Look into ToS & related legalish stuff

glowfic-constellation / glowfic

The Glowfic Constellation

https://www.glowfic.com

MIT License

16 stars 10 forks source link

Look into ToS & related legalish stuff #602

Open Throne3d opened 6 years ago

Throne3d commented 6 years ago

Get a ToS? Notify users when it's updated, perhaps block writing on the site until it's agreed to but perhaps just have a term that we'll make a reasonable effort to notify of changes and then do it by email / in-site notification?
Check our handling of private data? (UK has Data Protection Act, EU has similar laws – GDPR? – do we need to alter anything to ensure we comply?)
Cookie banner?

Marri commented 6 years ago

More things we may need:

Privacy policy, goes with ToS. Require agreement at sign up, block-to-backfill-agreement for existing users.
Maaaaybe encrypt email addresses?
There's a Right to Erasure thing that looks interesting under the GDPR, but that might be as simple as "we allow you to request a dev/mod detaches your email address from your account", it's not like an email address is required functionality. (UI required, sure, but nothing would break except notifications.)

Throne3d commented 6 years ago

To comply with the GDPR, we need to have several things. I can probably come up with a more exhaustive list than this, but:

A list of data we gather, and why
The whole privacy policy written in plain English
Who they should contact in the event we have some erroneous data gathered about them
Who they can appeal to should we fail to respond promptly to requests like this
Right to erasure (need to figure out what's up with that: https://www.google.com/amp/s/blog.vanillaforums.com/community-answers-to-common-questions-about-gdpr-community-forums%3fhs_amp=true)
Anything third-party (like NewRelic?) might need to be consented to

We should also do this ASAP since GDPR went active back in May, iirc.

Marri commented 5 years ago

Leaving open for now despite #919 existing because I have not yet confirmed GDPR compliance

l1n commented 3 years ago

This is marked crit, what is needed to actually confirm GDPR compliance?

Throne3d commented 9 months ago

I think we're compliant enough at this point - we have clear consent + clear explanations of how we use data in our privacy policy (linked from the TOS) and we have a feature to be able to delete a user account on request. https://www.glowfic.com/privacy

AIUI these are our main obligations