Beanbag
Privacy Policy
Effective September 16, 2019
Beanbag, Inc. operates a number of online services, including:
| reviewboard.org | The Review Board website |
|---|---|
| reviews.reviewboard.org | Public open-source Review Board server |
| demo.reviewboard.org | Public Review Board demo |
| rbcommons.com | Private Review Board hosting |
| hellosplat.com | Splat, a public bug tracker |
| beanbaginc.com | The Beanbag, Inc. website |
As part of running these services, we may collect information about you. This policy explains what information is collected, how it is used, what rights you have, and what choices you may make regarding your personal information.
Information we collect
We collect and use the following information to operate and improve our services:
-
Account information:
When creating a user account, we collect a username of your choice, an e-mail address for important notifications and team collaboration, and optionally your real name.
-
Payment information:
When creating an account on https://rbcommons.com, we require providing payment information. This data is collected and managed exclusively by Stripe, our credit card processor. We may also collect your billing address and VAT ID for tax purposes.
-
User data:
In using the services, you may provide user data such as uploaded diffs and files, comments and discussion on reviews, and team/account configuration information.
-
Usage:
We collect information sent by your web browser, such as IP addresses and the type of browser, in order to monitor our servers for security purposes, fix bugs and outages, and otherwise improve our services for our users.
-
Cookies:
A cookie is a small piece of data which is stored on your computer. Our services use cookies to keep track of your login session. This cookie is temporary, and you will be periodically required to log in again. This cookie is not used for tracking purposes outside of the login process.
We also use cookies for CSRF tokens (a security measure to prevent sites from operating on your behalf) and for simple, temporary preference storage for features in the diff viewer. Neither of these contain any identifying information and cannot be used to track users, directly or indirectly.
Some of our third-party processors may make use of additional cookies.
Our guaranteees
We understand that your source code is crucial to your business, and therefore we’d like to start by making a few guarantees:
- We will never sell your private data or personal information to a third party. We will only share your data when required by law (such as to comply with warrants or subpoenas). When possible, we will notify you about any such requests for your data.
- If you cancel your RBCommons account, we will permanently delete your data from our servers. Backups are kept for two weeks, after which they are permanently deleted.
- We will make every effort to ensure the security of your data, including following all best practices for security.
How we use information
We use collected information in various ways:
-
To provide the services:
We use account information and user data to provide the services to you. Many of our services offer collaboration tools which may show your account information (such as username, avatar, and e-mail address) to other users. Some services may notify you of activity via e-mail.
-
To communicate with you:
We may use your e-mail address to send you notifications of activity, notices regarding scheduled maintenance or other service-related issues, and transactional e-mails to accomplish tasks such as resetting a password. If you have opted into our e-mail newsletters, we may send you periodic messages that we believe may be of interest.
-
To improve the services:
We may use anonymized and aggregate data to make decisions about how to improve the services.
-
For customer support:
We use your information to reply to support requests, monitor the services for problems, and otherwise address issues with the services.
-
Where required by law:
We may provide your information or data when legally required to, such as when requested by law enforcement, or in the case of subpoenas or warrants. When possible, we will notify you of such requests for your data.
How we store information
We make all efforts to store your information in a safe and secure manner, and in compliance with all legal requirements and security best practices.
Account information and user data are stored on our servers in the United States. Payment information is kept solely by our billing partner, Stripe.
Most information is stored for as long as your user account is active and deleted as soon as possible after your user account has been canceled. User data submitted to public services may be kept in perpetuity (for example, code diffs published to https://reviews.reviewboard.org). Logs, analytics, and backups are kept for a limited period of time before being deleted.
Who has access to your data
Some services, including https://reviews.reviewboard.org and https://hellosplat.com, are used for public collaboration on open source projects. Information submitted to these services is visible to everyone, and may not be able to be erased completely after the fact. We encourage you to be careful in what personal information or data is shared on these services.
For accounts on RBCommons, data is visible within your registered teams but not accessible outside of it by default. Data will only be visible publicly if team administrators have requested that we make their team public.
Beanbag, Inc. employees may have access to stored data (except for payment information), depending on their role. Private data is only be accessed by Beanbag, Inc. employees for the purposes of providing customer support or as otherwise required by law.
Information shared with third parties
Beanbag, Inc. makes use of various third parties to provide parts of the services offered. This includes vendors that provide the physical infrastructure upon which our software runs. We also use third party tools for things like customer support, payment processing, and performance monitoring. In this context, some of your information or data may be transmitted to these third parties for storage or processing.
For third-party services which are not integral to our services, you have the right to consent to the sharing of your information. You will be presented with this choice when using our services. Regardless of whether you have the ability to consent, all personal data transferred to third parties occurs under the Privacy Shield framework, and Beanbag remains responsible for it.
