====== User Privacy ======

By default, VuFind collects some user information in order to support user-facing features and to make the user experience more convenient. Configuration options are available to control exactly how much user data is stored.

===== Privacy Mode =====

If privacy is your first priority, you can turn on VuFind's privacy mode, controlled by the privacy setting in the [Authentication] section of [[configuration:files:config.ini|config.ini]]. When this setting is turned on, no user data will be permanently stored, but user-oriented features like saved favorite lists and comments cannot be supported. See the comments in the configuration file for more details. :!: This feature was introduced in VuFind 3.0.

===== Right to Be Forgotten =====

Even if you do not turn on privacy mode, you can still allow users to remove their own accounts by turning on the account_deletion setting in the [Authentication] section of [[configuration:files:config.ini|config.ini]]. :!: This feature was introduced in VuFind 5.0.

===== Controlling Storage of User Data ======

The data fields stored in VuFind's database vary depending on the authentication method specified in the [Authentication] section of [[configuration:files:config.ini|config.ini]]. In some cases (such as CAS, LDAP and Shibboleth), additional configuration is used to map which fields are populated, and this can be used to greatly limit the amount of identifiable information found in VuFind's user table.

===== Password Security =====

VuFind supports the unencrypted storage of user credentials in the database. This is useful for backward compatibility when migrating from pre-2.0 versions of VuFind, but its use under any other circumstances is **STRONGLY** discouraged. When you set up VuFind using the web-based installation process, the "security" check will automatically set up password hashing and encryption for you.

When hashing and encryption is enabled, note that user passwords and ILS credentials are handled differently:

==== User Passwords ====

VuFind only stores password data when it is configured to use an internal authentication mechanism (i.e. its own database). In this case, passwords are stored as non-reversible hashes (unless the discouraged plain text configuration is enabled). When external authentication is used (e.g. LDAP, Shibboleth, etc.) no password information is stored by VuFind.

==== ILS Credentials ====

When an ILS (Integrated Library System) is integrated with VuFind, VuFind stores the user's ILS credentials in order to facilitate convenient access to ILS functionality without repeatedly prompting for a secondary login. Unless configured otherwise, these credentials are stored in an encrypted format in the database, and are only decrypted by VuFind on demand in order to access ILS functionality.

===== Cookie Consent =====

Starting with VuFind 9.0 it is possible to enable a [[configuration:cookie_consent|Cookie Consent]] prompt.

===== Privacy Policy =====

Starting with VuFind 9.0 there's a template for a static privacy policy page at themes/bootstrap3/templates/content/privacy.phtml. It also includes the code required to display current cookie consent information, and is by default linked to from the cookie consent prompt. You can copy and modify the file and create language versions as required. See [[configuration:static_pages|Static Pages]] for more information.