diff --git a/.github/workflows/browserslist.yml b/.github/workflows/browserslist.yml new file mode 100644 index 00000000..f7b4a431 --- /dev/null +++ b/.github/workflows/browserslist.yml @@ -0,0 +1,39 @@ +name: Update Browserslist database +on: [push] +permissions: + contents: write + pull-requests: write +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Configure git + run: | + # Setup for commiting using built-in token. See https://github.com/actions/checkout#push-a-commit-using-the-built-in-token + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + - name: Cache node modules + uses: actions/cache@v2 + env: + cache-name: cache-node-modules + with: + path: ~/.npm + key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-build-${{ env.cache-name }}- + ${{ runner.os }}-build- + ${{ runner.os }}- + - uses: actions/setup-node@v1 + with: + node-version: '22' + - run: npm install + - name: Update Browserslist database and create PR if applies + uses: c2corg/browserslist-update-action@v2.4.0 + with: + github_token: ${{ github.token }} + commit_message: 'chore: update Browserslist db' + title: 'Update Browserslist database' + body: 'Auto-generated by `.github/workflows/browserslist.yml` using c2corg/browserslist-update-action' + labels: 'dependencies,fast tracked,process,size/XS' + reviewers: 'doamatto' diff --git a/CONTRIBUTORS.toml b/CONTRIBUTORS.toml index c5d94946..e47a818f 100644 --- a/CONTRIBUTORS.toml +++ b/CONTRIBUTORS.toml @@ -20,6 +20,12 @@ email = "heyy@maatt.fr" [kulchynska] +[vkeerthivikram] +name = "V Keerthi Vikram" +website = "https://bio.vkvikram.com" +github = "vkeerthivikram" + + [YuriiStasiuk] [UnKnOwN] @@ -181,6 +187,12 @@ github = "davidbernau" [kelplover] +[ausernameisnotavailable] +github = "ausernameisnotavailable" + +[bcbee] +github = "bcbee" + [ItsIgnacioPortal] name = "Ignacio Portal" website = "https://itsignacioportal.github.io/" @@ -190,4 +202,24 @@ email = "5990@protonmail.com" [loviuz] name = "Loviuz" website = "https://loviuz.me" -github = "loviuz" \ No newline at end of file +github = "loviuz" + +[SimplyUnknown] +name = "SimplyUnknown" +github = "simplyknown" + +[smspool] +name = "SMSPool" +website = "https://www.smspool.net" +github = "smspool" + +[opile8] +name = "Ollie Pile" +github = "opile8" + +[maximbelyakov] +name = "Maxim Belyakov" +github = "maximbelyakov" + +[Anon-sec] +github = "Anon-sec" diff --git a/icons/bitwarden.svg b/icons/bitwarden.svg new file mode 100644 index 00000000..23e86135 --- /dev/null +++ b/icons/bitwarden.svg @@ -0,0 +1,18 @@ + + + + + + + diff --git a/icons/ente.png b/icons/ente.png new file mode 100644 index 00000000..b6c8427b Binary files /dev/null and b/icons/ente.png differ diff --git a/icons/id-me.png b/icons/id-me.png new file mode 100644 index 00000000..fe40a834 Binary files /dev/null and b/icons/id-me.png differ diff --git a/icons/kagi.png b/icons/kagi.png new file mode 100644 index 00000000..612d5102 Binary files /dev/null and b/icons/kagi.png differ diff --git a/icons/nebula.png b/icons/nebula.png new file mode 100644 index 00000000..f8bac5fb Binary files /dev/null and b/icons/nebula.png differ diff --git a/icons/omny.png b/icons/omny.png new file mode 100644 index 00000000..aa59ec34 Binary files /dev/null and b/icons/omny.png differ diff --git a/icons/protonmail.png b/icons/protonmail.png index 7a132eda..04154753 100644 Binary files a/icons/protonmail.png and b/icons/protonmail.png differ diff --git a/icons/protonvpn.png b/icons/protonvpn.png index 9edbc7e6..f5682eee 100644 Binary files a/icons/protonvpn.png and b/icons/protonvpn.png differ diff --git a/icons/smspool.png b/icons/smspool.png new file mode 100644 index 00000000..d2d55e54 Binary files /dev/null and b/icons/smspool.png differ diff --git a/icons/stripe.png b/icons/stripe.png new file mode 100644 index 00000000..083ff2c7 Binary files /dev/null and b/icons/stripe.png differ diff --git a/icons/sumo-scheduler.png b/icons/sumo-scheduler.png new file mode 100644 index 00000000..fc56db25 Binary files /dev/null and b/icons/sumo-scheduler.png differ diff --git a/icons/tuta.jpg b/icons/tuta.jpg new file mode 100644 index 00000000..6173e7fc Binary files /dev/null and b/icons/tuta.jpg differ diff --git a/icons/twitter.png b/icons/twitter.png index 4b5d28ee..a1ed8fbc 100644 Binary files a/icons/twitter.png and b/icons/twitter.png differ diff --git a/icons/zoho.png b/icons/zoho.png new file mode 100644 index 00000000..cfdf0f88 Binary files /dev/null and b/icons/zoho.png differ diff --git a/package-lock.json b/package-lock.json index 064c21f7..7c6fbb7d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -21,7 +21,6 @@ "@types/node": "^22.5.0", "a17t": "^0.10.1", "autoprefixer": "^10.2.6", - "babel-jest": "^29.7.0", "del": "^5.1.0", "dotenv": "^8.2.0", "gulp": "^5.0.0", @@ -36,7 +35,7 @@ "hbl-urls": "^0.1.0", "image-size": "^0.8.3", "lunr": "^2.3.9", - "postcss": "^8.2.10", + "postcss": "^8.4.31", "postcss-import": "^14.0.2", "postcss-scss": "^3.0.5", "simple-git": "^3.16.0", diff --git a/package.json b/package.json index 25bef8bd..66cc60ec 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,6 @@ "@types/node": "^22.5.0", "a17t": "^0.10.1", "autoprefixer": "^10.2.6", - "babel-jest": "^29.7.0", "del": "^5.1.0", "dotenv": "^8.2.0", "gulp": "^5.0.0", @@ -34,7 +33,7 @@ "hbl-urls": "^0.1.0", "image-size": "^0.8.3", "lunr": "^2.3.9", - "postcss": "^8.2.10", + "postcss": "^8.4.31", "postcss-import": "^14.0.2", "postcss-scss": "^3.0.5", "simple-git": "^3.16.0", diff --git a/products/bitwarden.toml b/products/bitwarden.toml new file mode 100644 index 00000000..9cbb730f --- /dev/null +++ b/products/bitwarden.toml @@ -0,0 +1,98 @@ +name = "Bitwarden" +description = "Bitwarden is a free and open-source password management service." +slug = "bitwarden" +hostnames = ["bitwarden.com"] +sources = ["https://bitwarden.com/privacy/"] +contributors = ["Deivedux"] + +[rubric.behavioral-marketing] +value = "yes-opt-out" +citations = ["Bitwarden respects your email communications and marketing preferences. If you prefer not to receive product release notes communications or promotional email messages (such as product updates, security alerts, marketing, events, training and certifications) from Bitwarden, you can unsubscribe from Bitwarden email marketing by following the unsubscribe link located at the bottom of each promotional email, or Contact Us. Note: Please allow five (5) business days to be removed from all email communications."] +notes = ["While their website prompts the optional cookie settings to all new visitors, email marketing is still enabled by default."] + +[rubric.data-breaches] +value = "no" +notes = ["No data breach protocol is found in the policy."] + +[rubric.data-collection-reasoning] +value = "mostly" +citations = [ +""" +Bitwarden may use the Personal Information collected by the Site to provide you with services, to accomplish our business purposes and to fulfill other legal obligations, including: + +- To provide you services that you request, such as when we: + - Respond to your requests for information about our products, services, training and events; + - To enable your access and use of the Site, and to enable you to communicate, collaborate, and share information with those you designate; + - To send you technical notices, updates, security alerts, and support and administrative messages; +- For our business purposes we have a legitimate interest, when we: + - Operate the Site; + - Administer your account if you have registered on the Site, including billing and payment; + - Send marketing, advertising, training, certification or event materials to which you've agreed, requested or subscribed or to otherwise inform you about our products and services; +- Apply information security policies and controls on the Site, including overall Site integrity, identity management and account authentication; +- For research and development to improve the Bitwarden Service, Site and other Bitwarden services; +- Perform other general business management and operations purposes, such as to provide, operate, maintain, make modifications to protect and improve the Site. +- To fulfill legal obligations, including: +- Legal compliance, such as to enforce our legal rights, to comply in good faith with applicable laws, and to protect users of the Site or Service. +- For other purposes about which we notify you and, where relevant or required, give you choice about the new purpose.""" +] + +[rubric.data-deletion] +value = "yes-contact" +citations = ["We enable you to access, correct, and delete your account with the Bitwarden Service at any time. If you would like to request assistance with accessing, correcting, or deleting your Personal Information, please submit your request to us by email at privacypolicy@bitwarden.com. We will verify these requests and respond to you in accordance with our legal obligations, which typically means forwarding your request to the licensed administrator (in your organization) of your Bitwarden account for review."] + +[rubric.history] +value = "last-modified" +citations = ["Last revised APRIL-2024"] + +[rubric.law-enforcement] +value = "reasonable" +citations = ["We believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or lawful government request, including in connection with national security or law enforcement requirements. This may include disclosures: to respond to subpoenas or court orders; to establish or exercise our legal rights or defend against legal claims; or to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Agreement, or as otherwise required by law. In each case, we will make reasonable efforts to verify the validity of the request before disclosing your Personal Information."] + +[rubric.list-collected] +value = "generally" +citations = [ +"Bitwarden processes two kinds of user data to deliver the Bitwarden Service: (i) Vault Data and (ii) Administrative Data.", +"Vault Data includes all information stored within accounts to the Bitwarden Service, including but not limited to login credentials, attachments including photos, videos, images and other files, and may include Personal Information. If we host the Bitwarden Service for you, we will host Vault Data. Vault Data is encrypted using secure cryptographic keys under your control. Bitwarden cannot access Vault Data.You may add, modify, and delete Vault Data at any time.", +"Bitwarden obtains Personal Information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service such as names, emails address, phone and other contact information for users of the Bitwarden Service and the number of items in your Bitwarden Service account (\"Administrative Data\"). Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies.", +""" +When you use the Site or communicate with us (e.g. via email) you will provide, and Bitwarden will collect certain Personal Information such as + +- Name +- Business name and address +- Business telephone number +- Email address +- IP-address and other online identifiers +- Any customer testimonial you have given us consent to share. +- Information you provide to the Site's Interactive Areas, such as fillable forms or text boxes, training, webinars or event registration. +- Information about the device you are using, comprising the hardware model, operating system and version, unique device identifiers, network information, IP address, and/or Bitwarden Service information when interacting with the Site. +- If you interact with the Bitwarden Community or training, or registered for an exam or event, we may collect biographical information and the content that you share. +- Information gathered via cookies, pixel tags, logs, or other similar technologies.""" +] + +[rubric.noncritical-purposes] +value = "opt-out-all" +notes = ["Bitwarden relies on users' cookie settings for the use of their non-critical personal data."] + +[rubric.revision-notify] +value = "yes" +citations = ["If we make any material changes, we will notify you by email (sent to the email address specified in your account registered with the Site or Bitwarden Service) or by means of a notice on the Site or Service."] + +[rubric.security] +value = "yes-independent-audits" +citations = [ +""" +The security of your Personal Information is important to us. Your data, including Personal Information, is never sent to the Bitwarden cloud servers without first being encrypted on your local device using AES 256 bit encryption. In addition, Bitwarden encrypts the transmission of that information using secure socket layer technology (SSL). + +We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once it is received. You acknowledge and agree that no Internet or email transmission is ever fully secure or error free. You agree to take special care in deciding what information you send to us via email. If you have any questions about the security of your Personal Information, you can Contact Us.""" +] +notes= [ + "Bitwarden is SOC2 and SOC3 certified and HIPAA compliant. More information about their audit history and compliance can be found at bitwarden.com/compliance" +] + +[rubric.third-party-access] +value = "yes-specified-noncritical" +notes = ["A list of subprocessors can be found at bitwarden.com/help/subprocessors. The privacy policy mentions only Google Analytics is mentioned as an example for their collection of Analytics Data."] + +[rubric.third-party-collection] +value = "no" +notes = ["No data found to be collected from third-parties."] diff --git a/products/ente.toml b/products/ente.toml new file mode 100644 index 00000000..90438ead --- /dev/null +++ b/products/ente.toml @@ -0,0 +1,82 @@ +name = "Ente" +description = "Ente is an end-to-end encrypted, open-source cloud storage service for photos and videos." +slug = "ente" +hostnames = [ "ente.io" ] +sources = [ "https://ente.io/privacy" ] +contributors = [ "vkeerthivikram" ] + +[rubric.behavioral-marketing] +value = "no" +citations = [ "We do not sell your personal information, nor do we intend to do so." ] + +[rubric.data-breaches] +value = "yes-72" +citations = [ "In the event of a personal data breach, we will notify you within seventy-two (72) hours via email." ] + +[rubric.data-collection-reasoning] +value = "yes" +citations = [ + "We collect and store only the bare minimum amount of information necessary to fulfill our role as a service provider.", + """ + We use the information that you provide to: + Provide our Services that you contract for when you agree to our Terms and Conditions ("Terms"); + Communicate with you in accordance with this Privacy Policy and ourTerms; + Maintain and improve our systems and Services; + Ensure your account's security and mitigate attacks; + Carry out obligations and enforce rights arising from contracts entered into between you and us, including billing and collection; + Control access permissions to your Files and your account; + Remove deleted files from users who might have already downloaded them; + Notify you about changes to our Services; and + Anonymize data and aggregate data for statistics. + """ +] + +[rubric.data-deletion] +value = "yes-contact" +citations = [ + "To make any of the aforementioned requests, please contact our Data Privacy Officer, Manav Rathi at dpo@ente.io, or contact us in accordance with Section 17.", + "After account termination, we may retain your Data for sixty (60) days, or as warranted by your jurisdiction (\"Retention Period\"), unless an enforcement action is likely under ourTerms. If there is no enforcement action likely or commenced and Retention Period has expired, your Data that identifies you will be anonymized." +] +notes = [ + "While the privacy policy does not explicitly state that users can automatically delete their data, there is a delete account button in the app settings." +] + +[rubric.history] +value = "last-modified" +citations = [ "Last Updated: Sep 25, 2024" ] + +[rubric.law-enforcement] +value = "strict" +citations = [ "We will disclose personal information (i) to comply with any court order, law, or legal process, including to respond to any government or regulatory request" ] + +[rubric.list-collected] +value = "exhaustively" +citations = [ + "Information you Provide: At the time of registration, or through your use of our Services, you will provide us with 1. Your email address; 2. Referral details including referrers and people you have referred; 3. Email addresses you choose to share your Files with; 4. Our Communications with you and records or copies of such communications; 5. Other personal information you provide to us for support purposes, bug reports, newsletters, surveys, sweepstakes, product feedback, or via forms.", + "Information we automatically collect: 1. Public keys; 2. Anonymized crash reports; 3. Server logs; 4. Device identifiers including information about your internet connection, IP address and user agent details; 5. Takedowns and account suspension history.", + "Other Instances: We may keep your Files after your account has been suspended or terminated where we consider it necessary for evidential purposes relating to a breach of our Terms or with respect to current or anticipated action by any competent enforcement authority or other third party." +] + +[rubric.noncritical-purposes] +value = "na" +notes = [ "There is no mention of non-critical purposes for collecting data in the privacy policy." ] + +[rubric.revision-notify] +value = "no" +citations = [ "We will update this privacy policy as needed so that it is current, accurate, and as clear as possible. Your continued use of our Services confirms your acceptance of our updated Privacy Policy." ] + +[rubric.security] +value = "somewhat" +citations = [ "We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. Specifically (a) all information you provide to us is stored on our secure servers behind firewalls, (b) our website and app use an SSL certificate, receive regular security scans, penetration tests and regular malware scans; (c) we require username and passwords for our employees who can access your personal information that we store and/or process, and (d) we actively prevent third parties from getting access to your personal information that we store and/or process." ] +notes = [ "While Ente has undergone third-party security audits (by Cure53 and Fallible), it's been awhile since their last audit (Feb 2023). You can view more information about the audits on their blog: https://ente.io/blog/cryptography-audit/" ] + +[rubric.third-party-access] +value = "yes-specified-critical" +citations = [ + "We do not sell, trade, rent, or otherwise transfer personal information to others, unless we provide you with advance notice. There are times when Personal Information that you have shared with us may be shared by Ente with others to enable us to provide you over Services, including contractors, service providers, and third parties (\"Partners\") and subsidiaries.", + "Ente uses the following third-party service providers for the provision of services as detailed under the Terms, as applicable: Apple, Google, Stripe, BitPay, PayPal, Scaleway, Backblaze, Cloudflare, Amazon, Hetzner, FeatureMonkey, Simple Analytics, Zoho, Grafana, Open Street Maps" +] + +[rubric.third-party-collection] +value = "critical-only" +citations = [ "We collect payment invoices provided to us by our third-party payment processors, which includes details of your Subscription Plan and any payments made by you in favor of Ente in order to receive Services from us. We do not collect or store any credit cards or bank information." ] diff --git a/products/epic-games.toml b/products/epic-games.toml index 8537e2ba..4726a0ca 100644 --- a/products/epic-games.toml +++ b/products/epic-games.toml @@ -3,83 +3,91 @@ description = "Epic Games is an American game development company." slug = "epic-games" hostnames = [ "epicgames.com" ] sources = [ "https://www.epicgames.com/site/privacypolicy/" ] -contributors = [ "milesmcc", "yaagesoft" ] +contributors = [ "milesmcc", "yaagesoft", "bcbee" ] [rubric.behavioral-marketing] value = "yes" citations = [ - "To support our legitimate interests, consistent with your rights and preferences, we use personal information:\n[...]