This article describes how we implemented GDPR in our terms, privacy policy, cookie policy and the changes we did in the app and behind the scenes to be compliant. Feel free to reach out in the chat or by e-mail ([email protected]) when you have any questions.
What is GDPR
GPDP essentially governs how to use, store and protect personal data. Personal data can be anything that allows an individual to be directly or indirectly identified (name, address, ip, email, avatar, etc).
GDPR uses a number of principles that are listed in more detail below, we'll explain in the next section how we comply to these principles.
Transparent communication
In order to ensure that personal data are processed fairly, EU data protection law obliges controllers to communicate transparently with data subjects regarding the processing of their personal data.
Identifying data subjects
Third parties might attempt to exercise a data subject's rights without proper authorisation to do so. Controllers are therefore permitted to ask data subjects to provide proof of their identity before giving effect to their rights.
Time limits for complying with the rights of data subjects
Controllers are obliged to give effect to the rights of data subjects within specified time periods, in order to avoid the frustration of those rights through excessive delays.
Right to basic information
A core principle of EU data protection law is that data subjects should be entitled to a minimum set of information concerning the purposes for which their personal data will be processed.
Right of access
In order to allow data subjects to enforce their data protection rights, EU data protection law obliges controllers to provide data subjects with access to their personal data.
Right of rectification
Data subjects are entitled to require a controller to rectify any errors in their personal data.
Right to erasure (the "right to be forgotten")
Data subjects are entitled to require a controller to delete their personal data if the continued processing of those data is not justified.
The right to restrict processing
In some circumstances, data subjects may not be entitled to require the controller to erase their personal data, but may be entitled to limit the purposes for which the controller can process those data (e.g., the exercise or defence of legal claims; protecting the rights of another person or entity; purposes that serve a substantial public interest; or such other purposes as the data subject may consent to).
Right of data portability
Data subjects have the right to transfer their personal data between controllers (e.g., to move account details from one online platform to another).
Our implementation
Transparent communication
We have updated our terms of service and privacy policy to make it more transparent how data is processed. We made our non disclosure policy on non-privacy data more explicit.
We have added a cookie policy (extracted from the privacy policy) to make it more clear which cookies we use and how.
We have updated our sign-up forms to make it more clear how data is handled, and we have made it transparant in your profile page what type of communication you opted in to.
Identifying data subjects
We have implemented the processes to make sure you identify yourself on request, and we will confirm your e-mail address after sign in when you don't already sign in with Trello and/or Google.
Time limits for complying with the rights of data subjects
We made sure that we can comply to request you have with regards to requesting, changing or deleting your user data. We expect to be will within the required duration of one month (as you are used from us).
Right to basic information
We have updated our terms of service and privacy policy to tell you why we are using your personal information and how we are using it.
Right of access
Personal information is available on the profile page, also you can request a dump of your privacy information using our chat or by e-mail on [email protected].
Right of rectification
You can reach out to us in the chat or by e-mail to change the personal information that we have stored.
Right to erasure (the "right to be forgotten")
You can reach out to us in the chat or by e-mail to get your personal data fully removed from our systems. In case you started a subscription, we will need to keep a record of our invoices for legal purposes. (this is also described in the privacy policy).
The right to restrict processing
We already restrict processing of the data and have created a number of opt-in settings so you can enable or disable specific communication or tracking. In case you want to further restrict the processing of your data, you will need to erase your account.
Right of data portability
You can reach out to us to receive an extract of the data so you can use that in any way you want.
โ