We are a Danish company called DinoSource ApS, and we run Squibble.
Your IP address and access times are kept for security purposes. Your OAuth username is kept, unless you request its deletion, so that we can provide a service and potential discounts to you. Your email address is kept for financial auditing. You may also be collecting personally identifiable data from your list users, and we store that data on your behalf, but you are considered the controller of that data and must act responsibly and legally with respect to that data.
If you are visiting this website, we keep server logs of your interactions with us which record your IP address and the time of visit. We do that because sometimes websites are attacked by bandits who try to infiltrate and steal your information, and keeping logs helps to see who might be attempting that. Sometimes people also try to interrupt service to a website by doing something called a denial of service attack. Keeping logs helps us to mitigate any such attacks.
We keep IPs and times for 90 days in case we need to audit past attacks. If somebody infiltrated the website and we deleted the logs, we'd never know who did it! Of course we take security very seriously and aim to prevent infiltration in a variety of ways, and keeping logs is just part of the process of being responsible about security. The logs themselves are kept secure, and are not published.
Our role in this is as a data controller.
We class you as a user if you've signed up to manage a CFP, even if you're just on the free introductory plan.
As well as collecting the same information that we collect from website visitors, we also collect your OAuth username and verified OAuth email address. OAuth is a system invented to make it easier for people to log into websites. It means you can use your existing login details with one site, e.g. Google, to log into a new site, e.g. ours, without ever giving your password to the new site. That means that we don't collect your password, because we don't need to! But we do need your username and email address.
We need your username because that's how we identify you as a user. When you log in, we need to know who you are in order to give you access to your account. We need your email address because this is a mailing list hosting service. If we don't know your email address, how are we going to subscribe you to your own lists for example? We don't share your username, but we may share your email address if you have a mailing list with a public archive and you send a message to that list.
We keep your username and email for as long as you have an account with us. When you close your account we keep your username and email by default, for two reasons. One is so that we can potentially give you a discount if you sign up with us again! The other is so that we have a record of our financial account with you, i.e. so that our invoices can be linked to our records in case of disputes etc.
You may request that we delete your OAuth username at any time. To do so means closing and erasing your account, because without the username we are of course unable to provide a service to you! Your email address is retained as part of our financial records, which is described in more detail in the following section.
Our role in this is as a data controller.
Squibble is a mixed privacy service. When you create a CFP, submit to it or manage submissions, parts of it (the CFP itself) may be public (depending on settings), but most of it, such as submissions, remains private.
When you submit a proposal to a CFP hosted at Squibble, it will be reviewed by those in charge of the CFP, who are technically designated as third parties. While we do not share submissions outside of the specific set of people designated as reviewers or administrators by those managing the CFP, we do share them with those people.
You therefore give consent not only for us to keep CFP data and submissions on file, but you also recognise that there is nothing we can do about the aforementioned third parties accessing, having accessed, or making copies of your data. If third parties act illegally, then you must take it up with those third parties independently of us. We cannot, in other words, pursue on your behalf the resolution of any copyright, privacy, trademark, or other rights violations committed by third parties.
When you create a CFP, you may have users. A user is anybody who's submitted a CFP proposal or signed up as a reviewer or administrator. You may have responsibilities to your users with regard to privacy. It is your responsibility to ensure that your users' rights are not violated. We store personally identifiable information of your users on your behalf. Our role in this is as a data processor.
The worst case scenario for any website is that bandits infiltrate their systems and make copies of their users' personally identifiable data. This would mean that your personal data would be in the hands of potentially some very bad people. We try to mitigate this risk as much as possible by not collecting from you anything of value, such as your card details. Since we do have your OAuth username and email, however, we of course need a plan for what happens if that data is stolen by the aforementioned bandits. Since we are based in the EU, which has very good privacy laws, we simply follow the requirements of those laws and promptly notify the local data authorities when information is stolen. As long as the information wasn't erased, we also notify all of our affected users. Unfortunately beyond that there isn't much else that we'd be able to do. Again, we take many measures to ensure that this doesn't happen in the first place, which is the best policy.
This privacy policy was written by a human, not a lawyer, so we hope it's been legitimately helpful. If you do have any questions, though, please contact us!
You may get in touch with our GDPR Data Privacy Officer at: privacy@dinosource.co