\nTo manage and customize advertisements or promotional offers." + "7B. Epic does not sell the personal information we collect. We do, however, disclose personal information as described in this policy (see “How Do We Share Information?” above).", +] +notes = [ + "Epic Games' targeted marketing is ONLY within their ecosystem. They do not sell or share personal data with third parties." ] [rubric.security] value = "somewhat" citations = [ - "We maintain appropriate administrative, technical, and physical safeguards to protect your personal information from accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use and other unlawful forms of processing. In some cases, your information is accessible when you log into a feature we offer, and in those cases you need to keep your user credentials and password confidential and secure so that your information is protected. " + "8. SECURITY\nWe maintain appropriate administrative, technical, and physical safeguards to protect your personal information from accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use and other unlawful forms of processing. In some cases, your information is accessible when you log into a feature we offer, and in those cases you need to keep your user credentials and password confidential and secure so that your information is protected.", ] [rubric.third-party-collection] -value = "yes" +value = "critical-only" citations = [ - "In some cases, other parties provide us with information about you, or allow us to collect information about you. We generally collect information from other parties in four ways: (1) you access the Epic services using a website or device that is not controlled by us, such as a game console or social network, (2) you choose to use a social feature of the Epic services, (3) you purchase one of our games or applications from another party, or (4) you use Epic services that contain or require anti-cheat services from other parties. In some cases, we are not able to control the amount or type of information that other parties like social networks, make available to us. In those cases, we use only the data that we need to provide the types of services we think our users want and expect. Although we cannot control your privacy settings at those websites or how those other parties protect your privacy, once we receive information about you through those websites, we will treat it in accordance with this policy." + "2C. Information We Collect from Other Sources\nIn some cases, we may also receive information about you from service providers and third parties in connection with your use of the Epic Services or your interactions with us on other platforms.\n\nFor example, some other developers allow you to use your Epic account to log in to their service. And if you choose to link your Epic account with your account on a third-party social media (like Facebook), gaming (like Steam), or other similar website or service, or if you interact with an ad for one of the Epic Services on an external website or service, the company that operates that website or service may share some information with Epic in accordance with their own privacy practices. Your privacy settings on the other company's website or service typically control the specific types of information they can share with Epic, so please be sure to review and update them regularly. Common examples for linked accounts might include your third-party account display name and user ID, as well as associated device information, name, and email address. For participants in our Support-a-Creator program, we may also collect the number of social media account followers you have for program eligibility purposes.\n\nYou can also buy, download, or access some Epic Services on or through services operated by third parties. If you do, they may provide us with information to facilitate your access to and use of the Epic Services. This typically includes information like your display name, user ID, and device and region information. For example, you can choose to download and play games like Fortnite on gaming consoles (like PlayStation®, Microsoft Xbox, and Nintendo Switch) through your gaming console account. When you do, the company operating that platform or service may share some information with us, which helps us do things like facilitate your gameplay and track your progression and entitlements.", ] notes = [ - "There is no guarantee that the data collected is used for only non-critical purposes." + "Epic Games only collects data from service providers that is essential for core experiences. Where Epic Games does collect from third parties, it is connected to engagement with Epic Games' products/services.", ] [rubric.history] value = "last-modified" citations = [ - "This policy may be updated periodically to reflect changes in our personal information practices or relevant laws. We will indicate at the top of this policy when this policy was last updated. Please review this policy every time you access or use the Epic services to make sure that you have reviewed the most recent version." + "We'll update this policy from time to time to reflect changes in our practices or relevant laws. When we do, we'll change the date noted at the top of the policy. In some cases we may also notify you of the relevant changes by email or within the Epic Services. Please review this policy regularly to make sure that you understand your relationship with Epic and the ways we may collect, use, and share information in connection with the Epic Services." ] [rubric.data-deletion] -value = "no" +value = "yes-contact" citations = [ - "If you are located in the EU or Epic entities located in the EU process your personal information, then we will provide you with the ability to request access to and correction or deletion of your personal information." + "6. YOUR CHOICES AND CONTROLS\nYou can request that we provide access to, or that we correct or delete, personal information we've collected from you. Please submit requests to access, update, or delete personal information associated with your Epic account by reaching out to us as described in “Contact Us” below. Note that we may ask you for additional information to help us verify who you are before completing your request.", ] notes = [ - "There is no guarantee that this functionality is provided for users outside of the EU." + "Epic Games does allow users to delete their own data via automated mechanism when logged into their account: https://www.epicgames.com/help/en-US/epic-accounts-c5719348850459/general-support-c5719341353627/how-do-i-delete-my-epic-games-account-a5720271610651. Epic Games also provides player support to assist with deletion if the user is unable to complete the self-service process.", ] [rubric.data-breaches] value = "no" -notes = [ "Is not mentioned" ] +notes = [ + "No mention." +] [rubric.third-party-access] value = "yes-unspecified" citations = [ - "We may share personal information we collect with Epic Games, Inc. subsidiaries to support the Epic services worldwide. We also will share information with service providers that perform services on our behalf and under our instructions. These service providers are not authorized by us to use or disclose the information except as necessary to perform services on our behalf or comply with legal requirements. We also may share certain limited information, such as device identifiers, with advertisers and other marketing partners for purposes of gauging the effectiveness of advertising and other marketing strategies." + "4. HOW DO WE SHARE INFORMATION?\nWe may share some of the information we collect to help operate and improve the Epic Services. Depending on how you interact with us, common examples might include sharing:\n\nWith console and platform partners (for example, to facilitate gameplay when you access the Epic Services through a third-party console provider);\nWith other game developers (such as to enable features for games you acquire through the Epic Games Store);\nWith other users (like if you use social features such as chat);\nPublicly (for example, your display name, content you create or share, basic game statistics, and other similar information may be generally accessible to others);\nWith service providers that operate on our behalf to help support the Epic Services in accordance with our instructions (for example, cloud storage providers, payment processors, or marketing and advertising partners);\nWhen we believe we must in order to comply with the law or to protect you, Epic, or others (for example, in response to court order or subpoena, as part of an investigation of fraud or other illegal activity, or violation of our terms or policies, or if necessary to protect others from death or serious harm to body or property);\nWith other Epic entities (including to help provide support for the Epic Services internationally);\nIn connection with certain types of corporate transactions (like in the event of a restructuring or the sale of all or a significant part of our business); and\nWith your permission (for example, if you link external accounts with your Epic account, or use your Epic account to sign in to third-party games and services or participate in cross-promotional events).\n\nWe may also share information that does not identify you with third parties, including aggregate or de-identified information.\nThird parties you interact with through Epic Services may have different privacy practices than Epic, so we encourage you to review their privacy policies before sharing your information with them.", +] +notes = [ + "Where Epic Games provides third party data that is outside service providers, it only does so with the users' consent", ] [rubric.data-collection-reasoning] -value = "somewhat" +value = "mostly" citations = [ - "The type of information that we automatically collect may vary, but generally includes:\n\n- Technical information about your computer, device, hardware, or software you use to access the Internet or our services, such as IP address or other transactional or identifier information for your device (such as device make and model, information about device operating systems and browsers, or other device or system related specifications)\n\n- Usage information and statistics about your interaction with the Epic services, which may include the URLs of our websites that you have visited, URLs of referring and exiting pages, page views, time spent on a page, number of clicks, platform type, the application you used or the game you played, how long you used or played it and when, and other usage statistics\n\n- Crash reports, which may be automatically generated when a game or application crashes and includes information about your system and the crash\n\n- Information that facilitates a safer and more personalized experience, such as your display name or other user identification provided in connection with your application use or game play, saved preferences, game progress, and device identifiers or usage information for authentication and fraud prevention purposes\n\n- The location of your device, such as may be derived from your device’s IP address" + "3. HOW DO WE USE INFORMATION?\nAs a general matter, we use the information we collect (either individually or in combination with other information collected as described in this policy) to help us provide, improve, customize, analyze, and promote the Epic Services.\n\nThis includes using it for purposes such as:\n\nCreating, verifying, and managing user accounts and features;\nProviding the Epic Services, as well as support and assistance for them, including by responding to inquiries, processing transactions or requests, and communicating with users (such as by sending service and account-related messages and updates);\nDeveloping, delivering, and improving the Epic Services and other offerings, some of which may be offered in partnership with other parties;\nPersonalizing your experience, including by presenting content or features better tailored to you or your interests, or our inferences about your interests (for instance, if you frequently play games in a certain genre, we may infer that you'd be interested in that genre and suggest similar games to you);\nPromoting the Epic Services, including managing, customizing, and measuring the effectiveness of our advertisements, promotional offers, surveys, and events;\nManaging alpha, beta, or early access tests (and collecting feedback);\nConducting data analytics (like analyzing how the Epic Services are used so we can better understand, improve, and personalize them);\nComplying with our legal or contractual obligations and enforcing our terms; and\nSecuring the Epic Services, such as by detecting fraud and otherwise protecting Epic and other users from illegal or harmful actions.\nWe may also process information that does not identify you individually, including aggregate or de-identified information that we create or collect from other sources. This information helps us better understand larger groups of users. If we combine this information with information that identifies you, we will treat it as described in this privacy policy. But please note that this privacy policy does not restrict our ability to process information that does not individually identify you, and we may use and disclose aggregated or de-identified information for any reason permitted by law.", ] [rubric.noncritical-purposes] value = "opt-out-some" citations = [ - "We provide you with choices about whether to provide us with personal information and whether it is shared. For example, we may seek your prior consent for certain processing. We are required to seek your consent before we use your personal information for any purpose incompatible with the purposes identified in this policy. You may withdraw your consent at any time by sending an email as specified in the “How to Contact Us” section below. Any withdrawal of consent is only effective on a going-forward basis and will not impact processing we undertook while relying on your consent." + "6. YOUR CHOICES AND CONTROLS\nWe seek to provide you with meaningful choices about the personal information we collect. The specific choices available to you often vary depending on the exact nature of our relationship with you, such as the Epic Services you use. Common examples include:\n\nYou can request that we provide access to, or that we correct or delete, personal information we've collected from you. Please submit requests to access, update, or delete personal information associated with your Epic account by reaching out to us as described in “Contact Us” below. Note that we may ask you for additional information to help us verify who you are before completing your request.\nYou can change your email marketing preferences at any time, such as by using the opt-out mechanism provided in our marketing emails, updating your Epic account settings, or contacting us with your request (see “Contact Us” below).\nYou can change your privacy settings on other parties' websites (such as social networks) or platforms (like console providers) to limit the information they may share with us.\nYou can change your browser or mobile device settings to block, manage, delete, or limit tracking technologies like cookies. In some cases, blocking or disabling cookies may cause the Epic Services not to work as intended and some features may not be available.\nIf you're under the age of 18 and have an Epic account, you can ask that we remove or anonymize certain content you've provided on the Epic Services. Please direct requests to help delete or edit content on the Epic Services to Epic as described in “Contact Us” below.\nParents and guardians can adjust the settings for their child's Epic account by visiting https://www.epicgames.com/fortnite/en-US/parental-controls.\nSome parts of the world provide individuals with specific choices related to their personal information by right under local law.", ] notes = [ - "Phrases like \"certain processing\" are vague, and there is no guarantee that the opt-outs they provide cover all non-critical data uses. " + "Epic does provide users with options to opt-in or opt-out of non-critical data uses.", ] [rubric.law-enforcement] value = "reasonable" citations = [ - "We may also disclose information about you: (i) if we are required to do so by law, legal process, or a reasonable request from law enforcement authorities or other government officials, (ii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity, or (iii) if necessary to protect the vital interests of another individual (such as to prevent death, bodily harm, or serious damage to property)." + "[From section 4, above]\n\nWhen we believe we must in order to comply with the law or to protect you, Epic, or others (for example, in response to court order or subpoena, as part of an investigation of fraud or other illegal activity, or violation of our terms or policies, or if necessary to protect others from death or serious harm to body or property);", ] [rubric.list-collected] value = "generally" citations = [ - "- Technical information about your computer, device, hardware, or software you use to access the Internet or our services, such as IP address or other transactional or identifier information for your device (such as device make and model, information about device operating systems and browsers, or other device or system related specifications);\n- Usage information and statistics about your interaction with the Epic services, which may include the URLs of our websites that you have visited, URLs of referring and exiting pages, page views, time spent on a page, number of clicks, platform type, the application you used or the game you played, how long you used or played it and when, and other usage statistics;\n- Crash reports, which may be automatically generated when a game or application crashes and includes information about your system and the crash;\n- Information that facilitates a safer and more personalized experience, such as your display name or other user identification provided in connection with your application use or game play, saved preferences, game progress, and device identifiers or usage information for authentication and fraud prevention purposes;\n- The location of your device, such as may be derived from your device’s IP address." + "2. WHAT INFORMATION DO WE COLLECT?\nThe types of information we collect depend on how you interact with us. Generally speaking, we collect information in three main ways: A) when you provide it to us, B) automatically when you use the Epic Services, and C) from service providers and third parties.\n\nA. Information You Provide\nYou can provide us with different kinds of information depending on how you interact with the Epic Services. Sometimes we'll ask you to provide specific pieces of information, such as when we require it to provide parts of the Epic Services to you (for example, by prompting you to complete an online registration process). If we ask you to provide us with information in these cases and you choose not to, you may not be able to access the relevant Epic Services and/or some features may not operate as intended.\n\nFor instance, in order to make purchases on the Epic Games Store and to play some of our games, you'll need an Epic account. To create one, you'll need to provide us with basic registration information like your name, a public-facing display name, password, the country you live in, and email address. If you want to make a purchase, we may ask you to provide payment-related information (like your credit card number and expiration date) to complete the transaction.