Documentation for Privacy, TOS, FAQ

[QuincyLarson]

We will use existing freeCodeCamp privacy and terms of service documents. We do want to make it so people can make their account private and delete their account. We should preferably handle these through the existing freecodecamp.org/settings page.

[chrismgonzalez]

I was just about to ask if we want to use FCCs terms on this. Looks like that’s been answered. Will add them this weekend.

[chrismgonzalez]

The FCC privacy policy is quite long. I will need to trim it down to reflect the goals of Chapter. I will definitely need some input to determine what to keep and what to drop.

[ceciliaconsta3]

Do we need to take into account CCPA updates?

[QuincyLarson]

@chrismgonzalez Our privacy policy was hand-written by a lawyer-developer who is well versed in modern web apps. We could trim it down but we should be careful about it. I recommend instead just updating the specifics slightly. Very few people read the privacy policy, but the ones who do appreciate it being comprehensive.

[allella]

Regarding privacy settings, we've touched on what privacy settings to offer for MVP.

Quincy suggested the need for at least a user-level privacy setting.

Perhaps we start out with allowing a user to be globally shown as "Private Member" or "Private Guest" to the public. However, I'd think the organizer and admin would be able to see at least the person's name and email address.

Who can see what, even when you're marked as private needs to be addressed and made pretty clear in the UI, privacy policy, and privacy-related FAQ.

[chrismgonzalez]

Got it. Good to know.

[allella]

As Quincy mentioned above, we can likely copy the fCC Privacy page and tweak it so it reflects the Chapter context.

https://www.freecodecamp.org/news/privacy-policy/

274 is dealing with how users can control notifications, but the privacy is more encompassing.

My main questions from reading the fCC privacy page are if the MVP will:

• allow for downloading data and if so, that's included?
• allow for deleting an account / user? This could have some complexity with RSVPs and such. So, would we just rename the user as "Deleted Account" and clear their name and email fields, but keep the database record so the RSVP counts and user's relationship to the Chapter are still there in an anonymous context? I assume we'd delete or else set any subscription records to false.
• be GDPR out of the box, or do we need to add specific controls or pages?
• set the privacy contact for the MVP to privacy [at] freecodecamp.com ? Or, do we need an environment variable to declare a privacy address. I'd assume we'd eventually want the privacy contact to be set by the instance owner since fCC won't be involved in most instances.
• have copies of previous versions? I guess if this were a static page in the GitHub repo, then we could link to the file in the repo for version history?

[allella]

Alright, to summarize the conversation from today related to Privacy and TOS:

• We've re-purpose the fCC blog ToC https://www.freecodecamp.org/news/terms-of-service
• We've re-purpose the fCC blog Privacy https://www.freecodecamp.org/news/privacy-policy/
• The TOS and Privacy will be shown to the user immediately after they create an account.
• We'll want to have links to the ToC and Privacy pages somewhere in the app. Are we going to have a footer, or shall we add links to the account page?
• We'll move GDPR downloading to a separate issue, but not let it hold up alpha testing, but we should probably put a note somewhere on the settings / account page showing what personal information (name, email) that is being collected
• For alpha, we'll add a button for Account Deletion requests that emails fCC support for manual deletion until we can create a more automated approach. When an account is deleted, we'll likely show something like "Deleted Member" on event pages where deleting the record would otherwise distort attendance counts and such
• Allowing organizations to tweak or write their own Terms of Service and Privacy Policies is an eventual hope, but we could have fCC testing for a long time before that's a solid concern. We'll avoid using "freeCodeCamp" in the TOS and Privacy in the event other organizations deploy an instance.
• We didn't talk about keeping versions of Terms of Service, but that's a longer term concern.

[allella]

@ojeytonwilliams I'm starting to tweak the fCC Privacy page for Chapter. Depending on how deeply integrated the authentication and profile is for the fCC instance, there are a at least a few approaches.

1) Copy the contents of the fCC Privacy Page and reword things. The main downside I see with this is if fCC's main site changes the privacy page, then we're unlikely to notice those changes, so there's also a good deal of wording about certificates and code that don't apply to Chapter, so this is still probably the best short-term option. 2) Say something like, the freeCodeCamp Privacy page will answer most of your question (Link to the fCC Privacy page) and then a smaller content section stating any additional Chapter specifics? 3) Link to the fCC Privacy page and have someone at fCC expand that page to include references to Chapter's privacy. (Probably a more long term option)

A few questions:

• I believe we're still using / requiring the fCC OAuth 2 to create an account, correct? Quincy said "Google" in the last meeting, but we've been down that road initially at his direction, and then the broader group agreed we would use magic links, and then for the MVP testing fCC decided to go with the OAuth 2. If, using fCC OAuth 2, then does that mean everyone automatically will have a https://www.freecodecamp.org/usernamehere profile page?
• I'm assuming chapter.freecodecamp.com as a sub-domain (easy enough to find a replace if that's not it)

[ojeytonwilliams]

@allella for the MVP the plan is to use Auth0 (so, yeah, OAuth2), same as https://www.freecodecamp.org/learn/. I still need to actually test it, but I'm 99% sure this will be exactly the same page for chapter, but it would redirect back to chapter.freecodecamp.org once you've confirmed your identity.

then does that mean everyone automatically will have a https://www.freecodecamp.org/usernamehere profile page?

No, at least not yet. For the foreseeable future the accounts will be separate (even though they will share the same login flow). I'd like to change that, but it's another post MVP endeavour.

chapter.freecodecamp.com as a sub-domain

chapter.freecodecamp.org, but yes.

[allella]

Posting an example of NextDoor's "Download your data" interface for future reference.

They provide a zip file of CSVs.

[ojeytonwilliams]

When https://github.com/freeCodeCamp/chapter/pull/1920 lands we'll stop redirecting to /policy after signing in. I think that's overall reasonable behaviour as it would be annoying to get redirected every time you logout and log back in again, but it does mean we have to think carefully about how to make users aware of the info that's in /policy.

[Sboonny]

it's possible to add policy as footer data, i.e:

Chapter Policy

We are using you email to link your current data, so we have to store your email. We try our best to as less data as possible in database We aren't selling your data, but we are making use of it by making chapter a better app You can delete your data at anytime and it will be removed from our database in your profile