
On Fri, Jun 03, 2016 at 04:21:35PM -0400, Martin Owens wrote:
> Dear collaborators,
>
> Here is the draft version of the inkscape website's privacy policy. Please have a look at it and note changes in responses here.
>
> https://inkscape.org/en/about/privacy/
>
> It should cover why we need user information, what we might do with it and how we would want to protect it.
>
> Thanks for your help, this should be the last missing legal document from our website. (hopefully)
>
> Best Regards, Martin Owens

Sure, here's a few suggested changes:
of the https://inkscape.com website (“Site”).
Probably we should also link at the top to privacy policies of OSUOSL and maybe of the Software Conservancy? Both those organizations seem relevant to our processes.
We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, fill out a form, respond to a survey, and in connection with other activities, services, features or resources we make available on our Site.
This sentence feels a bit choppy, would this flow better?
We may collect personal identification information from a User in a variety of ways, including activities, services, and resources such as, but not limited to: visiting our site, filling out forms, and responding to surveys.
Perhaps the "activities, services, and resources" bit could be dropped to make it more concise, I'm not sure what that adds exactly.
Non-personal identification information may include the browser name, the type of computer and technical information about Users means of connection to our Site, such as the operating system and the country and default language and other similar information.
I'm not sure the differentiation between general and technical information is necessary. Maybe simplify this a bit to:
Non-personal identification information may include the browser name, the type of computer, operating system, country, default language, and similar information.
Our Site uses “cookies” to enhance User experience. User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. User may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly.
Grammar is a bit horky here, how about:
Our Site uses “cookies” to enhance the User's experience. The User’s web browser places cookies on their hard drive for record-keeping and tracking purposes. The User may set their web browser to refuse cookies, or to alert them when cookies are being sent. If they do so, note that some parts of the Site may not function properly.
Or else rephrase it to use 'you' and 'your' instead of 'the User'. But either way, the document should use the address consistently throughout.
I'm betting we know more specifically what will break if cookies aren't in use (e.g. all logged in functionality), and we could strengthen this section by indicating a little more explicitly what will break.
How we use collected information
The "We may use ..." could be dropped and just make each item start with "To ..." This will be more concise and readable IMHO.
How we protect your information
This section gives kind of a non-answer, "We protect your information using great information protection methods." :-)
How are passwords handled? Are they encrypted and stored? What encryption algorithm? Or do we just hash them and not store them?
Note here that OSUOSL runs our hardware and does administration. I assume the Inkscape admin team also has administrative access to the database at least; that is worth mentioning. Can the Inkscape admins also install software to the hardware that could intercept passwords or other personal information, or is that also limited just to OSUOSL?
Sharing your personal information
The second sentence of this, regarding generic aggregated demographic information, should be dropped. We don't do that nor do I think we have any intent or plans to do that. If some day we do want to do that, then we should rev this document and raise visibility to the effect.
Instead this could mention that information related to their user account may be visible to other users who access the site.
Mailing Lists and Announcements ... at the bottom of each email or User may contact us
or the User may
Also link 'contact us' to the same link as in the Contact Us section at the bottom.
When we do, we will post a notification on the main page of our Site, revise the updated date at the bottom of this page.
When we do, we will post a notification on the main page of our Site and revise the updated date at the bottom of this page.
Contact us
Note the contact us link appears not to be terminated, and is linkifying the update date too.
Other idle thoughts, which may or may not be of relevance for this doc but might be worth considering:
* Should we address our policy allowing use of pseudonyms in usernames?
* Are there any extra personal information implications that our voting system brings up? I.e. might we require verifiable identification data for voting rights?
* Sometimes we have contests or award items, for which we require a mailing address. This doesn't need to be their home address - a P.O. box or place of employment or a trusted third party of their choice would be acceptable in most cases, just somewhere they can receive packages. This is also opt-in but if they choose not to opt-in they may be ineligible to receive the rewards.
* Board membership requires we have the person's legal name (which we endeavor to keep private, and AFAICT don't show or store on the website).
* Posting of other people's personal information to any public area on our site is not permitted without that person's consent, and is cause for revoking access and/or removing their content from the site.
* Inkscape may fund development activities or reimburse individuals for expenses or similar. Payments for these things will require some banking information (or postal address for sending checks), but this information is not required by Inkscape or its administrators; instead the User will be directed to provide it to the Software Conservancy, who will cut the checks or conduct the money transfer directly with the User.
* Certain services on the website permit the User to upload files including but not limited to written text, rendered artwork (PNG, etc.), and source artwork (SVG, etc.) It is assumed by the uploading of the data that the intent is for it to be shared; we provide tagging mechanisms for allowing the User to specify a license to govern the sharing of this data. Apart from the license, no promises of non-disclosure are provided for material uploaded to the site.
Thanks for tackling this.
Bryce