\n\nWe also collect the information you voluntarily provide to sign up for email alerts, use social features like forums or chat, register for early access to our games, use our developer tools (including to create and publish games and other content), complete surveys, or contact us through Player Support requests or customer service. If you enter a contest or competitive event, or participate in our Support-A-Creator program, we'll collect your application information and other information we may need to help confirm your eligibility and process payouts. We collect whatever information you choose to provide to us in those or other similar cases.\n\nB. Information We Collect Automatically\nWe collect some information automatically when you visit, access, or use the Epic Services. This includes information about your gameplay or application usage, purchases, entitlements, and other activity in the Epic Services, typically associated with your account (if you are logged into your Epic account or use a third-party account to access the Epic Services) or with an identifier we have assigned to your device or profile. While the specific types of information that we automatically collect may vary, they generally include:\n\nUsage information and statistics about how you interact with the Epic Services, including the application you used or the game you played, how long you used or played it and when, gameplay attempts, progression and results, saved preferences, crash reports, the URLs of our websites that you have visited, URLs of referring and exiting pages, page views, time spent on a page, number of clicks, and platform type;\nTechnical information about your computer, device, hardware, or software you use to access our services, such as IP address, device identifiers, your internet service provider, plugins, or other transactional or identifier information for your device (such as device make and model, information about device operating systems and browsers, or other device or system-related specifications); and\nThe general location of your device, which we typically derive from your device's IP address.\nThe Epic Services use technologies such as cookies, log files, and web beacons to automatically collect the types of information listed above. Some of these technologies may create small files or record-keeping tools that may be stored on your device. They help us, our service providers, and third parties recognize your device and provide information about how you use and interact with the Epic Services. For example, they support our ability to authenticate users, remember preferences, manage advertising, personalize experiences, and conduct data analytics.\n\nPlease note that if certain features on the Epic Services are provided by third parties, those third parties may also use automated means of data collection and may record information about your use of the Epic Services or others' websites over time. These features are subject to those third parties' privacy notices and policies.\n\nC. Information We Collect from Other Sources\nIn some cases, we may also receive information about you from service providers and third parties in connection with your use of the Epic Services or your interactions with us on other platforms.\n\nFor example, some other developers allow you to use your Epic account to log in to their service. And if you choose to link your Epic account with your account on a third-party social media (like Facebook), gaming (like Steam), or other similar website or service, or if you interact with an ad for one of the Epic Services on an external website or service, the company that operates that website or service may share some information with Epic in accordance with their own privacy practices. Your privacy settings on the other company's website or service typically control the specific types of information they can share with Epic, so please be sure to review and update them regularly. Common examples for linked accounts might include your third-party account display name and user ID, as well as associated device information, name, and email address. For participants in our Support-a-Creator program, we may also collect the number of social media account followers you have for program eligibility purposes.\n\nYou can also buy, download, or access some Epic Services on or through services operated by third parties. If you do, they may provide us with information to facilitate your access to and use of the Epic Services. This typically includes information like your display name, user ID, and device and region information. For example, you can choose to download and play games like Fortnite on gaming consoles (like PlayStation®, Microsoft Xbox, and Nintendo Switch) through your gaming console account. When you do, the company operating that platform or service may share some information with us, which helps us do things like facilitate your gameplay and track your progression and entitlements.\n\nD. Fraud Prevention & Anti-Cheat\nProviding users with a fair, balanced, and competitive experience on the Epic Services is extremely important to us. We strictly enforce prohibitions against cheating, hacking, account stealing, and any other unauthorized or fraudulent activity on the Epic Services. We use a variety of anti-cheat and fraud prevention technologies to help us identify and prevent malicious activity. These services may collect and analyze data about your computer and the software on your computer to detect cheating and may be provided by Epic or by service providers such as BattlEye.", ] [rubric.revision-notify] -value = "no" +value = "yes" citations = [ - "Please review this policy every time you access or use the Epic services to make sure that you have reviewed the most recent version." + "9. UPDATES\nWe'll update this policy from time to time to reflect changes in our practices or relevant laws. When we do, we'll change the date noted at the top of the policy. In some cases we may also notify you of the relevant changes by email or within the Epic Services. Please review this policy regularly to make sure that you understand your relationship with Epic and the ways we may collect, use, and share information in connection with the Epic Services.", ] diff --git a/products/id-me.toml b/products/id-me.toml new file mode 100644 index 00000000..05658257 --- /dev/null +++ b/products/id-me.toml @@ -0,0 +1,169 @@ +name = "ID.me" +description = "Consumers can verify their identity with ID.me once and seamlessly log in across websites without having to create a new login or verify their identity again." +slug = "id-me" +hostnames = ["id.me"] +sources = ["https://www.id.me/privacy", "https://id.me/biometric", "https://www.id.me/security"] +contributors = ["opile8"] + +[rubric.behavioral-marketing] +value = "yes-opt-out" +citations = [ + "We may use your information to send promotional messages and newsletters via email or otherwise alert you to products or Services we think might be of interest to you including for ID.me Shop. You may unsubscribe from receiving marketing communications from us at any time by logging in to your account and navigating to \"My Preferences\" to manage your subscriptions.", + "Please note, if you are using ID.me Services in connection with legal identity verification for a state or federal government agency, or in association with Electronic Prescriptions for Controlled Substance Services, we will not use any Personal Information provided as part of your verification for any type of marketing or promotional purposes related to ID.me Shop without your consent, or unless you otherwise use your ID.me credential for verification with any ID.me customer who is not a state or federal government agency customer, use your ID.me account in connection with ID.me Shop, ID.me Jobs, or ID.me Rx, or otherwise opt-in to receiving marketing communications from ID.me." +] +notes = [ + "Explanation of 2nd paragraph: Use of personal data requires consent (\"opt-in\") if ID.me services are used EXCLUSIVELY for \"state or federal government [agencies]\" or \"in association with Electronic Prescriptions for Controlled Substance Services\". ", + "However, verification with any one of ID.me's \"Shop\", \"Jobs\", or \"RX\" services (tabs at the top) or any non-government agency appears to constitute *automatic* \"opt-in\" for marketing.", + "Opt-out is completed through links in marketing emails or account preferences." +] + +[rubric.security] +value = "yes-independent-audits" +citations = [ + "[Privacy Page]", + "We use reasonable security measures. We are committed to protecting your information. We have adopted technical, administrative, and physical security procedures to help protect your information from loss, misuse, unauthorized access, and alteration. Please note that no data transmission or storage can be guaranteed to be 100% secure.", + "To safeguard certain sensitive information (such as biometric information and government-issued identification information), we implement security measures such as encryption, firewalls, and intrusion detection and prevention systems.", + "In addition, the following are examples of security measures that are used to safeguard all types of Personal Information we maintain about our consumers:", + "- Procedures for the identification and classification of Personal Information and implementation of safeguards appropriate to the sensitivity of the information;", + "- access control procedures designed to verify a business need before access to Personal Information is granted, and procedures for the periodic review of access permissions;", + "- procedures for termination of access to Personal Information designed to curtail access to the information by terminated personnel or when there is no longer a business need for access;", + "- personnel security controls designed to reduce the risk of human error, theft, fraud or misuse of facilities; and", + "- physical and environmental security procedures designed to prevent unauthorized access, damage or interference to business premises and information.", + "", + "[Security Page]", + "ID.me has been designed to comply with rigorous information security regulations including AICPA SOC 2, ISO 27001, FedRAMP, and multiple NIST 800 guidelines. Multiple ID.me clients have completed extensive technical due diligence with regard to the processing environment. [...] ID.me implements role based access management, separation of duties, and multifactor authentication. Data at rest and in transit is encrypted using approved FIPS 140-2 algorithms. Personally Identifiable Information (PII) is encrypted using a rolling key and the AES-256-CBC algorithms." +] +notes = [ + "See ID.me's [Security](https://www.id.me/security) page for a thorough explanation of their data, network, and data center security standards." +] + +[rubric.third-party-collection] +value = "yes" +citations = [ + "Information from our partners. We acquire information from other trusted sources. These business partners might include companies, such as your mobile phone carriers, certain government agencies, licensing bodies, etc. We may also collect information about you from other sources, including service providers, data licensors and aggregators, marketing companies, programming distributors, and public databases.", + "Information you provide through social media", + "If you connect to us through a social media platform or navigate to a social media platform from one of our sites, the social media platform will collect your information separately from us. You should review the social media platforms' privacy policies to understand how they are using your information and your rights in relation to such information.", + "Information We Derive", + "We may derive additional information or draw inferences about you based on the information we have collected from you directly, passively, or through third parties." +] +notes = [ + "ID.me previously (until 3/14/2022) allowed login to Facebook using ID.me as the sign-on service (via Facebook Connect). The privacy policy at that time included language about ID.me's collection and storage of data about those contacts (depending on the users' privacy settings). ID.me still allows a customer to [use social media accounts to sign into ID.me](https://help.id.me/hc/en-us/articles/360057107014-Connecting-social-or-third-party-accounts-to-your-ID-me-account) from accounts like Apple, Facebook, Google, or LinkedIn, but ID.me no longer seems policy no longer mentions these by name." +] + +[rubric.history] +value = "last-modified" +citations = [ + "[Privacy Policy Page]", + "This Privacy Policy may be periodically updated. This Privacy Policy may be updated periodically to reflect new ID.me features or changes in our Personal Information practices. We will post a notice for consumers at the top of this Privacy Policy of any significant changes. We will indicate at the top of the Privacy Policy when the policy was most recently updated.", + "[Biometric Policy Page]", + "This Biometric Information Privacy Policy may be periodically updated. From time-to-time we may update this policy to reflect new features or changes in our Personal Information practices or our Services. We will post a notice for users at the top of this Privacy Policy addressing any significant changes." +] +notes = [ + "ID.me does not make previous policies available nor do they indicate (either on the website or via customer email) the substance of any major changes. Wayback Machine (web.archive.org) confirmed ID.me does post a top banner with a link to the privacy policy when it changes. Both the privacy policy and biometric policy pages include a version number and date when last updated." +] + +[rubric.data-deletion] +value = "yes-automated" +citations = [ + "[Privacy Policy Page]", + "Personal Information will be retained until we have fulfilled our legal, contractual and policy obligations. ID.me stores your Personal Information for as long as needed, or permitted, based on the reason why we obtained it (consistent with applicable law and contractual obligations). This means we may retain your Personal Information even after you close your account with us, for up to three (3) years. Users may request that ID.me delete certain Personal Information at any time at account.ID.me or through our Privacy Rights Center, where applicable. We acknowledge all such requests, however we reserve the right to retain data tied to certain high-risk transactions, particularly in government and healthcare settings, exclusively for fraud prevention and government audit purposes.", + "ID.me aligns to the National Archives recommended guidelines for data retention when supporting government agencies. Personal Information provided by users in connection with a public sector agency as part of their verification may be retained for up to three (3) years after account closure, unless applicable regulations require a shorter retention period.", + "[Biometric Policy Page]", + "8. Can I Request that ID.me Delete My Biometric Information?", + "Yes, you may direct ID.me to delete your Biometric Information. After successfully verifying your identity, you may request that ID.me delete your Biometric Information. You may request the deletion of both the selfie image and Biometric Information submitted during your verification by submitting a request through the ID.me \"Privacy Rights Center\" which is accessible via a link at the bottom of our Website, or under the \"Privacy\" setting in your account. Deletion of the selfie image and associated Biometric Information may take up to seven (7) days and will not impact the validity of your credential or verified status. ID.me reserves the right to retain this information as needed to comply with our legal obligations, including warrants, subpoenas or other court orders, or to help prevent fraud.", + "Pursuant to the California Consumer Privacy Act of 2018 (CCPA), residents of California are entitled to additional rights and disclosures regarding their Personal information, including Biometric Information. Please see our Notice to California Residents for additional details regarding these disclosures and how to exercise your rights." +] +notes = [ + "Some information you provide to ID.me may be retained for up to 36 months for legal compliance purposes following a deletion request. Biometric information will automatically \"age off\" after 36 months, if not sooner." +] + +[rubric.data-breaches] +value = "no" +notes = [ + "Policy makes no mention of data breach procedures or notification to potential victims." +] + +[rubric.third-party-access] +value = "yes-unspecified-critical" +citations = [ + "We may share your Personal Information with entities necessary to validate your ID.me Account and provide our Services to you. In order to verify your identity and eligibility to receive discounts and other benefits from our partners and other service providers, we may provide your Personal Information to third parties such as government agencies, telecommunications networks, financial institutions or other trusted and reliable sources of information. Our provision of your Personal Information to the foregoing parties is solely to verify your identity and eligibility for ID.me Services. We have established relationships with Registration Authorities similar to the entities described above whereby the Personal Information you provide to us will be transmitted to them using industry standard encryption tools, designed to protect such information from unauthorized access.", + "[...]", + "We may share information with third parties who perform services on our behalf. We may share your information with unaffiliated companies or individuals we hire or work with that provide us with professional advice, business support, or perform services on our behalf, including customer support, web hosting, information technology, payment processing, direct mail and email distribution, and administration, and analytics services. These Service Providers are allowed to use your information to help us provide our Services and not for any other purpose." +] + +[rubric.data-collection-reasoning] +value = "yes" +citations = [ + "[Privacy Policy Page]", + "**2. How We May Use Your Information and Why**", + "[...]", + "**We may use information to provide you with our Services.** We may use the information collected from or about you to authenticate and manage your identity when you create an ID.me account, including to verify attributes of your identity including, but not limited to, community affiliations (e.g., military status, first responder, student, veteran status, etc.), memberships, social media accounts, educational degrees, and professional certifications, [...] . We may use this information to verify your identity with ID.me partners in both the public and private sector at your request and perform our contractual obligations with you or to ensure that our Services function properly.", + "**We may use Personal Information to perform reporting with our public sector customers.** In order to better serve our users, and to facilitate the identity verification process, ID.me may share a limited set of Personal Information - including first name, last name, date of birth, phone number, email address, and physical address as requested by a specific state or federal government agency - on behalf of users undergoing legal identity verification for a given government agency. [...] ", + "**We may use information for marketing purposes.