If you’ve been on the Internet at all in the past few weeks, you’ve likely been bombarded by e-mails from every service you’ve ever used telling you that they’ve updated their privacy policy.
Yes, we’ve updated ours too, but we want to talk to you about how we manage your data, the greater picture of privacy on the Internet, the European Union’s new GDPR legislation, and why this all matters to you, no matter where you are in the world.
GDPR: A new standard for privacy
On May 25th, the GDPR (General Data Protection Regulation) goes into effect in the EU. It gives users there an unprecedented level of control and insight into their personal information. Amongst other things:
- People must be able to change, delete, or request copies of their personally identifiable information
- Companies need a valid legal basis for the usage of that information (which may require getting consent for that use)
- Handing that data off to third-parties also requires a legal basis, and must be documented in a privacy policy
- That privacy policy must be able to be read and understood without a law degree
You must admit, that’s pretty nice. Though companies are not required to give these rights to non-EU residents, many (including us) are treating this as a new global standard.
Some parts of the GDPR are a bit vague and not all companies see eye-to-eye on the level of control you should have. We’re hoping our approach goes above and beyond.
Our new privacy guarantees
We’ve always collected as little data as needed. We don’t need much, except to provide services to you, to aid in team communication, and to make use of third-party services we trust who help us run our business and provide support to you.
Still, under the GDPR, there was more for us to do. So here’s what we’re promising:
- We’ll continue to only collect what we strictly need, and to document it clearly in our Privacy Policy.
- We’ll continue to give you control of your data, and handle deletion and alteration requests, as we always have.
- We’ve updated our services to request your consent (and give you full control over it at any time) for any optional usage of your personal information, and any usage we strictly require to run our services effectively will be clearly documented.
- We’ve never sold your information and never will.
- We’re extending the rights granted by the GDPR to all users of our products, everywhere.
- If you ever have any questions or concerns about your data, we’re always here to help.
To help, we’ve built a whole new privacy-focused framework in Djblets to help with privacy guarantees and consent requests. All our software will be using this and we’ll be encouraging Review Board extension authors to use it. We’ll talk about this in more detail in an upcoming post.
What to expect by May 25th
Our Privacy Policy is up now, and will take effect on May 25th, 2018.
We’ll be activating the enhanced privacy support on RBCommons, reviewboard.org, reviews.reviewboard.org, and Splat in time for the 25th. If you’re a user on these, the next time you connect you’ll be asked to accept the Privacy Policy and to allow or block usage of your information for some services.
We’ll also be releasing Review Board 3.0.7 and Djblets 1.0.6, which are privacy-enhanced, optionally allowing for Terms of Service and Privacy Policy URLs and GDPR-compliant consent functionality. Many servers may not need this, but it’ll be available for those that do.
If you want to change, delete, or request any of your personal information from our servers, or want more information on all this, reach out to us at any time and we’ll help. You don’t need to wait for May 25th.