Nice to meet you and thanks for your fast reply.
It is nice to see we are on the same page and that you understand my concerns regarding the data privacy (and security).
I had a look at the link you gave me and then read the information requirements as well. I found some quite loose ends and would love you to help me tie them up.
I am writing all this because while on the one hand it seems that you really take our privacy “seriously”, on the other hand I found some rather lax and ambiguous open ends. I just want to know what to expect.
All the following quotes are directly taken from your information requirements page.
One of the first things that caught my attention was this (under “In addition, we also process the following other personal data” in section 2):
Information about the type and content of contract data, order data, sales and document data, customer and supplier history and consulting documents.
Is this all the information inside our Tape spaces?
Advertising and sales data- Information from your electronic communication with us (e.g. IP address, log-in data)
More on that one later on the advertising section.
Other data that we have received from you in the course of our business relationship (e.g. in discussions with customers)
This “other data that we have received from you” seems very broad.
Data that we generate ourselves from master/contact data and other data such as customer requirement and customer potential analyses"
What is this “customer potential analyses” all about?
Also on this section, although I know that this is not under customers, the “religious affiliation” thing also caught my attention initially.
But where I really started paying attention was under section 3, below " to safeguard legitimate interests (Art. 6 Para. 1 lit.f GDPR)":
- Advertising or marketing (see point 4)
More on this in the advertising section.
- Measures for business management and further development of services and products
This feels open (I can understand it in several different ways).
And also below this under “subject to your consent (Art. 6 Para. 1lit.a GDPR)”:
If you have given us permission to process your data, e.g. by sending us our newsletter, publishing photos, raffles, etc., we will not use your data for any other purpose.
What kind of permission or how explicit must this permission be? Written and/or really explicit? Or really a checkbox and/or general terms acceptance when signing up?
The doubts continue under section 4 (the advertising one):
You may at any time object to the use of your personal data for advertising purposes on the whole or to individual measures without incurring any costs other than the transmission costs according to the basic tariffs.
So, what is this “personal data” exactly? This could be our company name and general identification (as I believe you were trying to mean), but it also could be all user generated data, hence in this context all the data in created inside Tape by us (all our clients data). It is nice to have this object against this use but I don’t know why I felt this advertising thing won’t apply here. I mean that after all this “we take privacy seriously” that I read before this, honestly, I didn’t expect to find an advertising section. Also I believe that these “transmission costs” mentioned might refer to the cost of “sending an email” or equivalent, but it would be great to confirm this.
Under the section 5, at the very end, I found that:
Insurance companies, banks, credit agencies and service providers may also be recipients of your data for the purpose of initiating and fulfilling contracts.
Given the context, I believe you were just trying to explicitly mention this type of companies but not sure since you already mentioned “service providers” on top of this section. So I just want to make sure this is limited to the order processing (to provide us the platform service) you mentioned that other providers may do and would greatly appreciate your confirmations.
I felt quite shocked with section 7, since when I read it I had already read in this trust page this " All customer data is stored on servers within the European Union". I would really like to know what “third countries” might be the case (and if you are meaning other European countries or other countries outside of the EU).
Also on the other hand, it would be really nice not to have the ubiquitous Google Analytics watching. I totally understand the need for some telemetry/analytics to improve the product but I also see that there are some less “itching” alternatives. The same (although more complicated once committed) could apply to these AWS servers (and any other data-disrespectful “tech giants” that may help provide the services).
Thank you very much for taking the time to read this far. I know this is a long post but I just want to make sure I understand where I could head to, and that you will live to your data privacy promise (without blind spots).