** We may use your information to send promotional messages and newsletters via email, or otherwise alert you to products or Services we think might be of interest to you, including for ID.me Shop. [...]", + "[Biometric Policy Page]", + "We use your Biometric Information only as follows:", + "- To verify your identity when you are opening an account or using our Services;", + "- To authenticate use of your account and the Services for a transaction;", + "- To prevent fraudulent uses of ID.me’s Services or the creation of multiple accounts; and", + "- To comply with legal obligations or comply with a request from law enforcement or government entities where not prohibited by law." +] +notes = [ + "(see also, \"non-critical purposes\" grade for discussion about data collected for marketing purposes)" +] + +[rubric.noncritical-purposes] +value = "opt-out-all" +citations = [ + "We may use your information to send promotional messages and newsletters via email or otherwise alert you to products or Services we think might be of interest to you including for ID.me Shop. You may unsubscribe from receiving marketing communications from us at any time by logging in to your account and navigating to \"My Preferences\" to manage your subscriptions." +] +notes = [ + "If ID.me is strictly used as identity verification for (state/federal) government services then this is on an \"opt-in basis\" so no marketing occurs (see also \"behavioral marketing\")." +] + +[rubric.law-enforcement] +value = "reasonable" +citations = [ + "[Privacy Policy Page]", + "**We may share information as needed in order to comply with legal processes, to protect ourselves, or improve our Services.** For example, we will share information when it is necessary for us to comply with applicable law or legal process, to respond to legal claims, to prevent fraud, or to protect our rights or the property or personal safety of our users, employees, or the public.", + "We also use third party service providers to track and analyze website usage and volume statistical information to administer our Website and constantly improve its quality.", + "**We may share information as required with the United States federal government and certain state governments.** ID.me does not provide any government with direct and unfettered access to our user's data, and we do not provide any government with our encryption keys or the ability to break our encryption. We may share certain Personal Information associated with an ID.me account with government entities where we reasonably believe that account may be engaging in fraud.", + "If a government entity requires additional information related to an ID.me account, whether related to a suspected instance of fraud or otherwise, it must follow applicable legal processes. It must serve us with a subpoena, warrant, or present other legally compelling justification for the additional information associated with the account, the request must be targeted and specific in nature.", + "Our legal and compliance teams review all requests to ensure they are valid, reject those that are not valid, and only provide the data specified in the subpoena or similar court order.", + "**Information you provide offline.** You may also provide information to us in person and offline. You may be recorded if you visit our offices (including by security surveillance of our premises, including CCTV).", + "**Other information.** We also collect information that relates to or is capable of being associated with you, such as age, gender, and any other information you choose to provide.", + "***Information Collected Automatically***", + "When using our Services we may automatically collect or receive certain information associated with you or your network device(s), such as your computer or mobile devices. This includes information about your use of our Services and your preferences. Such information may be automatically collected through device-based tracking technologies such as cookies, pixels, tags, beacons, scripts, or other technologies. For more information about cookies or other tracking technologies and the choices you have regarding the use of them, please visit our ID.me [Cookie Policy](https://www.id.me/cookie-policy).", + "The information we automatically collect may also include geolocation information, such as information that identifies the approximate location of your device and your IP address, which may be used to estimate your approximate location.", + "**Information from our partners.** We acquire information from other trusted sources. These business partners might include companies, such as your mobile phone carriers, certain government agencies, licensing bodies, etc. We may also collect information about you from other sources, including service providers, data licensors and aggregators, marketing companies, programming distributors, and public databases.", + "***Information you provide through social media***", + "If you connect to us through a social media platform or navigate to a social media platform from one of our sites, the social media platform will collect your information separately from us. You should review the social media platforms' privacy policies to understand how they are using your information and your rights in relation to such information.", + "***Information We Derive***", + "We may derive additional information or draw inferences about you based on the information we have collected from you directly, passively, or through third parties.", + "[Biometric Policy Page]", + "ID.me will only share your Biometric Information with our partners in the following circumstances:", + "As required with other third parties where permitted by law to enforce our Terms of Service, to comply with legal obligations, or to cooperate with law enforcement agencies concerning conduct or activity that we reasonably believe may violate federal, state, or local law when required by a subpoena, warrant, or other court ordered legal action, and to prevent harm, loss or injury to others.", + "To third party service providers that perform functions on our behalf. These service providers are limited to using the Biometric Information to assist in our provision of Services, and must maintain any Biometric Information we share in a secure fashion." +] + +[rubric.list-collected] +value = "exhaustively" +citations = [ + "[Privacy Policy Page]", + "***Information You Provide***", + "*We Collect Information You Provide to Us Which Includes:*", + "**Verification information.** When you verify yourself, either individually or as part of a community, with ID.me you provide us with Personal Information that may include your name, date of birth, social security number and/or other government issued identification numbers, copies of your government issued identification card (e.g., license or passport), email address, phone number, mailing address, and certain photographic images, and biometric data. You may also be asked to provide community affiliations (e.g., Military, First Responder, Student, Veteran, etc.), memberships, educational degrees, and professional certifications.", + "Please note, ID.me asks that you not provide physical documentation, via mail service or otherwise, to ID.me. All documentation to be collected should be provided either through the ID.me app or website portal, or presented to a trusted referee where applicable.", + "Your correspondence and your feedback about our Services. We collect information you provide when you contact us directly or provide feedback, comments, or suggestions on our Services directly to us.", + "**Information you provide when you do business with ID.me.** If you are a vendor, service provider, or business partner of ID.me, we may collect information about you and the services you provide, including your or your employees' business contact information and other information you or your employees provide to us as part of the services you may provide and our agreement with you.", + + "[Biometric Policy Page]", + "The information we collect will vary depending on the specific type of Services you request. Many ID.me Services do not require Biometric Information, however certain Services – those requiring a NIST 800-63A IAL2 credential, such as the Internal Revenue Service (IRS), Office of Veterans Affairs (VA), or certain state unemployment or labor departments - may require a higher level of assurance for your identity verification. When you sign up for an applicable ID.me Service we may collect the following Biometric Information:", + " - Facial Biometrics: Our Service may require you to upload an image of your government issued or other identification document(s) as well as your photographic image or \"selfie\" photograph using your mobile or other device. We use these images to create a facial geometry or faceprint which we use for purposes of identity verification and to prevent the creation of multiple accounts in a fraudulent manner.", + " - Fingerprint Information: Our Service may require the submission of fingerprints, including fingerprint or hand scanning. Our Service may require the submission of fingerprints, including fingerprint or hand scanning, which we use for purposes of identity verification and to prevent the creation of multiple accounts in a fraudulent manner." +] + +[rubric.revision-notify] +value = "yes" +citations = [ + "This Privacy Policy may be periodically updated. This Privacy Policy may be updated periodically to reflect new ID.me features or changes in our Personal Information practices. We will post a notice for consumers at the top of this Privacy Policy of any significant changes. We will indicate at the top of the Privacy Policy when the policy was most recently updated." +] diff --git a/products/kagi.toml b/products/kagi.toml new file mode 100644 index 00000000..82774f82 --- /dev/null +++ b/products/kagi.toml @@ -0,0 +1,113 @@ +name = "Kagi" +description = "Privacy-Focused Search Engine." +slug = "kagi" +hostnames = [ "kagi.com" ] +sources = [ "https://kagi.com/privacy" ] +contributors = [ "vkeerthivikram" ] + +[rubric.behavioral-marketing] +value = "no" +citations = [ + "We do not share customer data with third parties, except as needed to perform explicitly accessed services. In those cases, we will share the minimum amount of data needed to provide the service, and will do so in an anonymous way.", + "We do not display any ads, or have any first-party or third-party tracking in service of ads.", + "Kagi does not store your IP address or any association with other user data. We perform an *offline* lookup using a database to resolve the IP address that your client sends to us in to a location with enough accuracy to enrich your search experience.", + "Absent from our logs are any identifying information about your client.", + "To ensure your privacy and security, we don’t monitor, log or store your queries or associate them with your account." + ] + +[rubric.data-breaches] +value = "no" +notes = [ +"The policy doesn't seem to mention a data breach policy." + ] + +[rubric.data-collection-reasoning] +value = "yes" +citations = [ +"Kagi only stores the information about the client that you explicitly provide by using your account, as laid out in our interface. This includes: Your email to facilitate account access and support contact (ex: password reset) and Your account settings (ex: theme, search region, selected language)" +] + +[rubric.data-deletion] +value = "yes-contact" +citations = [ +"There is an option to delete your account."," When you do this, all information and settings related to your account is removed from our database." +] + + + +[rubric.history] +value = "yes" +citations = [ +"Changelog", +"2023-09-21", +"Increased Fair Use limits for AI tools (300 to 500)", +"2023-08-15", +"Updated Terms of Use (Clarified commercial use licensing)", +"2023-08-04", +"Updated Privacy Policy (Clarified summary)", +"2023-05-24", +"Updated Privacy Policy (Added Warrant Canary and covered \"Labs\" experiments such as FastGPT)", +"2023-05-04", +"Updated Privacy Policy (Clarified when data is shared with third parties, and to what extent. Added upload section.)", +"2023-02-29", +"Updated Privacy Policy (AI Tools & Universal Summarizer)", +"2023-02-28", +"Updated Terms of Service (Fair Use Policy for AI Tools)", +"2022-03-31", +"Updated Terms of Service", +"2021-11-30", +"Added kagi_previous_page cookie to Cookies & Client data table.", +"2021-09-02", +"Initial draft." +] + +[rubric.law-enforcement] +value = "unspecified" +notes = [ +"There is no explicit mention of law enforcement access to personal user data. The document focuses on describing Kagi's data practices and privacy protections for users, but does not address law enforcement access or exceptions to their privacy policy." +] + +[rubric.list-collected] +value = "generally" +citations = [ +"Kagi only stores the information about the client that you explicitly provide by using your account, as laid out in our interface. This includes: Your email to facilitate account access and support contact (ex: password reset), Your account settings (ex: theme, search region, selected language) And nothing else." +] + +[rubric.noncritical-purposes] +value = "na" +notes = [ +"No data is used for non critical purposes.","There are some limited options for users to control caching, local storage, and account deletion, but do not explicitly mention opting out of non-critical data collection.", +"Anonymous logs are aggregated with GCP's logging tools, retained for 30 days.", +"Anonymous logs are shared with Sentry when bugs, crashes, or warnings that occur for debugging purposes." +] + +[rubric.revision-notify] +value = "yes" +citations = [ +"Kagi may update these Terms from time to time to address a new feature of the Services or to clarify a provision. The updated Terms will be posted online. If the changes are substantive, we will announce the update through Kagi's usual channels for such announcements such as blog posts and forums. To make your review more convenient, we will post an effective date at the top of this page." +] + +[rubric.security] +value = "somewhat" +citations = [ +"All Kagi communications - inbound and outbound - are made over encrypted HTTPS.","HTTPS does not protect these other parties from knowing where the request is going, but it does protect the request content.", +"Passwords are hashed and salted and all passwords are hashed and salted.", +"To ensure your privacy and security, we don’t monitor, log or store your queries or associate them with your account." +] + +[rubric.third-party-access] +value = "yes-unspecified-critical" +citations = [ +"We do not share customer data with third parties, except as needed to perform explicitly accessed services."," In those cases, we will share the minimum amount of data needed to provide the service, and will do so in an anonymous way. ", +"Data uploaded to allow Kagi to perform a service will be stored and used only to the extent needed to perform said service. This data may be shared with third parties, but only when sharing is required for fulfillment of the service. In these cases, Kagi's servers will be the sole actor communicating (securely) with third parties, and only to the extent required to fulfill your intent.", +"Anonymous logs are shared with Sentry when bugs, crashes, or warnings that occur for debugging purposes.", +"Anonymous logs are aggregated with GCP's logging tools, retained for 30 days." +] + +[rubric.third-party-collection] +value = "no" +notes = [ +"The policy does not mention any collection of data from third parties." +] + + diff --git a/products/nebula.toml b/products/nebula.toml new file mode 100644 index 00000000..e10f6195 --- /dev/null +++ b/products/nebula.toml @@ -0,0 +1,111 @@ +name = "Nebula" +description = "Nebula is a creator-owned video streaming platform." +slug = "nebula" +hostnames = [ "nebula.tv" ] +sources = [ "https://nebula.tv/privacy" ] +contributors = [ "ausernameisnotavailable", "doamatto" ] + +[rubric.behavioral-marketing] +value = "yes-opt-out" +citations = ["We may work with third-party advertising companies and social media companies to help us advertise our business and to display ads for our products and services. These companies may use cookies and similar technologies to collect information about you ... over time across our Services and other websites and services or your interaction with our emails, and use that information to serve ads that they think will interest you."] + +[rubric.data-breaches] +value = "no" +citations = ["In the event that we are required by law to inform you of any unauthorized access or acquisition of your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by law."] +notes = ["Although some people may be able to receive such notifications, it is not guaranteed for all users."] + +[rubric.data-collection-reasoning] +value = "mostly" +citations = [ + "We use personal information to provide the Services and for purposes that you reasonably expect.", + """ + We may use personal information to provide our Services and operate our business. For example, we use personal information to: + - fulfill your requests for selecting and purchasing merch and subscriptions; + - establish, manage, monitor, and maintain your account on our Platform; + - improve and personalize your experience on or with the Services; + - verify your identity or determine your eligibility for offers and promotions; + - communicate with you, including providing notices about your account or transaction, and responding to any of your requests or questions; + - provide any surveys, contests, or promotions that you participate in; + - provide maintenance and support; and + - fulfill any other purpose for which you provide personal information. + """, + "We use personal information for research and development purposes, including to study and improve the Services and our business, understand and analyze the usage trends and preferences of our users, and develop new features, functionality, products, and services.", + "We may work with third-party advertising companies and social media companies to help us advertise our business and to display ads for our products and services.", + "We will use personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.", + "We may use personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) maintain the safety, security, and integrity of the Services and our products and services, business, databases, and other technology assets; (b) protect our, your, or others' rights, privacy, safety or property (including by making and defending legal claims); (c) audit our internal processes for compliance with legal and contractual requirements and internal policies; (d) enforce the terms and conditions that govern the Services; and (e) prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.", + "We will disclose your personal information in accordance with your prior direction or, in some cases, we may specifically ask you for your consent to collect, use, or share your personal information, such as when required by law." +] +notes = ["It is unclear what they mean by providing users with a great experience."] + +[rubric.data-deletion] +value = "yes-automated" +citations = ["If you wish to delete your account with us, you may do so by logging into your account and selecting \"Delete account\"."] + +[rubric.history] +value = "last-modified" +citations = [ "Last updated: August 31, 2023" ] + +[rubric.law-enforcement] +value = "reasonable" +citations = ["Under certain circumstances, we may be required to disclose personal information to law enforcement, government authorities, and other parties if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency)."] + +[rubric.list-collected] +value = "generally" +citations = [ + """ + Personal information you provide to us through the Services, such as when you purchase a subscription or merchandise, contact us (including by social media), participate in an online survey, or otherwise, may include the following categories. We may also collect other personal information that is not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection. + + Contact details, such as your first and last name, email and mailing addresses, and phone number. + Account information, such as your username (email address) and password that you set to establish an online account with us, your watch history, preferences, and other details about your use of the Services. + Payment and transactional data, such as the information needed to complete your merch orders and subscriptions on or through our Platform (all payment processing services connected with your use of the Platform are provided to you by our third-party