Deletion of your personal data

Could you please help me with this…

Your IP address and the name of your Internet service provider, which we only store for security reasons, will be deleted after seven days. Otherwise, we delete your personal data as soon as the purpose for which we have collected and processed the data ceases to apply. Beyond this time period, data storage only takes place to the extent made necessary by the legislation, regulations or other legal provisions to which we are subject in the EU or by legal provisions in third-party countries if these have an appropriate level of data protection. Should it not be possible to delete data in individual cases, the relevant personal data are flagged to restrict their further processing.

This is the policy for the European Union. It states that your IP and ISP name’s data get deleted after seven days. This is a security measure. This is likely found in the privacy policy?

Is this something that Discourse follows ?

Yes, that is found in Privacy policy | Discourse - Civilized Discussion

Hi @rajput7707. Could you please clarify what you are asking about? We’ll help if we can.

@maiki :
We want to know if Discourse is deleting/anonymizing user’s IP and ISP data from all the places within 7 days of user deletion.

That’s not even remotely true. First, there is no such thing as 7 days limit. It must do as quickly as possible. And how fast is quickly — it depends, but general guideline is 30 days. Secondly, there is no need to delete ISP and/or even IP. Only that is needed is erase personal data. That’s it. And it is not included logs of web-servers.

Well, guess I have to stop believing in this stuff. It looks like I have been brainwashed by the author of this post.

No, that is the maximum time after a request from the user to delete any data.
This is not what is mentioned in the standard ToS.

It should be retained as short as possible, but there is a consideration between the interest of the system administrator (for instance for purposes of spam control or DDoS prevention) and the interest of the users.

An IP address is Personally identifiable information which is subject to the GDPR.

No it isnt. There is no time limit. It must be done in resonable time. Sure countries can have own rules and laws, but it is not from EU.

No it is not and has never been. It start to be if someone tries use it to identify an person. Do you see the difference? When an admin deletes user account IP is just numbers without any change to know a person.

Recital 59 of the GDPR:

The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month (…)

No, if it is tied to other personal information such as a name or email address.

Article 4 of the GDPR:, emphasis mine

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;**