Cris Fuhrman wrote:

Per the recommendation of Toshi MARUYAMA in the forums,

FTR: Privacy policy and spam from Redmine.com.

Cris Fuhrman wrote:

Secondly, I feel that email address should be by default hidden on the profiles. Email addresses are mostly considered confidential these days, especially when one signs up for an account somewhere.

Email addresses are now hidden by default. And all existing addresses here at redmine.org are now set to hidden, users have to opt in to make it visible.

There are also services which allow you to generate one based on a couple of questions: I've used https://www.iubenda.com/ before, for instance...

Good input, thank you, Jan!

Jan Niggemann (redmine.org team member) wrote:

Regarding a privacy policy, I'll try to come up with something.

That would be great!

First draft in sticky post: Draft for a redmine.org privacy policy
Let's wait a couple of weeks for feedback...

No feedback at all... Not that I really expected some, but after explicitly asking for a privacy policy, I'd hoped that at least "Cris Fuhrman" would have commented...

Fellow devs, what do you think about this text:
----

redmine.org privacy policy¶

redmine.org does not use social networking stuff - no "+1" or "like" buttons here.
We do not share personal information with third parties.

Information we gather¶

Our webserver creates a logfile with the following non-personally-identifying information that your browser sends on each request:

• browser type
• language preference
• referring site
• date and time of request

redmine.org also collects potentially personally-identifying information like Internet Protocol (IP) addresses.

Additional information we require when registering an account¶

When registering, you're asked to provide the following data (later referred to as profile information):

• the login name you'd like to use
• your name (first name and last name)
• your email address (hidden by default)

You may use the site pseudonymously, but please use an active email address in case an administrator needs to contact you.

We do not collect any more information than those given in the above paragraphs.

How do we use this information¶

• We use the information in the logfiles to analyze browser usage and to protect the integrity of the site in case of attacks.
• Administrators (see below) may use your email address to contact you regarding (mis-)behaviour on our website.

We do not disclose any information to third parties other than under circumstances imposed by the law. The redmine.org server is physically located in Germany, a country with the strongest privacy protection laws in the world.

Who can access your profile information?¶

Redmine profiles are public, except for your email address. When registering for an account, your email address is hidden from your profile by default. To facilitate contacting you privately via email, you may chose to display your email address on your profile.

Only redmine.org administrators can see your email address regardless of your settings. The following persons are redmine.org administrators:

• Etienne Massip
• Jean-Baptiste Barth
• Jan Niggemann
• Jean-Philippe Lang
• Toshi MARUYAMA

Cookies¶

You can use redmine.org without cookies, but if you're looging in, we have to set a session cookies to make it possible for you to navigate the website.

Ads¶

Ads appearing on any of our websites may be delivered to users by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you. This Privacy Policy covers the use of cookies by redmine.org and does not cover the use of cookies by any advertisers.

Gravatar profile pictures¶

Gravatars are loaded from the Gravatar web-server using a URL containing an MD5 hash of the associated email address.

Privacy Policy Changes¶

This privacy policy is subject to change without notice and was last updated on Month, Day, Year.
Older versions are archived in the history of this page.

I like it.

The redmine.org server is physically located in Germany, a country with the strongest privacy protection laws in the world.

;-) We use this sentence at Planio as well, but rather in "marketing" texts than in our privacy policy. Not really sure it belongs here...

This Privacy Policy covers the use of cookies by Vanilla and does not cover the use of cookies by any advertisers.

What is Vanilla?

Jan from Planio www.plan.io wrote:

I like it.

Thank you.

The redmine.org server is physically located in Germany, a country with the strongest privacy protection laws in the world.

;-) We use this sentence at Planio as well, but rather in "marketing" texts than in our privacy policy. Not really sure it belongs here...

At first, I wasn't sure either. I think mentioning this completes the picture of "how we use your data"; by stating the physical location, the user can imagine in which context law enforcement may require us to hand over data (i.e. in only a very narrow context)...

This Privacy Policy covers the use of cookies by Vanilla and does not cover the use of cookies by any advertisers.

What is Vanilla?

Wait what... Must be the name of the company I copied that section from... Should have read "redmine.org" instead. Fixed above an in the forum thread.

Sounds good to me. Maybe we could move this to a wiki page Privacy_policy so we can track changes?

Jean-Philippe Lang wrote:

Sounds good to me. Maybe we could move this to a wiki page Privacy_policy so we can track changes?

That was my intention and the reason it contains the phrase "Older versions are archived in the history of this page." :-)

Jan Niggemann (redmine.org team member) wrote:

No feedback at all... Not that I really expected some, but after explicitly asking for a privacy policy, I'd hoped that at least "Cris Fuhrman" would have commented...

Jan - thanks for doing this and I'm sorry for the late reply. My Gmail classifies redmine.org defect emails outside of my inbox, and I just found all the things that were happening.

It looks great! Here are some comments:

• The naming of admins might be a violation of their privacy. They all might be OK with it today, but what happens if (a new) one doesn't want it in the future? I'm not sure it adds much, having their names there.
• Should the privacy policy explain the difference between redmine.*org* and redmine.*com*?

For the record, I requested the privacy policy because I got spammed from redmine.*com* and assumed that something was fishy about the sharing of my login info on this site. Then I realized my email here was visible publicly by default. By my standards it's still spam to send promotional email to addresses discovered by crawling precise web pages that have public email addresses, but the privacy policy should make it clear.

Hi Chris,
thanks for the feedback. I think that the names of the administrators are important because unlike a contributor, an administrator has access to the personal data of the users. Being an administrator imposes certain responsibilities and having your name on display is part of the job.

As to redmine.com: AFAIK we don't have a trademark registered and as such, we can't enforce the use of the term.
redmine.com seems to be have been registered 2003 for some Chinese person or entity... I don't know what to make of that.

Jan Niggemann (redmine.org team member) wrote:

As to redmine.com: AFAIK we don't have a trademark registered and as such, we can't enforce the use of the term.
redmine.com seems to be have been registered 2003 for some Chinese person or entity... I don't know what to make of that.

Unfortunately, as Jan said, the domain redmine.com is not owned by the Redmine project. Even though the Redmine project does in fact own a European trademark now, the process of obtaining the rights to that domain would be long and costly (especially with China being outside of EU jurisdiction), and therefore probably out of reach for Redmine being the not for profit initiative that it is.

To help Redmine, your best course of action would probably be to report the mail(s) you've received from redmine.COM (not redmine.ORG – those are legit!) as spam with your mail provider or directly with services such as SpamCop.

Jan from Planio www.plan.io wrote:

the domain redmine.com is not owned by the Redmine project.

Stating that in the privacy policy is sufficient.

I have created an initial revision PrivacyPolicy and put a link in the sidebar.

Last updated (at the bottom of the page) is not shown:

This privacy policy is subject to change without notice and was last updated on Month, Day, Year.

Jan Niggemann (redmine.org team member) wrote:

I changed the wording now, perhaps Win DePreter thought Month, Day, Year were variables, but they are not. They are just text

Indeed. Thanks for the clarification.