search

solidtime-io / solidtime

Modern open-source time-tracking app
https://www.solidtime.io
GNU Affero General Public License v3.0
686 stars 32 forks source link

Question : Position regarding privacy #188

Open MaelImhof opened 5 days ago

MaelImhof commented 5 days ago

Hi there !

I discovered solidtime last week and found the app nice to use so far, but I'm now wondering : what is your stand (maintainers/developers/managers/whoever is in charge) on privacy?

In particular, on the following scale, where would you place solidtime?

  1. User privacy is a top priority for us, we intend to add end-to-end encryption and all in the future
  2. User privacy is a priority for us, but we do not intend to add end-to-end encryption, as we do not think it is necessary or worth the complexity
  3. User privacy is a good-to-have, but we might introduce some trade-offs such as Google or other third-party libraries if it saves us time and effort
  4. Unfortunately we need user data to finance the project, so being privacy-friendly is not a priority nor a real option for us
  5. We are an evil corporation and our goal is to be as privacy-not-friendly as possible

Let me know what is your stand about this, thank you for your time and for your wonderful work with this app so far !

Onatcer commented 4 days ago

Hi, first of all, I'm glad you like the app so far.

I'll try to address the concerns mentioned on behalf of the maintainers of solidtime (@korridor and me). If there is something I didn't cover feel free to follow up with a comment.

End-to-end encryption is nothing we can do feasibly because of how solidtime works. The main reasons being

  1. We do a lot of aggregation and filtering in the API/backend, so the backend has to be aware of the data in the database
  2. solidtime heavily focuses on team and collaboration support, so the data has to be shared between those different users, and the users who have access to it can also change over time.

If you want to have all data under your control, you can self-host it on your infrastructure. We are aware that this is a concern for some companies, and this is one of the main reasons solidtime is open source and provides self-hosting guides. If you want the same level of support you get with solidtime cloud you can contact us for enterprise support plans.

We do not include third-party services by default in the self-hosted version, but there are ways to integrate them with third-party services (like mail providers or S3-compatible cloud storage providers). We plan to add more integrations; by the nature of integrations, they will interact with third-party services.

For solidtime cloud, we use analytics and error-tracking tools to find and fix bugs quickly. All our services are hosted in Europe, and we try to keep them as minimal as possible.

User privacy is a good-to-have, but we might introduce some trade-offs such as Google or other third-party libraries if it saves us time and effort

I am unsure what "third-party libraries" you refer to here. Yes, we use Frameworks and Libraries, mainly Vue and Laravel, in the backend and frontend, but there should be no privacy concerns about them.

In conclusion, we want to give users of solidtime the privacy that they need. This is why we offer solidtime not only as a SaaS application but also On-Premise. No matter how you use Solidtime, you can be sure that we are always looking for the most privacy-friendly way to run the service, but for some functionalities (like integrations), it is simply not possible to have them work without external services. Also, solidtime cloud is hosted in Europe, on EU-based cloud providers and only uses Services hosted in Europe to ensure the privacy of our users.

We do not sell user data for monetization; our plan is to fund the development by selling subscriptions on solidtime cloud and support plans for on-premise enterprises.