Update the privacy policy

MIT's lawyers want us to use a significantly more verbose privacy policy
-- let's apply some changes based upon the requested template.

ws/templates/privacy/home.html

@@ -14,10 +14,13 @@ <h2>Privacy Controls</h2>
       </ul>
   </div>
   <div class="col-md-9 col-md-pull-3">
-    <h3>Your Right to Privacy</h3>
-    <p class="lead">
-      At MITOC, we take privacy very seriously.
+    <h3>Privacy Statement</h3>
+
+    <p>
+    MITOC is committed to supporting the privacy of all who participate in the club.
+    This Privacy Statement explains how we handle and use the personal information we collect about anyone who uses this site.
     </p>
+
     <p>
       We strive to collect the least amount of information necessary and give you
       control over how that data is used.
@@ -30,7 +33,26 @@ <h3>Your Right to Privacy</h3>
     </p>
     <hr>
 
-    <h3>Cookies</h3>
+    <h3>What personal information we collect</h3>
+    <p>
+      While specific information may vary for particular individuals, we may collect,
+      use, store and transfer different kinds of personal information about you.
+      We collect your name, email address, emergency contact information. We also collect
+      a record of which trips you sign up for, as well as a record of which you
+      participate on. You have the option to also supply information about your
+      car, any emergency information you wish to share with leaders.
+    </p>
+    <p>
+      You can <a href="{% url 'privacy_settings' %}">manage the data you share</a>
+      and/or <a href="{% url 'privacy_download' %}">download data MITOC stores about you</a>.
+    </p>
+
+    <h3>How we collect personal information about you</h3>
+    <p>
+      The personal information we collect is generally supplied by you when using this site.
+    </p>
+
+    <h4>Cookies</h4>
     <p>
       We place a very small cookie in your browser when you use this site.
       The cookie is used only to manage your session. This cookie keeps you logged
@@ -45,12 +67,15 @@ <h3>Cookies</h3>
       </ul>
     </p>
 
-
-    <h3>Sharing Information</h3>
+    <h3>How we use your personal information</h3>
     <p>
       Related: <a href="{% url 'help-personal_info' %}">Personal Information, Privacy</a>
     </p>
 
+    <p>
+      We use your personal information for a number of legitimate purposes all in support of the Institute and its mission.
+    </p>
+
     <p>
       When you attend a MITOC trip, we supply trip leaders with the details of any
       <a href="https://mitoc.mit.edu/rentals">MITOC items that you may have rented from the office</a>.
@@ -77,10 +102,15 @@ <h3>Sharing Information</h3>
       Only trip leaders can see your medical information. No other participants can see your medical information.
     </p>
 
+    <p>
+      If you have concerns about any of these purposes, or how we communicate with you, please <a href="{% url 'contact' %}">contact us</a>.
+      We will always respect a request by you to stop processing your personal information (subject to our legal obligations).
+    </p>
 
-    <h3>Third Parties</h3>
-    By using this site, you share some information with the following
-    companies/services:
+    <h3>When we share your personal information</h3>
+    <p>
+      By using this site, you share some information with the following companies/services:
+    </p>
 
     <h4>Sentry</h4>
     <p>
@@ -90,7 +120,8 @@ <h4>Sentry</h4>
       report. For example, Sentry stores what kind of browser you were using
       and which page you were viewing at the time of the unexpected error. This
       information helps us understand of the issue and resolve the underlying
-      problem. You are encouraged to read about your rights in
+      problem. Information that Sentry collects is automatically deleted after
+      a number of weeks. You are encouraged to read about your rights in
       <a href="https://sentry.io/privacy/">Sentry's privacy policy</a>.
     </p>
 
@@ -123,6 +154,86 @@ <h4>DocuSign &amp; CyberSource</h4>
       </ul>
     </p>
 
+    <h3>How your information is stored and secured</h3>
+    <p>
+      MIT uses risk-assessed administrative, technical and physical security
+      measures to protect your personal information. Your information lives in
+      a Postgres database (behind a Virtual Private Cloud) administered by
+      Amazon Web Services. Direct database access is restricted to MITOC's
+      elected webmasters.
+    </p>
+
+    <h3>How long we keep your personal information</h3>
+    <p>
+      We automatically remove all participant-supplied medical information
+      after 6 months of activity. You can remove most profile information at
+      any time. Legal waivers, any monetary payments to the club, and
+      any participation on past trips are retained indefinitely.
+    </p>
+
+    <h3>Rights for Individuals in the European Economic Area (EEA) or United Kingdom (UK)</h3>
+    <p>
+      You have the right in certain circumstances to (1) access your personal
+      information; (2) to correct or erase information; (3) restrict processing; and
+      (4) object to communications, direct marketing, or profiling. To the extent
+      applicable, the EEA’s General Data Protection Regulation (GDPR) provides
+      further information about your rights. You also have the right to lodge
+      complaints with your national or regional data protection authority.
+    </p>
+
+    <p>
+      If you are inclined to exercise these rights, we request an opportunity
+      to discuss with you any concerns you may have. To protect the personal
+      information we hold, we may also request further information to verify
+      your identity when exercising these rights. Upon a request to erase
+      information, we will maintain a core set of personal data to ensure we do
+      not contact you inadvertently in the future, as well as any information
+      necessary for MIT archival purposes. We may also need to retain some
+      financial information for legal purposes, including US IRS compliance. In
+      the event of an actual or threatened legal claim, we may retain your
+      information for purposes of establishing, defending against or exercising
+      our rights with respect to such claim.
+    </p>
+
+    <p>
+      By providing information directly to MIT, you consent to the transfer of
+      your personal information outside of the European Economic Area to the
+      United States. You understand that the current laws and regulations of
+      the United States may not provide the same level of protection as the
+      data and privacy laws and regulations of the EEA.
+    </p>
+
+    <p>
+      You are under no statutory or contractual obligation to provide any
+      personal data to us. The controller for your personal information is MIT.
+    </p>
+
+    <p>
+      If you are in the EEA or UK and wish to assert any of your applicable GDPR
+      rights, please contact <a href="[email protected]">[email protected]</a>.
+      You may also contact MIT’s representatives listed below:
+    </p>
+
+    <h4>MIT Representative in the European Economic Area</h4>
+      <p>
+        <em><a href="[email protected]">J-PAL Europe</a></em>:
+        48 Boulevard Jourdan, 75014 Paris, France
+      </p>
+    </ul>
+
+    <h4>MIT Representative in the United Kingdom</h4>
+    <p>
+      <em>MIT Press UK</em>:
+      71 Queen Victoria Street, London, United Kingdom, EC4V 4BE
+    </p>
+
+    <h3>Updates to this policy</h3>
+    <p>
+      We may change this Privacy Statement from time to time. If we make any
+      significant changes in the way we treat your personal information we will
+      make this clear on our MIT websites or by contacting you directly.
+    </p>
+
     <hr>
 
     <h3>Questions?</h3>