How we made the Nest Privacy policy

Bummer. This content is unavailable in your region.

Sorry, this post is not available in your region. Your region has decided to enact laws which target vague definitions of 'harmful' content which would require ID verification. This is my personal blog; I am not collecting your ID.

Obviously, you would think this law helps people stay safe online, but in reality, someone using a VPN, like Mullvad, could easily bypass it, so it just defeats the point.

And then, you have sketchy companies trying to take your ID. The amount of data breaches is insane, why would you let your ID be in said breach, even if they "delete it after verification" (one small bug could keep it there, like the Tea app.)

It's also putting a foot into the door. First it's NSFW content. Then it's anything the government does not like. It's madness.

Do not use a VPN. That would make your lawmakers very cross. They know what is best for you.

You're free to enjoy the rest of the blog posts not tagged with geo-restricted. You could also move to another location, but that's expensive.

“If we don't believe in freedom of expression for people we despise, we don't believe in it at all.”
— Noam Chomsky

If you're curious about how this region detection worked, you can read more on the Redblock homepage.

I will explain how we did this so others can do it in the future.

NOTE
Obviously, I’m not a lawyer, I’m just a dog with a laptop.

Finding what was where#

We sat down with each other, figured out where each service had data in, and talked it out. We made a Slack canvas called “Data Everywhere”. It outlined which services of ours (e.g. Cockpit, Authentik, etc) had what data and where it was.

Part of the canvas "Data Everywhere"

Legitimate interests#

We also had to consider the legitimate interests for providing Nest. This one was complicated but basically, we had to determine why we needed your data and if the rights of the user (data subject) outweighed our own interests.

Nest spends about $250 to take care of 1245 users. That’s about 20 cents per user. This means we simply don’t need your data to prevent fraud. The potential financial risk from any single user is so minimal it’s not a legitimate concern.

NOTE
If we were storing identity documents or anything like that and it was, say, more than $100 per user, the most I would want to keep it for is 90 days. But I even hate the idea of that. The more data you have on someone, the more headaches you will need to deal with.

Then we had to look at legal requirements. The only KYC we knew of were for cryptocurrency providers and other regulated stuff like that, which Nest doesn’t fall into.Basically, there was nothing we needed to keep your data for, so we don’t need to keep it longer than we provide the service.

We also needed to see if we used automated decision making to suspend your account. We don’t. That would be incredibly stupid.

Ending words#

With that, we started drafting our informal privacy policy. Once that looked alright, I sat down and turned it into an actual privacy policy, which you can view here.

Privacy is a human right. To desire privacy is to be human. To know what we do with your data is to be human. People trust Nest to host their projects and I presume certain small businesses on it (people have asked if commercial usage was allowed and it is!)

We’re grateful that you trust us to handle your data and I think we should return the favor by respecting you.

In sum, this shouldn’t be as complicated as some people make it out to be. If you try to respect people, be transparent about it fully, and to not keep more than what you really need, it’ll make a lot of people happy.