GDPR stands for General Data Protection Regulation: it's goal is to better protect personal information. Obviously, it's good news!
Here at Kumbu, we like the GDPR. First, most of the Kumbu team is made of EU citizens. We value our privacy, and we hate it when our data is shopped around without our consent. Second, Kumbu is a privacy focused service; more regulation on privacy helps all private by design companies.
That said, GDPR is a good opportunity to shed some light on how we operate, and the care we put in managing and handling your data.
I’ve tried to stay away from legal-speak as much as possible, but if you have any question, feel free to reach out via email or Twitter and I’ll do my best to answer and update this document.
For us, it means we’ll never do something with your data (any data you give us) without asking you first. We’re not in the business of reselling or aggregating data, and we want to have a very straightforward relationship with you: what you see in Kumbu is what we use your data for, to provide you with a place to collect, store and enjoy your memories.
Then, it’s important to clarify what we talk about when we talk about data. For an service like Kumbu, there are 3 kinds of data : Your email address, Your memories, Your activity and the data it generates and finally Support. Let’s go through them.
- Your email address is what the GDPR refers to as PII: Personally Identifiable Information. We only keep your email address when you have an account with us. We only use it to allow you to login, send you an email to reset your password, and if you want, to send you our newsletter. If you close your account, we delete your email address and remove it from all our systems. Otherwise we keep it as long as you have an account.
- Your memories are the content you put directly in Kumbu. This we keep also as long as you have a Kumbu account. We don’t look at them (they’re encrypted), we don’t process them beyond what is needed for Kumbu to work (e.g to generate thumbnails or appropriate formats). If you close your Kumbu account, we delete all your memories from our systems. Otherwise we keep it as long as you have an account.
- Your activity : this is data that we use to improve our service - for example to figure out how many people are using a particular feature (say shared collections, or cover images, or our mobile app). We also track error messages when things go wrong. We don’t use this data personally, but in aggregate. We only use it to improve Kumbu, and we don’t share it with anyone else. Currently, we keep this data indefinitely, to analyse trends and usage patterns. We may dispose of it as Kumbu grows, probably after it’s a year old - but since we’re just starting, we’re holding on to it for now. Last but not least, we do not track any activity you may have outside of Kumbu.
Being a good data custodian also means making sure all data is secure. Currently, all communications with Kumbu from your browser, extension or mobile application are encrypted. And all content stored is encrypted too, at rest. Access to all Kumbu systems is heavily monitored, and we commit to notifying you if we detect unauthorised access.
Another important part of GDPR are the rights it gives you as a user.
For Kumbu, you can ask us to act on your GDPR rights through a single point of access : support @ getkumbu.com. What can you ask us?
- Ask us to tell you if and with whom we’ve shared your data (right of access)
- Ask us to delete your data (right to be forgotten - it also means closing your Kumbu account)
- Ask us for a copy of your data (right to data portability)
- Ask us about our processes around data
GDPR also forces companies to consider privacy implication of their features. It is something that we fully agree with, and is compatible with our privacy by design process. It means that when we add a new feature, we do a risk analysis that includes privacy aspects. When we have to share data with 3rd parties, we consider filtering and anonymising it where it makes sense. And we pick our third party services carefully - I’ve talked about this process here.
I’m hoping this explains a bit more how Kumbu is adapting to GDPR, and protecting your privacy.
As always, if you have questions, please contact us - we enjoy talking about these topics, and are alway happy to make Kumbu a better service for people’s privacy.