Using a Privacy Policy Generator
Since the start of openSNP we had a disturbing lack of a real privacy policy. Instead we just offered the disclaimer people had to read while registering and uploading their genetic information on the website. In order to keep things simple we decided that there shouldn’t be an elaborate privacy-management-system like the one Facebook, for example, provides. This was not only to save us some work but also to minimize the damage done in case of a programming/server access fuck-up. The worst case would’ve been to promise not to display/share data with the public and then accidentally do so (a thing somehow quite frequent with social networks et al.). So we settled on making virtually all information public from the beginning.
The only information which is not public, but is entered by users while registering and using openSNP, are their email addresses and their passwords (which are also only saved in their encrypted form). Everything else can be viewed on the website and downloaded using the APIs or the mass-download features of the website itself. So even the worst-case scenario of some third party getting access to our servers shouldn’t result in much trouble for the users (the webserver also doesn’t even log the IPs used for access). Still, this doesn’t solve the lack of a privacy policy. Fortunately, some months ago I found out about iubenda, an Italian startup company which tries to transform the process of creating a privacy policy into a point-and-click adventure.
One could register for a closed beta around that time, but I missed out on joining it. Fortunately they just launched their service to the public this week. To create a privacy policy you just pick the different services you’ve implemented on your website out of different categories (advertising, analytics, social networks, commenting systems, …), enter your name & address as the data owner (as if somebody should own it) and then you are good to go. An example of how this looks with more standard services can be found in the footer of this page. I really like that – similarly to Creative Commons – they not only provide the legalese version of the policy but also a human-readable summary. They also have a quite reasonable business model: as long as you limit yourself to the standard services, their service can be used for free. If you want some more flexibility you can opt in to pay them a yearly fee for a pro-policy. The fee will be $27/year, but currently they have a lifetime discount where the price will stay at $13.50/year.
Surprisingly it isn’t a standard application to collect genetic and phenotypic information, so yesterday I purchased a policy for openSNP. I encountered some trouble with PayPal during the purchasing process (the very unspecific error message that PayPal did provide: «The transaction cannot complete successfully. Instruct the customer to use an alternative payment method.», no matter if a credit card or a standard bank account was used), so I already had a chance to test their support and I have to say they are doing a good job. They instantly called PayPal for further information about this and in the end we could find a workaround which allowed me to get a pro-policy. If you are interested in what such a policy can look like: I already put the policy in the footer of openSNP. So if you are like me and tend to procrastinate on doing the privacy policies because you can’t speak legalese and can’t wrap your head around this stuff, you can give iubenda a try. They seem to be eager to get feedback.