Git-point: Request: Published Privacy Policy

Created on 17 Jul 2017  路  8Comments  路  Source: gitpoint/git-point

I have a hurdle to adopting Gitpoint for the team I manage.

Namely, you don't have a data-privacy policy. Any chance you could add a privacy policy that details what you do/don't/won't do with your customer's private Github data? Not retaining or inspecting our team data, and also noting you code review to prevent malicious loggers/includes from 3rd-parties seems like the right thing to do (I hope you are doing that so far).

Also, this is something we need to comply with our own security assurances to our customers. For example, in case a dev accidentally includes private contact info or a security token in a code comment. I know this might seem "enterprisey," but as a privacy-minded individual I like seeing this too.

docs has pr

Most helpful comment

The screen & the text look good @housseindjirdeh. Thanks for jumping on something so dry very quickly.

Since the text of that is in the repo & the organization will hold to it regardless of the app version, our team is going to start using GitPoint ASAP.

Just as FYI, this doesn't need to be embedded in every client app if it becomes a pain or extra-effort to keep updated. Most of the organizations that require us to evaluate privacy policies are used to desktop, enterprise apps. They're used to software vendors faxing privacy/legal docs over on-demand. So while that's not the easiest way to do things, you can certainly get away with just linking to a web-based policy from in side the apps.

All 8 comments

I'm so glad that even with a bit of a hurdle, you're still looking to use GitPoint with your team 鉂わ笍

I definitely think this is something we can (and probably should add) to the application. Is there anywhere specific you'd like to see this? When a user just signs in perhaps? Right now we have a screen that says Welcome to GitPoint and an enter button when they do - maybe this is where we can have a scrolling data policy screen and at the bottom the user can enter the application?

Now aside from where we can put this policy screen, what kind of information should we have there? This is what I can think of so far:

  • Write about how the user authenticates and their access token is stored in their device (AsyncStorage). It's virtually impossible for us to retrieve that information. We never view a user's access token nor store it whatsoever.
  • In no way, shape or form do we ever view or use a customer's private GitHub data (see point 1: not possible with the way the app is currently set up).
  • With each contribution to the app, PR approval is needed to prevent anybody from including malicious code of any kind

Is there anything else you would like to see in the policy? Also opening the floor to suggestion to anybody reading this 馃挰

Thanks again for logging this @mbijon, I can't wait for your team to use GitPoint as their primary mobile client for GitHub 馃檶

Having a project policy is definitely far more important than where this info goes.

I think it would get us past our hurdle if the info was limited to just a page on your public website (so long as none of your lolicies fell to the deceptive/sneaky side of things). But an optional button or link anywhere in the app itself would be great.

As for the 3 point you make, yes on all counts. Regardless of whether it's hard or easy to see tokens, saying that you don't record them is good, and enforcable on all project contributors later on. Regardless of whether it's possible to view private data, can you make a not that if the data ever does become visible that you will not record or view it. And if it is accidentally recorded in the future what would you do with it, delete it immediately using secure erase methods?

The only additional thing I can think of right now is logging and encryption. Do you or the other devs have any tool or ability to log traffic? Is that data anonymized and encrypted (both SSL/TLS and encrypted disks or files)?

Thank you so much for this @mbijon. I agree that it's definitely worthwhile to include a mention that even if data ever happens to visible, we will not record or view it whatsoever. And if it happens to be accidentally recorded/saved and it comes to our attention: we'll delete is as fast as we can.

We are currently not collecting mobile analytics or log data of any kind using a library or package. The only analytics that is available right now is the analytics provided by Itunes Connect. Might be also worthwhile to mention that if we _happen to_ include third party logging software in the future, we'll make sure that data is anonymized and encrypted.

Before the end of this week I'll write up a draft of the privacy policy and put it here for your feedback. We'll make sure to have this included before our next app update.

Thanks Houssein, that all sounds great.

Keep in mind that acting securely & privately is the most important thing here. The written policy is just shareable proof that we can have on-record for our customers' security auditors. While none (few?) of us love writing policy-docs, in the long run it tends to reduce the amount of questions & saves time.

@mbijon I've just merged a PR for a Privacy Policy screen in the app https://github.com/gitpoint/git-point/pull/169

Please take a quick look and let me know if there isn't anything else you think I can add/modify to it. I'll make sure it's included in the next app update + Android release.

The screen & the text look good @housseindjirdeh. Thanks for jumping on something so dry very quickly.

Since the text of that is in the repo & the organization will hold to it regardless of the app version, our team is going to start using GitPoint ASAP.

Just as FYI, this doesn't need to be embedded in every client app if it becomes a pain or extra-effort to keep updated. Most of the organizations that require us to evaluate privacy policies are used to desktop, enterprise apps. They're used to software vendors faxing privacy/legal docs over on-demand. So while that's not the easiest way to do things, you can certainly get away with just linking to a web-based policy from in side the apps.

Cheers thank you so much @mbijon, I'm the one who should thank you for proposing this _and_ letting me know exactly what you would like to see in the policy.

I was seriously considering having it on the website and linking it through the app but I really think this is something important to have inside the app (can have it on the website as well at a later point if we think that would be a good idea as well). I'm just glad you brought up the discussion for it and I don't think it'll be too much effort to leave it in the app at all!

So happy your team can start using GitPoint. Please don't hesitate to ever drop suggestions/bugs you've noticed/areas of improvement at anytime :)

A web based version of the privacy policy is now available. If we update the content on the policy, we may streamline this to a single location and just link to the website in the app :)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

nikolaevigor picture nikolaevigor  路  3Comments

cheshire137 picture cheshire137  路  3Comments

arthurdenner picture arthurdenner  路  3Comments

TautFlorian picture TautFlorian  路  4Comments

randy3k picture randy3k  路  5Comments