Privacy Policy #69

Open
tylerjohneddy opened this issue May 21, 2021 · 19 comments
Labels: enhancement, help wanted

Comments

@tylerjohneddy
Contributor

Should include all data we collect and what we will do with it, and how to request that we delete it in accordance with GDPR.

@adder-gntl

https://app.privacypolicies.com/wizard/privacy-policy helps build from standard templates.

@sudoebm

sudoebm commented May 25, 2021

I can look deeper into this. Do we plan on collecting any PII from users for a KYC or are we just sticking with email address?

@BKdilse
Collaborator

BKdilse commented May 25, 2021

@sudoebm I believe just email address for now. I don't see a need for further information.

BKdilse added the help wanted label May 25, 2021

@tylerjohneddy
Contributor Author

Possibly IP address &| locale for security and user experience

@bennytehcat
Collaborator

Would locale need to be logged though and tied to their account, or simply a token from the browser to set timestamps correctly?

@tylerjohneddy
Contributor Author

Honestly not sure what info I can pull through the browser yet; from the little reading I have done, locale != timezone.

@bennytehcat
Collaborator

Sorry, vocab mix-up. Yes, locale and IP would be useful. We should only log the most recent instance so the user can compare it to their current info, no need to keep a detailed log. "Your last login was from [IP] located in [locale], if this appears incorrect please contact support immediately."

@tylerjohneddy
Contributor Author

As an email or notification on webpage?

@sudoebm

sudoebm commented May 25, 2021

> Possibly IP address &| locale for security and user experience
>
> Would locale need to be logged though and tied to their account, or simply a token from the browser to set timestamps correctly?

My research so far is telling me that it is lawful under GDPR Article 6 to log IP address information for the purpose of security.

> (f) Processing is necessary for **the purposes of the legitimate interests pursued by the controller** or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

This can also be solved with an overall consent agreement.

> (a) the data subject **has given consent** to the processing of his or her personal data for one or more specific purposes;

The other points don't apply to us as a whole. We also only need to satisfy one of these points.
Notably point (a) has more specific stipulations regarding children.

There is a lot more to unpack from this monster of a law, but I'll be working on it and likely draw up a more detailed Privacy Policy and terms of service for @BKdilse's review.

@bennytehcat
Collaborator

bennytehcat commented May 25, 2021

I wrote up the last set of changes to the ToS, I'll turn it into a google doc and shoot you a link. There are some edits I want to make to the wording.

@sudoebm

sudoebm commented May 26, 2021

Do we use flash cookies?

@tylerjohneddy
Contributor Author

tylerjohneddy commented May 26, 2021

@sudoebm the only cookie I am using is for the sessionid

@BKdilse
Collaborator

BKdilse commented May 26, 2021

The Dark/Light mode also uses a cookie, to store what mode has been selected.

@sudoebm

sudoebm commented May 27, 2021

We are supposed to have 2 ways for a user to make data inquiries or data deletion requests. Do we want to make a form fillable webpage? The other options would be PO box or phone number. The Support email fulfills the 2nd requirement.

@tylerjohneddy
Contributor Author

I think a fillable form, at least that could be automated in the future

@BKdilse
Collaborator

BKdilse commented Jun 8, 2021

Draft policy added: https://exchange.gntl.co.uk/pages/privacy.html

BKdilse added the enhancement label Jun 8, 2021

@sudoebm

sudoebm commented Jun 8, 2021

Privacy Policy.docx
This is the draft @bennytehcat and I have been working on. If you have any input.

@BKdilse
Collaborator

BKdilse commented Jun 15, 2021

@sudoebm policy looks good.

bennytehcat self-assigned this Jun 17, 2021