Like a lot of companies, we're updating our terms and conditions and privacy and cookies policy in order to comply with the GDPR. The GDPR is a large regulatory change from the European Union, and is mostly about people's personal data and how it is shared.
The new T&Cs and PP will come into effect on 10 May 2018 and if you carry on using PythonAnywhere after that date, you'll be agreeing to them, so we figured it would be a good idea to post an explanation about the highlights of the changes.
If you just want to see what the new documents contain, here they are:
There are two ways the GDPR impacts PythonAnywhere: data that we collect about you so that you can have an account on our site, and data that you collect about other people and use PythonAnywhere to process (e.g. if you collect email addresses or the like on a website you run on PythonAnywhere).
Like all websites that collect information about people from the EU, we now need to explain exactly what we do with any personal data we collect from you, and why we collect it. That's what our own privacy and cookies policy is about, though there are a few things in the terms and conditions too.
This is a pretty simple one for us. Because we don't make money from advertising, we don't collect any more data about you than we need to run the site -- your email address and so on, some payment-related stuff if you're a paying customer, etc., and standard website analytics. To be perfectly honest, the less we know, the happier we are -- it makes us a much less attractive target for data thieves :-)
Of course, you can provide us with more information -- maybe your name is Jane Smith and you chose the name "JaneSmith" as your username, or you posted something in the forums saying "My name is Jane Smith and this is my code", or you run a website that mentions your name, address, telephone number, and favourite colour.
Our new privacy and cookies policy covers all of this, along with mentions of the fact that we keep website access logs (that's 4.3, if you want to know how access logs are described in legal terms) and lots of stuff about cookies. So much stuff about cookies.
"Data controller" and "data processor" are terms used by the GDPR. They can mean different things in different circumstances, but relating to PythonAnywhere, if you're storing personal data about yourself or other people on our systems, you are a data controller and we are a data processor acting for you. Let's imagine that you're hosting a website with us, and on your website you collect personal information about people -- maybe email addresses or names. In the GDPR's terminology, this makes you a "data controller" because you control the data that you've collected. But because we're providing you with the computers that the data is being stored and manipulated on, we're a "data processor".
The GDPR requires data controllers and data processors to have a contract in place that essentially says "this is what we each do" -- a data processing agreement (DPA). It doesn't need to be super-specific, but it does need to meet certain legal criteria.
We've noticed that some companies are sending out separate DPA contracts to cover this in addition to their normal terms and conditions. But in our lawyers' opinion, that's not necessary. When you agree to our terms and conditions and we accept you as a user of our site, that is a contract being formed between you and us. And if that contract includes all the appropriate stuff for the contract between a data processor and a data controller, then all is well.
So, Appendix 1 in the new terms and conditions covers all of that; if you're working towards GDPR compliance yourself, and you need a copy of the DPA, just use that. It mentions the essential stuff -- what we will do and not do, who processes data as a subcontractor (Amazon AWS, who own the servers PythonAnywhere runs on), and whether or not data goes out of the EU (it does, but that's OK because AWS is covered under the EU-US Privacy Shield Framework).
There are also some other GDPR-related changes dotted around the terms and conditions -- basically, making it clear that you can't use PythonAnywhere to breach the GDPR (so no spamming, please) and so on.
That's about it for the GDPR changes!
While we were modifying the T&Cs to be GDPR compliant, our legal advisors took the time to put in a few other updates to make sure that we're doing everything properly. Most of these are pretty minor (things like moving the details of the company from the top of the document to the bottom, or replacing the legalese "natural person" with the more, um, natural word "individual"), but a few are worth noting:
That's all we thought it was important to highlight in the new terms; if you have any questions then please leave a comment below. Thanks for reading!