payment processor), and records of merch and subscriptions you have purchased from us. + Marketing preferences, such as your preferences for receiving communications about Nebula content, merch, activities, events, publications, and related services, and details about how you engage with our communications. + Survey responses, such as the information you provide in response to our surveys, questionnaires, or contests. + Communications, such as the information associated with your requests or inquiries, including for support, assistance, or order information, and any feedback you provide when you communicate with us, or otherwise. + """, + """ + Nebula, our service providers, and our advertising partners may automatically log information about you, your computer, or mobile device, and your activity over time on our Services and other sites and online services. Personal information that may be automatically collected includes: + + Device information, such as your computer or mobile device operating system type and version number, wireless carrier, manufacturer and model, device identifier (such as the Google Advertising ID or Apple ID for Advertising), browser type, screen resolution, IP address, general location information such as city, state or geographic area; and + Online activity information, such as information about your use of and actions on the Services, such as the website you visited before browsing to our Services, pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access. + """, + "Nebula may receive personal information about you from other third-party sources, including from our service providers, data analytics partners, social media platforms, advertising partners, business partners, data providers, publicly available sources, and third party APIs. We may merge or combine such personal information with the personal information we collect from you directly or automatically." +] +notes = ["This is the only mentioning of what data is collected."] + +[rubric.noncritical-purposes] +value = "opt-out-some" +citations = [ + "The Nebula Store uses Google Analytics to help us analyze how the Website is being accessed and used. You can learn more about Google Analytics cookies by clicking here and about how Google protects your data by clicking here. To opt-out of Google Analytics, you can download and install the Google Analytics Opt-out Browser Add-on, available here.", + "You can also opt out of interest-based ads from companies participating in the following industry opt-out programs by visiting the linked websites: the Network Advertising Initiative (http://www.networkadvertising.org/managing/opt_out.asp) and the Digital Advertising Alliance (https://optout.aboutads.info). Users of our Mobile Application may opt out of receiving targeted advertising in through participating members of the Digital Advertising Alliance by installing the AppChoices mobile app, available here, and selecting the user's choices." +] + +[rubric.revision-notify] +value = "yes" +citations = ["Nebula reserves the right, at any time, to modify this Privacy Policy. If we modify how we collect, use, or share personal information, we will post the updated Privacy Policy on this page. In some cases, we may notify you about an update by sending you an email, posting a notice about the update on the Services, or other means as may be required by applicable law."] + +[rubric.security] +value = "somewhat" +citations = [ + "We build security into our Platform that is designed to protect your personal information, but no method over the Internet is fully secure.", + "No method of transmission over the Internet, or method of electronic storage, is fully secure. While we use reasonable efforts to protect your personal information from the risks presented by unauthorized access or acquisition, we cannot guarantee the security of your personal information. In the event that we are required by law to inform you of any unauthorized access or acquisition of your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by law." +] + +[rubric.third-party-access] +value = "yes-unspecified" +citations = [ + "We share personal information as necessary to provide the Services and for purposes described elsewhere in this Privacy Policy or at the time of collection, including with related companies, service providers, advertising partners (including for interest-based advertising), and to law enforcement, authorities, and other third parties as may be necessary for compliance, fraud prevention, safety, or in the event of a business transaction.", + "We may share your personal information with our affiliates, subsidiaries, and other related companies.", + "We may share your personal information with the Nebula community of digital video creators and podcasters.", + "We may share your personal information with third parties who perform services on our behalf that are necessary for the orderly operation of our business. For example, we work with services providers who help us perform e-commerce and product fulfillment, billing, payment processing, website hosting, app design, maintenance services, database management, web analytics, app analytics, fraud protection, credit risk reduction, marketing, and other purposes.", + "We may also share personal information with third parties who we partner with for advertising campaigns or that collect information about your activity on the Services for the purposes described in the \"Interest-Based Advertising\" section above.", + "We may share personal information with persons, companies, or professional firms providing Nebula with advice and consulting in accounting, administrative, legal, tax, financial, debt collection, and other matters.", + "Under certain circumstances, we may be required to disclose personal information to law enforcement, government authorities, and other parties if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).", + "We may disclose personal information in the good faith belief that such action is necessary to comply with a legal obligation or for the purposes described above in the section titled \"Compliance, Fraud Prevention, and Safety.\"", + "We may disclose personal information to third parties in connection with any business transaction (or potential transaction) involving a merger, acquisition, sale of shares or assets, financing, consolidation, reorganization, divestiture, or dissolution of all or a portion of our business (including in connection with a bankruptcy or similar proceedings)." +] + +[rubric.third-party-collection] +value = "yes" +citations = [ + "Nebula may receive personal information about you from other third-party sources, including from our service providers, data analytics partners, social media platforms, advertising partners, business partners, data providers, publicly available sources, and third party APIs. We may merge or combine such personal information with the personal information we collect from you directly or automatically." +] diff --git a/products/omny.toml b/products/omny.toml new file mode 100644 index 00000000..b1f94a99 --- /dev/null +++ b/products/omny.toml @@ -0,0 +1,59 @@ +name = "OMNY" +description = "OMNY is a public transit payment system in the New York City area." +slug = "omny" +hostnames = [ "omny.info" ] +sources = [ "https://omny.info/privacy-policy" ] +contributors = [ "ausernameisnotavailable", "doamatto" ] + +[rubric.behavioral-marketing] +value = "yes" +citations = ["We use information that we collect or process, including Personal Information, Online Activity Information, and Anonymous Information, as permitted under applicable law and consistent with this OMNY Privacy Policy and the OMNY Terms of Service. More specifically, we use the information we collect for the following purposes: ... to perform analytics, quality control, market research, and to determine the effectiveness of our OMNY Services, promotional campaigns, to improve our current products, OMNY Services, and develop new products and services;...In addition to the uses specifically identified above, there may be instances where you request information and OMNY Services from us that are not described in this OMNY Privacy Policy."] + +[rubric.data-breaches] +value = "no" +citations = ["By using the OMNY Services, you acknowledge and agree that there is a risk that unauthorized third parties may engage in illegal activity, such as hacking or intercepting transmissions of Personal Information. You agree that the MTA is not responsible for any data or Personal Information obtained"] + +[rubric.data-collection-reasoning] +value = "mostly" +citations = ["We use information that we collect or process, including Personal Information, Online Activity Information, and Anonymous Information, as permitted under applicable law and consistent with this OMNY Privacy Policy and the OMNY Terms of Service. More specifically, we use the information we collect for the following purposes:"] +notes = ["They list what the data is used for, although there is no reason that they should need to be collecting Online Activity Information, which is defined as device-related information, such as cookies and IP addresses."] + +[rubric.data-deletion] +value = "yes-contact" +citations = ["An OMNY Account may be closed at any time by contacting OMNY Customer Service at (877) 789-OMNY (6669) or https://www.omny.info/Contact."] + +[rubric.history] +value = "last-modified" +citations = ["OMNY Privacy Policy Revised June 7, 2022"] +notes = ["The date of latest modification is stated at the top of the page. The previous version(s) are not available."] + +[rubric.law-enforcement] +value = "strict" +citations = ["We may be required to share your Personal Information pursuant to a court order or other legal or regulatory obligation or process."] + +[rubric.list-collected] +value = "generally" +citations = ["We collect a few categories of information via our OMNY Services:"] +notes = ["A full list of data collected is available."] + +[rubric.noncritical-purposes] +value = "opt-out-some" +citations = ["Certain OMNY Services, such as the Website and OMNY App, may request your current location, which, if selected, could determine your geographic location. We will only collect and process such information if you have consented and opted-in to this feature. You may also always opt out or withdraw your permission by changing your permissions or settings on your browser or on the OMNY App.", "If we choose to send to you, or you have elected to receive, bulletins, updates, questionnaires, surveys, or other marketing-related materials, we will provide you with the ability to decline – or 'opt out' – of receiving such communications."] +notes = ["Opt-out methods are only specified for location and email marketing."] + +[rubric.revision-notify] +value = "no" +citations = ["We may update this OMNY Privacy Policy from time to time. If we make changes to this OMNY Privacy Policy, then we will post them on the Website and indicate the Effective Date. Your continued use of the OMNY Services constitutes your agreement with this OMNY Privacy Policy and any updates to it."] + +[rubric.security] +value = "somewhat" +citations = ["We have implemented physical, technical, and administrative security measures and controls designed to prevent unauthorized access to, or disclosure of, Personal Information that you provide to us. Additionally, we require our third party providers to implement security measures and to otherwise handle Personal Information consistent with this OMNY Privacy Policy and applicable law. Our security measures and other safeguards are intended to deter and prevent hackers and others from unauthorized access to information that you provide to us."] + +[rubric.third-party-access] +value = "yes-unspecified" +citations = ["We may share your Personal Information among our affiliates and subsidiaries for purposes consistent with this OMNY Privacy Policy."] + +[rubric.third-party-collection] +value = "no" +citations = ["If we collect other information about you using a method that is not specifically listed here, then we will use it in accordance with this OMNY Privacy Policy."] +notes = ["No specific mentioning of third-party data collection, although they do state they they may collect data from other methods that have not been listed."] diff --git a/products/smspool.toml b/products/smspool.toml new file mode 100644 index 00000000..016c8581 --- /dev/null +++ b/products/smspool.toml @@ -0,0 +1,77 @@ +name = "SMSPool" +description = "SMSPool is a service that provides temporary phone numbers." +slug = "smspool" +hostnames = [ "www.smspool.net" ] +sources = [ "https://www.smspool.net/privacy-policy" ] +contributors = [ "smspool", "doamatto" ] + +[rubric.behavioral-marketing] +value = "no" +citations = [ + "We collect and process the following personal data from visitors and subscribers. The purpose of this will be to register you as a User to our services: Username, and optionally email address. In addition, we may store the IP addresses from each visitor, which is only used for statistical purposes, and this will not be linked to your personal data." +] + +[rubric.security] +value = "somewhat" +notes = [ + "Smspool.net is committed to taking all necessary measures and actions to protect your data. Our data protection practices are based on the best industry standards such as hashing your passwords with bCrypt, and only ask for information that is deemed important to us." +] + +[rubric.third-party-collection] +value = "critical-only" +citations = [ "Smspool.net makes use of the services of third party companies that are processing your data. We are committed to only engage with those companies that fully comply with the GDPR and CCP, maintain the highest standards of data protection and never sell data to other parties. We only make use of the services of Cloudfare for Analytics, CDN and DDoS protection, based out of the United States that will monitor certain visitor behavior on our website. We advise you to read their Privacy Policy available on https://www.cloudflare.com/privacypolicy/. Next to Cloudflare; we use Stripe which processes your payments and the requests only contain your user ID." ] + +[rubric.history] +value = "last-modified" +citations = [ + "\"Most recent updated\"" +] + +[rubric.data-deletion] +value = "yes-automated" +citations = [ + "\"Each User has at all times the right to withdraw its consent. In addition, each individual may request the permanent removal of its personal data and information. Upon your request through your settings page, Smspool.net will remove all personal data that we collected from you. Furthermore, each individual has the right to correct or update its personal information, deletions may take up to 48 hours to process.\"" +] + +[rubric.data-breaches] +value = "yes-72" +citations = [ + "\"In case of any breach, every user will be notified within 72 hours of the breach through any available channel that the user has provided.\"" +] + +[rubric.third-party-access] +value = "yes-specified-critical" +citations = [ + "\"Smspool.net makes use of the services of third party companies that are processing your data. We are committed to only engage with those companies that fully comply with the GDPR and CCP, maintain the highest standards of data protection and never sell data to other parties. We only make use of the services of Cloudfare for Analytics, CDN and DDoS protection, based out of the United States that will monitor certain visitor behavior on our website. We advise you to read their Privacy Policy available on https://www.cloudflare.com/privacypolicy/. Next to Cloudflare; we use Stripe which processes your payments and the requests only contain your user ID.\"" +] + +[rubric.data-collection-reasoning] +value = "yes" +citations = [ + "\"We collect and process the following personal data from visitors and subscribers. The purpose of this will be to register you as a User to our services: Username, password (hashed in bCrypt), and optionally email address. In addition, we may store the IP addresses from each request which is only used for statistical purposes for our DDoS protection such as ratelimits per IP, and this will not be linked to your user data.\"" +] + +[rubric.noncritical-purposes] +value = "opt-out-some" +citations = [ + "\"All data we collect and process will be used to provide our Services to you. In addition, we may use this information for maintaining and improving our website, mobile applications and all other services we offer. We may provide you with information about our Services that you explicitly requested from us, answering your questions or responding to other communications you send to us. We do not send sell/send your information for marketing.\"", + "We only make use of the services of Cloudfare for Analytics, CDN and DDoS protection, based out of the United States that will monitor certain visitor behavior on our website." +] + +[rubric.law-enforcement] +value = "reasonable" +citations = [ + "\"We may also track and analyze data for investigating and preventing fraudulent behavior, or other unauthorized or illegal transactions and/or activities. For that purpose we may link, connect or combine certain pieces of data. This information can be requested by law enforcement as long as it is within reasonable demand, and our investigations deem the provided report to be matching up with our internal records.\"" +] + +[rubric.list-collected] +value = "summarily" +citations = [ + "\"We collect and process the following personal data from visitors and subscribers. The purpose of this will be to register you as a User to our services: Username, password (hashed in bCrypt), and optionally email address. In addition, we may store the IP addresses from each request which is only used for statistical purposes for our DDoS protection such as ratelimits per IP, and this will not be linked to your user data.