You may want to read <https://www.debian.org/legal/privacy>. It does not mention Debian's website explicitly, but the last paragraph reads as follows.
> Service related logging > > In addition to the explicitly listed services above the Debian infrastructure > logs details about system accesses for the purposes of ensuring service > availability and reliability, and to enable debugging and diagnosis of issues > when they arise. This logging includes details of mails sent/received through > Debian infrastructure, web page access requests sent to Debian infrastructure, > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > and login information for Debian systems (such as SSH logins to project > machines). None of this information is used for any purposes other than > operational requirements and it is only stored for 15 days in the case of web > server logs, 10 days in the case of mail log and 4 weeks in the case of > authentication/ssh logs. It is not GDPR-compliant, but someone raised the issue in the campaign for the latest DPL election [1] and it looks like it won't be addressed in the foreseeable future. [2] [1] https://lists.debian.org/debian-vote/2024/04/msg00024.html [2] https://lists.debian.org/debian-vote/2024/04/msg00037.html -- Ceppo