Editor's note: We've partnered with technology company Atticus AI to provide insights on complex legal topics such as brand rights, contracts, and policies to benefit the Polywork community.
Privacy policies: An introduction
Privacy policies are consumer-facing documents. They are typically written in plain language and free of legal jargon. It is important for privacy policies to be made easily accessible, for instance, in a website’s footer.
Here’s what 1Password’s Introduction looks like:
We use your data solely to provide you with Services in which you enroll and to provide you an enhanced user experience when you visit our Website. Our business is providing 1Password products and Services to you, the customer. We have no desire or interest to use or transfer the limited data we acquire for any other purposes.
Data collection & usage
Transparency and detail are key here. Your policy should detail all the types of personal data you gather, such as names, email addresses, browsing habits, IP addresses, and any other user-specific information. You should also explain how each type of data is used by your company or service.
For example, if you use Rollbar for error monitoring, you might explain how the user’s IP address, operating system, and device make and model are collected, and how that information may be used to debug errors in the system to provide a better user experience.
Here’s an excerpt of 1Password’s description of the data it collects:
Secure Data are the data that we are not capable of decrypting under any circumstance. It includes all information stored within vaults in 1Password accounts. These data are encrypted using secure cryptographic keys that exist only in the possession and under the control of our customers. We have no way of accessing or providing decrypted Secure Data, and we never receive copies of unencrypted Secure Data.
We inevitably acquire Service Data about your usage of 1Password, your account, and your payments through operating our services. Service Data are kept confidential. It is visible to our staff and includes, but is not limited to, server logs, billing information, client IP addresses, number of vaults and number of items in vaults, company or family name, and email addresses.
As long as you are using our services, we retain the right to hold and use Service Data to provide our services, troubleshoot problems, analyze the performance and demands on our services, and to provide our payment processors with the information they need to process payments.
These days, it is not uncommon for user data to be shared with third parties. This may be to provide a critical service, such as passing credit card information to a payment processor. But it may also be for non-critical functionality, like serving targeted advertisements.
Users in California and the EU have the right to not have their data shared for purposes non-critical to the core offering of a company or service. Depending on the size of your company and where your users are located, failure to comply with this may grant the consumer the right to sue your company for user data violations.
Here’s an excerpt from 1Password’s policy:
Next, your policy should clearly explain what rights your users have over any personal data collected by your systems. With the passing of GDPR, companies with users in the EU have little room for negotiation. GDPR makes it very clear: EU citizens have the right to access, update, delete, and download all data a company has collected about them.
Here’s an excerpt from 1Password:
You may export your 1Password data at any time you wish during the life of your account. If you discontinue payment, your account will enter a frozen (read-only) state for a period not less than six months during which you may still retrieve and export your data.
Your Right to Know What We Know
You have the right to know what we know about you and to see how that data is handled. You may request a screenshot of what we can see about you in our back office systems. However, to protect customer privacy, such requests must be carefully authenticated beyond demonstrating control of the customer’s email address.
Your Right to Have Your Data Erased
As we are merely custodians of your data, account owners have the right to instruct us to remove data permanently from our systems. To ensure that no one’s data is deleted without their consent, you must first delete your account through an authenticated session. After your account has been deleted, the account owner may contact us and ask for the data to be expunged. Once the request is authenticated, the data will be removed from our active systems within 72 hours.
Your policy should detail any data security practices you implement to secure user data. For example, sensitive user information may be encrypted before being stored. Or user information may have strict access controls, limiting the number of company employees who can access user data.
1Password’s data security practices are described throughout their policy; here are some excerpts:
We understand and accept our responsibility to protect Service Data and Secure Data. We use strict access control mechanisms, network isolation, and encryption to ensure that Secure and Service Data is only available to authorized personnel. Additionally, Secure Data cannot be decrypted even by those who do have access to it.
Child data policy
Your policy should describe the minimum age required to access your services. For services intended for users below the age of 16, you must provide a method for verifiable parental consent to be obtained. For example, this can be done by requiring a credit card number to be provided on account creation.
Usually, the easiest way to comply with this requirement is by stating an age restriction for using your service, as 1Password has done:
Data breach notification
In the event of a data breach, EU citizens have the right to be notified within 72 hours. Your policy should describe what your planned response will be in the event of such a breach.
This is 1Password’s policy:
1Password provides their company address and an email address for inquiries.
Disclaimer: The information in this article is for general informational purposes only and is not legal advice. Consult with a qualified attorney for advice regarding your individual situation.