\"" +] + +[rubric.revision-notify] +value = "yes" +notes = [ + "Users would be notified on-site, or over e-mail in case there was one provided. As the e-mail input is optional this cannot be guaranteed." +] diff --git a/products/stripe.toml b/products/stripe.toml new file mode 100644 index 00000000..725c9f65 --- /dev/null +++ b/products/stripe.toml @@ -0,0 +1,74 @@ +name = "Stripe" +description = "Payment processor for e-commerce and mobile applications." +slug = "stripe" +hostnames = [ "stripe.com" ] +sources = [ "https://stripe.com/privacy" ] +contributors = [ "Deivedux" ] + +[rubric.behavioral-marketing] +value = "yes" +citations = [ + "We may use your Personal Data to assess your eligibility for, and offer you, other End User Services or promote existing End User Services. Where allowed by law (including with your opt-in consent where required), we use and share End User Personal Data with others so that we may market our End User Services to you, including through interest-based advertising.", + "If you have begun a purchase, we share Personal Data with that Business User in connection with our provision of Services and that Business User may use your Personal Data to market and advertise their products or services, subject to the terms of their privacy policy. Please review your merchant’s privacy policy to learn more, including your rights to stop their use of your Personal Data for marketing purposes.", + "Where allowed by applicable law, we use and share Representative Personal Data with others so that we may advertise and market our Services to you. Subject to applicable law (including any consent requirements), we may advertise to you through interest-based advertising and emails and seek to measure the effectiveness of our ads.", + "As allowed by law, we use and share Visitor Personal Data with others so that we may advertise and market our Services to you. Subject to applicable law (including any consent requirements), we may advertise our Services to you through interest-based advertising and emails, and seek to measure the effectiveness of our ads." +] + +[rubric.data-breaches] +value = "no" +notes = [ "The policy doesn't seem to mention a data breach policy." ] + +[rubric.data-collection-reasoning] +value = "yes" +notes = [ + "Sections [1.1b](https://stripe.com/privacy#1-1-end-users) (regarding \"End Users\"), [1.2b](https://stripe.com/privacy#1-2-end-customers) (regarding \"End Customers\"), [1.3b](https://stripe.com/privacy#1-3-representatives) (regarding \"Representatives\") and [1.4b](https://stripe.com/privacy#1-4-visitors) (regarding \"Visitors\") in the policy contain brief overviews of their use and share of personal data.", + "The entirety of [Section 2](https://stripe.com/privacy#2-more-ways-we-collect-use-and-share-personal-data) is a continuation of their use and share of personal data." +] + +[rubric.data-deletion] +value = "yes-contact" +citations = [ + "If you have a Stripe user account, you can close your account in the settings of your Stripe dashboard. [...] Once you complete the account closure steps, we will delete your data in accordance with applicable law.", + "If you signed up for Link on the Link website or when you’ve made a purchase from a business that uses Link, you can delete your account by going to the settings page on the Link website, or by following this guide.", + "If you are a customer who’s had your identity verified by a Stripe Identity user(s), we need to verify and authenticate your request in order to delete your information. In order to authenticate your request, please send an email to privacy@stripe.com to begin the process. Please include the name and date of birth that you submitted (either by way of ID document or keyed-in data), along with the names and websites of your merchant(s) who verified you via Stripe Identity." +] + +[rubric.history] +value = "last-modified" +citations = [ "Last updated: May 17, 2023" ] + +[rubric.law-enforcement] +value = "reasonable" +citations = [ + "We share Personal Data as we believe necessary: [...] (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.", + "In certain situations, we may be required to disclose Personal Data in response to lawful requests from officials (such as law enforcement or security authorities)." +] + +[rubric.list-collected] +value = "generally" +notes = [ "While their list seems exhaustive in size, it is filled with vague wording like \"such as\" and \"for example\", making it difficult to verify so." ] + +[rubric.noncritical-purposes] +value = "opt-out-all" +notes = [ "Stripe's control over the use of non-critical personal data relies on the user's [cookie settings](https://stripe.com/cookie-settings), which are enabled by default in jurisdictions that don't require user consent." ] + +[rubric.revision-notify] +value = "yes" +citations = [ "We may provide you with disclosures and alerts regarding the Policy or Personal Data collected by posting them on our website and, if you are an End User or Representative, by contacting you through your Stripe Dashboard, email address and/or the physical address listed in your Stripe account." ] + +[rubric.security] +value = "somewhat" +citations = [ "We make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. We maintain organizational, technical and administrative measures designed to protect Personal Data covered by this Policy against unauthorized access, destruction, loss, alteration or misuse. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure." ] +notes = [ "Stripe is a [certified PCI Service Provider](https://stripe.com/docs/security), though that shouldn't justify their lack of a proper overview of their security practices." ] + +[rubric.third-party-access] +value = "yes-specified-noncritical" +notes = [ + "A list of their sub-processors and service providers can be found [here](https://stripe.com/legal/service-providers).", + "Some providers listed, such as Marketo and Google, are used for marketing and analytical tracking purposes, respectively." +] + +[rubric.third-party-collection] +value = "critical-only" +citations = [ "We may collect information from you, and about you, from Business Users, financial parties and in some cases third parties. For example, to protect our Services, we may receive information from third parties about IP addresses that malicious actors have compromised." ] + diff --git a/products/sumo-scheduler.toml b/products/sumo-scheduler.toml new file mode 100644 index 00000000..67a61a7b --- /dev/null +++ b/products/sumo-scheduler.toml @@ -0,0 +1,88 @@ +name = "SUMO Scheduler" +description = "SUMO Scheduler provides online appointment, event, and course scheduling applications." +slug = "sumo-scheduler" +hostnames = [ "sumoscheduler.com" ] +sources = [ "https://www.sumoscheduler.com/privacy-policy" ] +contributors = [ "maximbelyakov" ] + +[rubric.behavioral-marketing] +value = "yes" +citations = [ + "If you no longer wish to receive any marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails." +] +notes = [ + "The policy mentions opting out of marketing emails, but doesn't specifically address behavioral marketing or targeted advertising opt-out options beyond email communications." +] + +[rubric.security] +value = "somewhat" +citations = [ + "We implement a variety of security measures to maintain the safety of your personal information when you place an order or enter, submit, or access your personal data." +] +notes = [ + "For more detailed information, refer to the Security Policy: https://sumoscheduler.com/security-policy/" +] + +[rubric.third-party-collection] +value = "no" +citations = [] +notes = [ "There is no mention of third-party data collection in the policy." ] + +[rubric.history] +value = "last-modified" +citations = [ + "These updates will take effect on May 25, 2018." +] + +[rubric.data-deletion] +value = "yes-contact" +citations = [ + "If you would like to correct, update, amend, or remove personal data that you have provided to us, you may do so in your account settings or by directing your query to your System Administrator. You may also contact us at support@sumoscheduler.com to request the complete deletion of your personal data. We will respond to your request within 30 days." +] + +[rubric.data-breaches] +value = "eventually" +citations = [ + "Should a security incident occur, we will notify affected users of the nature and extent of the breach, and take steps to minimize any damage. There have been no security incidents to date." +] +notes = [ "Citation is from the Security Policy." ] + +[rubric.third-party-access] +value = "yes-unspecified" +citations = [ + "We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses." +] + +[rubric.data-collection-reasoning] +value = "mostly" +citations = [ + "Any of the information we collect from you may be used in one of the following ways: To provide, operate, maintain, improve, and promote our services; To personalize your experience, including by providing content, features, or advertisements that match your interests and preferences; To send messages, including responding to your questions, comments, and requests; providing customer service and support; and sending you technical notices, updates, security alerts, and support and administrative messages To process and complete transactions – your information, whether public or private, will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the purchased product or service requested; To send promotional communications, such as providing you with information about services, features, surveys, newsletters, offers, promotions, contests, and events; and providing other news or information about us and our select partners. If any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email; To improve our website (we continually strive to improve our website offerings based on the information and feedback we receive from you); and For other purposes about which we obtain your consent." +] + +[rubric.noncritical-purposes] +value = "opt-out-some" +citations = [ + "If you no longer wish to receive any marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails." +] + +[rubric.law-enforcement] +value = "reasonable" +citations = [ + "We may disclose your information, including your personal data, to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable laws and regulation or governmental request by court order or subpoena." +] + +[rubric.list-collected] +value = "generally" +citations = [ + "We collect information from you when you register on our site, place an order, subscribe to our newsletter, respond to a survey, fill out a form or visit us at an event.", + "When ordering or registering on our site, as appropriate, you may be asked to enter your: name, e-mail address, mailing address, phone number or credit card information. You may, however, visit our site anonymously.", + "A system admin or another user may create an account on your behalf and may provide your information, including personal Information. We collect information under the direction of our customers and often have no direct relationship with the individuals whose personal information we process. If you are an employee of one of our customers and would no longer like us to process your information, please contact your employer. If you are providing information, including personal information about someone else, you must have the authority to act for them and to consent to the collection and use of their personal information.", + "We collect and store content that you create, submit, post, upload, transmit, store or display in the process of using SUMO or our websites. Such content may include any personal information or other sensitive information that you choose to include.", + "As you navigate our sites, we may also collect standard information from your Web browser through the use of commonly-used information-gathering tools. This information may include browser type and browser language preferences, your Internet Protocol (“IP”) address, the actions you take on our sites (such as the web pages viewed and the links clicked), and other content you send via the chat feature." +] + +[rubric.revision-notify] +value = "yes" +citations = [ + " If we decide to change our privacy policy, We will provide notice of any changes to the Privacy Policy by posting the revised policy on this page and, if appropriate, by sending an email notification to all users." +] diff --git a/products/tuta.toml b/products/tuta.toml new file mode 100644 index 00000000..2a5a44ea --- /dev/null +++ b/products/tuta.toml @@ -0,0 +1,132 @@ +name = "Tuta" +description = "Tuta is a freemium secure email provider (formerly Tutanota)." +slug = "tuta" +hostnames = [ "tuta.com" ] +sources = [ "https://tuta.com/privacy-policy", "https://tuta.com/de/privacy-policy?stickyLang=true" ] +contributors = [ "doamatto" ] + +[rubric.behavioral-marketing] +value = "no" +notes = [ "The privacy policy does not have any mentions about behavioural marketing. " ] + +[rubric.security] +value = "yes" +notes = [ + "This is not outlined in the privacy policy, but on a separate page: https://tuta.com/security" +] + +[rubric.third-party-collection] +value = "yes" +citations = [ + "In order to be able to evaluate campaigns with partners and advertising campaigns (e.g. advertising via Google or other search engines), we store an ID of the campaign with your Tutanota account when you reach Tutanota via a campaign link and register a Tutanota account. To be able to assign returning users to a campaign, we store a cryptographic hash of the IP address and the user agent (including information about the user’s browser and operating system) together with the campaign ID when you visit our website via a campaign link. If you visit our website via a search query and an advertising campaign, we also store the keywords and the search query together with the hash and the campaign ID. By using the hash, it is no longer possible to infer the IP address or the user agent. The keywords and the search query are not stored with the Tutanota account.", + "The hash and the campaign ID, keywords and search query stored together with the hash are deleted after 72 hours. Beyond this period of 72 hours, for the purpose of evaluating the campaign and until the completion of the evaluation, only completely anonymized campaign data (keywords and search query) are stored and processed without any link to the hash.", + "Insofar as we process personal data during the campaign analysis, this is done on the basis of Art 6 para. 1 p. lit. f) GDPR. Our interest in being able to evaluate advertising campaigns and to improve our marketing activities constitute a legitimate interest within the meaning of Art. 6 para. 1 p. lit. f) GDPR." +] + +[rubric.history] +value = "last-modified" +citations = [ "Status: September 26, 2022" ] + +[rubric.data-deletion] +value = "yes-automated" +citations = [ + "When signing up for a Tutanota account, you give consent to the processing of this data according to Art. 6 DSGVO 1. a). All textual content is encrypted for the user and its communication partners in a way that even Tutao GmbH has no access to the data. This data can be deleted by the user." +] + +[rubric.data-breaches] +value = "no" +notes = [ + "Tutanota is based in Germany so it is legally obliged to notify users of data breaches, but does not make any mention about if they will do so." +] + +[rubric.third-party-access] +value = "yes-specified-critical" +citations = [ + "For the execution of direct debiting we will share your banking details with the authorized credit institution. For the execution of PayPal payments we will share your PayPal data with PayPal (Europe).", + "For the execution of credit card payments your credit card data will be shared with our payment service provider Braintree. This includes the transfer of personal data into a third country (USA). An agreement entered into with Braintree defines appropriate safeguards and demands that the data is only processed in compliance with the GDPR and only for the purpose of execution of payments.", + "With the exception of payment data, we will not disclose your personal data including your email address to third parties. However, we can be legally bound to provide content data (in case of a valid court order) and inventory data to prosecution services. There will be no sale of data." +] + +[rubric.data-collection-reasoning] +value = "yes" +citations = [ + """ + For the initiation of a contractual relationship and for service provision we collect + - the newly registered email address + as inventory data. + """, + """ + For invoicing and determining the VAT we collect for paid product variants + - the domicile of the customer (country) + - the name and invoicing address (for private users optional) + - the VAT identification number (only for business customers of some countries) + as inventory data. + """, + """ + For the transaction of payments we collect depending on the chosen payment method the following payment data (inventory data): + - Banking details (account number and sort code and IBAN/BIC, if necessary bank name, account holder), + - credit card data, + - PayPal user name. + """, + "This inventory data is processed for the performance of the contract with the customer according to Art. 6 para. 1 p. 1 lit. b) GDPR.", + """ + For the execution of direct debiting we will share your banking details with the authorized credit institution. For the execution of PayPal payments we will share your PayPal data with PayPal (Europe). + - Address: PayPal (Europe) S.à r.l. et Cie, S.C.A.,22-24 Boulevard Royal, L-2449 Luxembourg + - Paypal privacy statement + - Paypal contact for questions about privacy + """, + "For the execution of credit card payments your credit card data will be shared with our payment service provider Braintree. This includes the transfer of personal data into a third country (USA). An agreement entered into with Braintree defines appropriate safeguards and demands that the data is only processed in compliance with the GDPR and only for the purpose of execution of payments.", + "In order to maintain email server operations, for error diagnosis and for prevention of abuse, mail server logs are stored max. 7 days. These logs contain sender and recipient email addresses and time of connection but no customer IP addresses. Storage takes place for the purposes of the legitimate interests pursued by the controller according to Art. 6 para. 1 p. 1 lit. f) GDPR.", + "In order to maintain operations, for prevention of abuse and and for visitors analysis, IP addresses of users are processed. Storage only takes place for IP addresses made anonymous which are therefore not personal data any more. This processing takes place for the purposes of the legitimate interests pursued by the controller according to Art. 6 para. 1 p. 1 lit. f) GDPR.", + "In order to be able to evaluate campaigns with partners and advertising campaigns (e.g. advertising via Google or other search engines), we store an ID of the campaign with your Tutanota account when you reach Tutanota via a campaign link and register a Tutanota account." +] + +[rubric.noncritical-purposes] +value = "opt-in" +citations = [ + "We use technical analysis options very sparingly and only if you have consented in advance and to the extent that this is necessary for the further development and improvement of Tutanota. In particular, we do not use analysis tools such as Google Analytics or other third-party tools. ... If you have given consent in advance, your anonymized usage data will be sent to our servers.", + "You can revoke your consent to participate in the anonymized usage statistics at any time by deactivating this function in the settings of your account. The random ID stored on your device is used only as long as users of the device participate in the collection of usage statistics.", + """ + You can delete the random ID stored locally on your device yourself at any time, for instance, like this: + - In the web client (https://app.tuta.com): In the browser’s menu settings by clearing the website data (e.g., “Clear browsing data” or “Clear cookies and other site data”). + - Mobile apps (Android/iOS): In the app settings by clearing the app’s stored data. + - Installed desktop clients: In the file system by deleting the app’s stored data. + """ +] + +[rubric.law-enforcement] +value = "strict" +citations = [ + "However, we can be legally bound to provide content data (in case of a valid court order) and inventory data to prosecution services. There will be no sale of data." +] +notes = [ + "They have a warrant canary at https://tutanota.com/blog/posts/transparency-report/" +] + +[rubric.list-collected] +value = "exhaustively" +citations = [ + """ + For the initiation of a contractual relationship and for service provision we collect + - the newly registered email address + as inventory data. + """, + """ + For invoicing and determining the VAT we collect for paid product variants + - the domicile of the customer (country) + - the name and invoicing address (for private users optional) + - the VAT identification number (only for business customers of some countries) + as inventory data. + """, + """ + For the transaction of payments we collect depending on the chosen payment method the following payment data (inventory data): + - Banking details (account number and sort code and IBAN/BIC, if necessary bank name, account holder), + - credit card data, + - PayPal user name. + """, + "In order to be able to evaluate campaigns with partners and advertising campaigns (e.g. advertising via Google or other search engines), we store an ID of the campaign with your Tutanota account when you reach Tutanota via a campaign link and register a Tutanota account. To be able to assign returning users to a campaign, we store a cryptographic hash of the IP address and the user agent (including information about the user’s browser and operating system) together with the campaign ID when you visit our website via a campaign link. If you visit our website via a search query and an advertising campaign, we also store the keywords and the search query together with the hash and the campaign ID. By using the hash, it is no longer possible to infer the IP address or the user agent. The keywords and the search query are not stored with the Tutanota account." +] + +[rubric.revision-notify] +value = "no" +notes = [ "German laws require users to be notified four weeks prior to a policy change. Tutanota has historically sent out these notices, but does not make any mention about if they will do so." ] diff --git a/products/tutanota.toml b/products/tutanota.toml index 8efb4104..5473fed4 100644 --- a/products/tutanota.toml +++ b/products/tutanota.toml @@ -1,77 +1,6 @@ name = "Tutanota" -description = "Tutanota is a free and open-source end-to-end encrypted email software and freemium secure email provider." -slug = "tutanota" +description = "Tutanota is the old name of Tuta — a freemium secure email provider." hostnames = [ "tutanota.com", "tutao.de" ] -sources = [ "https://tutanota.com/privacy/" ] -contributors = [ "doamatto" ] - -[rubric.behavioral-marketing] -value = "no" -notes = [ "Tutanota does not use any analytical tools. " ] - -[rubric.security] -value = "yes" -notes = [ - "This is not outlined in the privacy policy, rather on a separate page: https://tutanota.com/security" -] - -[rubric.third-party-collection] -value = "no" -notes = [ "There's no examples of such in their privacy polic(ies)" ] - -[rubric.history] -value = "last-modified" -citations = [ "Status: May 25, 2018" ] - -[rubric.data-deletion] -value = "yes-automated" -citations = [ - "When signing up for a Tutanota account, you give consent to the processing of this data according to Art. 6 DSGVO 1. a). All textual content is encrypted for the user and its communication partners in a way that even Tutao GmbH has no access to the data. This data can be deleted by the user." -] - -[rubric.data-breaches] -value = "no" -notes = [ - "Although their imprint describes them being based in Germany, Tutanota does not comply with Article 33 of the GDPR." -] - -[rubric.third-party-access] -value = "yes-specified-critical" -citations = [ - "With the exception of payment data, we will not disclose your personal data including your email address to third parties." -] -notes = [ "Payment is handled by Braintree." ] - -[rubric.data-collection-reasoning] -value = "yes" -citations = [ - "For the initiation of a contractual relationship and for service provision we collect\n\nthe newly registered email address\nas inventory data.