Terms, Privacy Policy, and Legal Compliance

[grarer]

Currently the "user agreement" and "privacy policy" dialogs in the registration process are placeholder text. We need to figure out what these terms should say, and what information we need to provide to be compliant with GDPR and similar data privacy laws. Relatedly, are there other features that we would need to have because of privacy laws, such as a right to be forgotten?

[grarer]

Summary from today's team meeting where Gunnar explained his research:

GDPR requires these features:

• Storage limitation (dont store data longer than it is needed)
• Data minimization (only collect minimum data needed to do what we need to do)
• Purpose Limitation (make clear the purpose that we collect data for, dont use it for other things)
• appropriate security measures, ensure confidentiality, etc.
• Users can request that we stop processing data in certain ways (without deleting the data).
• Data portability: right to request their info in a usable format that is machine-readable and works cross-platform.

section 230: if we want to have protection from users posting e.g. copyright content on our service, we have to have the ability to respond to takedown notices.

age limit in the US is 13 years for services like this (this is already implemented).

legally we would need to be a corporation to make a contact like a user agreement. presumably this is out of scope, but we should figure out the right way to get around this.

terms of conditions:

• we need to be clear about our intellectual property
• make it clear that users own their own content but we have a right to use and distribute it
• change clause: we reserve the right to modify the user agreement
• reserve the right to terminate or suspend user accounts at any time for any reason without notice
• specify things that will be banned (e.g. copyright violations)
• terms must be accessible to users (so we should make it available after signup as well)
• we (and our employees and partners) are not liable for harms that occur by using our service
• disclose relationships with third parties, say we are not liable for their actions

privacy policy:

• separately but linked to by terms and conditions
• we can only process personal data under specific lawful basic. in our case, it's under consent, or because of a "legitimate business reason").
• clause about how to withdraw consent (e.g. by closing account)
• explain how and why data is collected, why we need to process this data
• what third parties we share data with
• state what country our data is hosted in
• right to erase your data
• effective date of the privacy policy

we need to outline how we will update users about changes to the terms or privacy policy.