Defect #21374

Redmine.org doesn't have a privacy policy

Added by Cris Fuhrman about 2 years ago. Updated 11 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jan Niggemann (redmine.org team member)
% Done: 0%
Category: Website (redmine.org)
Target version: -
Resolution:
Affected version:

Description

Per the recommendation of Toshi MARUYAMA in the forums, it seems there should be a privacy policy for a site that has user log-ins (profiles) and potentially collects information about its users. Read more at https://en.wikipedia.org/wiki/Privacy_policy

Secondly, I feel that email address should be by default hidden on the profiles. Email addresses are mostly considered confidential these days, especially when one signs up for an account somewhere.

History

#1 Updated by Toshi MARUYAMA about 2 years ago

Cris Fuhrman wrote:

Per the recommendation of Toshi MARUYAMA in the forums,

FTR: Privacy policy and spam from Redmine.com.

#2 Updated by Jean-Philippe Lang about 2 years ago

Cris Fuhrman wrote:

Secondly, I feel that email address should be by default hidden on the profiles. Email addresses are mostly considered confidential these days, especially when one signs up for an account somewhere.

Email addresses are now hidden by default. And all existing addresses here at redmine.org are now set to hidden; users have to opt in to make them visible.

#3 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

  • Assignee changed from Jean-Philippe Lang to Jan Niggemann (redmine.org team member)

Good idea, thank you JPL!
Regarding a privacy policy, I'll try to come up with something.
I'll post a draft on the forums to gather user feedback and then post a second (hopefully final) draft in this issue for contributors to comment on.

#4 Updated by Jan from Planio www.plan.io about 2 years ago

There are also services which allow you to generate one based on a couple of questions: I've used https://www.iubenda.com/ before, for instance...

#5 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

Good input, thank you, Jan!

#6 Updated by Jean-Philippe Lang about 2 years ago

Jan Niggemann (redmine.org team member) wrote:

Regarding a privacy policy, I'll try to come up with something.

That would be great!

#7 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

First draft in sticky post: Draft for a redmine.org privacy policy
Let's wait a couple of weeks for feedback...

#8 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

No feedback at all... Not that I really expected some, but after explicitly asking for a privacy policy, I'd hoped that at least "Cris Fuhrman" would have commented...

Fellow devs, what do you think about this text:
----

redmine.org privacy policy

redmine.org does not use social networking stuff - no "+1" or "like" buttons here.
We do not share personal information with third parties.

Information we gather

Our webserver creates a logfile with the following non-personally-identifying information that your browser sends on each request:

  • browser type
  • language preference
  • referring site
  • date and time of request

redmine.org also collects potentially personally-identifying information like Internet Protocol (IP) addresses.

Additional information we require when registering an account

When registering, you're asked to provide the following data (later referred to as profile information):

  • the login name you'd like to use
  • your name (first name and last name)
  • your email address (hidden by default)

You may use the site pseudonymously, but please use an active email address in case an administrator needs to contact you.

We do not collect any more information than that given in the above paragraphs.

How do we use this information

  • We use the information in the logfiles to analyze browser usage and to protect the integrity of the site in case of attacks.
  • Administrators (see below) may use your email address to contact you regarding (mis-)behaviour on our website.

We do not disclose any information to third parties other than under circumstances imposed by the law. The redmine.org server is physically located in Germany, a country with the strongest privacy protection laws in the world.

Who can access your profile information?

Redmine profiles are public, except for your email address. When registering for an account, your email address is hidden from your profile by default. To facilitate contacting you privately via email, you may choose to display your email address on your profile.

Only redmine.org administrators can see your email address regardless of your settings. The following persons are redmine.org administrators:

  • Etienne Massip
  • Jean-Baptiste Barth
  • Jan Niggemann
  • Jean-Philippe Lang
  • Toshi MARUYAMA

Cookies

You can use redmine.org without cookies, but if you're logging in, we have to set a session cookie to make it possible for you to navigate the website.

Ads

Ads appearing on any of our websites may be delivered to users by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you. This Privacy Policy covers the use of cookies by redmine.org and does not cover the use of cookies by any advertisers.

Gravatar profile pictures

Gravatars are loaded from the Gravatar web-server using a URL containing an MD5 hash of the associated email address.

Privacy Policy Changes

This privacy policy is subject to change without notice and was last updated on Month, Day, Year.
Older versions are archived in the history of this page.

#9 Updated by Jan from Planio www.plan.io about 2 years ago

I like it.

The redmine.org server is physically located in Germany, a country with the strongest privacy protection laws in the world.

;-) We use this sentence at Planio as well, but rather in "marketing" texts than in our privacy policy. Not really sure it belongs here...

This Privacy Policy covers the use of cookies by Vanilla and does not cover the use of cookies by any advertisers.

What is Vanilla?

#10 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

Jan from Planio www.plan.io wrote:

I like it.

Thank you.

The redmine.org server is physically located in Germany, a country with the strongest privacy protection laws in the world.

;-) We use this sentence at Planio as well, but rather in "marketing" texts than in our privacy policy. Not really sure it belongs here...