\n\nFor invoicing and determining the VAT we collect for paid product variants\n\nthe domicile of the customer (country)\nthe invoicing address (for private users optional)\nthe VAT identification number (only for business customers of some countries)\nas inventory data.\n\nFor the transaction of payments we collect depending on the chosen payment method the following payment data (inventory data):\n\nBanking details (account number and sort code and IBAN/BIC, if necessary bank name, account holder),\ncredit card data,\nPayPal user name.\nThis inventory data is processed for the performance of the contract with the customer according to Art. 6 GDPR 1. b). For the execution of direct debiting we will share your banking details with the authorized credit institution. For the execution of PayPal payments we will share your PayPal data with PayPal (Europe).\n\nAddress: PayPal (Europe) S.à r.l. et Cie, S.C.A.,22-24 Boulevard Royal, L-2449 Luxembourg\nPaypal privacy statement\nPaypal contact for questions about privacy\nFor the execution of credit card payments your credit card data will be shared with our payment service provider Braintree. This includes the transfer of personal data into a third country (USA). An agreement entered into with Braintree defines appropriate safeguards and demands that the data is only processed in compliance with the GDPR and only for the purpose of execution of payments.\n\nTutanota provides services for saving, editing, presentation and electronic transmission of data, such as email service, contact management and data storage. This content data is voluntarily entered into Tutanota by the customer. When signing up for a Tutanota account, you give consent to the processing of this data according to Art. 6 DSGVO 1. a). All textual content is encrypted for the user and its communication partners in a way that even Tutao GmbH has no access to the data. This data can be deleted by the user.\n\nIn order to maintain email server operations, for error diagnosis and for prevention of abuse, mail server logs are stored max. 7 days. These logs contain sender and recipient email addresses and time of connection but no customer IP addresses. Storage takes place for the purposes of the legitimate interests pursued by the controller according to Art. 6 DSGVO 1. f).\n\nIn order to maintain operations, for prevention of abuse and and for visitors analysis, IP addresses of users are processed. Storage only takes place for IP addresses made anonymous which are therefore not personal data any more. This processing takes place for the purposes of the legitimate interests pursued by the controller according to Art. 6 DSGVO 1. f)." -] - -[rubric.noncritical-purposes] -value = "opt-out-all" -citations = [ - "For invoicing and determining the VAT we collect for paid product variants\n[...]\nthe invoicing address (for private users optional)" -] -notes = [ - "There are certain details that are optional for certain tiers. " -] - -[rubric.law-enforcement] -value = "strict" -citations = [ - "With the exception of payment data, we will not disclose your personal data including your email address to third parties. However, we can be legally bound to provide content data (in case of a valid German court order) and inventory data to prosecution services. There will be no sale of data." -] -notes = [ - "They have a warrant canary at https://tutanota.com/blog/posts/transparency-report/" -] - -[rubric.list-collected] -value = "exhaustively" -citations = [ - "For the initiation of a contractual relationship and for service provision we collect\n\nthe newly registered email address\nas inventory data.\n\nFor invoicing and determining the VAT we collect for paid product variants\n\nthe domicile of the customer (country)\nthe invoicing address (for private users optional)\nthe VAT identification number (only for business customers of some countries)\nas inventory data.\n\nFor the transaction of payments we collect depending on the chosen payment method the following payment data (inventory data):\n\nBanking details (account number and sort code and IBAN/BIC, if necessary bank name, account holder),\ncredit card data,\nPayPal user name.\nThis inventory data is processed for the performance of the contract with the customer according to Art. 6 GDPR 1. b). For the execution of direct debiting we will share your banking details with the authorized credit institution. For the execution of PayPal payments we will share your PayPal data with PayPal (Europe).\n\nAddress: PayPal (Europe) S.à r.l. et Cie, S.C.A.,22-24 Boulevard Royal, L-2449 Luxembourg\nPaypal privacy statement\nPaypal contact for questions about privacy\nFor the execution of credit card payments your credit card data will be shared with our payment service provider Braintree. This includes the transfer of personal data into a third country (USA). An agreement entered into with Braintree defines appropriate safeguards and demands that the data is only processed in compliance with the GDPR and only for the purpose of execution of payments.\n\nTutanota provides services for saving, editing, presentation and electronic transmission of data, such as email service, contact management and data storage. This content data is voluntarily entered into Tutanota by the customer. When signing up for a Tutanota account, you give consent to the processing of this data according to Art. 6 DSGVO 1. a). All textual content is encrypted for the user and its communication partners in a way that even Tutao GmbH has no access to the data. This data can be deleted by the user.\n\nIn order to maintain email server operations, for error diagnosis and for prevention of abuse, mail server logs are stored max. 7 days. These logs contain sender and recipient email addresses and time of connection but no customer IP addresses. Storage takes place for the purposes of the legitimate interests pursued by the controller according to Art. 6 DSGVO 1. f).\n\nIn order to maintain operations, for prevention of abuse and and for visitors analysis, IP addresses of users are processed. Storage only takes place for IP addresses made anonymous which are therefore not personal data any more. This processing takes place for the purposes of the legitimate interests pursued by the controller according to Art. 6 DSGVO 1. f)." -] - -[rubric.revision-notify] -value = "no" -notes = [ "There is no clause requiring such." ] +slug = "tutanota" +parent = "tuta" +contributors = [ "doamatto" ] \ No newline at end of file diff --git a/products/twitter.toml b/products/twitter.toml index b2ec52cd..2966b8ed 100644 --- a/products/twitter.toml +++ b/products/twitter.toml @@ -1,76 +1,121 @@ -name = "Twitter" -description = "Twitter is a microblogging social network popular among the masses." +name = "X (formerly Twitter)" +description = "X (formerly Twitter) is a microblogging social network popular among the masses." slug = "twitter" -hostnames = [ "twitter.com", "ads-twitter.com" ] -sources = [ "https://twitter.com/en/privacy" ] -contributors = [ "milesmcc" ] +hostnames = [ "x.com", "twitter.com" ] +sources = [ "https://x.com/en/privacy" ] +contributors = [ "milesmcc", "SimplyUnknown", "doamatto" ] [rubric.behavioral-marketing] value = "yes-opt-out" citations = [ - "\"Advertising revenue allows us to support and improve our services. We use the information described in this Privacy Policy to help make our advertising more relevant to you, to measure its effectiveness, and to help recognize your devices to serve you ads on and off of Twitter.\"\n\n\"Twitter adheres to the Digital Advertising Alliance Self-Regulatory Principles for Online Behavioral Advertising (also referred to as “interest-based advertising”) and respects the DAA’s consumer choice tool for you to opt out of interest-based advertising at https://optout.aboutads.info. In addition, our ads policies prohibit advertisers from targeting ads based on categories that we consider sensitive or are prohibited by law, such as race, religion, politics, sex life, or health. Learn more about your privacy options for interest-based ads here and about how ads work on our services here.\"" + "We use your information to provide our advertising and sponsored content services subject to your settings, which helps make ads on X more relevant to you. We also use this information to measure the effectiveness of ads and to help recognize your devices to serve you ads on and off of X. Some of our ad partners also enable us to collect similar information directly from their website or app by integrating our advertising technology. Information shared by ad partners and affiliates or collected by X from the websites and apps of ad partners and affiliates may be combined with the other information you share with X and that X receives, generates, or infers about you, as described elsewhere in our Privacy Policy.", + "Advertising revenue enables us to provide our products and services. Advertisers may learn information from your engagement with their ads on or off X.", + "You can control whether X shares your personal information with these partners by using the “Data sharing with business partners” option in your Privacy & Safety settings." ] +notes = [ "You can access the Privacy & Safety settings by going to https://x.com/settings/privacy_and_safety" ] [rubric.security] value = "no" notes = [ - "The policy does not mention any security measures Twitter takes to secure its data (though Twitter does _not_ have a history of data breaches)." + "The policy does not mention any security measures taken to secure any data." ] [rubric.third-party-collection] value = "yes" citations = [ - "\"We may receive information about you from third parties who are not our ad partners, such as others on Twitter, partners who help us evaluate the safety and quality of content on our platform, our corporate affiliates, and other services you link to your Twitter account.\"\n\n\"Our ad partners and affiliates share information with us such as browser cookie IDs, mobile device IDs, hashed email addresses, demographic or interest data, and content viewed or actions taken on a website or app.\"" + "Our ad and business partners share information with us such as browser cookie IDs, X-generated identifiers, mobile device IDs, hashed user information like email addresses, demographic or interest data, and content viewed or actions taken on a website or app. Some of our ad partners, particularly our advertisers, also enable us to collect similar information directly from their website or app by integrating our advertising technology. Information shared by ad partners and affiliates or collected by X from the websites and apps of ad partners and affiliates may be combined with the other information you share with X and that X receives, generates, or infers about you described elsewhere in this Privacy Policy.", + "We may receive information about you from third parties who are not our ad partners, such as other X users, developers, and partners who help us evaluate the safety and quality of content on our platform, our corporate affiliates, and other services you link to your X account. You may choose to connect your X account to your account on another service, and that other service may send us information about your account on that service." ] [rubric.history] value = "yes" -notes = [ - "At the bottom of the policy, the last modified date as well as previous policy revisions are available." -] +citations = [ "Effective: September 29, 2023" ] +notes = [ "A link at the bottom of the page (https://x.com/privacy/previous) can allow you to view past privacy policies." ] [rubric.data-deletion] value = "yes-automated" -citations = [ - "\"We keep Log Data for a maximum of 18 months. If you follow the instructions here (or for Periscope here), your account will be deactivated and then deleted. When deactivated, your Twitter account, including your display name, username, and public profile, will no longer be viewable on Twitter.com, Twitter for iOS, and Twitter for Android. For up to 30 days after deactivation it is still possible to restore your Twitter account if it was accidentally or wrongfully deactivated.\"\n\n\"Twitter provides you a means to download the information you have shared through our services by following the steps here. Periscope provides you a means to download the information you have shared through our services by following the steps here.\"" -] +citations = [ "If you follow the instructions here, your account will be deactivated and your data will be queued for deletion. When deactivated, your X account, including your display name, username, and public profile, will no longer be viewable on X.com, X for iOS, and X for Android. For up to 30 days after deactivation it is still possible to restore your X account if it was accidentally or wrongfully deactivated." ] +notes = [ "You can view the instructions to delete your account at https://help.x.com/managing-your-account/how-to-deactivate-twitter-account" ] [rubric.data-breaches] value = "no" notes = [ "The policy does not specify a data breach protocol." ] [rubric.third-party-access] -value = "yes-unspecified-critical" +value = "yes-specified-noncritical" citations = [ - "\"We engage service providers to perform functions and provide services to us in the United States, Ireland, and other countries. For example, we use a variety of third-party services to help operate our services, such as hosting our various blogs and wikis, and to help us understand the use of our services, such as Google Analytics.\"" + "Depending on your settings, we also provide certain third parties with information to help us offer or operate our products and services. You can learn more about these partnerships in our Help Center. You can control whether X shares your personal information with these partners by using the “Data sharing with business partners” option in your Privacy & Safety settings. (This setting does not control sharing described elsewhere in this Privacy Policy, such as when we share information with our service providers, or through partnerships other than as described in this Help Center article.)", + "We may share your information with our service providers that perform functions and provide services on our behalf, including payment services providers who facilitate payments; service providers that host our various blogs and wikis; service providers that help us understand the use of our services; applicant tracking system providers to send and receive applicant and job data to potential employers; and those that provide fraud detection services.", + "Advertising revenue enables us to provide our products and services. Advertisers may learn information from your engagement with their ads on or off X. For example, if you click on an external link or ad on our services, that advertiser or website operator might figure out that you came from X, along with other information associated with the ad you clicked, such as characteristics of the audience it was intended to reach and other X-generated identifiers for that ad. They may also collect other personal information from you, such as cookie identifiers, or your IP address.", + "We share or disclose your information with your consent or at your direction, such as when you authorize a third-party web client or application to access your account or when you direct us to share your feedback with a business. Similarly, to improve your experience, we work with third-party partners to display their video content on X or to allow cross-platform sharing. When you watch or otherwise interact with content from our video or cross-platform sharing partners, they may receive and process your personal information as described in their privacy policies. For video content, you can adjust your autoplay settings if you prefer that content not to play automatically.", + "We use technology like APIs and embeds to make public X information available to websites, apps, and others for their use, for example, displaying posts on a news website or analyzing what people say on X. We generally make this content available in limited quantities for free and charge licensing fees for large-scale access. We have standard terms that govern how this information can be used, and a compliance program to enforce these terms. But these individuals and companies are not affiliated with X, and their offerings may not reflect updates you make on X. For more information about how we make public data on X available to the world, visit https://developer.x.com." ] +notes = [ "A list of subprocessors can be found at https://privacy.x.com/subprocessors" ] [rubric.data-collection-reasoning] value = "yes" notes = [ - "The policy clearly explains why it collects essentially all data, including data used almost solely for marketing purposes. While the amount of data it collects is not ideal, Twitter is very transparent about it." + "We use the information we collect to provide and operate X products and services. We also use the information we collect to improve and personalize our products and services so that you have a better experience on X, including by showing you more relevant content and ads, suggesting people and topics to follow, enabling and helping you discover affiliates, third-party apps, and services. We may use the information we collect and publicly available information to help train our machine learning or artificial intelligence models for the purposes outlined in this policy.", + "We may use the information we collect from accounts of other services that you choose to connect your X account to provide you features like cross-posting or cross-service authentication, and to operate our services.", + "We use your contact information to help others find your account if your settings permit, including through third-party services and client applications.", + "We use your information to provide our advertising and sponsored content services subject to your settings, which helps make ads on X more relevant to you. We also use this information to measure the effectiveness of ads and to help recognize your devices to serve you ads on and off of X. Some of our ad partners also enable us to collect similar information directly from their website or app by integrating our advertising technology. Information shared by ad partners and affiliates or collected by X from the websites and apps of ad partners and affiliates may be combined with the other information you share with X and that X receives, generates, or infers about you, as described elsewhere in our Privacy Policy.", + "We use the information we collect to measure and analyze the effectiveness of our products and services and to better understand how you use them in order to make them better.", + "We use the information we collect to communicate with you about our products and services, including about product updates and changes to our policies and terms. If you’re open to hearing from us, we may also send you marketing messages from time to time.", + "We use information you share with us, or that we collect to conduct research, surveys, product testing, and troubleshooting to help us operate and improve our products and services." ] [rubric.noncritical-purposes] value = "opt-out-some" -notes = [ - "Twitter has relatively comprehensive privacy settings, but Google Analytics monitors users on Twitter regardless of their privacy settings." +citations = [ + "Depending on your settings, we also provide certain third parties with information to help us offer or operate our products and services. You can learn more about these partnerships in our Help Center. You can control whether X shares your personal information with these partners by using the “Data sharing with business partners” option in your Privacy & Safety settings.", + "X adheres to the Digital Advertising Alliance Self-Regulatory Principles for Online Behavioral Advertising (also referred to as “interest-based advertising”) and respects the DAA’s consumer choice tool for you to opt out of interest-based advertising at https://optout.aboutads.info/." ] +notes = [ "You can access the Privacy & Safety settings by going to https://x.com/settings/privacy_and_safety" ] [rubric.law-enforcement] value = "reasonable" citations = [ - "\"Notwithstanding anything to the contrary in this Privacy Policy or controls we may otherwise offer to you, we may preserve, use, or disclose your personal data if we believe that it is reasonably necessary to comply with a law, regulation, legal process, or governmental request...