On Fri, Jun 03, 2016 at 04:21:35PM -0400, Martin Owens wrote:
Dear collaborators,
Here is the draft version of the inkscape website's privacy policy.
Please have a look at it and note changes in responses here.
https://inkscape.org/en/about/privacy/
It should cover why we need user information, what we might do with it
and how we would want to protect it.
Thanks for your help, this should be the last missing legal document
from our website. (hopefully)
Best Regards, Martin Owens
Sure here's a few suggested changes:
of the
https://inkscape.com website (“Site”).
https://inkscape.org
Probably we should also link at the top to privacy policies of OSUOSL
and maybe of the Software Conservancy? Both those organizations seem
relevant to our processes.
We may collect personal identification information from Users in a
variety of ways, including, but not limited to, when Users visit our
site, fill out a form, respond to a survey, and in connection with
other activities, services, features or resources we make available on
our Site.
This sentence feels a bit choppy, would this flow better?
We may collect personal identification information from a User in a
variety of ways, including activities, services, and resources such as,
but not limited to: visiting our site, filling out forms, and responding
to surveys.
Perhaps the "activities, services, and resources" bit could be dropped
to make it more concise, I'm not sure what that adds exactly.
Non-personal identification information may include the browser
name,
the type of computer and technical information about Users means of
connection to our Site, such as the operating system and the country and
default language and other similar information.
I'm not sure the differentiation between general and technical
information is necessary. Maybe simplify this a bit to:
Non-personal identification information may include the browser name,
the type of computer, operating system, country, default language, and
similar information.
Our Site uses “cookies” to enhance User experience. User’s web
browser
places cookies on their hard drive for record-keeping purposes and
sometimes to track information about them. User may choose to set their
web browser to refuse cookies, or to alert you when cookies are being
sent. If they do so, note that some parts of the Site may not function
properly.
Grammar is a bit horky here, how about:
Our Site uses “cookies” to enhance the User's experience. The User’s
web browser places cookies on their hard drive for record-keeping and
tracking purposes. The User may set their web browser to refuse
cookies, or to alert them when cookies are being sent. If they do so,
note that some parts of the Site may not function properly.
Or else rephrase it to use 'you' and 'your' instead of 'the User'.
But
either way, the document should use the address consistently throughout.
I'm betting we know more specifically what will break if cookies aren't
in use (e.g. all logged in functionality), and we could strengthen this
section by indicating a little more explicitly what will break.
How we use collected information
The "We may use ..." could be dropped and just make each item start with
"To ..." This will be more concise and readable IMHO.
How we protect your information
This section gives kind of a non-answer, "We protect your information
using great information protection methods." :-)
How are passwords handled? Are they encrypted and stored? What
encryption algorithm? Or do we just hash them and not store them?
Note here that OSUOSL runs our hardware and does administration. I
assume the Inkscape admin team also has administrative access to the
database at least; that is worth mentioning. Can the Inkscape admins
also install software to the hardware that could intercept passwords or
other personal information, or is that also limited also just to OSUOSL?
Sharing your personal information
The second sentence of this, regarding generic aggregated demographic
information, should be dropped. We don't do that nor do I think we have
any intent or plans to do that. If some day we do want to do that, then
we should rev this document and raise visibility to the effect.
Instead this could mention that information related to their user
account may be visible to other users who access the site.
Mailing Lists and Announcements
...
at the bottom of each email or User may contact us
or the User may
Also link 'contact us' to the same link as in the Contact Us section at
the bottom.
When we do, we will post a notification on the main page of our
Site,
revise the updated date at the bottom of this page.
When we do, we will post a notification on the main page of our Site
and revise the updated date at the bottom of this page.
Contact us
Note the contact us link appears not to be terminated, and is linkifying
the update date too.
Other idle thoughts, which may or may not be of relevance for this doc
but might be worth considering:
* Should we address our policy allowing use of pseudonyms in usernames?
* Are there any extra personal information implications that our voting
system brings up? I.e. might we require verifyable identification
data for voting rights?
* Sometimes we have contests or award items, for which we require a
mailing address. This doesn't need to be their home address - a
P.O. box or place of employment or a trusted third party of their
choice would be acceptable in most cases, just somewhere they can
receive packages. This is also opt-in but if they choose not to
opt-in they may be ineligible to receive the rewards.
* Board membership requires we have the person's legal name (which we
endeavor to keep private, and AFAICT don't show or store on the
website).
* Posting of other people's personal information to any public area on
our site is not permitted without that person's consent, and is cause
for revoking access and/or removing their content from the site.
* Inkscape may fund development activities or reimburse individuals for
expenses or similar. Payments for these things will require some
banking information (or postal address for sending checks), but this
information is not required by Inkscape or its administrators; instead
the User will be directed to provide it to the Software Conservancy,
who will cut the checks or conduct the money transfer directly with
the User.
* Certain services on the website permit the User to upload files
including but not limited to written text, rendered artwork (PNG,
etc.), and source artwork (SVG, etc.) It is assumed by the uploading
of the data that the intent is for it to be shared; we provide tagging
mechanisms for allowing the User to specify a license to govern the
sharing of this data. Apart from the license, no promises of
non-disclosure are provided for material uploaded to the site.
Thanks for tackling this.
Bryce