@JesseF8693@mindly.social I just got a follow request from your server, and upon checking, I see that mindly.social has a registered LLC in the USA, and that it's hosted on US infrastructure

@JesseF8693@mindly.social
I just got a follow request from your server, and upon checking, I see that mindly.social has a registered LLC in the USA, and that it's hosted on US infrastructure.

Now, I don't mind community instances, but yours being owned by a business does raise some flags in terms of what's happening with all the personal data you're processing.

Is there any chance you could provide an overview of how the data is being protected, and if it's shared with any third parties?

Do you have any protections in place for EU-based individuals whose data fall under GDPR?

Do you have a BCR, DTIA, or SCCs in place for organizations your network connects to?

Thanks

#gdpr #compliance #privacy #personadata #personalinformation #pii #fediverse #dataprotection

@phil

No data is being shared with any 3rd parties unless it’s volunteered like donations and such, which are all optional.

I believe Mastodon has built in GPDR compliance for most of the requirements. I’m not a lawyer nor do I live in the EU so it’s best effort in that regards, I’m mostly at the mercy of the software so whatever it implements is what I can offer.

I don’t know what BCR, DTIA, or SCC are, but I don’t think they apply since the only network we’re responsible for is our connection to our data center and then we’re hands off. I don’t plan on investing too much effort beyond that, especially since our data center can change any day.

I answered the LLC questions here: https://mindly.social/@KuJoe/115644291661102808

Let me know if you have any other questions. 🙂

@KuJoe@mindly.social
Thanks, I appreciate the response. Let me cut to the chase.

The rules governing the processing of PII are very different between running a personal instance, and one that's owned by a business.

As an LLC, mindly.social carries higher legal and regulatory obligations. It is a data controller under GDPR Article 3.

What's the legal basis (i.e. what right do you claim) for processing the PII of individuals who are not mindly.social's customers or partners?

And your privacy policy isn't particularly encouraging:

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our site, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.

@phil understood, the default privacy policy included in Mastodon probably isn’t the best, so I’ll get a better version of it deployed soon with a list of our vendors that might have access to user data. I can’t think of any off hand, maybe Cloudflare depending on how things are configured. Probably Stripe, PayPal, and other payment processors.

I definitely considered dissolving the LLC, but that risk is too much for me to take on sadly.

I guess I’ll have to think more about the future and hope there’s a simple and cheap solution or just keep things the way they are with some minor tweaks.

@KuJoe@mindly.social
That's a start. What's the plan for current data you're processing?

Reason I'm asking is because mindly is (yet another) business that's processing my data without my awareness or any privacy controls in place.

It's getting to the point where Fedi is becoming more of a liability than a benefit, and the work I have to do to track my digital footprint is exploding lately.

Now to be clear - I'm not accusing you, but it's been the case in the past that LLC's would collect my data, and a few years later either be breached, or decide to sell that data to third parties (advertising, other purposes).

I'd like to avoid that if possible.

@phil what PII data am I currently processing and how are we processing it? I don't really understand this question because we don't require any PII data except from our users who provide an e-mail and IP address when they create an account, but nothing that identifies a user personally to my knowledge. If you can explain this in more detail I'll definitely take steps to purge all PII from out systems from non-members.

@KuJoe@mindly.social PII includes names, usernames, e-mail addresses, physical addresses, IP addresses, phone numbers, and essentially any personal information that can be used to identify an individual, including in combination with other available data.

This does extend to user-contributed content, as people do tend to write about themselves, which does add to the pool of information that can be used to identify them.

So... yeah. The very fact that we're talking means that your server is pulling and processing my Fedi profile, which is rife with PII.

And the same applies to any other user whose instance federates with mindly.social.

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.