any time.
+This has the consequence that we may no longer continue the data processing
+based on this consent in the future; and  
+
+g) complain to a supervisory authority
+in accordance with Article 77 of the GDPR.
+As a rule,
+you can contact the supervisory authority of your usual place of residence
+or workplace
+or our registered office for this purpose.
+The supervisory authority responsible for our place of business
+is the `{{ config.privacy_supervisor }}`.
+
+If you have any questions or complaints, please feel free to contact us by email:  
+{{ config.privacy_mail }}
+
+
+### 5.1 Right to object
+
+If your personal data is processed on the basis of our legitimate interests
+in accordance with Art. 6 (1) lit. f GDPR,
+you have the right to object to the processing of your personal data
+in accordance with Art. 21 GDPR,
+provided that there are grounds for this based on your particular situation
+or the objection is directed against direct advertising.
+In the latter case,
+you have a general right of objection,
+which will be implemented by us
+without specifying a particular situation.
+
+If you wish to exercise your right of objection,
+simply send an e-mail to: {{ config.privacy_mail }}
+
+### 5.2 Right to withdraw
+
+If your personal data is processed on the basis of your consent
+in accordance with Art. 6 (1) lit. a GDPR
+(e.g. via the mailing list),
+you can withdraw your consent at any time
+and without any disadvantages.
+As a result,
+we may no longer continue the data processing
+that was based on this consent for the future.
+However,
+the withdrawal of your consent
+does not affect the lawfulness of the processing
+carried out on the basis of the consent until the withdrawal.
+
+If you wish to make use of your right of withdrawal,
+simply send an e-mail to: {{ config.privacy_mail }}
+
+## 6. Validity of this privacy policy 
+
+This data protection declaration is valid
+as of *December 2023*.
+Due to the further development of our service and offers
+or due to changed legal or official requirements,
+it may become necessary to revise this data protection declaration from time to time.
+
+