For services which allow you to consent to the use of your data or opt out, doing so may degrade your experience with our services. For example, blocking Intercom may make it harder to access customer support.
| Third party | Purpose of sharing | Used by | Requires consent | |
|---|---|---|---|---|
| Amazon Web Services |
Computing and network infrastructure Beanbag hosts all of its services using the infrastructure run by Amazon Web Services. Your information and data is therefore held and processed by their servers located in the United States. |
|
No | |
| FreshDesk |
Customer Support When you reach out to us for support via e-mail, we process those tickets using FreshDesk. |
|
No | |
| Google Analytics |
Usage monitoring Beanbag uses Google Analytics to monitor the use of our services. The data transmitted to Google includes the URLs of the pages you are visiting, your IP address subnet, and information about your browser. |
|
No | |
| Gravatar |
User avatar pictures Several of Beanbag's services allow you to display a photo or picture representing yourself. By default, these services use Gravatar, a third-party service which can provide avatar images across the web. If you consent to this use, our services will send a hashed version of your e-mail address to Gravatar. While this contains no directly identifiable information, that hash could theoretically be used to track your activity across the web. Gravatar will only have an avatar for you if you've set one using their service. |
|
Yes | |
| Intercom |
Customer support RBCommons uses Intercom to provide on-line chat support. If you consent to this sharing, we send your username, full name, and basic information about your RBCommons team. Intercom will also infer your general location from your IP address and attempt to search for public social media accounts linked to your e-mail address. |
|
Yes | |
| Mailchimp |
E-mail newsletters Beanbag offers opt-in e-mail newsletters to make announcements and share tips and tricks for development and code review. If you join these newsletters, your e-mail address and name will be shared with Mailchimp. |
|
Yes | |
| Mailgun |
Transactional e-mail delivery Several of our tools use e-mail to notify you of activity or to handle transactional items such as account verification and password resets. These e-mails are delivered using Mailgun, and so your information and user data will be transmitted to them. |
|
No | |
| PagerDuty |
Alerting PagerDuty notifies us of certain high-priority support tickets. These alerts may include your name and e-mail address. |
|
No | |
| Papertrail |
Log aggregation Beanbag keeps logs of usage and operation of our services in order to debug problems, keep audit trails, and maintain security. All logs are shared with Papertrail in order to aggregate and analyze them. |
|
No | |
| Slack |
Team communication Beanbag runs public instances of the Review Board and Splat tools for the purposes of open-source development activities. Internally, Beanbag uses Slack for team communication. The public servers have been connected to Slack, so any data which you voluntarily provide when submitting an open-source contribution will be sent to Slack. |
|
No | |
| Stripe |
Payment processing Beanbag uses Stripe to do payment processing for RBCommons. When you enter your payment information, it is sent directly to Stripe and no sensitive cardholder information is stored on Beanbag's servers. |
|
No | |
| Twilio |
Two-factor authentication text messages If you've turned on two-factor authentication via text message on RBCommons, we'll use Twilio to send those text messages. They'll receive your phone number. |
|
Yes | |
| Quaderno |
Global tax compliance For team billing administrators, some aspects of your billing information such as your name and address, and your IP address location are shared with Quaderno in order for us to determine applicable sales taxes and VAT. |
|
No |
Some services may have optional integrations with other third-party tools. No data is shared automatically with these tools, but if you configure them, account information and user data may be shared with them. For a full list of the possible integrations, see https://www.reviewboard.org/integrations/
Your rights and choices
You have several rights regarding the treatment of your information: to request a copy of your information, to correct or object to our use of your information, or to request the deletion or restriction of your information. These rights may be limited in the case where it would divulge another user's information, or where we are legally required to keep records.
You have choices about what data is collected and how it is used. When creating accounts or using the services, you can choose what information to provide (for example, deciding whether or not to show your full name). Profile and other user information can be changed in your user profile settings screens.
For optional data shared with third parties, we will request your affirmative consent when you use our services. Denying consent will prevent sharing of any of your information, but may degrade your experience of the service.
To make requests regarding your information or data, please contact us at support@beanbaginc.com.
EU and Swiss Privacy Shield
By choosing to use any services offered by Beanbag, Inc., you consent to the transfer and storage of any provided information on our servers located in the United States.
Beanbag, Inc. adheres to the US-EU and US-Swiss Privacy Shield Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Privacy Shield Program at https://www.privacyshield.gov/
For EU and Swiss residents, we ask that you submit any questions or concerns about this privacy policy to us at support@beanbaginc.com. We will investigate and attempt to resolve your complaint. If we cannot resolve your complaint, we have chosen JAMS as the organization responsible for resolving disputes. If we were unable to resolve your issue, you may file a claim at https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim/
In some circumstances, European Union individuals may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. See https://www.privacyshield.gov/ for more information about this process.
Beanbag, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission.
Changes
If we are involved in a merger, acquisition, or other reorganization, your information may be transferred as part of that deal. We will notify you of any such deal and outline your choices at that time.
Beanbag, Inc. may periodically make changes to this policy. We will notify you of any significant changes via an e-mail to the address associated with your account.
Contact us
If you have any questions or concerns about this privacy policy or how your data is used, please contact us at support@beanbaginc.com.