At first, I wasn't sure either. I think mentioning this completes the picture of "how we use your data"; by stating the physical location, the user can imagine in which context law enforcement may require us to hand over data (i.e. in only a very narrow context)...

This Privacy Policy covers the use of cookies by Vanilla and does not cover the use of cookies by any advertisers.

What is Vanilla?

Wait what... Must be the name of the company I copied that section from... Should have read "redmine.org" instead. Fixed above and in the forum thread.

#11 Updated by Jean-Philippe Lang about 2 years ago

Sounds good to me. Maybe we could move this to a wiki page Privacy_policy so we can track changes?

#13 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

Jean-Philippe Lang wrote:

Sounds good to me. Maybe we could move this to a wiki page Privacy_policy so we can track changes?

That was my intention and the reason it contains the phrase "Older versions are archived in the history of this page." :-)

#14 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

  • Private changed from No to Yes

#16 Updated by Cris Fuhrman about 2 years ago

Jan Niggemann (redmine.org team member) wrote:

No feedback at all... Not that I really expected some, but after explicitly asking for a privacy policy, I'd hoped that at least "Cris Fuhrman" would have commented...

Jan - thanks for doing this and I'm sorry for the late reply. My Gmail classifies redmine.org defect emails outside of my inbox, and I just found all the things that were happening.

It looks great! Here are some comments:

  • The naming of admins might be a violation of their privacy. They all might be OK with it today, but what happens if (a new) one doesn't want it in the future? I'm not sure it adds much, having their names there.
  • Should the privacy policy explain the difference between redmine.*org* and redmine.*com*?

For the record, I requested the privacy policy because I got spammed from redmine.*com* and assumed that something was fishy about the sharing of my login info on this site. Then I realized my email here was visible publicly by default. By my standards it's still spam to send promotional email to addresses discovered by crawling precise web pages that have public email addresses, but the privacy policy should make it clear.

#17 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

Hi Cris,
thanks for the feedback. I think that the names of the administrators are important because unlike a contributor, an administrator has access to the personal data of the users. Being an administrator imposes certain responsibilities and having your name on display is part of the job.

As to redmine.com: AFAIK we don't have a trademark registered and as such, we can't enforce the use of the term.
redmine.com seems to have been registered in 2003 for some Chinese person or entity... I don't know what to make of that.

#18 Updated by Jan Niggemann (redmine.org team member) about 2 years ago

  • Private changed from Yes to No

#20 Updated by Jan from Planio www.plan.io about 2 years ago

Jan Niggemann (redmine.org team member) wrote:

As to redmine.com: AFAIK we don't have a trademark registered and as such, we can't enforce the use of the term.
redmine.com seems to have been registered in 2003 for some Chinese person or entity... I don't know what to make of that.

Unfortunately, as Jan said, the domain redmine.com is not owned by the Redmine project. Even though the Redmine project does in fact own a European trademark now, the process of obtaining the rights to that domain would be long and costly (especially with China being outside of EU jurisdiction), and therefore probably out of reach for Redmine being the not for profit initiative that it is.

To help Redmine, your best course of action would probably be to report the mail(s) you've received from redmine.COM (not redmine.ORG – those are legit!) as spam with your mail provider or directly with services such as SpamCop.

#22 Updated by Cris Fuhrman about 2 years ago

Jan from Planio www.plan.io wrote:

the domain redmine.com is not owned by the Redmine project.

Stating that in the privacy policy is sufficient.

#23 Updated by Jan Niggemann (redmine.org team member) almost 2 years ago

I have created an initial revision PrivacyPolicy and put a link in the sidebar.

#24 Updated by Cris Fuhrman almost 2 years ago

  • Status changed from New to Resolved

Thanks!

#25 Updated by Jan Niggemann (redmine.org team member) over 1 year ago

  • Status changed from Resolved to Closed

#26 Updated by Wim DePreter over 1 year ago

Last updated (at the bottom of the page) is not shown:

This privacy policy is subject to change without notice and was last updated on Month, Day, Year.

#27 Updated by Go MAEDA over 1 year ago

  • Status changed from Closed to Reopened

Wim DePreter wrote:

Last updated (at the bottom of the page) is not shown:

This privacy policy is subject to change without notice and was last updated on Month, Day, Year.

Thanks for pointing it out.

@Jan, could you update the page?

#28 Updated by Jan Niggemann (redmine.org team member) 11 months ago

  • Status changed from Reopened to Closed

@Wim DePreter, @Go MAEDA
Ever since the initial revision, there's a comment at the bottom:

This privacy policy is subject to change without notice and was last updated on Month, Day, Year.
Older versions are archived in the history of this page.

I changed the wording now; perhaps Wim DePreter thought Month, Day, Year were variables, but they are not. They are just text.

#29 Updated by Wim DePreter 11 months ago

Jan Niggemann (redmine.org team member) wrote:

I changed the wording now; perhaps Wim DePreter thought Month, Day, Year were variables, but they are not. They are just text.

Indeed. Thanks for the clarification.