\"" + "We may preserve, use, share, or disclose your information if we believe that it is reasonably necessary to: comply with a law, regulation, legal process, or governmental request; protect the safety of any person, protect the safety or integrity of our platform, including to help prevent spam, abuse, or malicious actors on our services; explain why we have removed content or accounts from our services (e.g., for a violation of Our Rules); address fraud, security, or technical issues; or protect our rights or property, or the rights or property of those who use our services." ] [rubric.list-collected] -value = "generally" -notes = [ - "While the policy is generally explicit about the data Twitter collects, it nonetheless uses qualifying phrases like \"such as\" when listing collected data." +value = "exhaustively" +citations = [ + "If you create an account, you must provide us with some information so that we can provide our services to you. This includes a display name (for example, “Creators”); a username (for example, @XCreators); a password; an email address or phone number; a date of birth; your display language; and third-party single sign-in information (if you choose this sign-in method). You can also choose to share your location in your profile and posts, and to upload your address book to X to help find people you may know. Your profile information, which includes your display name and username, is always public, but you can use either your real name or a pseudonym.", + "If you create a professional account, you also need to provide us with a professional category, and may provide us with other information, including street address, contact email address, and contact phone number, all of which will always be public.", + "In order to purchase ads or other offerings provided as part of our paid products and services you will need to provide us payment information, including your credit or debit card number, card expiration date, CVV code, and billing address.", + "When you set your preferences using your settings, we collect that information so that we can respect your preferences.", + "Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes.", + "We may collect and use your personal information (such as your employment history, educational history, employment preferences, skills and abilities, job search activity and engagement, and so on) to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising.", + """ + We collect information about your activity on X, including: + - Posts and other content you post (including the date, application, and version of X) and information about your broadcast activity (e.g., Spaces), including broadcasts you’ve created and when you created them, your lists, bookmarks, and communities you are a part of. Your interactions with other users’ content, such as reposts, likes, bookmarks, shares, replies, if other users mention or tag you in content or if you mention or tag them, and broadcasts you’ve participated in (including your viewing history, listening, commenting, speaking, and reacting). + - How you interact with others on the platform, such as people you follow and people who follow you, metadata related to Encrypted Messages, and when you use Direct Messages, including the contents of the messages, the recipients, and date and time of messages. + - If you communicate with us, such as through email, we will collect information about the communication and its content. + - We collect information on links you interact with across our services (including in our emails sent to you). + """, + "To allow you to make a payment or send money using X features or services, including through an intermediary, we may receive information about your transaction such as when it was made, when a subscription is set to expire or auto-renew, and amounts paid or received.", + """ + We collect information from and about the devices you use to access X, including: + - Information about your connection, such as your IP address, browser type, and related information. + - Information about your device and its settings, such as device and advertising ID, operating system, carrier, language, memory, apps installed, and battery level. + - Your device address book, if you’ve chosen to share it with us. + """, + "When you use X, we collect some information about your approximate location to provide the service you expect, including showing you relevant ads. You can also choose to share your current precise location or places where you’ve previously used X by enabling these settings in your account.", + """ + We may collect or receive information that we use to infer your identity as detailed below: + - When you sign into X on a browser or device, we will associate that browser or device with your account. Subject to your settings, we may also associate your account with browsers or devices other than those you use to sign into X (or associate your signed-out device or browser with other browsers or devices or X-generated identifiers). + - When you provide other information to X, including an email address or phone number, we associate that information with your X account. Subject to your settings, we may also use this information in order to infer other information about your identity, for example by associating your account with hashes of email addresses that share common components with the email address you have provided to X. + - When you access X and are not signed in, we may infer your identity based on the information we collect. + """, + "We may receive information when you view content on or otherwise interact with our products and services, even if you have not created an account or are signed out, such as: IP address and related information; browser type and language; operating system; the referring webpage; access times; pages visited; location; your mobile carrier; device information (including device and application IDs); search terms and IDs (including those not submitted as queries); ads shown to you on X; X-generated identifiers; and identifiers associated with cookies. We also receive log information when you click on, view, or interact with links on our services, including when you install another application through X.", + "When you view or interact with ads we serve on or off X, we may collect information about those views or interactions (e.g., watching a video ad or preroll, clicking on an ad, interacting with reposts of or replies to an ad).", + "Like many websites, we use cookies and similar technologies to collect additional website usage data and to operate our services. Cookies are not required for many parts of our products and services such as searching and looking at public profiles. You can learn more about how we use cookies and similar technologies here.", + "When you view our content on third-party websites that integrate X content such as embedded timelines or post buttons, we may receive log information that includes the web page you visited.", + "Our ad and business partners share information with us such as browser cookie IDs, X-generated identifiers, mobile device IDs, hashed user information like email addresses, demographic or interest data, and content viewed or actions taken on a website or app. Some of our ad partners, particularly our advertisers, also enable us to collect similar information directly from their website or app by integrating our advertising technology. Information shared by ad partners and affiliates or collected by X from the websites and apps of ad partners and affiliates may be combined with the other information you share with X and that X receives, generates, or infers about you described elsewhere in this Privacy Policy.", + "We may receive information about you from third parties who are not our ad partners, such as other X users, developers, and partners who help us evaluate the safety and quality of content on our platform, our corporate affiliates, and other services you link to your X account. You may choose to connect your X account to your account on another service, and that other service may send us information about your account on that service." ] [rubric.revision-notify] value = "yes" -citations = [ - "\"We may revise this Privacy Policy from time to time. The most current version of the policy will govern our processing of your personal data and will always be at https://twitter.com/privacy. If we make a change to this policy that, in our sole discretion, is material, we will notify you via an @Twitter update or email to the email address associated with your account. By continuing to access or use the Services after those changes become effective, you agree to be bound by the revised Privacy Policy.\"" -] +citations = [ "If we do revise this Privacy Policy and make changes that are determined by us to be material, we will provide you notice and an opportunity to review the revised Privacy Policy before you continue to use X." ] diff --git a/products/zoho.toml b/products/zoho.toml new file mode 100644 index 00000000..4a79597f --- /dev/null +++ b/products/zoho.toml @@ -0,0 +1,106 @@ +name = "Zoho Corp" +description = "Zoho Corp is a global software company that offers a suite of cloud-based applications for business productivity." +slug = "zoho" +hostnames = [ "zoho.com" ] +sources = [ "https://www.zoho.com/privacy.html" ] +contributors = [ "Anon-sec" ] + +[rubric.behavioral-marketing] +value = "yes" +citations = [ + "Opt out of non-essential electronic communications : You may opt out of receiving newsletters and other non-essential messages by using the ‘unsubscribe’ function included in all such messages. However, you will continue to receive essential notices and emails such as account notification emails (password change, renewal reminders, etc.), security incident alerts, security and privacy update notifications, and essential transactional and payment related emails.", + "You can disable browser cookies before visiting our websites. However, if you do so, you may not be able to use certain features of the websites properly." +] +notes = ["There's no way to opt-out of analytical tracking apart from disabling cookies."] + +[rubric.data-breaches] +value = "no" +citations = [ + "However, you will continue to receive essential notices and emails such as account notification emails (password change, renewal reminders, etc.), security incident alerts, security and privacy update notifications, and essential transactional and payment related emails." +] +notes = [ + "In the hopes that 'security incident alerts' are what they mean, the policy does not provide precise details regarding data breaches." +] + +[rubric.data-collection-reasoning] +value = "yes" +citations = [ + "To communicate with you (such as through email) about products that you have downloaded and services that you have signed up for, changes to this Privacy Policy, changes to the Terms of Service, or important notices", + "To keep you posted on new products and services, upcoming events, offers, promotions and other information that we think will be of interest to you", + "To ask you to participate in surveys, or to solicit feedback on our products and services", + "To set up and maintain your account, and to do all other things required for providing our services, such as enabling collaboration, providing website and mail hosting, and backing up and restoring your data", + "To understand how users use our products and services, to monitor and prevent problems, and to improve our products and services", + "To provide customer support, and to analyze and improve our interactions with customers", + "To detect and prevent fraudulent transactions and other illegal activities, to report spam, and to protect the rights and interests of Zoho, Zoho’s users, third parties and the public", + "To update, expand and analyze our records, identify new customers, and provide products and services that may be of interest to you", + "To analyze trends, administer our websites, and track visitor navigations on our websites to understand what visitors are looking for and to better help them", + "To monitor and improve marketing campaigns and make suggestions relevant to the user" +] + +[rubric.data-deletion] +value = "yes-contact" +citations = [ + "We hold the data in your account as long as you choose to use Zoho Services. Once you terminate your Zoho user account, your data will eventually get deleted from active database during the next clean-up that occurs once in 6 months. The data deleted from active database will be deleted from backups after 3 months.", + "If you are from the European Economic Area and you believe that we store, use or process your information on behalf of one of our customers, please contact the customer if you would like to access, rectify, erase, restrict or object to processing, or export your personal data. We will extend our support to our customer in responding to your request within a reasonable timeframe.", +] + +[rubric.history] +value = "last-modified" +citations = [ + "Last updated on: 5th June 2023." +] + +[rubric.law-enforcement] +value = "reasonable" +citations = [ + "We may be required by law to preserve or disclose your personal information and service data to comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements." +] + +[rubric.list-collected] +value = "generally" +notes = [ + "1. Information You Provide: Account Signup: Name, contact info (email, phone), company name, username, password (optional: photo, timezone, language), Event Registrations: Name, email, contact info, Payment Processing: Name, contact info, payment details (e.g., last 4 digits of credit card), Testimonials: Name and personal details (if authorized), Support Interactions: Email, phone, and chat support communications.", + "2. Information Collected Automatically: Device and Usage Data: IP address, browser type, device info, operating system, usage patterns, and cookies, Application Logs and Analytics: Clicks, errors, performance data, devices used.", + "3. Information from Third Parties: Federated Logins (Google, LinkedIn): Name, email address, Referrals: Name, email, Resellers and Service Providers: Name, email, company name, Social Media: Public profile info (name, photo, posts)." +] + +[rubric.noncritical-purposes] +value = "opt-out-some" +citations = [ + "You may opt out of receiving newsletters and other non-essential messages by using the ‘unsubscribe’ function included in all such messages. However, you will continue to receive essential notices and emails such as account notification emails (password change, renewal reminders, etc.), security incident alerts, security and privacy update notifications, and essential transactional and payment related emails.", + "You can disable browser cookies before visiting our websites. However, if you do so, you may not be able to use certain features of the websites properly.", + "You can choose not to provide optional profile information such as your photo. You can also delete or change your optional profile information.", + "If you choose to enable any third-party integrations, you may be allowing the third party to access your service data and personal information about you." +] + +[rubric.revision-notify] +value = "yes" +citations = [ + "We may modify the Privacy Policy at any time, upon notifying you through a service announcement or by sending an email to your primary email address. If we make significant changes to the Privacy Policy that affect your rights, you will be provided with at least 30 days' advance notice of the changes by email to your primary email address." +] + +[rubric.security] +value = "yes-independent-audits" +citations = [ + "At Zoho, we take data security very seriously. That's why we have gotten certified for industry standards mentioned here. We have taken steps to implement appropriate administrative, technical & physical safeguards to prevent unauthorized access, use, modification, disclosure or destruction of the information you entrust to us." +] +notes = [ + "A copy of a security whitepaper is linked in the policy and viewable at https://www.zoho.com/security.html", + "A copy of compliance certifications, including independent audits, is linked in the policy and viewable at https://www.zoho.com/compliance.html" +] + +[rubric.third-party-access] +value = "yes-unspecified" +citations = [ + "We may need to share your personal information and aggregated or de-identified information with third-party service providers that we engage, such as marketing and advertising partners, event organizers, web analytics providers and payment processors. These service providers are authorized to use your personal information only as necessary to provide these services to us." +] + +[rubric.third-party-collection] +value = "yes" +citations = [""] +notes =[ + "Federated Authentication (e.g., Google, LinkedIn): Name, Email.", + "Referrals: Name, Email, Partners.", + "Service Providers: Name, Email, Company.", + "Social Media/Public Sources: Profile info (name, photo, posts)." +]