From e79ecaa6d6881e83b17b56977dc46d9010d13fa3 Mon Sep 17 00:00:00 2001 From: Peter Sanchez Date: Sun, 21 Mar 2021 12:47:38 -0700 Subject: [PATCH] Initial commit --- .hgignore | 21 ++ README.md | 60 +++++ policies/abuse.md | 94 ++++++++ policies/cancellation.md | 53 +++++ policies/company-processors.md | 25 ++ policies/copyright.md | 72 ++++++ policies/how-we-handle.md | 119 ++++++++++ policies/hyfm-refund.md | 35 +++ policies/index.md | 16 ++ policies/ownership-anyhow.md | 58 +++++ policies/ownership-hyfm.md | 32 +++ policies/privacy.md | 422 +++++++++++++++++++++++++++++++++ policies/refund.md | 48 ++++ policies/regulations.md | 126 ++++++++++ policies/security-response.md | 55 +++++ policies/security.md | 83 +++++++ policies/subprocessors.md | 23 ++ policies/terms-of-service.md | 307 ++++++++++++++++++++++++ 18 files changed, 1649 insertions(+) create mode 100644 .hgignore create mode 100644 README.md create mode 100644 policies/abuse.md create mode 100644 policies/cancellation.md create mode 100644 policies/company-processors.md create mode 100644 policies/copyright.md create mode 100644 policies/how-we-handle.md create mode 100644 policies/hyfm-refund.md create mode 100644 policies/index.md create mode 100644 policies/ownership-anyhow.md create mode 100644 policies/ownership-hyfm.md create mode 100644 policies/privacy.md create mode 100644 policies/refund.md create mode 100644 policies/regulations.md create mode 100644 policies/security-response.md create mode 100644 policies/security.md create mode 100644 policies/subprocessors.md create mode 100644 policies/terms-of-service.md diff --git a/.hgignore b/.hgignore new file mode 100644 index 0000000..0014b45 --- /dev/null +++ b/.hgignore @@ -0,0 +1,21 @@ +syntax:glob +.svn +.hgsvn +settings_local.py +.*.swp +**.pyc +*.*~ +.coverage + +# virtualenv +syntax:regexp +^env$ +^testenv$ +^media$ +^static$ +^fixtures$ + +# Unit test / coverage reports +htmlcov/ + +celerybeat-schedule 
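Review bot: the `# virtualenv` comment in the `syntax:regexp` block of `.hgignore` only describes `^env$` and `^testenv$`; `^media$`, `^static$` and `^fixtures$` are Django runtime directories, not virtualenvs, and `settings_local.py`, `celerybeat-schedule` and `htmlcov/` are likewise Django, Celery and coverage artefacts from an application checkout. This repository contains only Markdown policy files (see the diffstat above), so either trim the file to the entries that can actually occur here (editor swap and backup files, `.*.swp` and `*.*~`) or label the block as a copied Django ignore list so nobody assumes a settings file or media directory is expected. Minor: under `syntax:regexp` the patterns `htmlcov/` and `celerybeat-schedule` are unanchored, so they also match any deeper path containing those strings; probably intended, but worth a comment next to them.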
diff --git a/README.md b/README.md new file mode 100644 index 0000000..75249f6 --- /dev/null +++ b/README.md 
@@ -0,0 +1,60 @@ +# Netlandish Policies, Terms and Legal Stuff + +This is the public repo for all the Netlandish policy documents. Please feel +free to submit changes, corrections, suggestions, etc. + +Also, a huge thank you to [Basecamp][bc] for providing these policies +with open licenses. This allowed us to rework our policies to be more fair, +plain, and easier to understand. + +## Contact Details + +Some contact pages or email address may be wrong or have typos or whatever. +Please if anything ever fails you can always use `hello@` to reach +us. Here are the individual ones: + +- Netlandish: [hello@netlandish.com](mailto:hello@netlandish.com) +- AnyHow: [hello@anyhowhq.com](mailto:hello@anyhowhq.com) +- HelpYouFindMe: [hello@helpyoufind.me](mailto:hello@helpyoufind.me) + +## Contributing + +We accept patches submitted via `hg email` which is the `patchbomb` extension +included with Mercurial. + +The mailing list where you submit your patches is +`~netlandish/public-inbox@lists.code.netlandish.com`. You can also view the +archives on the web here: + +https://lists.code.netlandish.com/~netlandish/public-inbox + +To quickly setup your clone of `policies` to submit to the mailing +list just edit your `.hg/hgrc` file and add the following: + + [email] + to = ~netlandish/public-inbox@lists.code.netlandish.com + + [patchbomb] + flagtemplate = "policies" + + [diff] + git = 1 + +We have more information on the topic here: + +- [Contributing][cdoc] +- [Using email with Mercurial][hgemail] +- [Mailing list etiquette][etiquette] + +[etiquette]: https://man.code.netlandish.com/lists/etiquette.md +[hgemail]: https://man.code.netlandish.com/hg/email.md +[cdoc]: https://man.code.netlandish.com/contributing.md + +## Copying License + +Netlandish policies are open source, licensed under [CC BY +4.0](https://creativecommons.org/licenses/by/4.0/). 
Adapted from the [Basecamp +open-source policies](https://github.com/basecamp/policies) / [CC BY +4.0](https://creativecommons.org/licenses/by/4.0/). + +[bc]: https://basecamp.com "Basecamp" diff --git a/policies/abuse.md b/policies/abuse.md new file mode 100644 index 0000000..242cfc3 --- /dev/null +++ b/policies/abuse.md 
@@ -0,0 +1,94 @@ +--- +title: Netlandish Restricted Use Policy +description: It is not okay to use Netlandish products for these restricted purposes. +--- + +# Use Restrictions + +*Last updated: March 21, 2021* + +People all over the world use Netlandish products. We are proud to give them a +better way to work. We also recognize that however good the maker's intentions, +technology can amplify the ability to cause great harm. That's why we've +established this policy. We feel an ethical obligation to counter such harm: +both in terms of dealing with instances where Netlandish products are used (and +abused) to further such harm, and to state unequivocally that the products we +make at Netlandish are not safe havens for people who wish to commit such harm. +If you have an account with any of our products, you can't use them for any of +the restricted purposes listed below. If we find out you are, [we will take +action](/policies/how-we-handle/). + +## Restricted purposes + +* **Violence, or threats thereof**: If an activity qualifies as violent crime + in the United States or where you live, you may not use Netlandish products + to plan, perpetrate, or threaten that activity. +* **Child exploitation, sexualization, or abuse**: We don't tolerate any + activities that create, disseminate, or otherwise cause child abuse. Keep + away and stop. Just stop. +* **Hate speech**: You cannot use our products to advocate for the + extermination, domination, or oppression of people. +* **Harassment**: Intimidating or targeting people or groups through repeated + communication, including using racial slurs or dehumanizing language, is not + welcome at Netlandish. +* **Doxing**: If you are using Netlandish products to share other peoples' + private personal information for the purposes of harassment, we don't want + anything to do with you. +* **Malware or spyware**: Code for good, not evil. 
If you are using our + products to make or distribute anything that qualifies as malware or spyware + — including remote user surveillance — begone. +* **Phishing or otherwise attempting fraud**: It is not okay to lie about who + you are or who you affiliate with to steal from, extort, or otherwise harm + others. +* **Spamming**: No one wants unsolicited commercial emails. We don't tolerate + folks (including their bots) using Netlandish products for spamming purposes. + If your emails don't pass muster with + [CAN-SPAM](https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business) + or any other anti-spam law, it's not allowed. +* **Cybersquatting**: We don't like username extortionists. If you purchase a + Netlandish product account in someone else's name and then try to sell that + account to them, you are + [cybersquatting](https://www.law.cornell.edu/uscode/text/15/1125). + Cybersquatting accounts are subject to immediate cancellation. +* **Infringing on intellectual property**: You can't use Netlandish products to + make or disseminate work that uses the intellectual property of others beyond + the bounds of [fair use](https://www.copyright.gov/fair-use/more-info.html). + +While our use restrictions are comprehensive, they can't be exhaustive — it's +possible an offense could defy categorization, present for the first time, or +illuminate a moral quandary we hadn't yet considered. That said, we hope the +overarching spirit is clear: Netlandish products are not to be harnessed for +harm, whether mental, physical, personal or civic. Different points of view — +philosophical, religious, and political — are welcome, but ideologies like +white nationalism, or hate-fueled movements anchored by oppression, violence, +abuse, extermination, or domination of one group over another, will not be +accepted here. 
+ +## How to report abuse + +For cases of suspected malware, spyware, phishing, spamming, and +cybersquatting, please alert us at [abuse@netlandish.com][abemail] + +For all other cases, please let us know by emailing +[hello@netlandish.com][email]. If you're not 100% sure if something rises to the +level of our use restrictions policy, report it anyway. + +Please share as much as you are comfortable with about the account, the content +or behavior you are reporting, and how you found it. Sending us a URL or +screenshots is super helpful. If you need a secure file transfer, let us know +and we will send you a link. We will not disclose your identity to anyone +associated with the reported account. For copyright cases, we've outlined extra +instructions on [how to notify us about infringement +claims](/policies/copyright/). + +Someone on our team will respond within one business day to let you know we've +begun investigating. We have published details on [how we investigate use +restriction reports](/policies/how-we-handle/). We will also let you know the +outcome of our investigation (unless you ask us not to, or we are not allowed +to under law). + +**This policy and process applies to any product created and owned by +Netlandish Inc. That includes AnyHow and HelpYouFindMe.** + +[abemail]: mailto:abuse@netlandish.com "abuse@netlandish.com" +[email]: mailto:hello@netlandish.com "hello@netlandish.com" diff --git a/policies/cancellation.md b/policies/cancellation.md new file mode 100644 index 0000000..4564b8c --- /dev/null +++ b/policies/cancellation.md 
@@ -0,0 +1,53 @@ +--- title: Cancellation policy description: Everything you need to know about +canceling your Netlandish product account. --- + +# Cancellation policy + +*Last updated: March 21, 2021* + +We want satisfied customers, not hostages. That's why we make it easy for you +to cancel your account directly in all of our apps — no phone calls required, +no questions asked. + +Account owners can follow these instructions to cancel in-app: +* [AnyHow](https://docs.anyhowhq.com/billing/#cancelling) +* [HelpYouFindMe](https://helpyoufind.me/help/billing/#cancelling) + +Our legal responsibility is to account owners, which means we cannot cancel an +account at the request of anyone else. If for whatever reason you no longer +know who the account owner is, [contact us][email]. We will +gladly reach out to any current account owners at the email addresses we have +on file. + +## What happens when you cancel? + +You won't be able to access your account once you cancel, so make sure you +download everything you want to keep beforehand. + +We'll permanently delete your account data within 30 days from our servers and +logs, and within 60 days from our backups. Retrieving data for a single account +from a backup isn't possible, so if you change your mind you'll need to do it +within the first 30 days. **Data can't be recovered once it has been +permanently deleted.** + +We won't bill you again once you cancel. We don't automatically prorate any +unused time you may have left but if you haven't used your account in months or +just started a new billing cycle, [contact us][email] for a +[fair refund](/policies/refund/). We'll treat you right. 
+ +## Netlandish-initiated cancellations + +We may cancel accounts if they have been inactive for an extended period: +* For trial accounts: + * For all services: 30 days after a trial has expired without being + upgraded +* For frozen accounts: 180 days after being frozen due to billing failures +* For free accounts: after 365 days of inactivity + +We also retain the right to suspend or terminate accounts for any reason at any +time, as outlined in our [Terms of Service](/policies/terms-of-service/). In practice, +this generally means we will cancel your account without notice if we have +evidence that you are using our products to engage in [abusive +behavior](/policies/abuse/). + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" diff --git a/policies/company-processors.md b/policies/company-processors.md new file mode 100644 index 0000000..cb42782 --- /dev/null +++ b/policies/company-processors.md @@ -0,0 +1,25 @@ +--- +title: Company Processors +description: Netlandish Inc. uses some other third-party processors for company purposes outside of delivering our services. +--- + +# Company processors + +We as a company use third-party software that may process your information +under certain circumstances. + +For the following processors, we have established GDPR-compliant data +processing agreements, extending [GDPR safeguards](../regulations/index.md) +everywhere personal data is processed. These processors are all located in the +United States: + +* [HelloSign](https://www.hellosign.com/trust/compliance/gdpr). Electronic + signature service. +* [Paypal](https://www.paypal.com/us/webapps/mpp/gdpr-readiness-requirements). + Payment transfer service. + +As a company, we also host a blog and maintain social media profiles. If you +voluntarily engage with us through those media, your personal information may +also be collected by the following processors, also all located in the US: + +* [Twitter](https://gdpr.twitter.com/). Social media platform. 
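Review bot: the YAML front matter at the top of policies/cancellation.md is collapsed onto the text lines (`--- title: Cancellation policy description: Everything you need to know about` / `canceling your Netlandish product account. ---`), unlike abuse.md in this same patch where `---`, `title:`, `description:` and the closing `---` each sit on their own line; as written the page will render the raw front matter as body text and carry no title. The same defect is in policies/privacy.md. Also, "We'll permanently delete your account data within 30 days from our servers and logs" is contradicted by privacy.md's "We also log full IP addresses used to sign up a product account. We keep this record forever"; either carve sign-up IPs out of the deletion promise here or shorten the retention there. Minor: the "For trial accounts: / For all services:" nesting has a single child and can be flattened to one bullet.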
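Review bot: `[GDPR safeguards](../regulations/index.md)` in policies/company-processors.md is a filesystem-relative link to a file that does not exist (the patch adds policies/regulations.md, not policies/regulations/index.md), and every other policy in this patch links with site paths such as `/policies/regulations/`; change it to match. This file is also one of several in the patch without a "Last updated" line, and a processor list in particular should carry one, since it is the document most likely to change.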
diff --git a/policies/copyright.md b/policies/copyright.md new file mode 100644 index 0000000..ab7c1ae --- /dev/null +++ b/policies/copyright.md 
@@ -0,0 +1,72 @@ +--- +title: Copy that? +description: How Netlandish handles copyright infringement claims. +--- + +# Copyright Infringement Claims + +## Notification of Copyright Infringement Claims + +Making original work is hard! As described in our [Use Restrictions +policy](/policies/abuse/), you can't use Netlandish products* to make or +disseminate work that uses the intellectual property of others beyond the +bounds of [fair use](https://www.copyright.gov/fair-use/more-info.html). + +Are you a copyright owner? Under the Digital Millennium Copyright Act (17 +U.S.C. § 512), you have the right to notify us (Netlandish Inc.) if you believe +that an account user of any product we built and maintain has infringed on your +work(s) as copyright owner. To be effective, the notification of claimed +infringement must be written. Please include the following information: + +- A physical or electronic signature of a person authorized to act on behalf of + the owner of an exclusive right that is allegedly infringed. +- Identification of the copyrighted work(s) claimed to have been infringed. If + there are multiple, please share a representative list of those works. +- A way for us to locate the material you believe is infringing the copyrighted + work. +- Your name and contact information so that we can get back to you. Email + address is preferred but a telephone number or mailing address works too. +- A statement that you, in good faith, believe that use of the material in the + manner complained of is not authorized by the copyright owner, its agent, or + the law. +- A statement that the information in the notification is accurate, and under + penalty of perjury, that you are authorized to act on behalf of the owner of + an exclusive right that is allegedly infringed. + +## Digital Millennium Copyright Act ("DCMA") Counter-notifications + +On the flip-side, if you believe your material has been removed in error, you +can file a written counter-notification. 
Please include the following +information: + +- A physical or electronic signature, or the signature of the person authorized + to act on your behalf. +- A description of the material that was removed. +- A description of where the material appeared in Netlandish products prior to + their removal. +- Your name and contact information so that we can get back to you. Email + address is preferred but a telephone number or mailing address works too. +- A statement under penalty of perjury that you have a good faith belief that + the material was removed or disabled as a result of mistake or + misidentification. +- A statement that you consent to the jurisdiction of the Federal District + Court for the judicial district in which your address is located, or if your + address is outside of the United States, in the Southern District of + California (where Netlandish is located). +- A statement that you will accept service of process from the person who filed + the original DMCA notice or an agent of that person. (In other words, you've + designated that person to receive documents on your behalf.) + +## Where to Send Notices + +You can notify us of either copyright infringement claims or DCMA +counter-notifications through either of the following channels: + +**By email**: [abuse@netlandish.com][abemail] + +**By mail**: Netlandish Inc., 5200 Clark Ave, #832, Lakewood CA 90714, USA + +**This policy and process applies to any product created and owned by +Netlandish Inc. That includes AnyHow and HelpYouFindMe.** + +[abemail]: mailto:abuse@netlandish.com "abuse@netlandish.com" diff --git a/policies/how-we-handle.md b/policies/how-we-handle.md new file mode 100644 index 0000000..bbd0f0f --- /dev/null +++ b/policies/how-we-handle.md 
@@ -0,0 +1,119 @@ +--- +title: How we handle abusive usage +description: Guiding principles and process for investigating abuse reports +--- + +# How we handle abusive usage + +*Last updated: March 21, 2021* + +We build our products* to give teams a better way to work. We are proud of that +purpose and trust that our customers use our products for appropriate +endeavors. + +Sometimes, though, we discover potential abusive usage as detailed in our [Use +Restrictions policy](/policies/abuse/). When that happens, we investigate using the +following guiding principles and process. + +## Guiding Principles + +### Human oversight + +Who's "we", you ask? It's us: folks from the Netlandish team. Our internal abuse +oversight committee includes our President, Peter Sanchez, and +representatives from multiple departments across the company. On rare occasions +for particularly sensitive situations or if legally required, we may also seek +counsel from external experts. + +### Balanced responsibilities + +We have an obligation to protect the privacy and safety of both our customers +and the people reporting issues to us. We do our best to balance those +responsibilities throughout the process. + +### Focus on evidence + +We base our decisions on the evidence available to us: what we see and hear +account users say and do. We document what we observe and ask whether that +observable evidence points to a restricted use. + +## Process + +Every case goes through the same general process: + +1. Discovery +2. Investigation +3. Decision, sometimes with right to an appeal + +### How do we discover potential abuse? + +From our experience, we learn about potential abuse because: + +- Someone alerts us. We give [abuse reports](/policies/abuse/) our full care and + attention. Our Support team also responds to every question or comment that + comes in. If we notice anything in those emails that points to a violation, + we will look into it. 
+- We notice an anomaly in our business operations monitoring. We monitor a + range of things about our products, like sign-up volume and error rates of web + requests. If we see something weird with those numbers, we get to the bottom + of it. +- We stumble upon public web content that links an individual or organization + to a Netlandish product. We aren't scouring the Internet looking for those + links, but if we do come across any, we check them out. + +This list is not exhaustive; there are always edge cases. We will update the +list if we find regular new avenues. + +### How do we investigate? + +We focus on the evidence: + +- Language and imagery used by users on the account +- Evidence of account users' power and/or ability to act on spoken claims +- Publicly available information about account users + +We strive to balance privacy and safety for all those involved: + +- We make every effort to complete our investigations without accessing a + customer account. For instance, if there are screenshots or public documents + available, we review those. We also consider whether it is appropriate to + involve the account owner in a given investigation and seek additional + evidence from them. +- As we review the evidence, we look for indications of existing negative + impact. We also assess the severity of any potential negative impact, + regardless of intent. When relevant, we look for and follow available + guidelines from expert institutions. +- If we cannot come to a fair assessment from the information available, we may + decide to access a customer account without notice. We do not make this + decision lightly. Customer privacy is a big deal to us and we only pursue + this course of action if the evidence we have already is very concerning, but + not definitive. + +While some violations are flatly obvious, others are subjective, nuanced, and +difficult to adjudicate. 
We give each case adequate time and attention, +commensurate with the violation, criticality, and severity of the charge. + +### What happens if someone really broke the rules? + +We will terminate an account without advance notice if there is evidence it is +being used for a restricted purpose that has, is, or will cause severe harm. If +applicable, we will also report the incident to the appropriate authorities. + +For other cases, we'll take a case-by-case approach to clear things up. + +Further, as a small, privately owned independent business that puts our values +and conscience ahead of growth at all costs, we reserve the right to deny +service to anyone we ultimately feel uncomfortable doing business with. + +### Can you appeal a decision? + +If we terminate an account without notice, the decision is final. + +For other cases, we will consider good faith appeals sent to +[abuse@netlandish.com][abemail] by the account owner within +14 calendar days. + +**This process applies to any product created and owned by +Netlandish Inc. That includes AnyHow and HelpYouFindMe.** + +[abemail]: mailto:abuse@netlandish.com "abuse@netlandish.com" diff --git a/policies/hyfm-refund.md b/policies/hyfm-refund.md new file mode 100644 index 0000000..833712c --- /dev/null +++ b/policies/hyfm-refund.md 
@@ -0,0 +1,35 @@ +--- +title: Refund policy +description: "Learn about how and when we offer refunds for HelpYouFindMe." +--- + +# A fair refund policy + +## With HelpYouFindMe, we sell subscriptions on an annual basis only. + +If you pay for a year of HelpYouFindMe and then cancel before the year is up, +we make sure you aren't charged in the future. Your account will remain active +for the remainder of the period you'd already paid for. Once your account +becomes inactive it becomes subject to the data retention rules defined in our +[Cancellation policy](/policies/cancellation/). + +Here are examples of refunds for HelpYouFindMe we'd grant: + +- You decided HelpYouFindMe wasn't for you and stopped using it early on but forgot to + cancel your account. Then you got the auto-renewal invoice. If you don't need + any extra time to migrate and you don't need outbound forwarding, let us know + and we'll refund that last payment. +- If you were really not happy with HEY, you can have your money back. + +We'll also consider giving credits for future cycles if something goes wrong on +our side. For example, if we had extended downtime (multiple hours in a day, or +multiple days in a month) or you emailed customer service and it took multiple +days to get back to you, we'll issue a partial credit to your account. + +## Get in touch + +At the end of the day, nearly everything on the edges comes down to a +case-by-case basis. [Send us a note][email], tell us what's up, and we'll work +with you to make sure you're happy. + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" diff --git a/policies/index.md b/policies/index.md new file mode 100644 index 0000000..80b63a7 --- /dev/null +++ b/policies/index.md 
@@ -0,0 +1,16 @@ +--- +title: 'Netlandish Policies and Terms of Service' +description: 'All the policies and legal stuff for Netlandish customers. We try to make all our policies as clear, fair, and readable as possible.' +--- + +# Netlandish Policies, Terms, and Legal Stuff + +The rough print and the fine print. We try to make all our policies as clear, fair, and readable as possible. + +* [Terms of Service](/policies/terms-of-service/) +* [Privacy policy](/policies/privacy/) +* [Privacy Regulations reference](/policies/regulations/) +* [Cancellation policy](/policies/cancellation/) +* [Refund policy](/policies/refund/) +* [Use Restrictions policy](/policies/abuse/) +* [Security overview](/policies/security/) diff --git a/policies/ownership-anyhow.md b/policies/ownership-anyhow.md new file mode 100644 index 0000000..60c1ce5 --- /dev/null +++ b/policies/ownership-anyhow.md 
@@ -0,0 +1,58 @@ +--- +title: 'AnyHow Account Ownership' +description: 'Everything you need to know about AnyHow account ownership.' +--- + +# Who owns a AnyHow account? + +AnyHow accounts are owned by individuals, not by organizations. When you sign +up and create a [AnyHow account][home], you are the owner of that account and +all the data in it. Our legal responsibility is to the account owner(s), so we +won't let other people take over your account without your permission. + +## What can account owners do? + +Account owners can: + +- **Create multiple organizations**: Any account owner can create + organizations. Each organization can have it's own team members, clients, + projects, and separate billing profiles. +- **Join multiple organizations**: Any account can be a member of any + organization. If the account is not the owner of said organization then the + organization manager must invite the account to join. +- **Access and export all data in an account**: account owners can add + themselves to any Team or Project and view everything in the organization + accumulated assets. +- **Manage all aspects of the account's subscription:** including updating + billing information; adding more users and account administrators; and + cancelling an account + ([how-to](https://docs.anyhowhq.com/billing/#cancelling)). +- **Designate other account owners**: AnyHow organizations can have multiple + managers. We recommend designating other managers you trust, so + that updates can be made to the account when you're not available. + +## Designating other people as organization managers + +It's important to remember that accounts own organizations and one account can +own multiple organizations. Each organization has it's own billing, users, etc. + +An organization owner can add or remove other managers from the +"Manage" section in the organization. When you designate someone +else as a manager, they will have the same power to add and remove other +managers at any time. 
However they can **not** remove you as the organization +owner. So your account will always maintain control over any organizations it +owns. + +## What if I have another question about ownership? + +Netlandish may update this policy once in a blue moon — we'll notify you about +significant changes by emailing the account owner or by placing a prominent +notice on our site. You can access, change or delete your personal information +at any time by contacting Netlandish [support][support]. + +Questions about this account ownership policy? Please get in touch with our +[support team][support-email] and we'll be happy to answer them! + +[home]: https://anyhowhq.com/ +[support]: https://anyhowhq.com/support +[support-email]: mailto:hello@anyhowhq.com diff --git a/policies/ownership-hyfm.md b/policies/ownership-hyfm.md new file mode 100644 index 0000000..9aedc2a --- /dev/null +++ b/policies/ownership-hyfm.md 
@@ -0,0 +1,32 @@ +--- +title: 'HelpYouFind.Me Account Ownership and Management' +description: 'Who owns and manages HYFM accounts.' +--- + +# HelpYouFindMe Ownership & Management Policy + +HelpYouFindMe accounts are owned by each individual who created the during sign-up. +Even in the event of sub-accounts. In other words, regardless of who is +*paying* for the account, the account owner is *always* the person who +registered the account. For information on account types, etc. see the +[terminology help page][terms]. + +Regardless of account type, the *management* of the account is done by the account +owner. This is the person who originally signed up for the account. + +## Can "Family Account" owners access data of sub-accounts? + +Not without specific permission. Data access in HelpYouFindMe works the same +for everyone, regardless of family/sub account relationships. + +This is not just our policy it's actually built into the application itself. +It's impossible for us to provide the Family Account (or any other account or +third party) access to a sub-accounts private data. This is because the data is +encrypted on your local browser. We have no access to it. + +## Still have a question? + +Please get in touch with our [support team](mailto:hello@helpyoufind.me) and we'll +be happy to answer them! + +[terms]: https://helpyoufind.me/help/terms/ diff --git a/policies/privacy.md b/policies/privacy.md new file mode 100644 index 0000000..7d29038 --- /dev/null +++ b/policies/privacy.md 
@@ -0,0 +1,422 @@ +--- title: Privacy policy description: The privacy of your data — and it is +your data, not ours! — is a big deal to us. Here's the rundown of what we +collect and why, when we access your information, and your rights. --- + +# Privacy policy + +*Last updated: March 21, 2021* + +The privacy of your data — and it is your data, not ours! — is a big deal to +us. In this policy, we lay out: what data we collect and why; how your data is +handled; and your rights to your data. We promise we never sell your data: +never have, never will. + +This policy applies to all products built and maintained by Netlandish Inc. +including AnyHow and HelpYouFindMe. + +## What we collect and why + +Our guiding principle is to collect only what we need. Here's what that means +in practice: + +### Identity & access + +When you sign up for a Netlandish product, we typically ask for identifying +information such as your name, email address, and maybe a company name. That's +just so you can personalize your new account, and we can send you invoices, +updates, or other essential information. We sometimes also give you the option +to add a profile picture that displays in our products, but we do not normally +look at or access that picture. We'll never sell your personal info to third +parties, and we won't use your name or company in marketing statements without +your permission either. + +### Billing information + +When you pay for a Netlandish product, we ask for your credit card and billing +address. That's so we can charge you for service, calculate taxes due, and send +you invoices. Your credit card is passed directly to our payment processor and +doesn't ever go through our servers. We store a record of the payment +transaction, including the last 4 digits of the credit card number and as-of +billing address, for account history, invoicing, and billing support. 
We store +your billing address to calculate any sales tax due in the United States or VAT +in the EU, to detect fraudulent credit card transactions, and to print on your +invoices. + +### Geolocation data + +We log all access to all accounts by full IP address so that we can always +verify no unauthorized access has happened. We keep this login data for as long +as your product account is active. + +We also log full IP addresses used to sign up a product account. We keep this +record forever because they are used to mitigate spammy signups. + +Web analytics data — described further in the Website Interactions section — +are also tied temporarily to IP addresses to assist with troubleshooting cases. +We blind all web analytics data after 30 days. + +### Website interactions + +When you browse our marketing pages or applications, your browser automatically +shares certain information such as which operating system and browser version +you are using. We track that information, along with the pages you are +visiting, page load timing, and which website referred you for statistical +purposes like conversion rates and to test new designs. We sometimes track +specific link clicks to help inform some design decisions. These web analytics +data are tied to your IP address and user account if applicable and you are +signed into our Services. We blind all of these individual identifiers after 30 +days. + +### Anti-bot assessments + +We use [CAPTCHA](https://en.wikipedia.org/wiki/CAPTCHA) services across our +applications to mitigate brute force logins and in HEY as a means of spam +protection. We have a legitimate interest in protecting our apps and the +broader Internet community from credential stuffing attacks and spam. 
When you +log into your accounts and fill specific forms, the CAPTCHA service +evaluates various information (e.g IP address, how long the visitor has been on +the app, mouse movements) to check whether the data is possibly filled out by +an automated program instead of a human. We retain these data via our +subprocessor forever because they are used for anti-spam mitigation. + +### Cookies and Do Not Track + +We do use persistent first-party cookies to store certain preferences, make it +easier for you to use our applications, and support some in-house analytics. A +cookie is a piece of text stored by your browser to help it remember your login +information, site preferences, and more. You can adjust cookie retention +settings in your own browser. To learn more about cookies, including how to +view which cookies have been set and how to manage and delete them, please +visit: [www.allaboutcookies.org](https://www.allaboutcookies.org). + +At this time, our sites and applications do not respond to Do Not Track beacons +sent by browser plugins. + +### Voluntary correspondence + +When you write Netlandish with a question or to ask for help, we keep that +correspondence, including the email address, so that we have a history of past +correspondences to reference if you reach out in the future. + +We also store any information you volunteer like surveys. Sometimes when we do +customer interviews, we may ask for your permission to record the conversation +for future reference or use. We only do so if you give your express consent. + +### Information we do not collect + +We don't collect any characteristics of protected classifications including +age, race, gender, religion, sexual orientation, gender identity, gender +expression, or physical and mental abilities or disabilities. You may provide +these data voluntarily, such as if you include a pronoun preference in your +email signature when writing into our Support team. + +We also do not collect any biometric data. 
You are given the option to add a +picture to your user profile, which could be a real picture of you or a picture +of something else that represents you best. We do not extract any information +from profile pictures: they are for your use alone. + +### How we approach mobile app permissions + +We currently do not have any mobile apps for our Services. However for +HelpYouFindMe we do have mobile integration using the [Telegram][telegram] +secure messaging service. There are no special permissions required to +integrate your HelpYouFindMe account with Telegram but you do need to provide +permissions for certain features when using Telegram. For example, if you want +to send your location to HelpYouFindMe using Telegram then you will need to +grant the Telegram application permission to access your location. + +[telegram]: https://telegram.org "Telegram" + +## When we access or share your information + +Our default practice is to not access your information. The only times we'll +ever access or share your info are: + +**To provide products or services you've requested**. We do use some +third-party services to run our applications and only to the extent necessary +process some or all of your personal information via these third parties. You +can [view the list of third-party services we use][subp] for our products. +Having subprocessors means we are using technology to access your data. No +Netlandish human looks at your data for these purposes unless an error occurs +that stops an automated process from working and requires manual intervention +to fix. These are rare cases and when they happen, we look for root cause +solutions as much as possible to avoid them from reoccurring. We also use some +other processors for other business functions, which you can view: [Company +processors](/policies/company-processors/). 
+ +**To help you troubleshoot or squash a software bug, with your permission.** If +at any point we need to access your account to help you with a Support case, we +will ask for your consent before proceeding. + +**To investigate, prevent, or take action regarding [restricted +uses](../abuse/index.md).** Accessing a customer's account when investigating +potential abuse is a measure of last resort. We have an obligation to protect +the privacy and safety of both our customers and the people reporting issues to +us. We do our best to balance those responsibilities throughout the process. If +we do discover you are using our products for a restricted purpose, we will +report the incident to the appropriate authorities. + +**When required under applicable law.** + +Netlandish, Inc. is a US company and all data infrastructure are located in the +US. + +* If US law enforcement authorities have the necessary warrant, criminal + subpoena, or court order requiring we share data, we have to comply. + Otherwise, we flat-out reject requests from local and federal law enforcement + when they seek data. And unless we're legally prevented from it, we'll always + inform you when such requests are made. In the event a government authority + outside the US approaches Netlandish with a request, our default stance is to + refuse unless the US government compels us to comply through procedures + outlined in a mutual legal assistance treaty or agreement. ***We have never + received a National Security Letter or Foreign Intelligence Surveillance Act + (FISA) order.*** +* Similarly, if Netlandish receives a request to preserve data, we refuse unless + compelled by either the US Federal Stored Communications Act, 18 U.S.C. + Section 2703(f) or a properly served US subpoena for civil matters. In both + of these situations, we have to comply. In these situations, we notify + affected customers as soon as possible unless we are legally prohibited from + doing so. 
We do not share preserved data unless absolutely required under the + Stored Communications Act or compelled by a court order that we choose not to + appeal. Furthermore, unless we receive a proper warrant, court order, or + subpoena before the required preservation period expires, we destroy any + preserved copies we made of customer data once the preservation period + lapses. +* If we get an informal request from any person, organization, or entity, we do + not assist. If you are an account owner who wants to export data from their + accounts, you can do so directly by [submitting a request directly][email]. +* If we are audited by a tax authority, we may be required to share + billing-related information. If that happens, we only share the bare minimum + needed such as billing addresses and tax exemption information. + +Finally, if Netlandish, Inc. is acquired by or merged with another company — we +don't plan on that, but if it happens — we'll notify you well before any info +about you is transferred and becomes subject to a different privacy policy. + +## Your rights with respect to your information + +At Netlandish, we apply the same data rights to all customers, regardless of +their location. Currently some of the most privacy-forward regulations in place +are the European Union's General Data Protection Regulation ("GDPR") and +California Consumer Privacy Act ("CCPA") in the US. Basecamp recognizes all of +the rights granted in these regulations, except as limited by applicable law. +These rights include: + +* **Right to Know.** You have the right to know what personal information is + collected, used, shared or sold. We outline both the categories and specific + bits of data we collect, as well as how they are used, in this privacy + policy. +* **Right of Access.** This includes your right to access the personal + information we gather about you, and your right to obtain information about + the sharing, storage, security and processing of that information. 
+* **Right to Correction.** You have the right to request correction of your + personal information. +* **Right to Erasure / "To be Forgotten".** This is your right to request, + subject to certain limitations under applicable law, that your personal + information be erased from our possession and, by extension, all of our + service providers. Fulfillment of some data deletion requests may prevent you + from using Basecamp services because our applications may then no longer + work. In such cases, a data deletion request may result in closing your + account. +* **Right to Complain.** You have the right to make a complaint regarding our + handling of your personal information with the appropriate supervisory + authority. To identify your specific authority or find out more about this + right, EU individuals should go to + [https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en). +* **Right to Restrict Processing.** This is your right to request restriction + of how and why your personal information is used or processed, including + opting out of sale of personal information. (Again: we never have and never + will sell your personal data.) +* **Right to Object.** You have the right, in certain situations, to object to + how or why your personal information is processed. +* **Right to Portability.** You have the right to receive the personal + information we have about you and the right to transmit it to another party. +* **Right to not be subject to Automated Decision-Making.** You have the right + to object and prevent any decision that could have a legal, or similarly + significant, effect on you from being made solely based on automated + processes. This right is limited, however, if the decision is necessary for + performance of any contract between you and us, is allowed by applicable law, + or is based on your explicit consent. +* **Right to Non-Discrimination.** This right stems from the CCPA. 
We do not + and will not charge you a different amount to use our products, offer you + different discounts, or give you a lower level of customer service because + you have exercised your data privacy rights. However, the exercise of certain + rights (such as the right "to be forgotten") may, by virtue of your + exercising those rights, prevent you from using our Services. + +Many of these rights can be exercised by signing in and directly updating your +account information. + +If you have questions about exercising these rights or need assistance, please +contact us at [hello@netlandish.com][email] or at +Netlandish, Inc., 5200 Clark Ave, #832, Lakewood, CA 90714 USA. For +requests to delete personal information or know what personal information has +been collected, we will first verify your identity using a combination of at +least two pieces of information already collected including your user email +address. If an authorized agent is corresponding on your behalf, we will first +need written consent with a signature from the account holder before +proceeding. + +If you are in the EU, you can identify your specific authority to file a +complaint or find out more about GDPR, at +[https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en). + +## How we secure your data + +All data is encrypted via +[SSL/TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) when +transmitted from our servers to your browser. The database backups are also +encrypted. + +For products except HelpYouFindMe, most data are not encrypted while they live +in our database (since it needs to be ready to send to you when you need it), +but we go to great lengths to secure your data at rest. For more information +about how we keep your information secure, please review our [security +overview](/policies/security/). 
+ +With HelpYouFindMe, the security overview still applies _and_ we've gone even +further by encrypting the private data in your, the user's, web-browser. All +private data is encrypted on your computer before it is ever sent to Netlandish +servers. Your private data is protected by your own encryption key that you +set and are responsible for safe guarding. + +## What happens when you delete data in your product accounts + +In many of our applications, we give you the option to trash data. Anything you +trash on your product accounts while they are active will be kept in an +accessible trash can for up to 30 days (it varies a little by product). After +that, the trashed data are no longer accessible via the application and are +deleted from our active servers within the next 30 days. We also have some +backups of our application databases, which are kept for up to another 30 days. +In total, when you trash things in our applications, they are purged within 90 +days from all of our systems and logs. Retrieving data for a single account +from a backup is cost-prohibitive and unduly burdensome so if you change your +mind you'll need to do so before your data are deleted from our active servers. + +We also delete your data after an account is cancelled. In this case, there is +no period of data being kept in an accessible trash can so your data are purged +within 60 days. This applies both for cases when an account owner directly +cancels and for auto-cancelled accounts. Please refer to our [Cancellation +policy](../cancellation/index.md) for more details. + +## Location of site and data + +Our products and other web properties are operated in the United States. If you +are located in the European Union or elsewhere outside of the United States, +**please be aware that any information you provide to us will be transferred to +and stored in the United States**. 
By using our Site, participating in any of +our services and/or providing us with your information, you consent to this +transfer. + +## When transferring personal data from the EU + +The GDPR requires that any data transferred out of the EU must be treated with +the same level of protection that the EU privacy laws grant. The privacy laws +of the United States generally do not meet that requirement. That is why since +GDPR went into effect, Basecamp has offered a data processing addendum and +voluntarily participated in the EU-US Privacy Shield Framework as well as the +Swiss-US Privacy Shield Framework. + +There are also a few ad-hoc cases where EU personal data may be transferred to +the US related to Netlandish, Inc. operations. For instance, if someone in the +EU comments on our company blog or a customer participates in one of our +infrequent surveys or someone applies to one of our open positions or buys swag +on our company shop. Such transfers are only occasional and transferred under +the [Article 49(1)(b) derogation](https://gdpr-info.eu/art-49-gdpr/) under +GDPR. + +## EU-US and Swiss-US Privacy Shield policy + +The EU-US [Privacy Shield](https://www.privacyshield.gov/) is an agreement +between certain European jurisdictions and the United States that up until July +16, 2020, allowed for the transfer of personal data from the EU to the US. +Participation in the Privacy Shield program is voluntary. The Swiss-US Privacy +Shield is a similar program for data transferred to the US from Switzerland +that was in effect until September 8, 2020. + +### We comply with the frameworks for EU, UK, and Swiss data that are transferred into the United States + +Netlandish complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. +Privacy Shield Framework as set forth by the U.S. 
Department of Commerce +regarding the collection, use, and retention of personal information +transferred from the European Union, the United Kingdom, and Switzerland to the +United States, respectively. We've certified to the Department of Commerce that +we adhere to the Privacy Shield Principles. If there is any conflict between +the terms in this privacy policy and the Privacy Shield Principles, the Privacy +Shield Principles take precedent. To learn more about the Privacy Shield +program, and to view our certification, please visit +[https://www.privacyshield.gov/](https://www.privacyshield.gov/). + +Netlandish is subject to the investigatory and enforcement powers of the Federal +Trade Commission (FTC) with regard to the Privacy Shield Frameworks. + +The Privacy Shield Frameworks uphold specific principles, many of which are +already outlined in the section on Your Rights. For clarity, pursuant to the +Privacy Shield Frameworks, the following principles apply to all EU, UK, and +Swiss data that has been transferred into the United States: + +- Individuals have the right to access their personal data and to update, + correct, and/or amend information that is incomplete. Individuals also have + the right to request erasure of personal information that has been processed + in violation of the principles. Individuals wishing to exercise these rights + may do so by by signing in and directly updating your account information. If + you have questions about exercising these rights or need assistance, please + contact us at [hello@netlandish.com][email] or at Netlandish, Inc., 5200 + Clark Ave, #832, Lakewood, CA 90714 USA. +- We remain liable for the onward transfer of personal data to third parties + acting as our agents unless we can prove we were not a party to the events + giving rise to the damages. +- We do not sell personal data nor do we permit it to be used for reasons other + than those for which it was originally provided. 
If this practice should + change in the future, we will update this policy accordingly and provide + individuals with opt-out or opt-in choice as appropriate. +- We may be required to release personal data in response to lawful requests + from public authorities including to meet national security and law + enforcement requirements. + +### We commit to resolving all complaints + +In compliance with the EU-US Privacy Shield Principles and the Swiss-US Privacy +Shield Principles, we commit to resolve complaints about your privacy and our +collection or use of your personal information. European Union, United Kingdom, +or Swiss individuals with inquiries or complaints regarding this privacy policy +should first contact Peter Sanchez at Netlandish at hello@netlandish.com, or by +mail at Netlandish, Inc., 5200 Clark Ave, #832, Lakewood, CA 90714 USA. + +Netlandish (the company) has further committed to refer unresolved privacy +complaints under the EU-US Privacy Shield Principles and the Swiss-US Privacy +Shield Principles to an independent dispute resolution mechanism, the BBB EU +PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely +acknowledgment of your complaint, or if your complaint is not satisfactorily +addressed, please visit +[https://bbbprograms.org/privacy-shield-complaints/](https://bbbprograms.org/privacy-shield-complaints/) +for more information and to file a complaint. This service is provided at no +cost to you. Please do not submit GDPR complaints to BBB EU Privacy Shield. + +If your EU-US Privacy Shield complaint cannot be resolved through these +described channels, under certain conditions, you may invoke binding +arbitration for some residual claims not resolved by other redress mechanisms. +To learn more, please view the Privacy Shield Annex 1 at +[https://www.privacyshield.gov/article?id=ANNEX-I-introduction](https://www.privacyshield.gov/article?id=ANNEX-I-introduction). 
+ +## Changes & questions + +We may update this policy as needed to comply with relevant regulations and +reflect any new practices. You can view a history of the changes to our +policies [on our code forge][sh]. Whenever we make a significant change to our +policies, we will also announce them on our [company blog][nlb]. + +Have any questions, comments, or concerns about this privacy policy, your data, +or your rights with respect to your information? Please get in touch by +emailing us at [hello@basecamp.com][email] and we'll be +happy to answer them! + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" +[nl]: https://www.netlandish.com/ "Netlandish Inc." +[anyhow]: https://anyhowhq.com/ "AnyHow" +[hyfm]: https://helpyoufind.me "Help You Find Me" +[sh]: https://hg.code.netlandish.com/~netlandish/policies/log "Code Forge" +[nlb]: https://www.netlandish.com/blog/ "Netlandish Blog" +[ah2fa]: https://docs.anyhowhq.com/two_step_verification/ "AnyHow 2FA" +[hyfm2fa]: https://helpyoufind.me/help/two-step-verification/ "HYFM 2FA" +[subp]: /policies/subprocessors/ "Subprocessors" diff --git a/policies/refund.md b/policies/refund.md new file mode 100644 index 0000000..13b5659 --- /dev/null +++ b/policies/refund.md 
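Review bot: privacy.md still contains copy left over from another company's policy, which should be replaced with Netlandish or the relevant Netlandish product before this ships: "Basecamp recognizes all of the rights granted in these regulations" and "prevent you from using Basecamp services" in the Your rights section, "Basecamp has offered a data processing addendum" under When transferring personal data from the EU, "in HEY as a means of spam protection" under Anti-bot assessments, and the link text in `emailing us at [hello@basecamp.com][email]` under Changes & questions (the `[email]` reference itself already resolves to hello@netlandish.com, so only the visible text is wrong). The Privacy Shield section is also internally inconsistent: it states the frameworks allowed transfers only "up until July 16, 2020", yet the next subsection asserts present-tense compliance and that "We've certified to the Department of Commerce"; either qualify that claim or remove it. Smaller points: the `[nl]`, `[anyhow]`, `[hyfm]`, `[ah2fa]` and `[hyfm2fa]` reference definitions at the end of the file are never used; the abuse and cancellation links use relative paths (`../abuse/index.md`, `../cancellation/index.md`) while every other internal link uses site-absolute `/policies/...`; and "all data infrastructure are located in the US" should read "is located".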
@@ -0,0 +1,48 @@ +--- +title: Refund policy +description: "Bad refund policies are infuriating. We never want our customers to feel that way, so our refund policy is simple: If you're ever unhappy with our products for any reason, we'll take care of you." +--- + +# A fair refund policy. + +Bad refund policies are infuriating. You feel like the company is just trying +to rip you off. We never want our customers to feel that way, so our refund +policy is simple: If you're ever unhappy with our products* for any reason, +just contact [our support team][email] and we'll take care +of you. + +## Examples of full refunds we'd grant. + +* If you were just charged for your next month of service but you meant to + cancel, we're happy to refund that extra charge. +* If you forgot to cancel your account a couple months ago and you haven't used + it since then, we'll give you a full refund for a few back months. No + problem. +* If you tried one of our products for a couple months and you just weren't + happy with it, you can have your money back. + +## Examples of partial refunds or credits we'd grant. + +* If you forgot to cancel your account a year ago, and there's been activity on + your account since then, we'll review your account usage and figure out a + partial refund based on how many months you used it. +* If you upgraded your account a few months ago to a higher plan and kept using + it in general but you didn't end up using the extra features, projects, or + storage space, we'd consider applying a prorated credit towards future + months. +* If we had extended downtime (multiple hours in a day, or multiple days in a + month) or you emailed customer service and it took multiple days to get back + to you, we'd issue a partial credit to your account. + +## Get in touch + +At the end of the day, nearly everything on the edges comes down to a +case-by-case basis. [Send us a note][email], tell us what's +up, and we'll work with you to make sure you're happy. 
+ +**This policy applies to any product created and owned by Netlandish, Inc. That +includes AnyHow and HelpYouFindMe. There are [some nuances with +HelpYouFindMe](/policies/hyfm-refund/) because its subscriptions are on an +annual basis only.** + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" diff --git a/policies/regulations.md b/policies/regulations.md new file mode 100644 index 0000000..e4b9a90 --- /dev/null +++ b/policies/regulations.md 
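Review bot: in refund.md the asterisk in "unhappy with our products* for any reason" points to a footnote that never appears; the bold closing paragraph about AnyHow and HelpYouFindMe is evidently that footnote, so either prefix it with `*` or drop the marker from the sentence. Style: the first three headings end with a period ("# A fair refund policy.", "## Examples of full refunds we'd grant.") while "## Get in touch" does not; pick one convention.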
@@ -0,0 +1,126 @@ +--- +title: Privacy Regulations Reference +description: Privacy laws are in a lot of flux. Here's info you should know. +--- + +# Privacy Regulations Reference + +*Last updated: March 21, 2021* + +The data privacy regulatory landscape is undergoing a lot of change. You +probably have heard about the EU General Data Protection Regulation (GDPR) that +went into effect on May 25, 2018. There are also other regulations in effect or +in the works around the world. We've written up this reference document to put +helpful information regarding our products and privacy regulations in one +place. Please also view our full [Privacy policy](/policies/privacy/). + +If you have any questions, comments, or concerns about our [Privacy +policy](/policies/privacy/), your data, or your rights with respect to your +information, please email us at [hello@netlandish.com][email]. + +## European Union General Data Protection Regulation (GDPR) + +Netlandish is an American company and our data infrastructure is currently +based in the US. That means if you are in another country in the world and you +use our products, your data are transferred to the US. The EU has stronger +privacy laws than the US and a core tenet of the GDPR is that if you transfer +any personal data of EU residents out of the EU, you must protect it to the +same level as guaranteed under EU law. There are two factors to this: + +1. The practices that businesses take handling personal data; and +2. The laws of the countries where you transfer the EU personal data to + +### Practices we have at Netlandish + +We are serious about treating our customers fairly. We are equally serious +about protecting your data, security, and right to privacy as if it were our +own. This applies to all our customers, regardless of where you are in the +world. + +Please do read our [Privacy Policy](/policies/privacy/) and our [Security +Overview](/policies/security/) in full. 
Some highlights: + +* We never have and never will sell customer data. +* We don't run ads for other services in our products. +* We limit the data we collect: if we don't need it, we don't ask for it. +* We put a lot of security measures into place including in-transit encryption, + encryption at-rest, and requiring employees and contractors to sign + non-disclosure agreements. +* When you email us at [hello@netlandish.com][email], someone from our Privacy + Working Group will get back to you. You are always speaking with a human! No + bots. + +We do work with sub-processors. We've listed links to our current +sub-processors at the end of this page. With each vendor, we assess their +commitment to privacy and we sign a data processing addendum with them that +include the controller-processor [Standard Contractual +Clauses](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en). + +### Relevant US laws + +The US does not have a national consumer privacy law akin to GDPR. We'd love to +see one put in place and until then, shout out to California for leading with +the California Consumer Privacy Act ("CCPA" — more information following this +GDPR section) and our spiritual home state of Illinois for its Biometric +Information Privacy Act. + +There are national US security laws that are relevant to GDPR. Chief amongst +them are: the [Foreign Intelligence Surveillance Act +(FISA)](https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286) and +Executive Order 12-333. FISA establishes ways for US law enforcement and +intelligence agencies to gather information within the US about non-US entities +suspected of espionage or terrorism. Executive Order 12-333 sets out how US +intelligence agencies can gather information, including outside the borders of +the US. + +Virtually every American software service is subject to FISA. 
That includes all +the American big tech companies you can think of as well as any European +service that uses cloud infrastructure from Amazon Web Services, Microsoft +Azure, or Google Cloud Computing. It also includes small tech American +companies like us, Netlandish Inc. However **to date, Netlandish has never been +served a FISA order or National Security Letter.** + +Even so, these laws are relevant for why extra mechanisms need to be in place +to allow the legal transfer of personal data from the EU to the US. + +## California Consumer Privacy Act (CCPA) + +In the CCPA, there is an important distinction between what are referred to as +"service providers", "businesses", and "third parties". You can see how the +regulation defines these words by visiting the California Attorney General's +website: https://www.oag.ca.gov/privacy/ccpa. + +*Under the CCPA, Netlandish is a "service provider."* That means when we +process data you provide, we do so solely for the purpose you signed up for. +Our business model is simple: we charge a recurring subscription fee to our +customers. We do not sell personal information or use your data for any other +commercial purposes unless with your explicit permission. + +The CCPA also grants residents of California with additional rights related to +their information. We grant those rights to all of our customers and detail +them in our Privacy policy. Our Privacy policy also explains the information we +collect in order to provide our services and clearly lists the only times we +access or share your data. + +## US Health Insurance Portability and Accountability Act (HIPAA) + +Our products are currently *not* +[HIPAA](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html)-compliant +and we do not have immediate plans to become so. + +## Subprocessors + +Netlandish uses third party subprocessors, such as cloud computing providers, +to provide our services. 
We enter into data processing agreements including +GDPR Standard Contractual Clauses with each subprocessor, and require the same +of them. + +We also use other software as a company that are not part of providing our +services but may collect your personal information for other purposes. + +You can see which processors are used by category below: + +- [Subprocessors](/policies/subprocessors/) +- [Company Processors](/policies/company-processors/) + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" diff --git a/policies/security-response.md b/policies/security-response.md new file mode 100644 index 0000000..3e5fe0e --- /dev/null +++ b/policies/security-response.md 
@@ -0,0 +1,55 @@ +--- +title: 'Security Response' +description: 'Have you discovered a web security flaw that might impact one of our products? Here's how you can report it.' +--- + +# Security response + +## We appreciate your concern + +Keeping customer data safe and secure is a huge responsibility and a top +priority. We work hard to protect our customers from the latest threats. Your +input and feedback on our security is always appreciated. + +## Reporting security problems + +**For security vulnerabilities and other urgent or sensitive reports**, please +email our [Security team][email]. If you feel it necessary, use [our public +key][pub] ( 5216B5D28D2E161A7F98D372FF96FA687153E3C1 ) to keep your message +safe and please provide us with a secure way to respond. We'll respond as soon +as we can. Please follow up or [ping us on +Twitter](https://twitter.com/netlandish) if you don't hear back. + +**For requests that aren't urgent or sensitive**: submit a [support +request][email]. + +## Tracking and disclosing security issues + +We work with security researchers to keep up with the state-of-the-art in web +security. Have you discovered a web security flaw that might impact our +products? Please let us know. If you [submit a +report][email], here's what will happen: + +* We'll acknowledge your report. +* We'll triage your report and determine whether it's eligible for a bounty. +* We'll investigate the issue and determine how it impacts our products. We + won't disclose issues until they've been fully investigated and patched, but + we'll work with you to ensure we fully understand severity and impact. +* Once the issue is resolved, we'll post a security update along with thanks + and credit for the discovery. + +Our products are built on the Django framework. The issue you reported might +affect Django, Python, or some other part of our technology stack. We ask for +your patience while we also make sure other companies and their customers are +protected. 
Either way, you'll always have a Netlandish contact for your issue. + +## Bounties + +Netlandish is a *tiny* company. At the time of this writing we are only 5 +people in total. We are happy to offer bounties but please understand that as a +small company they will probably to be smaller than you may be used to. We are +also open to free accounts on our products as partial bounty payment should you +be interested in such an offer. + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" +[pub]: https://www.netlandish.com/security-pub.txt diff --git a/policies/security.md b/policies/security.md new file mode 100644 index 0000000..aed9cc1 --- /dev/null +++ b/policies/security.md 
@@ -0,0 +1,83 @@ +--- +title: Security overview +description: Keeping customer data safe and secure is a huge responsibility and a top priority for us. Here's how we make it happen. +--- + +# Security overview. + +## We protect your data. + +All data are written to multiple disks instantly, backed up daily, and stored +in multiple locations. Files that our customers upload are stored on servers +that use modern techniques to remove bottlenecks and points of failure. + +## Your data are sent using HTTPS. + +Whenever your data are in transit between you and us, everything is encrypted, +and sent using HTTPS. Within our firewalled private networks, data may be +transferred unencrypted. + +Our application databases are generally not encrypted at rest — the information +you add to the applications is active in our databases and subject to the same +protection and monitoring as the rest of our systems. Our database backups are +encrypted using GPG. + +## Full redundancy for all major systems. + +Our servers — from power supplies to the internet connection to the air +purifying systems — operate at full redundancy. Our systems are engineered to +stay up even if multiple servers fail. + +## Sophisticated physical security. + +Our state-of-the-art servers are protected by biometric locks and +round-the-clock interior and exterior surveillance monitoring. Only authorized +personnel have access to the data center. 24/7/365 on-site staff provides +additional protection against unauthorized entry and security breaches. + +## Regularly-updated infrastructure. + +Our software infrastructure is updated regularly with the latest security +patches. Our products run on a dedicated network which is locked down with +firewalls and carefully monitored. While perfect security is a moving target, +we work with security researchers to keep up with the state-of-the-art in web +security. + +## We protect your billing information. 
+ +All credit card transactions are processed using secure encryption—the same +level of encryption used by leading banks. Card information is transmitted and +processed securely on a PCI-Compliant +network. We do not store any credit card data on our servers. + +## Constant monitoring + +We have a team dedicated to maintaining your account's security on our systems +and monitoring tools we've set up to alert us to any nefarious activity against +our domains. To date, we've _never_ had a data breach. + +We also audit internal data access. If a Netlandish employee wrongly accesses +customer data, they will face penalties ranging from termination to +prosecution. Again, to our knowledge, this hasn't happened. + +We have processes and defenses in place to keep our streak of 0 data breaches +going. But in the unfortunate circumstances someone malicious does successfully +mount an attack, we will immediately notify all affected customers. + +## Over 12 years in business. + +We've been around the block and we've seen a lot of companies come and go. +Security isn't just about technology, it's about trust. Since 2008, we've +worked hard to earn the trust of hundreds of companies world wide. We'll +continue to work hard every day to maintain that trust. Longevity and stability +is core to our mission at Netlandish. + +## Have a concern? Need to report an incident? + +Have you noticed abuse, misuse, an exploit, or experienced an incident with +your account? Please visit our [security response +page](/policies/security-response/) for details on how to securely submit a +report. + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" diff --git a/policies/subprocessors.md b/policies/subprocessors.md new file mode 100644 index 0000000..b4c60ed --- /dev/null +++ b/policies/subprocessors.md 
@@ -0,0 +1,23 @@ +--- +title: Netlandish Subprocessors +description: All the third-party subprocessors that we use to run Basecamp. +--- + +# Netlandish subprocessors + +We use third party subprocessors, such as cloud computing providers and +customer support software, to run Basecamp (the service). We establish +GDPR-compliant data processing agreements with each subprocessor, extending +[GDPR safeguards](../regulations/index.md) everywhere personal data is +processed. + +The following is a list of personal data subprocessors we use. These +subprocessors are all located in the United States: + +* [Stripe](https://stripe.com/guides/general-data-protection-regulation). + Payment processing services. +* [Amazon Web Services](https://aws.amazon.com/compliance/gdpr-center/). Cloud + services provider. +* [ARP Networks](https://arpnetworks.com/tos). Cloud services provider. +* [Digital Ocean](https://www.digitalocean.com/legal/gdpr/). Cloud services + provider. diff --git a/policies/terms-of-service.md b/policies/terms-of-service.md new file mode 100644 index 0000000..79b16da --- /dev/null +++ b/policies/terms-of-service.md 
@@ -0,0 +1,307 @@ +--- +title: Terms of Service +description: All the terms that you agree to when you sign up for a Netlandish product. +--- + +# Terms of Service + +*Last updated: March 21, 2021* + +From everyone at Netlandish, thank you for using our products! We build them to +help you do your best work. Many people are using Netlandish +products every day. Because we don't know every one of our customers +personally, we have to put in place some Terms of Service to help keep the ship +afloat. + +When we say "Company", "we", "our", or "us" in this document, we are referring +to [Netlandish, Inc.][nl] as a whole. + +When we say "Services", we mean any product created and maintained by +Netlandish, Inc. That includes [AnyHow][anyhow] and [HelpYouFindMe][hyfm], +whether delivered within a web browser, desktop application, mobile +application, or another format. + +When we say "You" or "your", we are referring to the people or organizations +that own an account with one or more of our Services. We have specific +ownership policies for our products: [AnyHow][ownah], [HelpYouFindMe][ownhyfm]. + +We may update these Terms of Service in the future. You can track all changes +made [on our code forge][sh]. Typically these changes have been to clarify some +of these terms by linking to an expanded related policy. Whenever we make a +significant change to our policies, we will also announce them on our [company +blog][nlb]. + +When you use our Services, now or in the future, you are agreeing to the latest +Terms of Service. That's true for any of our existing and future products and +all features that we add to our Services over time. There may be times where we +do not exercise or enforce any right or provision of the Terms of Service; in +doing so, we are not waiving that right or provision. **These terms do contain +a limitation of our liability.** + +If you violate any of the terms, we may terminate your account. 
That's a broad +statement and it means you need to place a lot of trust in us. We do our best +to deserve that trust by being open about [who we +are](https://www.netlandish.com/about), how we work, and keeping an open door +to [your feedback](mailto:hello@netlandish.com). + +## Account Terms + +1. You are responsible for maintaining the security of your account and + password. The Company cannot and will not be liable for any loss or damage + from your failure to comply with this security obligation. We recommend + users set up two-factor authentication for added security. In some of our + Services, we may require it. For help with setting up two-factor + authentication see specific instructions for [AnyHow][ah2fa] or + [HelpYouFindMe][hyfm2fa]. +2. You may not use the Services for any purpose outlined in our [Use + Restrictions policy](/policies/abuse/). +3. You are responsible for all content posted and activity that occurs under + your account. That includes content posted by others who either: (a) have + access to your login credentials; or (b) have their own logins under your + account. +4. You must be a human. Accounts registered by "bots" or other automated + methods are not permitted. + +## Payment, Refunds, and Plan Changes + +1. If you are using a free version of one of our Services, it is really free: + we do not ask you for your credit card and — just like for customers who pay + for our Services — we do not sell your data. +2. For paid Services that offer a free trial, we explain the length of trial + when you sign up. After the trial period, you need to pay in advance to keep + using the Service. If you do not pay, we will freeze your account and it + will be inaccessible until you make payment. If your account has been frozen + for a while, we will queue it up for auto-cancellation. See our + [Cancellation policy](/policies/cancellation/) for more details. +3. 
If you are upgrading from a free plan to a paid plan, we will charge your + card immediately and your billing cycle starts on the day of upgrade. For + other upgrades or downgrades in plan level, the new rate starts from the + next billing cycle. +4. All fees are exclusive of all taxes, levies, or duties imposed by taxing + authorities. Where required, we will collect those taxes on behalf of the + taxing authority and remit those taxes to taxing authorities. Otherwise, + you are responsible for payment of all taxes, levies, or duties. +5. We process refunds according to our [Fair Refund + policy](/policies/refund/). + +## Cancellation and Termination + +1. You are solely responsible for properly canceling your account. Within each + of our Services, we provide a simple no-questions-asked cancellation link. + You can find instructions for how to cancel your account in our + [Cancellation policy](../cancellation/index.md). An email or phone request + to cancel your account is not automatically considered cancellation. If you + need help cancelling your account, you can always [contact our Support + team]({{ site.email_support }}). +2. All of your content will be inaccessible from the Services immediately upon + cancellation. Within 30 days, all content will be permanently deleted from + active systems and logs. Within 60 days, all content will be permanently + deleted from our backups. We cannot recover this information once it has + been permanently deleted. If you want to export any data before your account + is cancelled, please send an email to + [hello@netlandish.com](mailto:hello@netlandish.com) for assistance. +3. If you cancel the Service before the end of your current paid up month, your + cancellation will take effect immediately, and you will not be charged + again. We do not automatically prorate unused time in the last billing + cycle. See our [Fair Refund policy](../refund/index.md) for more details. +4. 
We have the right to suspend or terminate your account and refuse any and + all current or future use of our Services for any reason at any time. + Suspension means you and any other users on your account will not be able to + access the account or any content in the account. Termination will + furthermore result in the deletion of your account or your access to your + account, and the forfeiture and relinquishment of all content in your + account. We also reserve the right to refuse the use of the Services to + anyone for any reason at any time. We have this clause because statistically + speaking, out of the hundreds of thousands of accounts on our Services, + there is at least one doing something nefarious. There are some things we + staunchly stand against and this clause is how we exercise that stance. For + more details, see our [Use Restrictions policy](../abuse/index.md). +5. Verbal, physical, written or other abuse (including threats of abuse or + retribution) of Company employee or officer will result in immediate account + termination. + +## Modifications to the Service and Prices + +1. We make a promise to our customers to support our Services for as long as we + are in control of them or until the last customer leaves the Service. That + means when it comes to security, privacy, and customer support, we will + continue to maintain any legacy Services. Sometimes it becomes technically + impossible to continue a feature or we redesign a part of our Services + because we think it could be better or we decide to close new signups of a + product. We reserve the right at any time to modify or discontinue, + temporarily or permanently, any part of our Services with or without notice. +2. Sometimes we change the pricing structure for our products. When we do that, + we tend to exempt existing customers from those changes. However, we may + choose to change the prices for existing customers. 
If we do so, we will + give at least 30 days notice and will notify you via the email address on + record. We may also post a notice about changes on our websites or the + affected Services themselves. + +## Uptime, Security, and Privacy + +1. Your use of the Services is at your sole risk. We provide these Services on + an "as is" and "as available" basis. We do not offer service-level + agreements for our Services but do take uptime of our applications + seriously. +2. We reserve the right to temporarily disable your account if your usage + significantly exceeds the average usage of other customers of the Services. + Of course, we'll reach out to the account owner before taking any action + except in rare cases where the level of use may negatively impact the + performance of the Service for other customers. +3. We take many measures to protect and secure your data through backups, + redundancies, and encryption. We enforce encryption for data transmission + from the public Internet. There are some edge cases where we may send your + data through our network unencrypted. Please refer to our [Security + Overview](../security/index.md) for full details and our [Security Response + page](../security/response/index.md) for how to report a security incident + or threat. +4. When you use our Services, you entrust us with your data. We take that trust + to heart. You agree that Netlandish may process your data as described in + our [Privacy Policy](../privacy/index.md) and for no other purpose. We as + humans can access your data for the following reasons: + - **To help you with support requests you make.** We'll ask for express + consent before accessing your account. + - **On the rare occasions when an error occurs that stops an automated + process partway through.** We get automated alerts when such errors occur. + When we can fix the issue and restart automated processing without looking + at any personal data, we do. 
In rare cases, we have to look at a minimum + amount of personal data to fix the issue. In these rare cases, we aim to + fix the root cause as much as possible to avoid the errors from + reoccurring. + - **To safeguard Netlandish.** We'll look at logs and metadata as part of + our work to ensure the security of your data and the Services as a whole. + If necessary, we may also access accounts as part of an [abuse report + investigation](../abuse/how-we-handle/index.md). + - **To the extent required by applicable law.** As a US company with all + data infrastructure located in the US, we only preserve or share customer + data if compelled by a US government authority with a legally binding + order or proper request under the Stored Communications Act. If a non-US + authority approaches Netlandish for assistance, our default stance is to + refuse unless the order has been approved by the US government, which + compels us to comply through procedures outlined in an established mutual + legal assistance treaty or agreement mechanism. If Netlandish is audited + by a tax authority, we only share the bare minimum billing information + needed to complete the audit. +5. We use third party vendors and hosting partners to provide the necessary + hardware, software, networking, storage, and related technology required to run + the Services. You can see a [list of all subprocessors][subp] who handle + personal data for Netlandish products. +6. Under the California Consumer Privacy Act ("CCPA"), Netlandish is a "service + provider", not a "business" or "third party", with respect to your use of the + Services. That means we process any data you share with us only for the purpose + you signed up for and as described in these Terms of Service, [Privacy + policy](../privacy/index.md), and [other policies](../index.md). We do not + retain, use, disclose, or sell any of that information for any other commercial + purposes unless we have your explicit permission. 
And on the flip-side, you + agree to comply with your requirements under the CCPA and not use Netlandish's + Services in a way that violates the regulations. +7. These Service Terms incorporate the [Netlandish Data Processing Addendum + ("DPA")](../privacy/regulations/dpa/Netlandish.pdf), + when the General Data Protection regulation ("GDPR") applies to your use of + Netlandish Services to process Customer Data as defined in the DPA. The DPA is + effective as of October 5, 2020 and replaces and supersedes any previously + agreed data processing addendum between you and Netlandish Inc. relating to the + GDPR. If you prefer to have an executed copy of the Data Processing Addendum, + you may [sign a copy online](https://app.hellosign.com/s/c0908a3d). Regardless + of whether you execute or not, we protect and secure your data to the high + standards set out in the addendum. + +## Copyright and Content Ownership + +1. All content posted on the Services must comply with U.S. copyright law. We + provide details on [how to file a copyright infringement + claim](../copyright/index.md). +2. We claim no intellectual property rights over the material you provide to + the Services. All materials uploaded remain yours. +3. We do not pre-screen content, but reserve the right (but not the obligation) + in our sole discretion to refuse or remove any content that is available via + the Service. +4. The names, look, and feel of the Services are copyright© to the Company. All + rights reserved. You may not duplicate, copy, or reuse any portion of the + HTML, CSS, JavaScript, or visual design elements without express written + permission from the Company. You must request permission to use the + Company's logo or any Service logos for promotional purposes. Please [email + us][email] requests to use logos. We reserve the right to rescind this + permission if you violate these Terms of Service. +5. 
You agree not to reproduce, duplicate, copy, sell, resell or exploit any + portion of the Services, use of the Services, or access to the Services + without the express written permission by the Company. +6. You must not modify another website so as to falsely imply that it is + associated with the Services or the Company. + +## Features and Bugs + +We design our Services with care, based on our own experience and the +experiences of customers who share their time and feedback. However, there is +no such thing as a service that pleases everybody. We make no guarantees that +our Services will meet your specific requirements or expectations. + +We also test all of our features extensively before shipping them. As with any +software, our Services inevitably have some bugs. We track the bugs reported to +us and work through priority ones, especially any related to security or +privacy. Not all reported bugs will get fixed and we don't guarantee completely +error-free Services. + +## Services Adaptations and API Terms + +We offer Application Program Interfaces ("API"s) for some of our Services +(currently AnyHow). Any use of the API, including through a third-party product +that accesses the Services, is bound by the terms of this agreement plus the +following specific terms: + +1. You expressly understand and agree that we are not liable for any damages or + losses resulting from your use of the API or third-party products that + access data via the API. +2. Third parties may not access and employ the API if the functionality is part + of an application that remotely records, monitors, or reports a Service + user's activity *other than time tracking*, both inside and outside the + applications. The Company, in its sole discretion, will determine if an + integration service violates this bylaw. A third party that has built and + deployed an integration for the purpose of remote user surveillance will be + required to remove that integration. +3. 
Abuse or excessively frequent requests to the Services via the API may + result in the temporary or permanent suspension of your account's access to + the API. The Company, in its sole discretion, will determine abuse or + excessive usage of the API. If we need to suspend your account's access, we + will attempt to warn the account owner first. If your API usage could or has + caused downtime, we may cut off access without prior notice. + +## Liability + +We mention liability throughout these Terms but to put it all in one section: + +***You expressly understand and agree that the Company shall not be liable, in +law or in equity, to you or to any third party for any direct, indirect, +incidental, lost profits, special, consequential, punitive or exemplary +damages, including, but not limited to, damages for loss of profits, goodwill, +use, data or other intangible losses (even if the Company has been advised of +the possibility of such damages), resulting from: (i) the use or the inability +to use the Services; (ii) the cost of procurement of substitute goods and +services resulting from any goods, data, information or services purchased or +obtained or messages received or transactions entered into through or from the +Services; (iii) unauthorized access to or alteration of your transmissions or +data; (iv) statements or conduct of any third party on the service; (v) or any +other matter relating to this Terms of Service or the Services, whether as a +breach of contract, tort (including negligence whether active or passive), or +any other theory of liability.*** + +In other words: choosing to use our Services does mean you are making a bet on +us. If the bet does not work out, that's on you, not us. We do our darnedest to +be as safe a bet as possible through careful management of the business; +investments in security, infrastructure, and talent; and in general giving a +damn. If you choose to use our Services, thank you for betting on us. 
+ +If you have a question about any of the Terms of Service, please [contact our +Support team][email]. + +[email]: mailto:hello@netlandish.com "hello@netlandish.com" +[nl]: https://www.netlandish.com/ "Netlandish Inc." +[anyhow]: https://anyhowhq.com/ "AnyHow" +[hyfm]: https://helpyoufind.me "Help You Find Me" +[sh]: https://hg.code.netlandish.com/~netlandish/policies/log "Code Forge" +[nlb]: https://www.netlandish.com/blog/ "Netlandish Blog" +[ah2fa]: https://docs.anyhowhq.com/two_step_verification/ "AnyHow 2FA" +[hyfm2fa]: https://helpyoufind.me/help/two-step-verification/ "HYFM 2FA" +[subp]: /policies/subprocessors/ "Subprocessors" +[ownah]: /policies/ownership-anyhow/ "Ownership: AnyHow" +[ownhyfm]: /policies/ownership-hyfm/ "Ownership: HelpYouFindMe" -- 2.45.2
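Review bot: the `description:` front-matter value in the security-response.md hunk is a single-quoted YAML scalar that contains an unescaped apostrophe (`Here's how you can report it.`), which closes the string early and will make the front matter fail to parse; use double quotes, as the security.md front matter in this same patch does, or double the apostrophe (`Here''s`). Two smaller points in the same hunk: "they will probably to be smaller" should read "will probably be smaller", and since the Twitter follow-up channel is public, the sentence inviting reporters to ping there could add that the ping should carry no details of the finding.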
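Review bot: the `[email]` reference definition at the end of the security.md hunk is never used in that file (its only link is to the security response page), so it can be dropped. That link is written as `/policies/security-response/` here but as `../security/response/index.md` in the terms-of-service.md hunk; pick one convention and make sure both resolve to the file this patch actually adds. Style: the section headings in this file end with a period except `## Constant monitoring`; make them consistent.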
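Review bot: both the `description:` and the opening paragraph of the subprocessors.md hunk say the subprocessors are used "to run Basecamp (the service)", which reads as a leftover from the template these policies were adapted from; replace it with Netlandish's own Services (AnyHow and HelpYouFindMe, as named in the terms-of-service.md hunk). The link `../regulations/index.md` assumes a directory-per-policy layout, while this patch adds flat files (`policies/security.md`, `policies/subprocessors.md`, `policies/terms-of-service.md`), so confirm the path resolves.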
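Review bot: in the Cancellation and Termination section of the terms-of-service.md hunk, the Support team link points at `{{ site.email_support }}`, a template variable, while every other contact link in the file uses the `[email]` reference; unless the site build defines that variable it will render literally, so use `[contact our Support team][email]` as the closing paragraph does. Related points in the same hunk: the relative links of the form `../cancellation/index.md`, `../abuse/how-we-handle/index.md` and `../security/response/index.md` assume one directory per policy, but this patch adds flat `policies/<name>.md` files, so those paths are unlikely to resolve; "out of the hundreds of thousands of accounts on our Services" in item 4 conflicts with "hundreds of companies" and "only 5 people" stated in the security hunks; and the DPA PDF path, the HelloSign signing link and the October 5, 2020 effective date should be confirmed as Netlandish's own rather than carried over from the template (the subprocessors hunk still names Basecamp).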