Privacy Information
This page explains what APBoard3 stores and uses when you visit or use this forum. It is written for normal users. It describes the current technical behaviour of APBoard3 on this installation and should be replaced or completed by the site operator before a public production launch.
Responsible party
Christin Löhner
Hofgärtenstr. 13
72172 Sulz am Neckar
Germany
Server access and log data
When you open a page, the web server processes technical request data. This can include your IP address, date and time, requested URL, referrer, browser user agent, response status, and transferred data volume. This data is needed to deliver the site, investigate errors, and protect the service from abuse.
APBoard3 itself also uses the client IP address in a few security-related places. Login attempts are rate-limited by IP address. The online list stores the current visitor state for a short time; for that purpose APBoard3 anonymizes IP addresses before storing them in the online table. IPv4 addresses are shortened to the network by replacing the last octet with 0. IPv6 addresses are reduced to a network prefix.
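The anonymization rule described above, as an added Python example (not APBoard3's own code). The IPv4 rule follows the text; the IPv6 prefix length of /64 is an assumption, since the page does not state it, and the names `anonymize_ip` and `find_unmasked` are hypothetical. The second function lets an operator check that stored values really are masked.

```python
import ipaddress

# Assumption: the page only says IPv6 is "reduced to a network prefix";
# /64 is an illustrative choice, not a documented APBoard3 value.
IPV6_PREFIX_LEN = 64

def anonymize_ip(raw, v6_prefix=IPV6_PREFIX_LEN):
    """Return only the network part of a client address."""
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 client,
    # so apply the IPv4 rule instead of truncating it to "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = 24 if addr.version == 4 else v6_prefix  # /24 == last octet set to 0
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)

def find_unmasked(stored_values, v6_prefix=IPV6_PREFIX_LEN):
    """Audit helper: list stored values that still hold host bits or do not parse."""
    flagged = []
    for value in stored_values:
        try:
            normal = str(ipaddress.ip_address(value.strip()))
            if anonymize_ip(value, v6_prefix) != normal:
                flagged.append(value)
        except ValueError:
            flagged.append(value)
    return flagged

# Constructed sample values (documentation address ranges), not real data.
SAMPLE_ROWS = [
    "203.0.113.0",
    "198.51.100.23",
    "2001:db8:1234:5678::",
    "2001:db8::9abc:1",
    "not-an-ip",
]

if __name__ == "__main__":
    print(anonymize_ip("203.0.113.77"))
    print(find_unmasked(SAMPLE_ROWS))
```
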
Cookies and sessions
APBoard3 uses technically necessary cookies. They are required for login, form protection, and normal forum use.
- PHPSESSID: the PHP session cookie. It stores a random session identifier in your browser. It is marked Secure and HttpOnly and uses SameSite=Lax.
- apb[hash]: the APBoard login token. It contains a random server-side session token, not your password and not your public user hash. It is marked Secure and HttpOnly and uses SameSite=Lax.
- apb[lt]: a login timestamp used together with the APBoard login session.
A normal login lasts about 24 hours. If you choose "remember me", the login can last up to 365 days on that device. Server-side session records contain the user ID, the random token, creation time, last-seen time, and expiry time. Expired sessions are rejected and cleaned up automatically.
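A check of the cookie attributes listed above, as an added Python example (not part of APBoard3). It parses `Set-Cookie` header values and reports where PHPSESSID or apb[hash] deviates from Secure, HttpOnly and SameSite=Lax. The sample headers are constructed and the function names are hypothetical.

```python
from urllib.parse import unquote

# Cookies the page describes as Secure, HttpOnly and SameSite=Lax.
CHECKED = {"PHPSESSID", "apb[hash]"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    # Tolerate a percent-encoded name such as apb%5Bhash%5D.
    return unquote(name.strip()), attrs

def audit_cookies(headers):
    """Return {cookie name: [problems]} for checked cookies that deviate."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in CHECKED:
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if attrs.get("samesite", "").lower() != "lax":
            problems.append("SameSite is not Lax")
        if problems:
            findings[name] = problems
    return findings

# Constructed sample response headers, not captured from a real installation.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax",
    "apb[hash]=tok; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/; HttpOnly; SameSite=Strict",
    "apb[lt]=1700000000; path=/",
]

if __name__ == "__main__":
    print(audit_cookies(SAMPLE_HEADERS))
```
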
Account data
If you register, APBoard3 stores the data needed to create and manage your account. This includes your email address, hashed password after activation, public name, language, selected style, user group, registration time, activation status, last login time, notification settings, and internal user identifiers.
During registration APBoard3 sends an activation email. The activation link uses a separate one-time token stored in the password reset table. Activation tokens expire after 48 hours. Password reset and activation tokens are separate from public profile identifiers.
Profile data and privacy settings
You can add profile information such as birthday, postal code, city, country, gender, quote, about-me text, signature, homepage, Matrix, Mastodon, Friendica, Facebook, YouTube, and Instagram. You decide whether to fill these fields.
APBoard3 includes privacy settings for profile fields. Each field can be set to one of three levels:
- Hidden: other users do not see the field.
- Logged-in users only: guests do not see the field; logged-in users may see it.
- Public: the field can be shown to anyone who can open the page.
These settings affect public profiles, member lists, online lists, and the user information shown next to posts. A separate Post Display setting controls which allowed fields appear beside your forum posts. If a field is hidden in Privacy Settings, Post Display cannot make it visible.
Forum posts, replies, likes, subscriptions, and private areas
When you write topics or replies, APBoard3 stores the content, author, timestamps, board/topic relation, and related metadata. Depending on the feature, APBoard3 can also store likes, topic subscriptions, notification preferences, and private-message data. Content you publish in a public forum area can be visible to other users or guests according to the board permissions set by the site operator.
Uploads and images
If you upload files or images, APBoard3 stores the file and upload metadata such as owner, original filename, generated filename, file size, extension, MIME type, creation time, and download count. User uploads are stored in a user-specific upload directory.
Image uploads are checked by MIME type and extension. Images are processed through the server image library before storage where the feature requires it. This strips unnecessary embedded data and avoids storing raw image uploads blindly. Pinboard teaser images are stored as generated JPEG files after server-side processing.
Pinboard posts
Your profile can include pinboard posts. A pinboard post can contain a title, optional subtitle, teaser text, teaser image, full content, publication status, creation time, and update time. Published pinboard posts can be shown on your profile and on their own detail page.
Security measures
APBoard3 uses CSRF tokens for forms, server-side session tokens for logins, generic login error messages to reduce account enumeration, login rate limiting by IP address, host-header validation, security response headers, and HTML sanitizing for rich text fields. Uploaded images are checked and re-encoded where appropriate.
Analytics, ads, and third-party tracking
The current APBoard3 codebase does not include advertising scripts, marketing trackers, or third-party analytics integrations. Static assets such as CSS, JavaScript, icons, and TinyMCE are served by this installation. If a site operator later adds analytics or third-party embeds, this privacy information must be updated.
APBoard3 can send email for registration, activation, password flows, subscriptions, and notifications, depending on your settings and the site configuration. Email delivery requires processing your email address and the message content needed for that notification.
Your choices
- You can change profile and account settings in the user menu.
- You can reduce visible profile data in Privacy Settings.
- You can control which allowed fields appear beside your posts in Post Display.
- You can disable or adjust notification settings where the forum provides these options.
- You can log out to remove the active login cookies from your browser.
