Like a lot of companies, we're updating our terms and conditions and privacy and cookies policy in order to comply with the GDPR. The GDPR is a large regulatory change from the European Union, and is mostly about people's personal data and how it is shared.
The new T&Cs and PP will come into effect on 10 May 2018 and if you carry on using PythonAnywhere after that date, you'll be agreeing to them, so we figured it would be a good idea to post an explanation about the highlights of the changes.
If you just want to see what the new documents contain, here they are:
The specifically GDPR-related stuff
There are two ways the GDPR impacts PythonAnywhere: data that we collect about you so that you can have an account on our site, and data that you collect about other people and use PythonAnywhere to process (e.g. if you collect email addresses or the like on a website you run on PythonAnywhere).
Data that we collect about you
Like all websites that collect information about people from the EU, we now need to explain exactly what we do with any personal data we collect from you, and why we collect it. That's what our own privacy and cookies policy is about, though there are a few things in the terms and conditions too.
This is a pretty simple one for us. Because we don't make money from advertising, we don't collect any more data about you than we need to run the site -- your email address and so on, some payment-related stuff if you're a paying customer, etc., and standard website analytics. To be perfectly honest, the less we know, the happier we are -- it makes us a much less attractive target for data thieves :-)
Of course, you can provide us with more information -- maybe your name is Jane Smith and you chose the name "JaneSmith" as your username, or you posted something in the forums saying "My name is Jane Smith and this is my code", or you run a website that mentions your name, address, telephone number, and favourite colour.
Our new privacy and cookies policy covers all of this, along with mentions of the fact that we keep website access logs (that's 4.3, if you want to know how access logs are described in legal terms) and lots of stuff about cookies. So much stuff about cookies.
Data that you "control" and we "process"
"Data controller" and "data processor" are terms used by the GDPR. They can mean different things in different circumstances, but relating to PythonAnywhere, if you're storing personal data about yourself or other people on our systems, you are a data controller and we are a data processor acting for you. Let's imagine that you're hosting a website with us, and on your website you collect personal information about people -- maybe email addresses or names. In the GDPR's terminology, this makes you a "data controller" because you control the data that you've collected. But because we're providing you with the computers that the data is being stored and manipulated on, we're a "data processor".
The GDPR requires data controllers and data processors to have a contract in place that essentially says "this is what we each do" -- a data processing agreement (DPA). It doesn't need to be super-specific, but it does need to meet certain legal criteria.
We've noticed that some companies are sending out separate DPA contracts to cover this in addition to their normal terms and conditions. But in our lawyers' opinion, that's not necessary. When you agree to our terms and conditions and we accept you as a user of our site, that is a contract being formed between you and us. And if that contract includes all the appropriate stuff for the contract between a data processor and a data controller, then all is well.
So, Appendix 1 in the new terms and conditions covers all of that; if you're working towards GDPR compliance yourself, and you need a copy of the DPA, just use that. It mentions the essential stuff -- what we will do and not do, who processes data as a subcontractor (Amazon AWS, who own the servers PythonAnywhere runs on), and whether or not data goes out of the EU (it does, but that's OK because AWS is covered under the EU-US Privacy Shield Framework).
There are also some other GDPR-related changes dotted around the terms and conditions -- basically, making it clear that you can't use PythonAnywhere to breach the GDPR (so no spamming, please) and so on.
That's about it for the GDPR changes!
While we were modifying the T&Cs to be GDPR compliant, our legal advisors took the time to put in a few other updates to make sure that we're doing everything properly. Most of these are pretty minor (things like moving the details of the company from the top of the document to the bottom, or replacing the legalese "natural person" with the more, um, natural word "individual"), but a few are worth noting:
- The T&Cs are now explicit about the fact that you agreeing to the terms and conditions (and us letting you use the site) form a contract. This was already the case, but it's good to be clear about these things.
- If you're a consumer (that is, not a business) and you don't like any future changes to the terms and conditions, then under the new terms you'll have the legal right to cancel your account and -- if you have a paid account -- get a refund for any unused time left from your last payment. Of course, technically this only applies when we update our terms and conditions the next time, as this wording wasn't in the old T&Cs... but we won't be difficult if you decide that you don't like these new ones specifically and want to cancel your account.
- "Cooling off" (section 7). We offer a 30-day no-questions-asked money-back guarantee. But not all businesses do, so there is EU-wide legislation that creates something similar (but not as good) for EU consumers. When you sign up for a service, you get 14 days to change your mind. The company in question is not obliged to provide you with anything during those 14 days, but you can request that they do. If you don't ask them to provide you with the service during those 14 days, then you can get any money you paid them back by cancelling any time over those 14 days; if you do ask them to provide you with the service, then you can at least get back a pro-rated refund. If you've signed up for a new electricity contract or something similar in the EU recently, you'll probably remember that they asked you if you were willing for them to start supplying you immediately -- this is why. Anyway, given that our own guarantee has a longer timeline (30 days instead of 14), is more generous (we'll refund everything without pro-rating), and covers more people (everyone in the world rather than just consumers in the EU), you can probably regard section 7 (and the associated "model cancellation form") as boilerplate. If you want to cancel a paid subscription within the first 30 days and get a refund, just cancel it on the "Account" page and drop us an email.
- Finally, and perhaps most importantly, we no longer accept faxes as a way to send and receive information about PythonAnywhere accounts. Which is probably a good thing, because we've never had a fax machine...
That's all we thought it was important to highlight in the new terms; if you have any questions then please leave a comment below. Thanks for reading!