~netlandish/policies

e79ecaa6d6881e83b17b56977dc46d9010d13fa3 — Peter Sanchez 3 years ago
Initial commit
A  => .hgignore +21 -0
@@ 1,21 @@
syntax:glob
.svn
.hgsvn
settings_local.py
.*.swp
**.pyc
*.*~
.coverage

# virtualenv
syntax:regexp
^env$
^testenv$
^media$
^static$
^fixtures$

# Unit test / coverage reports
htmlcov/

celerybeat-schedule
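
Review bot: The last two patterns, `htmlcov/` and `celerybeat-schedule`, come after the `syntax:regexp` line, so Mercurial reads them as unanchored regular expressions rather than globs, and they match any path containing those strings. Move them up into the glob section, or add a `syntax:glob` line before `# Unit test / coverage reports`. The `# virtualenv` comment also covers `^media$`, `^static$` and `^fixtures$`, which are not virtualenv directories. Since the files added here are policy documents, entries such as `settings_local.py` look carried over from an application project and could be dropped.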

A  => README.md +60 -0
@@ 1,60 @@
# Netlandish Policies, Terms and Legal Stuff

This is the public repo for all the Netlandish policy documents. Please feel
free to submit changes, corrections, suggestions, etc.

Also, a huge thank you to [Basecamp][bc] for providing these policies
with open licenses. This allowed us to rework our policies to be more fair,
plain, and easier to understand.

## Contact Details

Some contact pages or email address may be wrong or have typos or whatever.
Please if anything ever fails you can always use `hello@<domain.com>` to reach
us. Here are the individual ones:

- Netlandish: [hello@netlandish.com](mailto:hello@netlandish.com)
- AnyHow: [hello@anyhowhq.com](mailto:hello@anyhowhq.com)
- HelpYouFindMe: [hello@helpyoufind.me](mailto:hello@helpyoufind.me)

## Contributing

We accept patches submitted via `hg email` which is the `patchbomb` extension
included with Mercurial.

The mailing list where you submit your patches is
`~netlandish/public-inbox@lists.code.netlandish.com`. You can also view the
archives on the web here:

https://lists.code.netlandish.com/~netlandish/public-inbox

To quickly setup your clone of `policies` to submit to the mailing
list just edit your `.hg/hgrc` file and add the following:

    [email]
    to = ~netlandish/public-inbox@lists.code.netlandish.com

    [patchbomb]
    flagtemplate = "policies"

    [diff]
    git = 1

We have more information on the topic here:

- [Contributing][cdoc]
- [Using email with Mercurial][hgemail]
- [Mailing list etiquette][etiquette]

[etiquette]: https://man.code.netlandish.com/lists/etiquette.md
[hgemail]: https://man.code.netlandish.com/hg/email.md
[cdoc]: https://man.code.netlandish.com/contributing.md

## Copying License

Netlandish policies are open source, licensed under [CC BY
4.0](https://creativecommons.org/licenses/by/4.0/). Adapted from the [Basecamp
open-source policies](https://github.com/basecamp/policies) / [CC BY
4.0](https://creativecommons.org/licenses/by/4.0/).

[bc]: https://basecamp.com "Basecamp"
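
Review bot: The `.hg/hgrc` snippet under "Contributing" sets `[email]`, `[patchbomb]` and `[diff]` but never enables the extension, so on a Mercurial install where `patchbomb` is not already switched on, `hg email` will be an unknown command. Add an `[extensions]` section with `patchbomb =` to the snippet, or state that it must be enabled first. In "Contact Details", "email address" should be plural, and the sentence saying the addresses "may be wrong or have typos or whatever" would read better as a plain fallback instruction to use `hello@<domain.com>`.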

A  => policies/abuse.md +94 -0
@@ 1,94 @@
---
title: Netlandish Restricted Use Policy
description: It is not okay to use Netlandish products for these restricted purposes.
---

# Use Restrictions

*Last updated: March 21, 2021*

People all over the world use Netlandish products. We are proud to give them a
better way to work. We also recognize that however good the maker's intentions,
technology can amplify the ability to cause great harm. That's why we've
established this policy. We feel an ethical obligation to counter such harm:
both in terms of dealing with instances where Netlandish products are used (and
abused) to further such harm, and to state unequivocally that the products we
make at Netlandish are not safe havens for people who wish to commit such harm.
If you have an account with any of our products, you can't use them for any of
the restricted purposes listed below. If we find out you are, [we will take
action](/policies/how-we-handle/).

## Restricted purposes

* **Violence, or threats thereof**: If an activity qualifies as violent crime
  in the United States or where you live, you may not use Netlandish products
  to plan, perpetrate, or threaten that activity.
* **Child exploitation, sexualization, or abuse**: We don't tolerate any
  activities that create, disseminate, or otherwise cause child abuse. Keep
  away and stop. Just stop.
* **Hate speech**: You cannot use our products to advocate for the
  extermination, domination, or oppression of people.
* **Harassment**: Intimidating or targeting people or groups through repeated
  communication, including using racial slurs or dehumanizing language, is not
  welcome at Netlandish.
* **Doxing**: If you are using Netlandish products to share other peoples'
  private personal information for the purposes of harassment, we don't want
  anything to do with you.
* **Malware or spyware**: Code for good, not evil. If you are using our
  products to make or distribute anything that qualifies as malware or spyware
  — including remote user surveillance — begone.
* **Phishing or otherwise attempting fraud**: It is not okay to lie about who
  you are or who you affiliate with to steal from, extort, or otherwise harm
  others.
* **Spamming**: No one wants unsolicited commercial emails. We don't tolerate
  folks (including their bots) using Netlandish products for spamming purposes.
  If your emails don't pass muster with
  [CAN-SPAM](https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business)
  or any other anti-spam law, it's not allowed.
* **Cybersquatting**: We don't like username extortionists. If you purchase a
  Netlandish product account in someone else's name and then try to sell that
  account to them, you are
  [cybersquatting](https://www.law.cornell.edu/uscode/text/15/1125).
  Cybersquatting accounts are subject to immediate cancellation.
* **Infringing on intellectual property**: You can't use Netlandish products to
  make or disseminate work that uses the intellectual property of others beyond
  the bounds of [fair use](https://www.copyright.gov/fair-use/more-info.html).

While our use restrictions are comprehensive, they can't be exhaustive — it's
possible an offense could defy categorization, present for the first time, or
illuminate a moral quandary we hadn't yet considered. That said, we hope the
overarching spirit is clear: Netlandish products are not to be harnessed for
harm, whether mental, physical, personal or civic. Different points of view —
philosophical, religious, and political — are welcome, but ideologies like
white nationalism, or hate-fueled movements anchored by oppression, violence,
abuse, extermination, or domination of one group over another, will not be
accepted here.

## How to report abuse

For cases of suspected malware, spyware, phishing, spamming, and
cybersquatting, please alert us at [abuse@netlandish.com][abemail]

For all other cases, please let us know by emailing
[hello@netlandish.com][email]. If you're not 100% sure if something rises to the
level of our use restrictions policy, report it anyway.

Please share as much as you are comfortable with about the account, the content
or behavior you are reporting, and how you found it. Sending us a URL or
screenshots is super helpful. If you need a secure file transfer, let us know
and we will send you a link. We will not disclose your identity to anyone
associated with the reported account. For copyright cases, we've outlined extra
instructions on [how to notify us about infringement
claims](/policies/copyright/).

Someone on our team will respond within one business day to let you know we've
begun investigating. We have published details on [how we investigate use
restriction reports](/policies/how-we-handle/). We will also let you know the
outcome of our investigation (unless you ask us not to, or we are not allowed
to under law).

**This policy and process applies to any product created and owned by
Netlandish Inc. That includes AnyHow and HelpYouFindMe.**

[abemail]: mailto:abuse@netlandish.com "abuse@netlandish.com"
[email]: mailto:hello@netlandish.com "hello@netlandish.com"
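
Review bot: "How to report abuse" splits reports between two mailboxes but leaves copyright out of the first list, so the "For all other cases" sentence sends copyright reports to hello@netlandish.com while `policies/copyright.md` in this same commit gives abuse@netlandish.com. Name copyright in the first sentence, or put the address next to the link to `/policies/copyright/`. That first sentence also lacks its closing period, and the front-matter title ("Netlandish Restricted Use Policy") does not match the H1 ("Use Restrictions") or the "Use Restrictions policy" name used in links from the other pages.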

A  => policies/cancellation.md +53 -0
@@ 1,53 @@
--- title: Cancellation policy description: Everything you need to know about
canceling your Netlandish product account.  ---

# Cancellation policy

*Last updated: March 21, 2021*

We want satisfied customers, not hostages. That's why we make it easy for you
to cancel your account directly in all of our apps — no phone calls required,
no questions asked.

Account owners can follow these instructions to cancel in-app:
* [AnyHow](https://docs.anyhowhq.com/billing/#cancelling)
* [HelpYouFindMe](https://helpyoufind.me/help/billing/#cancelling)

Our legal responsibility is to account owners, which means we cannot cancel an
account at the request of anyone else. If for whatever reason you no longer
know who the account owner is, [contact us][email]. We will
gladly reach out to any current account owners at the email addresses we have
on file.

## What happens when you cancel?

You won't be able to access your account once you cancel, so make sure you
download everything you want to keep beforehand.

We'll permanently delete your account data within 30 days from our servers and
logs, and within 60 days from our backups. Retrieving data for a single account
from a backup isn't possible, so if you change your mind you'll need to do it
within the first 30 days. **Data can't be recovered once it has been
permanently deleted.**

We won't bill you again once you cancel. We don't automatically prorate any
unused time you may have left but if you haven't used your account in months or
just started a new billing cycle, [contact us][email] for a
[fair refund](/policies/refund/). We'll treat you right.

## Netlandish-initiated cancellations

We may cancel accounts if they have been inactive for an extended period:
* For trial accounts:
	* For all services: 30 days after a trial has expired without being
	  upgraded
* For frozen accounts: 180 days after being frozen due to billing failures
* For free accounts: after 365 days of inactivity

We also retain the right to suspend or terminate accounts for any reason at any
time, as outlined in our [Terms of Service](/policies/terms-of-service/). In practice,
this generally means we will cancel your account without notice if we have
evidence that you are using our products to engage in [abusive
behavior](/policies/abuse/).

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
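
Review bot: The front matter at the top of the file has been reflowed into running text (`--- title: Cancellation policy description: Everything you need ...` across two lines), so a parser that expects `---` on its own line will not pick up the title and description; restore the four-line form used in `policies/abuse.md`. Separately, "We'll permanently delete your account data within 30 days from our servers and logs" conflicts with `policies/privacy.md` in this commit, which says sign-up IP addresses and CAPTCHA data are kept forever; state the exceptions here or link to them. The nested list under "Netlandish-initiated cancellations" is indented with tabs and has a single child item, which could be folded into its parent bullet.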

A  => policies/company-processors.md +25 -0
@@ 1,25 @@
---
title: Company Processors
description: Netlandish Inc. uses some other third-party processors for company purposes outside of delivering our services.
---

# Company processors

We as a company use third-party software that may process your information
under certain circumstances.

For the following processors, we have established GDPR-compliant data
processing agreements, extending [GDPR safeguards](../regulations/index.md)
everywhere personal data is processed. These processors are all located in the
United States:

* [HelloSign](https://www.hellosign.com/trust/compliance/gdpr). Electronic
  signature service.
* [Paypal](https://www.paypal.com/us/webapps/mpp/gdpr-readiness-requirements).
  Payment transfer service.

As a company, we also host a blog and maintain social media profiles. If you
voluntarily engage with us through those media, your personal information may
also be collected by the following processors, also all located in the US:

* [Twitter](https://gdpr.twitter.com/). Social media platform.
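
Review bot: The "GDPR safeguards" link points at `../regulations/index.md`, a relative path to a source file, while `policies/index.md` links the same page as `/policies/regulations/`; pick one form so the link resolves on the rendered site. "Paypal" should be spelled "PayPal". This page is linked from the privacy policy but has no entry in `policies/index.md`.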

A  => policies/copyright.md +72 -0
@@ 1,72 @@
---
title: Copy that?
description: How Netlandish handles copyright infringement claims.
---

# Copyright Infringement Claims

## Notification of Copyright Infringement Claims

Making original work is hard! As described in our [Use Restrictions
policy](/policies/abuse/), you can't use Netlandish products* to make or
disseminate work that uses the intellectual property of others beyond the
bounds of [fair use](https://www.copyright.gov/fair-use/more-info.html).

Are you a copyright owner? Under the Digital Millennium Copyright Act (17
U.S.C. § 512), you have the right to notify us (Netlandish Inc.) if you believe
that an account user of any product we built and maintain has infringed on your
work(s) as copyright owner. To be effective, the notification of claimed
infringement must be written. Please include the following information:

- A physical or electronic signature of a person authorized to act on behalf of
  the owner of an exclusive right that is allegedly infringed.
- Identification of the copyrighted work(s) claimed to have been infringed. If
  there are multiple, please share a representative list of those works.
- A way for us to locate the material you believe is infringing the copyrighted
  work.
- Your name and contact information so that we can get back to you. Email
  address is preferred but a telephone number or mailing address works too.
- A statement that you, in good faith, believe that use of the material in the
  manner complained of is not authorized by the copyright owner, its agent, or
  the law.
- A statement that the information in the notification is accurate, and under
  penalty of perjury, that you are authorized to act on behalf of the owner of
  an exclusive right that is allegedly infringed.

## Digital Millennium Copyright Act ("DCMA") Counter-notifications

On the flip-side, if you believe your material has been removed in error, you
can file a written counter-notification. Please include the following
information:

- A physical or electronic signature, or the signature of the person authorized
  to act on your behalf.
- A description of the material that was removed.
- A description of where the material appeared in Netlandish products prior to
  their removal.
- Your name and contact information so that we can get back to you. Email
  address is preferred but a telephone number or mailing address works too.
- A statement under penalty of perjury that you have a good faith belief that
  the material was removed or disabled as a result of mistake or
  misidentification.
- A statement that you consent to the jurisdiction of the Federal District
  Court for the judicial district in which your address is located, or if your
  address is outside of the United States, in the Southern District of
  California (where Netlandish is located).
- A statement that you will accept service of process from the person who filed
  the original DMCA notice or an agent of that person. (In other words, you've
  designated that person to receive documents on your behalf.)

## Where to Send Notices

You can notify us of either copyright infringement claims or DCMA
counter-notifications through either of the following channels:

**By email**: [abuse@netlandish.com][abemail]

**By mail**: Netlandish Inc., 5200 Clark Ave, #832, Lakewood CA 90714, USA

**This policy and process applies to any product created and owned by
Netlandish Inc. That includes AnyHow and HelpYouFindMe.**

[abemail]: mailto:abuse@netlandish.com "abuse@netlandish.com"
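
Review bot: The acronym is misspelled "DCMA" in the counter-notifications heading and again under "Where to Send Notices", while the body text uses "DMCA notice"; it should be "DMCA" throughout, since people search for and cite that term when filing. "Netlandish products*" in the first paragraph carries an asterisk with no matching footnote; the bold paragraph at the end looks like the intended target, so mark it with the asterisk or drop the marker. The front-matter title "Copy that?" gives no hint of the page's subject when it appears in a browser tab or search result.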

A  => policies/how-we-handle.md +119 -0
@@ 1,119 @@
---
title: How we handle abusive usage
description: Guiding principles and process for investigating abuse reports
---

# How we handle abusive usage

*Last updated: March 21, 2021*

We build our products* to give teams a better way to work. We are proud of that
purpose and trust that our customers use our products for appropriate
endeavors.

Sometimes, though, we discover potential abusive usage as detailed in our [Use
Restrictions policy](/policies/abuse/). When that happens, we investigate using the
following guiding principles and process.

## Guiding Principles

### Human oversight

Who's "we", you ask? It's us: folks from the Netlandish team. Our internal abuse
oversight committee includes our President, Peter Sanchez, and
representatives from multiple departments across the company. On rare occasions
for particularly sensitive situations or if legally required, we may also seek
counsel from external experts.

### Balanced responsibilities

We have an obligation to protect the privacy and safety of both our customers
and the people reporting issues to us. We do our best to balance those
responsibilities throughout the process.

### Focus on evidence

We base our decisions on the evidence available to us: what we see and hear
account users say and do. We document what we observe and ask whether that
observable evidence points to a restricted use.

## Process

Every case goes through the same general process:

1. Discovery
2. Investigation
3. Decision, sometimes with right to an appeal

### How do we discover potential abuse?

From our experience, we learn about potential abuse because:

- Someone alerts us. We give [abuse reports](/policies/abuse/) our full care and
  attention. Our Support team also responds to every question or comment that
  comes in. If we notice anything in those emails that points to a violation,
  we will look into it.
- We notice an anomaly in our business operations monitoring. We monitor a
  range of things about our products, like sign-up volume and error rates of web
  requests. If we see something weird with those numbers, we get to the bottom
  of it.
- We stumble upon public web content that links an individual or organization
  to a Netlandish product. We aren't scouring the Internet looking for those
  links, but if we do come across any, we check them out.

This list is not exhaustive; there are always edge cases. We will update the
list if we find regular new avenues.

### How do we investigate?

We focus on the evidence:

- Language and imagery used by users on the account
- Evidence of account users' power and/or ability to act on spoken claims
- Publicly available information about account users

We strive to balance privacy and safety for all those involved:

- We make every effort to complete our investigations without accessing a
  customer account. For instance, if there are screenshots or public documents
  available, we review those. We also consider whether it is appropriate to
  involve the account owner in a given investigation and seek additional
  evidence from them.
- As we review the evidence, we look for indications of existing negative
  impact. We also assess the severity of any potential negative impact,
  regardless of intent. When relevant, we look for and follow available
  guidelines from expert institutions.
- If we cannot come to a fair assessment from the information available, we may
  decide to access a customer account without notice. We do not make this
  decision lightly. Customer privacy is a big deal to us and we only pursue
  this course of action if the evidence we have already is very concerning, but
  not definitive.

While some violations are flatly obvious, others are subjective, nuanced, and
difficult to adjudicate. We give each case adequate time and attention,
commensurate with the violation, criticality, and severity of the charge.

### What happens if someone really broke the rules?

We will terminate an account without advance notice if there is evidence it is
being used for a restricted purpose that has, is, or will cause severe harm. If
applicable, we will also report the incident to the appropriate authorities.

For other cases, we'll take a case-by-case approach to clear things up.

Further, as a small, privately owned independent business that puts our values
and conscience ahead of growth at all costs, we reserve the right to deny
service to anyone we ultimately feel uncomfortable doing business with.

### Can you appeal a decision?

If we terminate an account without notice, the decision is final.

For other cases, we will consider good faith appeals sent to
[abuse@netlandish.com][abemail] by the account owner within
14 calendar days.

**This process applies to any product created and owned by
Netlandish Inc. That includes AnyHow and HelpYouFindMe.**

[abemail]: mailto:abuse@netlandish.com "abuse@netlandish.com"
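
Review bot: The investigation section says "we may decide to access a customer account without notice", and the closing paragraph applies this process to HelpYouFindMe, yet `policies/ownership-hyfm.md` in this commit says that product's private data is encrypted in the browser and that Netlandish has no access to it. Say what account access covers for each product so the two pages do not contradict each other. Under "Can you appeal a decision?", "within 14 calendar days" does not say which event starts the clock. "Our products*" in the opening paragraph has an asterisk with no footnote, and "has, is, or will cause severe harm" needs parallel verb forms.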

A  => policies/hyfm-refund.md +35 -0
@@ 1,35 @@
---
title: Refund policy
description: "Learn about how and when we offer refunds for HelpYouFindMe."
---

# A fair refund policy

## With HelpYouFindMe, we sell subscriptions on an annual basis only.

If you pay for a year of HelpYouFindMe and then cancel before the year is up,
we make sure you aren't charged in the future. Your account will remain active
for the remainder of the period you'd already paid for. Once your account
becomes inactive it becomes subject to the data retention rules defined in our
[Cancellation policy](/policies/cancellation/).

Here are examples of refunds for HelpYouFindMe we'd grant:

- You decided HelpYouFindMe wasn't for you and stopped using it early on but forgot to
  cancel your account. Then you got the auto-renewal invoice. If you don't need
  any extra time to migrate and you don't need outbound forwarding, let us know
  and we'll refund that last payment.
- If you were really not happy with HEY, you can have your money back.

We'll also consider giving credits for future cycles if something goes wrong on
our side. For example, if we had extended downtime (multiple hours in a day, or
multiple days in a month) or you emailed customer service and it took multiple
days to get back to you, we'll issue a partial credit to your account.

## Get in touch

At the end of the day, nearly everything on the edges comes down to a
case-by-case basis. [Send us a note][email], tell us what's up, and we'll work
with you to make sure you're happy.

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
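
Review bot: The second refund example still names a different product ("If you were really not happy with HEY"), and the first example mentions "outbound forwarding", which does not obviously apply to HelpYouFindMe; both bullets should be rewritten for this product. The first H2 is a full sentence ending in a period and would read better as a paragraph under the H1. `policies/index.md` links the refund policy as `/policies/refund/`, so confirm that this file, named `hyfm-refund.md`, is what that link resolves to.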

A  => policies/index.md +16 -0
@@ 1,16 @@
---
title: 'Netlandish Policies and Terms of Service'
description: 'All the policies and legal stuff for Netlandish customers. We try to make all our policies as clear, fair, and readable as possible.'
---

# Netlandish Policies, Terms, and Legal Stuff

The rough print and the fine print. We try to make all our policies as clear, fair, and readable as possible.

* [Terms of Service](/policies/terms-of-service/)
* [Privacy policy](/policies/privacy/)
* [Privacy Regulations reference](/policies/regulations/)
* [Cancellation policy](/policies/cancellation/)
* [Refund policy](/policies/refund/)
* [Use Restrictions policy](/policies/abuse/)
* [Security overview](/policies/security/)
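
Review bot: The list omits several pages added in this same commit: the copyright, how-we-handle, company-processors and the two account-ownership pages have no entry, although other policies link to some of them. Add them, or note that they are reached only from other pages. The "Refund policy" entry points at `/policies/refund/`, while the refund file visible in this commit is `policies/hyfm-refund.md`; confirm the target exists.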

A  => policies/ownership-anyhow.md +58 -0
@@ 1,58 @@
---
title: 'AnyHow Account Ownership'
description: 'Everything you need to know about AnyHow account ownership.'
---

# Who owns a AnyHow account?

AnyHow accounts are owned by individuals, not by organizations. When you sign
up and create a [AnyHow account][home], you are the owner of that account and
all the data in it. Our legal responsibility is to the account owner(s), so we
won't let other people take over your account without your permission.

## What can account owners do?

Account owners can:

- **Create multiple organizations**: Any account owner can create
  organizations. Each organization can have it's own team members, clients,
  projects, and separate billing profiles.
- **Join multiple organizations**: Any account can be a member of any
  organization. If the account is not the owner of said organization then the
  organization manager must invite the account to join.
- **Access and export all data in an account**: account owners can add
  themselves to any Team or Project and view everything in the organization
  accumulated assets.
- **Manage all aspects of the account's subscription:** including updating
  billing information; adding more users and account administrators; and
  cancelling an account
  ([how-to](https://docs.anyhowhq.com/billing/#cancelling)).
- **Designate other account owners**: AnyHow organizations can have multiple
  managers. We recommend designating other managers you trust, so
  that updates can be made to the account when you're not available.

## Designating other people as organization managers

It's important to remember that accounts own organizations and one account can
own multiple organizations. Each organization has it's own billing, users, etc.

An organization owner can add or remove other managers from the
"Manage" section in the organization. When you designate someone
else as a manager, they will have the same power to add and remove other
managers at any time. However they can **not** remove you as the organization
owner. So your account will always maintain control over any organizations it
owns.

## What if I have another question about ownership?

Netlandish may update this policy once in a blue moon — we'll notify you about
significant changes by emailing the account owner or by placing a prominent
notice on our site. You can access, change or delete your personal information
at any time by contacting Netlandish [support][support].

Questions about this account ownership policy? Please get in touch with our
[support team][support-email] and we'll be happy to answer them!

[home]: https://anyhowhq.com/
[support]: https://anyhowhq.com/support
[support-email]: mailto:hello@anyhowhq.com
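
Review bot: The bullet "Designate other account owners" describes organization managers, and the next section says a manager "can **not** remove you as the organization owner", so owner and manager are different roles with different rights. Rename the bullet and use one term per role throughout, since users will rely on this page to understand who can control an organization. The "Manage all aspects" bullet also introduces "account administrators" without defining them. Minor: "it's own" should be "its own" in two places, "a AnyHow" should be "an AnyHow", and the final section's heading asks about ownership questions while its first paragraph covers policy updates and personal information.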

A  => policies/ownership-hyfm.md +32 -0
@@ 1,32 @@
---
title: 'HelpYouFind.Me Account Ownership and Management'
description: 'Who owns and manages HYFM accounts.'
---

# HelpYouFindMe Ownership & Management Policy

HelpYouFindMe accounts are owned by each individual who created the during sign-up.
Even in the event of sub-accounts. In other words, regardless of who is
*paying* for the account, the account owner is *always* the person who
registered the account. For information on account types, etc. see the
[terminology help page][terms].

Regardless of account type, the *management* of the account is done by the account
owner. This is the person who originally signed up for the account.

## Can "Family Account" owners access data of sub-accounts?

Not without specific permission. Data access in HelpYouFindMe works the same
for everyone, regardless of family/sub account relationships.

This is not just our policy it's actually built into the application itself.
It's impossible for us to provide the Family Account (or any other account or
third party) access to a sub-accounts private data. This is because the data is
encrypted on your local browser. We have no access to it.

## Still have a question?

Please get in touch with our [support team](mailto:hello@helpyoufind.me) and we'll
be happy to answer them!

[terms]: https://helpyoufind.me/help/terms/
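
Review bot: The statement that it is "impossible" to give anyone access to a sub-account's private data because it "is encrypted on your local browser" is a security guarantee and should say which data it covers, since `policies/privacy.md` in this commit describes data the company does hold, such as billing records and IP address logs. Scope the claim to the content that is encrypted client-side. The first sentence is missing a word ("who created the during sign-up") and is followed by a fragment ("Even in the event of sub-accounts."). The title uses "HelpYouFind.Me" while the H1 and body use "HelpYouFindMe", and "a sub-accounts private data" needs an apostrophe.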

A  => policies/privacy.md +422 -0
@@ 1,422 @@
--- title: Privacy policy description: The privacy of your data — and it is
your data, not ours! — is a big deal to us. Here's the rundown of what we
collect and why, when we access your information, and your rights.  ---

# Privacy policy

*Last updated: March 21, 2021*

The privacy of your data — and it is your data, not ours! — is a big deal to
us. In this policy, we lay out: what data we collect and why; how your data is
handled; and your rights to your data. We promise we never sell your data:
never have, never will.

This policy applies to all products built and maintained by Netlandish Inc.
including AnyHow and HelpYouFindMe.

## What we collect and why

Our guiding principle is to collect only what we need. Here's what that means
in practice:

### Identity & access

When you sign up for a Netlandish product, we typically ask for identifying
information such as your name, email address, and maybe a company name. That's
just so you can personalize your new account, and we can send you invoices,
updates, or other essential information. We sometimes also give you the option
to add a profile picture that displays in our products, but we do not normally
look at or access that picture. We'll never sell your personal info to third
parties, and we won't use your name or company in marketing statements without
your permission either.

### Billing information

When you pay for a Netlandish product, we ask for your credit card and billing
address. That's so we can charge you for service, calculate taxes due, and send
you invoices. Your credit card is passed directly to our payment processor and
doesn't ever go through our servers. We store a record of the payment
transaction, including the last 4 digits of the credit card number and as-of
billing address, for account history, invoicing, and billing support. We store
your billing address to calculate any sales tax due in the United States or VAT
in the EU, to detect fraudulent credit card transactions, and to print on your
invoices.

### Geolocation data

We log all access to all accounts by full IP address so that we can always
verify no unauthorized access has happened. We keep this login data for as long
as your product account is active.

We also log full IP addresses used to sign up a product account. We keep this
record forever because they are used to mitigate spammy signups.

Web analytics data — described further in the Website Interactions section —
are also tied temporarily to IP addresses to assist with troubleshooting cases.
We blind all web analytics data after 30 days.

### Website interactions

When you browse our marketing pages or applications, your browser automatically
shares certain information such as which operating system and browser version
you are using. We track that information, along with the pages you are
visiting, page load timing, and which website referred you for statistical
purposes like conversion rates and to test new designs. We sometimes track
specific link clicks to help inform some design decisions. These web analytics
data are tied to your IP address and user account if applicable and you are
signed into our Services. We blind all of these individual identifiers after 30
days.

### Anti-bot assessments

We use [CAPTCHA](https://en.wikipedia.org/wiki/CAPTCHA) services across our
applications to mitigate brute force logins and in HEY as a means of spam
protection. We have a legitimate interest in protecting our apps and the
broader Internet community from credential stuffing attacks and spam. When you
log into your accounts and fill specific forms, the CAPTCHA service
evaluates various information (e.g IP address, how long the visitor has been on
the app, mouse movements) to check whether the data is possibly filled out by
an automated program instead of a human. We retain these data via our
subprocessor forever because they are used for anti-spam mitigation.

### Cookies and Do Not Track

We do use persistent first-party cookies to store certain preferences, make it
easier for you to use our applications, and support some in-house analytics. A
cookie is a piece of text stored by your browser to help it remember your login
information, site preferences, and more. You can adjust cookie retention
settings in your own browser. To learn more about cookies, including how to
view which cookies have been set and how to manage and delete them, please
visit: [www.allaboutcookies.org](https://www.allaboutcookies.org).

At this time, our sites and applications do not respond to Do Not Track beacons
sent by browser plugins.

### Voluntary correspondence

When you write Netlandish with a question or to ask for help, we keep that
correspondence, including the email address, so that we have a history of past
correspondences to reference if you reach out in the future.

We also store any information you volunteer like surveys. Sometimes when we do
customer interviews, we may ask for your permission to record the conversation
for future reference or use. We only do so if you give your express consent.

### Information we do not collect

We don't collect any characteristics of protected classifications including
age, race, gender, religion, sexual orientation, gender identity, gender
expression, or physical and mental abilities or disabilities. You may provide
these data voluntarily, such as if you include a pronoun preference in your
email signature when writing into our Support team.

We also do not collect any biometric data. You are given the option to add a
picture to your user profile, which could be a real picture of you or a picture
of something else that represents you best. We do not extract any information
from profile pictures: they are for your use alone.

### How we approach mobile app permissions

We currently do not have any mobile apps for our Services. However for
HelpYouFindMe we do have mobile integration using the [Telegram][telegram]
secure messaging service. There are no special permissions required to
integrate your HelpYouFindMe account with Telegram but you do need to provide
permissions for certain features when using Telegram. For example, if you want
to send your location to HelpYouFindMe using Telegram then you will need to
grant the Telegram application permission to access your location.

[telegram]: https://telegram.org "Telegram"

## When we access or share your information

Our default practice is to not access your information. The only times we'll
ever access or share your info are:

**To provide products or services you've requested**. We do use some
third-party services to run our applications and only to the extent necessary
process some or all of your personal information via these third parties. You
can [view the list of third-party services we use][subp] for our products.
Having subprocessors means we are using technology to access your data. No
Netlandish human looks at your data for these purposes unless an error occurs
that stops an automated process from working and requires manual intervention
to fix. These are rare cases and when they happen, we look for root cause
solutions as much as possible to avoid them from reoccurring. We also use some
other processors for other business functions, which you can view: [Company
processors](/policies/company-processors/).

**To help you troubleshoot or squash a software bug, with your permission.** If
at any point we need to access your account to help you with a Support case, we
will ask for your consent before proceeding.

**To investigate, prevent, or take action regarding [restricted
uses](../abuse/index.md).** Accessing a customer's account when investigating
potential abuse is a measure of last resort. We have an obligation to protect
the privacy and safety of both our customers and the people reporting issues to
us. We do our best to balance those responsibilities throughout the process. If
we do discover you are using our products for a restricted purpose, we will
report the incident to the appropriate authorities.

**When required under applicable law.**

Netlandish, Inc. is a US company and all data infrastructure are located in the
US.

* If US law enforcement authorities have the necessary warrant, criminal
  subpoena, or court order requiring we share data, we have to comply.
  Otherwise, we flat-out reject requests from local and federal law enforcement
  when they seek data. And unless we're legally prevented from it, we'll always
  inform you when such requests are made. In the event a government authority
  outside the US approaches Netlandish with a request, our default stance is to
  refuse unless the US government compels us to comply through procedures
  outlined in a mutual legal assistance treaty or agreement. ***We have never
  received a National Security Letter or Foreign Intelligence Surveillance Act
  (FISA) order.***
* Similarly, if Netlandish receives a request to preserve data, we refuse unless
  compelled by either the US Federal Stored Communications Act, 18 U.S.C.
  Section 2703(f) or a properly served US subpoena for civil matters. In both
  of these situations, we have to comply. In these situations, we notify
  affected customers as soon as possible unless we are legally prohibited from
  doing so. We do not share preserved data unless absolutely required under the
  Stored Communications Act or compelled by a court order that we choose not to
  appeal. Furthermore, unless we receive a proper warrant, court order, or
  subpoena before the required preservation period expires, we destroy any
  preserved copies we made of customer data once the preservation period
  lapses.
* If we get an informal request from any person, organization, or entity, we do
  not assist. If you are an account owner who wants to export data from their
  accounts, you can do so directly by [submitting a request directly][email].
* If we are audited by a tax authority, we may be required to share
  billing-related information. If that happens, we only share the bare minimum
  needed such as billing addresses and tax exemption information.

Finally, if Netlandish, Inc. is acquired by or merged with another company — we
don't plan on that, but if it happens — we'll notify you well before any info
about you is transferred and becomes subject to a different privacy policy.

## Your rights with respect to your information

At Netlandish, we apply the same data rights to all customers, regardless of
their location. Currently some of the most privacy-forward regulations in place
are the European Union's General Data Protection Regulation ("GDPR") and
California Consumer Privacy Act ("CCPA") in the US. Basecamp recognizes all of
the rights granted in these regulations, except as limited by applicable law.
These rights include:

* **Right to Know.** You have the right to know what personal information is
  collected, used, shared or sold. We outline both the categories and specific
  bits of data we collect, as well as how they are used, in this privacy
  policy.
* **Right of Access.** This includes your right to access the personal
  information we gather about you, and your right to obtain information about
  the sharing, storage, security and processing of that information.
* **Right to Correction.** You have the right to request correction of your
  personal information.
* **Right to Erasure / "To be Forgotten".** This is your right to request,
  subject to certain limitations under applicable law, that your personal
  information be erased from our possession and, by extension, all of our
  service providers. Fulfillment of some data deletion requests may prevent you
  from using Basecamp services because our applications may then no longer
  work. In such cases, a data deletion request may result in closing your
  account.
* **Right to Complain.** You have the right to make a complaint regarding our
  handling of your personal information with the appropriate supervisory
  authority. To identify your specific authority or find out more about this
  right, EU individuals should go to
  [https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en).
* **Right to Restrict Processing.** This is your right to request restriction
  of how and why your personal information is used or processed, including
  opting out of sale of personal information. (Again: we never have and never
  will sell your personal data.)
* **Right to Object.** You have the right, in certain situations, to object to
  how or why your personal information is processed.
* **Right to Portability.** You have the right to receive the personal
  information we have about you and the right to transmit it to another party.
* **Right to not be subject to Automated Decision-Making.** You have the right
  to object and prevent any decision that could have a legal, or similarly
  significant, effect on you from being made solely based on automated
  processes. This right is limited, however, if the decision is necessary for
  performance of any contract between you and us, is allowed by applicable law,
  or is based on your explicit consent.
* **Right to Non-Discrimination.** This right stems from the CCPA. We do not
  and will not charge you a different amount to use our products, offer you
  different discounts, or give you a lower level of customer service because
  you have exercised your data privacy rights. However, the exercise of certain
  rights (such as the right "to be forgotten") may, by virtue of your
  exercising those rights, prevent you from using our Services.

Many of these rights can be exercised by signing in and directly updating your
account information.

If you have questions about exercising these rights or need assistance, please
contact us at [hello@netlandish.com][email] or at
Netlandish, Inc., 5200 Clark Ave, #832, Lakewood, CA 90714 USA. For
requests to delete personal information or know what personal information has
been collected, we will first verify your identity using a combination of at
least two pieces of information already collected including your user email
address. If an authorized agent is corresponding on your behalf, we will first
need written consent with a signature from the account holder before
proceeding.

If you are in the EU, you can identify your specific authority to file a
complaint or find out more about GDPR, at
[https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en).

## How we secure your data

All data is encrypted via
[SSL/TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) when
transmitted from our servers to your browser. The database backups are also
encrypted.

For products except HelpYouFindMe, most data are not encrypted while they live
in our database (since it needs to be ready to send to you when you need it),
but we go to great lengths to secure your data at rest. For more information
about how we keep your information secure, please review our [security
overview](/policies/security/).

With HelpYouFindMe, the security overview still applies _and_ we've gone even
further by encrypting the private data in your, the user's, web-browser. All
private data is encrypted on your computer before it is ever sent to Netlandish
servers. Your private data is protected by your own encryption key that you
set and are responsible for safe guarding.

## What happens when you delete data in your product accounts

In many of our applications, we give you the option to trash data. Anything you
trash on your product accounts while they are active will be kept in an
accessible trash can for up to 30 days (it varies a little by product). After
that, the trashed data are no longer accessible via the application and are
deleted from our active servers within the next 30 days. We also have some
backups of our application databases, which are kept for up to another 30 days.
In total, when you trash things in our applications, they are purged within 90
days from all of our systems and logs. Retrieving data for a single account
from a backup is cost-prohibitive and unduly burdensome so if you change your
mind you'll need to do so before your data are deleted from our active servers.

We also delete your data after an account is cancelled. In this case, there is
no period of data being kept in an accessible trash can so your data are purged
within 60 days. This applies both for cases when an account owner directly
cancels and for auto-cancelled accounts. Please refer to our [Cancellation
policy](../cancellation/index.md) for more details.

## Location of site and data

Our products and other web properties are operated in the United States. If you
are located in the European Union or elsewhere outside of the United States,
**please be aware that any information you provide to us will be transferred to
and stored in the United States**. By using our Site, participating in any of
our services and/or providing us with your information, you consent to this
transfer.

## When transferring personal data from the EU

The GDPR requires that any data transferred out of the EU must be treated with
the same level of protection that the EU privacy laws grant. The privacy laws
of the United States generally do not meet that requirement. That is why since
GDPR went into effect, Basecamp has offered a data processing addendum and
voluntarily participated in the EU-US Privacy Shield Framework as well as the
Swiss-US Privacy Shield Framework.

There are also a few ad-hoc cases where EU personal data may be transferred to
the US related to Netlandish, Inc. operations. For instance, if someone in the
EU comments on our company blog or a customer participates in one of our
infrequent surveys or someone applies to one of our open positions or buys swag
on our company shop. Such transfers are only occasional and transferred under
the [Article 49(1)(b) derogation](https://gdpr-info.eu/art-49-gdpr/) under
GDPR.

## EU-US and Swiss-US Privacy Shield policy

The EU-US [Privacy Shield](https://www.privacyshield.gov/) is an agreement
between certain European jurisdictions and the United States that up until July
16, 2020, allowed for the transfer of personal data from the EU to the US.
Participation in the Privacy Shield program is voluntary. The Swiss-US Privacy
Shield is a similar program for data transferred to the US from Switzerland
that was in effect until September 8, 2020.

### We comply with the frameworks for EU, UK, and Swiss data that are transferred into the United States

Netlandish complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S.
Privacy Shield Framework as set forth by the U.S. Department of Commerce
regarding the collection, use, and retention of personal information
transferred from the European Union, the United Kingdom, and Switzerland to the
United States, respectively. We've certified to the Department of Commerce that
we adhere to the Privacy Shield Principles. If there is any conflict between
the terms in this privacy policy and the Privacy Shield Principles, the Privacy
Shield Principles take precedent. To learn more about the Privacy Shield
program, and to view our certification, please visit
[https://www.privacyshield.gov/](https://www.privacyshield.gov/).

Netlandish is subject to the investigatory and enforcement powers of the Federal
Trade Commission (FTC) with regard to the Privacy Shield Frameworks.

The Privacy Shield Frameworks uphold specific principles, many of which are
already outlined in the section on Your Rights. For clarity, pursuant to the
Privacy Shield Frameworks, the following principles apply to all EU, UK, and
Swiss data that has been transferred into the United States:

- Individuals have the right to access their personal data and to update,
  correct, and/or amend information that is incomplete. Individuals also have
  the right to request erasure of personal information that has been processed
  in violation of the principles. Individuals wishing to exercise these rights
  may do so by by signing in and directly updating your account information. If
  you have questions about exercising these rights or need assistance, please
  contact us at [hello@netlandish.com][email] or at Netlandish, Inc., 5200
  Clark Ave, #832, Lakewood, CA 90714 USA.
- We remain liable for the onward transfer of personal data to third parties
  acting as our agents unless we can prove we were not a party to the events
  giving rise to the damages.
- We do not sell personal data nor do we permit it to be used for reasons other
  than those for which it was originally provided. If this practice should
  change in the future, we will update this policy accordingly and provide
  individuals with opt-out or opt-in choice as appropriate.
- We may be required to release personal data in response to lawful requests
  from public authorities including to meet national security and law
  enforcement requirements.

### We commit to resolving all complaints

In compliance with the EU-US Privacy Shield Principles and the Swiss-US Privacy
Shield Principles, we commit to resolve complaints about your privacy and our
collection or use of your personal information. European Union, United Kingdom,
or Swiss individuals with inquiries or complaints regarding this privacy policy
should first contact Peter Sanchez at Netlandish at hello@netlandish.com, or by
mail at Netlandish, Inc., 5200 Clark Ave, #832, Lakewood, CA 90714 USA.

Netlandish (the company) has further committed to refer unresolved privacy
complaints under the EU-US Privacy Shield Principles and the Swiss-US Privacy
Shield Principles to an independent dispute resolution mechanism, the BBB EU
PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely
acknowledgment of your complaint, or if your complaint is not satisfactorily
addressed, please visit
[https://bbbprograms.org/privacy-shield-complaints/](https://bbbprograms.org/privacy-shield-complaints/)
for more information and to file a complaint. This service is provided at no
cost to you. Please do not submit GDPR complaints to BBB EU Privacy Shield.

If your EU-US Privacy Shield complaint cannot be resolved through these
described channels, under certain conditions, you may invoke binding
arbitration for some residual claims not resolved by other redress mechanisms.
To learn more, please view the Privacy Shield Annex 1 at
[https://www.privacyshield.gov/article?id=ANNEX-I-introduction](https://www.privacyshield.gov/article?id=ANNEX-I-introduction).

## Changes & questions

We may update this policy as needed to comply with relevant regulations and
reflect any new practices. You can view a history of the changes to our
policies [on our code forge][sh].  Whenever we make a significant change to our
policies, we will also announce them on our [company blog][nlb].

Have any questions, comments, or concerns about this privacy policy, your data,
or your rights with respect to your information? Please get in touch by
emailing us at [hello@basecamp.com][email] and we'll be
happy to answer them!

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
[nl]: https://www.netlandish.com/ "Netlandish Inc."
[anyhow]: https://anyhowhq.com/ "AnyHow"
[hyfm]: https://helpyoufind.me "Help You Find Me"
[sh]: https://hg.code.netlandish.com/~netlandish/policies/log "Code Forge"
[nlb]: https://www.netlandish.com/blog/ "Netlandish Blog"
[ah2fa]: https://docs.anyhowhq.com/two_step_verification/ "AnyHow 2FA"
[hyfm2fa]: https://helpyoufind.me/help/two-step-verification/ "HYFM 2FA"
[subp]: /policies/subprocessors/ "Subprocessors"
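Review bot: several sentences in policies/privacy.md still name Basecamp where Netlandish is meant: "Basecamp recognizes all of the rights" in the rights section, "prevent you from using Basecamp services" under Right to Erasure, "Basecamp has offered a data processing addendum" in the EU transfer section, and the closing link text `[hello@basecamp.com][email]`, which displays a Basecamp address while the `[email]` reference resolves to hello@netlandish.com. Replace each with the Netlandish name and address. The Privacy Shield section also says in the present tense that Netlandish "complies with" the frameworks and has "certified to the Department of Commerce", while the paragraph just above it says the EU-US framework allowed transfers only "up until July 16, 2020"; please confirm the certification statement really applies to Netlandish and reword it to match, or drop it. Minor: "may do so by by signing in" has a doubled word.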

A  => policies/refund.md +48 -0
@@ 1,48 @@
---
title: Refund policy
description: "Bad refund policies are infuriating. We never want our customers to feel that way, so our refund policy is simple: If you're ever unhappy with our products for any reason, we'll take care of you."
---

# A fair refund policy.

Bad refund policies are infuriating. You feel like the company is just trying
to rip you off. We never want our customers to feel that way, so our refund
policy is simple: If you're ever unhappy with our products* for any reason,
just contact [our support team][email] and we'll take care
of you.

## Examples of full refunds we'd grant.

* If you were just charged for your next month of service but you meant to
  cancel, we're happy to refund that extra charge.
* If you forgot to cancel your account a couple months ago and you haven't used
  it since then, we'll give you a full refund for a few back months. No
  problem.
* If you tried one of our products for a couple months and you just weren't
  happy with it, you can have your money back.

## Examples of partial refunds or credits we'd grant.

* If you forgot to cancel your account a year ago, and there's been activity on
  your account since then, we'll review your account usage and figure out a
  partial refund based on how many months you used it.
* If you upgraded your account a few months ago to a higher plan and kept using
  it in general but you didn't end up using the extra features, projects, or
  storage space, we'd consider applying a prorated credit towards future
  months.
* If we had extended downtime (multiple hours in a day, or multiple days in a
  month) or you emailed customer service and it took multiple days to get back
  to you, we'd issue a partial credit to your account.

## Get in touch

At the end of the day, nearly everything on the edges comes down to a
case-by-case basis. [Send us a note][email], tell us what's
up, and we'll work with you to make sure you're happy.

**This policy applies to any product created and owned by Netlandish, Inc. That
includes AnyHow and HelpYouFindMe. There are [some nuances with
HelpYouFindMe](/policies/hyfm-refund/) because its subscriptions are on an
annual basis only.**

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
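Review bot: the footnote marker in "unhappy with our products* for any reason" has no matching marker on the paragraph it points to; the closing "**This policy applies to any product created and owned by Netlandish, Inc." block opens with bold markup only. Start that paragraph with an escaped asterisk ahead of the bold text so readers can pair the two, or drop the marker and fold the scope sentence into the introduction.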

A  => policies/regulations.md +126 -0
@@ 1,126 @@
---
title: Privacy Regulations Reference
description: Privacy laws are in a lot of flux. Here's info you should know.
---

# Privacy Regulations Reference

*Last updated: March 21, 2021*

The data privacy regulatory landscape is undergoing a lot of change. You
probably have heard about the EU General Data Protection Regulation (GDPR) that
went into effect on May 25, 2018. There are also other regulations in effect or
in the works around the world. We've written up this reference document to put
helpful information regarding our products and privacy regulations in one
place. Please also view our full [Privacy policy](/policies/privacy/).

If you have any questions, comments, or concerns about our [Privacy
policy](/policies/privacy/), your data, or your rights with respect to your
information, please email us at [hello@netlandish.com][email].

## European Union General Data Protection Regulation (GDPR)

Netlandish is an American company and our data infrastructure is currently
based in the US. That means if you are in another country in the world and you
use our products, your data are transferred to the US. The EU has stronger
privacy laws than the US and a core tenet of the GDPR is that if you transfer
any personal data of EU residents out of the EU, you must protect it to the
same level as guaranteed under EU law. There are two factors to this:

1. The practices that businesses take handling personal data; and
2. The laws of the countries where you transfer the EU personal data to

### Practices we have at Netlandish

We are serious about treating our customers fairly. We are equally serious
about protecting your data, security, and right to privacy as if it were our
own. This applies to all our customers, regardless of where you are in the
world.

Please do read our [Privacy Policy](/policies/privacy/) and our [Security
Overview](/policies/security/) in full. Some highlights:

* We never have and never will sell customer data.
* We don't run ads for other services in our products.
* We limit the data we collect: if we don't need it, we don't ask for it.
* We put a lot of security measures into place including in-transit encryption,
  encryption at-rest, and requiring employees and contractors to sign
  non-disclosure agreements.
* When you email us at [hello@netlandish.com][email], someone from our Privacy
  Working Group will get back to you. You are always speaking with a human! No
  bots.

We do work with sub-processors. We've listed links to our current
sub-processors at the end of this page. With each vendor, we assess their
commitment to privacy and we sign a data processing addendum with them that
include the controller-processor [Standard Contractual
Clauses](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en).

### Relevant US laws

The US does not have a national consumer privacy law akin to GDPR. We'd love to
see one put in place and until then, shout out to California for leading with
the California Consumer Privacy Act ("CCPA" — more information following this
GDPR section) and our spiritual home state of Illinois for its Biometric
Information Privacy Act.

There are national US security laws that are relevant to GDPR. Chief amongst
them are: the [Foreign Intelligence Surveillance Act
(FISA)](https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286) and
Executive Order 12-333. FISA establishes ways for US law enforcement and
intelligence agencies to gather information within the US about non-US entities
suspected of espionage or terrorism. Executive Order 12-333 sets out how US
intelligence agencies can gather information, including outside the borders of
the US.

Virtually every American software service is subject to FISA. That includes all
the American big tech companies you can think of as well as any European
service that uses cloud infrastructure from Amazon Web Services, Microsoft
Azure, or Google Cloud Computing. It also includes small tech American
companies like us, Netlandish Inc. However **to date, Netlandish has never been
served a FISA order or National Security Letter.**

Even so, these laws are relevant for why extra mechanisms need to be in place
to allow the legal transfer of personal data from the EU to the US.

## California Consumer Privacy Act (CCPA)

In the CCPA, there is an important distinction between what are referred to as
"service providers", "businesses", and "third parties". You can see how the
regulation defines these words by visiting the California Attorney General's
website: https://www.oag.ca.gov/privacy/ccpa.

*Under the CCPA, Netlandish is a "service provider."* That means when we
process data you provide, we do so solely for the purpose you signed up for.
Our business model is simple: we charge a recurring subscription fee to our
customers. We do not sell personal information or use your data for any other
commercial purposes unless with your explicit permission.

The CCPA also grants residents of California with additional rights related to
their information. We grant those rights to all of our customers and detail
them in our Privacy policy. Our Privacy policy also explains the information we
collect in order to provide our services and clearly lists the only times we
access or share your data.

## US Health Insurance Portability and Accountability Act (HIPAA)

Our products are currently *not*
[HIPAA](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html)-compliant
and we do not have immediate plans to become so.

## Subprocessors

Netlandish uses third party subprocessors, such as cloud computing providers,
to provide our services. We enter into data processing agreements including
GDPR Standard Contractual Clauses with each subprocessor, and require the same
of them.

We also use other software as a company that are not part of providing our
services but may collect your personal information for other purposes.

You can see which processors are used by category below:

- [Subprocessors](/policies/subprocessors/)
- [Company Processors](/policies/company-processors/)

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
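Review bot: the highlights list claims "encryption at-rest", but policies/security.md in this same commit says "Our application databases are generally not encrypted at rest" and policies/privacy.md says most data are not encrypted while they live in the database. Reword the bullet to what those files actually describe (in-transit encryption, GPG-encrypted database backups, and browser-side encryption of private data for HelpYouFindMe) so the three documents agree. In the US laws section, "Executive Order 12-333" should read Executive Order 12333. Also please confirm that "our spiritual home state of Illinois" is meant for Netlandish, since the postal address given in privacy.md is in Lakewood, CA.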

A  => policies/security-response.md +55 -0
@@ 1,55 @@
---
title: 'Security Response'
description: 'Have you discovered a web security flaw that might impact one of our products? Here's how you can report it.'
---

# Security response

## We appreciate your concern

Keeping customer data safe and secure is a huge responsibility and a top
priority. We work hard to protect our customers from the latest threats. Your
input and feedback on our security is always appreciated.

## Reporting security problems

**For security vulnerabilities and other urgent or sensitive reports**, please
email our [Security team][email]. If you feel it necessary, use [our public
key][pub] ( 5216B5D28D2E161A7F98D372FF96FA687153E3C1 ) to keep your message
safe and please provide us with a secure way to respond. We'll respond as soon
as we can. Please follow up or [ping us on
Twitter](https://twitter.com/netlandish) if you don't hear back.

**For requests that aren't urgent or sensitive**: submit a [support
request][email].

## Tracking and disclosing security issues

We work with security researchers to keep up with the state-of-the-art in web
security. Have you discovered a web security flaw that might impact our
products? Please let us know. If you [submit a
report][email], here's what will happen:

* We'll acknowledge your report.
* We'll triage your report and determine whether it's eligible for a bounty.
* We'll investigate the issue and determine how it impacts our products. We
  won't disclose issues until they've been fully investigated and patched, but
  we'll work with you to ensure we fully understand severity and impact.
* Once the issue is resolved, we'll post a security update along with thanks
  and credit for the discovery.

Our products are built on the Django framework. The issue you reported might
affect Django, Python, or some other part of our technology stack. We ask for
your patience while we also make sure other companies and their customers are
protected. Either way, you'll always have a Netlandish contact for your issue.

## Bounties

Netlandish is a *tiny* company. At the time of this writing we are only 5
people in total. We are happy to offer bounties but please understand that as a
small company they will probably to be smaller than you may be used to. We are
also open to free accounts on our products as partial bounty payment should you
be interested in such an offer.

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
[pub]: https://www.netlandish.com/security-pub.txt
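Review bot: the `description` value in the front matter is a single-quoted YAML string containing an unescaped apostrophe in "Here's", so the scalar ends at `Here` and the front matter will not parse. Switch that line to double quotes, as policies/refund.md does for its description, or double the apostrophe (`Here''s`). Separately, "our Security team" and "support request" both link to the same `[email]` reference (hello@netlandish.com), so urgent or sensitive reports land in the general inbox; if that is intended, say so in the text, otherwise point the security link at a dedicated address. Typo in the Bounties section: "will probably to be smaller".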

A  => policies/security.md +83 -0
@@ 1,83 @@
---
title: Security overview
description: Keeping customer data safe and secure is a huge responsibility and a top priority for us. Here's how we make it happen.
---

# Security overview.

## We protect your data.

All data are written to multiple disks instantly, backed up daily, and stored
in multiple locations. Files that our customers upload are stored on servers
that use modern techniques to remove bottlenecks and points of failure.

## Your data are sent using HTTPS.

Whenever your data are in transit between you and us, everything is encrypted,
and sent using HTTPS. Within our firewalled private networks, data may be
transferred unencrypted.

Our application databases are generally not encrypted at rest — the information
you add to the applications is active in our databases and subject to the same
protection and monitoring as the rest of our systems. Our database backups are
encrypted using GPG.

## Full redundancy for all major systems.

Our servers — from power supplies to the internet connection to the air
purifying systems — operate at full redundancy. Our systems are engineered to
stay up even if multiple servers fail.

## Sophisticated physical security.

Our state-of-the-art servers are protected by biometric locks and
round-the-clock interior and exterior surveillance monitoring. Only authorized
personnel have access to the data center. 24/7/365 on-site staff provides
additional protection against unauthorized entry and security breaches.

## Regularly-updated infrastructure.

Our software infrastructure is updated regularly with the latest security
patches. Our products run on a dedicated network which is locked down with
firewalls and carefully monitored. While perfect security is a moving target,
we work with security researchers to keep up with the state-of-the-art in web
security.

## We protect your billing information.

All credit card transactions are processed using secure encryption—the same
level of encryption used by leading banks. Card information is transmitted and
processed securely on a <a
href="https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard">PCI-Compliant
network</a>. We do not store any credit card data on our servers.

## Constant monitoring

We have a team dedicated to maintaining your account's security on our systems
and monitoring tools we've set up to alert us to any nefarious activity against
our domains. To date, we've _never_ had a data breach.

We also audit internal data access. If a Netlandish employee wrongly accesses
customer data, they will face penalties ranging from termination to
prosecution. Again, to our knowledge, this hasn't happened.

We have processes and defenses in place to keep our streak of 0 data breaches
going. But in the unfortunate circumstances someone malicious does successfully
mount an attack, we will immediately notify all affected customers.

## Over 12 years in business.

We've been around the block and we've seen a lot of companies come and go.
Security isn't just about technology, it's about trust. Since 2008, we've
worked hard to earn the trust of hundreds of companies world wide. We'll
continue to work hard every day to maintain that trust. Longevity and stability
is core to our mission at Netlandish.

## Have a concern? Need to report an incident?

Have you noticed abuse, misuse, an exploit, or experienced an incident with
your account? Please visit our [security response
page](/policies/security-response/) for details on how to securely submit a
report.

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
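Review bot: The incident-report link in the last section points at `/policies/security-response/`, while terms-of-service.md in this same commit links the Security Response page as `../security/response/index.md`. The two resolve to different locations, and the page that tells people how to report an incident is a bad place for a dead link; pick one path scheme and use it in both files. Two smaller points: the PCI link is a raw `<a href=...>` split across lines while the other links here are markdown, and the heading "Over 12 years in business." will go stale, whereas the "Since 2008" in the body says the same thing without needing yearly edits.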

A  => policies/subprocessors.md +23 -0
@@ 1,23 @@
---
title: Netlandish Subprocessors
description: All the third-party subprocessors that we use to run Basecamp.
---

# Netlandish subprocessors

We use third party subprocessors, such as cloud computing providers and
customer support software, to run Basecamp (the service). We establish
GDPR-compliant data processing agreements with each subprocessor, extending
[GDPR safeguards](../regulations/index.md) everywhere personal data is
processed.

The following is a list of personal data subprocessors we use. These
subprocessors are all located in the United States:

* [Stripe](https://stripe.com/guides/general-data-protection-regulation).
  Payment processing services.
* [Amazon Web Services](https://aws.amazon.com/compliance/gdpr-center/). Cloud
  services provider.
* [ARP Networks](https://arpnetworks.com/tos). Cloud services provider.
* [Digital Ocean](https://www.digitalocean.com/legal/gdpr/). Cloud services
  provider.
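Review bot: The front-matter `description` and the first paragraph both still say the subprocessors are used "to run Basecamp", left over from the upstream Basecamp text the README credits; both should name Netlandish or the Services. Because terms-of-service.md links to this page as the list of all subprocessors who handle personal data, it is also worth confirming before merge that the list is complete for AnyHow and HelpYouFindMe and that "all located in the United States" holds for each of the four entries.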

A  => policies/terms-of-service.md +307 -0
@@ 1,307 @@
---
title: Terms of Service
description: All the terms that you agree to when you sign up for a Netlandish product.
---

# Terms of Service

*Last updated: March 21, 2021*

From everyone at Netlandish, thank you for using our products! We build them to
help you do your best work. Many people are using Netlandish
products every day. Because we don't know every one of our customers
personally, we have to put in place some Terms of Service to help keep the ship
afloat.

When we say "Company", "we", "our", or "us" in this document, we are referring
to [Netlandish, Inc.][nl] as a whole.

When we say "Services", we mean any product created and maintained by
Netlandish, Inc. That includes [AnyHow][anyhow] and [HelpYouFindMe][hyfm],
whether delivered within a web browser, desktop application, mobile
application, or another format.

When we say "You" or "your", we are referring to the people or organizations
that own an account with one or more of our Services. We have specific
ownership policies for our products: [AnyHow][ownah], [HelpYouFindMe][ownhyfm].

We may update these Terms of Service in the future. You can track all changes
made [on our code forge][sh]. Typically these changes have been to clarify some
of these terms by linking to an expanded related policy. Whenever we make a
significant change to our policies, we will also announce them on our [company
blog][nlb].

When you use our Services, now or in the future, you are agreeing to the latest
Terms of Service. That's true for any of our existing and future products and
all features that we add to our Services over time. There may be times where we
do not exercise or enforce any right or provision of the Terms of Service; in
doing so, we are not waiving that right or provision. **These terms do contain
a limitation of our liability.**

If you violate any of the terms, we may terminate your account. That's a broad
statement and it means you need to place a lot of trust in us. We do our best
to deserve that trust by being open about [who we
are](https://www.netlandish.com/about), how we work, and keeping an open door
to [your feedback](mailto:hello@netlandish.com).

## Account Terms  

1. You are responsible for maintaining the security of your account and
   password. The Company cannot and will not be liable for any loss or damage
   from your failure to comply with this security obligation. We recommend
   users set up two-factor authentication for added security. In some of our
   Services, we may require it. For help with setting up two-factor
   authentication see specific instructions for [AnyHow][ah2fa] or
   [HelpYouFindMe][hyfm2fa].
2. You may not use the Services for any purpose outlined in our [Use
   Restrictions policy](/policies/abuse/).
3. You are responsible for all content posted and activity that occurs under
   your account. That includes content posted by others who either: (a) have
   access to your login credentials; or (b) have their own logins under your
   account.
4. You must be a human. Accounts registered by "bots" or other automated
   methods are not permitted.

## Payment, Refunds, and Plan Changes

1. If you are using a free version of one of our Services, it is really free:
   we do not ask you for your credit card and — just like for customers who pay
   for our Services — we do not sell your data.
2. For paid Services that offer a free trial, we explain the length of trial
   when you sign up. After the trial period, you need to pay in advance to keep
   using the Service. If you do not pay, we will freeze your account and it
   will be inaccessible until you make payment. If your account has been frozen
   for a while, we will queue it up for auto-cancellation. See our
   [Cancellation policy](/policies/cancellation/) for more details.
3. If you are upgrading from a free plan to a paid plan, we will charge your
   card immediately and your billing cycle starts on the day of upgrade. For
   other upgrades or downgrades in plan level, the new rate starts from the
   next billing cycle.
4. All fees are exclusive of all taxes, levies, or duties imposed by taxing
   authorities. Where required, we will collect those taxes on behalf of the
   taxing authority and remit those taxes to taxing authorities.  Otherwise,
   you are responsible for payment of all taxes, levies, or duties.
5. We process refunds according to our [Fair Refund
   policy](/policies/refund/).

## Cancellation and Termination

1. You are solely responsible for properly canceling your account. Within each
   of our Services, we provide a simple no-questions-asked cancellation link.
   You can find instructions for how to cancel your account in our
   [Cancellation policy](../cancellation/index.md). An email or phone request
   to cancel your account is not automatically considered cancellation. If you
   need help cancelling your account, you can always [contact our Support
   team]({{ site.email_support }}).
2. All of your content will be inaccessible from the Services immediately upon
   cancellation. Within 30 days, all content will be permanently deleted from
   active systems and logs. Within 60 days, all content will be permanently
   deleted from our backups. We cannot recover this information once it has
   been permanently deleted. If you want to export any data before your account
   is cancelled, please send an email to
   [hello@netlandish.com](mailto:hello@netlandish.com) for assistance.
3. If you cancel the Service before the end of your current paid up month, your
   cancellation will take effect immediately, and you will not be charged
   again. We do not automatically prorate unused time in the last billing
   cycle. See our [Fair Refund policy](../refund/index.md) for more details.
4. We have the right to suspend or terminate your account and refuse any and
   all current or future use of our Services for any reason at any time.
   Suspension means you and any other users on your account will not be able to
   access the account or any content in the account. Termination will
   furthermore result in the deletion of your account or your access to your
   account, and the forfeiture and relinquishment of all content in your
   account. We also reserve the right to refuse the use of the Services to
   anyone for any reason at any time. We have this clause because statistically
   speaking, out of the hundreds of thousands of accounts on our Services,
   there is at least one doing something nefarious. There are some things we
   staunchly stand against and this clause is how we exercise that stance. For
   more details, see our [Use Restrictions policy](../abuse/index.md).
5. Verbal, physical, written or other abuse (including threats of abuse or
   retribution) of Company employee or officer will result in immediate account
   termination.

## Modifications to the Service and Prices

1. We make a promise to our customers to support our Services for as long as we
   are in control of them or until the last customer leaves the Service. That
   means when it comes to security, privacy, and customer support, we will
   continue to maintain any legacy Services. Sometimes it becomes technically
   impossible to continue a feature or we redesign a part of our Services
   because we think it could be better or we decide to close new signups of a
   product. We reserve the right at any time to modify or discontinue,
   temporarily or permanently, any part of our Services with or without notice.
2. Sometimes we change the pricing structure for our products. When we do that,
   we tend to exempt existing customers from those changes. However, we may
   choose to change the prices for existing customers. If we do so, we will
   give at least 30 days notice and will notify you via the email address on
   record. We may also post a notice about changes on our websites or the
   affected Services themselves.

## Uptime, Security, and Privacy

1. Your use of the Services is at your sole risk. We provide these Services on
   an "as is" and "as available" basis. We do not offer service-level
   agreements for our Services but do take uptime of our applications
   seriously.
2. We reserve the right to temporarily disable your account if your usage
   significantly exceeds the average usage of other customers of the Services.
   Of course, we'll reach out to the account owner before taking any action
   except in rare cases where the level of use may negatively impact the
   performance of the Service for other customers.
3. We take many measures to protect and secure your data through backups,
   redundancies, and encryption. We enforce encryption for data transmission
   from the public Internet. There are some edge cases where we may send your
   data through our network unencrypted. Please refer to our [Security
   Overview](../security/index.md) for full details and our [Security Response
   page](../security/response/index.md) for how to report a security incident
   or threat.
4. When you use our Services, you entrust us with your data. We take that trust
   to heart. You agree that Netlandish may process your data as described in
   our [Privacy Policy](../privacy/index.md) and for no other purpose. We as
   humans can access your data for the following reasons:
   - **To help you with support requests you make.** We'll ask for express
	 consent before accessing your account.
   - **On the rare occasions when an error occurs that stops an automated
	 process partway through.** We get automated alerts when such errors occur.
	 When we can fix the issue and restart automated processing without looking
	 at any personal data, we do. In rare cases, we have to look at a minimum
	 amount of personal data to fix the issue. In these rare cases, we aim to
	 fix the root cause as much as possible to avoid the errors from
	 reoccurring.
   - **To safeguard Netlandish.** We'll look at logs and metadata as part of
	 our work to ensure the security of your data and the Services as a whole.
	 If necessary, we may also access accounts as part of an [abuse report
	 investigation](../abuse/how-we-handle/index.md).
   - **To the extent required by applicable law.** As a US company with all
	 data infrastructure located in the US, we only preserve or share customer
	 data if compelled by a US government authority with a legally binding
	 order or proper request under the Stored Communications Act. If a non-US
	 authority approaches Netlandish for assistance, our default stance is to
	 refuse unless the order has been approved by the US government, which
	 compels us to comply through procedures outlined in an established mutual
	 legal assistance treaty or agreement mechanism. If Netlandish is audited
	 by a tax authority, we only share the bare minimum billing information
	 needed to complete the audit.
5. We use third party vendors and hosting partners to provide the necessary
   hardware, software, networking, storage, and related technology required to run
   the Services. You can see a [list of all subprocessors][subp] who handle
   personal data for Netlandish products.
6. Under the California Consumer Privacy Act ("CCPA"), Netlandish is a "service
   provider", not a "business" or "third party", with respect to your use of the
   Services. That means we process any data you share with us only for the purpose
   you signed up for and as described in these Terms of Service, [Privacy
   policy](../privacy/index.md), and [other policies](../index.md). We do not
   retain, use, disclose, or sell any of that information for any other commercial
   purposes unless we have your explicit permission. And on the flip-side, you
   agree to comply with your requirements under the CCPA and not use Netlandish's
   Services in a way that violates the regulations.
7. These Service Terms incorporate the [Netlandish Data Processing Addendum
   ("DPA")](../privacy/regulations/dpa/Netlandish.pdf),
   when the General Data Protection regulation ("GDPR") applies to your use of
   Netlandish Services to process Customer Data as defined in the DPA. The DPA is
   effective as of October 5, 2020 and replaces and supersedes any previously
   agreed data processing addendum between you and Netlandish Inc. relating to the
   GDPR. If you prefer to have an executed copy of the Data Processing Addendum,
   you may [sign a copy online](https://app.hellosign.com/s/c0908a3d). Regardless
   of whether you execute or not, we protect and secure your data to the high
   standards set out in the addendum.

## Copyright and Content Ownership

1. All content posted on the Services must comply with U.S. copyright law. We
   provide details on [how to file a copyright infringement
   claim](../copyright/index.md).
2. We claim no intellectual property rights over the material you provide to
   the Services. All materials uploaded remain yours.
3. We do not pre-screen content, but reserve the right (but not the obligation)
   in our sole discretion to refuse or remove any content that is available via
   the Service.
4. The names, look, and feel of the Services are copyright© to the Company. All
   rights reserved. You may not duplicate, copy, or reuse any portion of the
   HTML, CSS, JavaScript, or visual design elements without express written
   permission from the Company. You must request permission to use the
   Company's logo or any Service logos for promotional purposes. Please [email
   us][email] requests to use logos. We reserve the right to rescind this
   permission if you violate these Terms of Service.
5. You agree not to reproduce, duplicate, copy, sell, resell or exploit any
   portion of the Services, use of the Services, or access to the Services
   without the express written permission by the Company.
6. You must not modify another website so as to falsely imply that it is
   associated with the Services or the Company.

## Features and Bugs

We design our Services with care, based on our own experience and the
experiences of customers who share their time and feedback. However, there is
no such thing as a service that pleases everybody. We make no guarantees that
our Services will meet your specific requirements or expectations.

We also test all of our features extensively before shipping them. As with any
software, our Services inevitably have some bugs. We track the bugs reported to
us and work through priority ones, especially any related to security or
privacy. Not all reported bugs will get fixed and we don't guarantee completely
error-free Services.

## Services Adaptations and API Terms

We offer Application Program Interfaces ("API"s) for some of our Services
(currently AnyHow). Any use of the API, including through a third-party product
that accesses the Services, is bound by the terms of this agreement plus the
following specific terms:

1. You expressly understand and agree that we are not liable for any damages or
   losses resulting from your use of the API or third-party products that
   access data via the API.
2. Third parties may not access and employ the API if the functionality is part
   of an application that remotely records, monitors, or reports a Service
   user's activity *other than time tracking*, both inside and outside the
   applications.  The Company, in its sole discretion, will determine if an
   integration service violates this bylaw. A third party that has built and
   deployed an integration for the purpose of remote user surveillance will be
   required to remove that integration.
3. Abuse or excessively frequent requests to the Services via the API may
   result in the temporary or permanent suspension of your account's access to
   the API. The Company, in its sole discretion, will determine abuse or
   excessive usage of the API. If we need to suspend your account's access, we
   will attempt to warn the account owner first. If your API usage could or has
   caused downtime, we may cut off access without prior notice.

## Liability

We mention liability throughout these Terms but to put it all in one section:

***You expressly understand and agree that the Company shall not be liable, in
law or in equity, to you or to any third party for any direct, indirect,
incidental, lost profits, special, consequential, punitive or exemplary
damages, including, but not limited to, damages for loss of profits, goodwill,
use, data or other intangible losses (even if the Company has been advised of
the possibility of such damages), resulting from: (i) the use or the inability
to use the Services; (ii) the cost of procurement of substitute goods and
services resulting from any goods, data, information or services purchased or
obtained or messages received or transactions entered into through or from the
Services; (iii) unauthorized access to or alteration of your transmissions or
data; (iv) statements or conduct of any third party on the service; (v) or any
other matter relating to this Terms of Service or the Services, whether as a
breach of contract, tort (including negligence whether active or passive), or
any other theory of liability.***

In other words: choosing to use our Services does mean you are making a bet on
us. If the bet does not work out, that's on you, not us. We do our darnedest to
be as safe a bet as possible through careful management of the business;
investments in security, infrastructure, and talent; and in general giving a
damn. If you choose to use our Services, thank you for betting on us.

If you have a question about any of the Terms of Service, please [contact our
Support team][email].

[email]: mailto:hello@netlandish.com "hello@netlandish.com"
[nl]: https://www.netlandish.com/ "Netlandish Inc."
[anyhow]: https://anyhowhq.com/ "AnyHow"
[hyfm]: https://helpyoufind.me "Help You Find Me"
[sh]: https://hg.code.netlandish.com/~netlandish/policies/log "Code Forge"
[nlb]: https://www.netlandish.com/blog/ "Netlandish Blog"
[ah2fa]: https://docs.anyhowhq.com/two_step_verification/ "AnyHow 2FA"
[hyfm2fa]: https://helpyoufind.me/help/two-step-verification/ "HYFM 2FA"
[subp]: /policies/subprocessors/ "Subprocessors"
[ownah]: /policies/ownership-anyhow/ "Ownership: AnyHow"
[ownhyfm]: /policies/ownership-hyfm/ "Ownership: HelpYouFindMe"
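Review bot: Item 1 under "Cancellation and Termination" links the Support team to `{{ site.email_support }}`, a template variable that nothing else in this file uses; unless the site build defines it, the link will not resolve. The closing paragraph already uses `[contact our Support team][email]`, so the same reference would work here. The links also mix absolute paths (`/policies/abuse/`, `/policies/refund/`) with relative ones (`../abuse/index.md`, `../refund/index.md`) for the same targets; use one form throughout. Finally, "hundreds of thousands of accounts" in item 4 of that section does not match the "hundreds of companies" figure in the security overview, and the DPA effective date and the HelloSign URL in item 7 of "Uptime, Security, and Privacy" should be confirmed as Netlandish's own rather than carried over from the upstream text.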