Effective September 16, 2019
Effective September 16, 2019
Beanbag, Inc. operates a number of online services, including:
|reviewboard.org||The Review Board website|
|reviews.reviewboard.org||Public open-source Review Board server|
|demo.reviewboard.org||Public Review Board demo|
|rbcommons.com||Private Review Board hosting|
|hellosplat.com||Splat, a public bug tracker|
|beanbaginc.com||The Beanbag, Inc. website|
As part of running these services, we may collect information about you. This policy explains what information is collected, how it is used, what rights you have, and what choices you may make regarding your personal information.
We collect and use the following information to operate and improve our services:
When creating a user account, we collect a username of your choice, an e-mail address for important notifications and team collaboration, and optionally your real name.
When creating an account on https://rbcommons.com, we require providing payment information. This data is collected and managed exclusively by Stripe, our credit card processor. We may also collect your billing address and VAT ID for tax purposes.
In using the services, you may provide user data such as uploaded diffs and files, comments and discussion on reviews, and team/account configuration information.
We collect information sent by your web browser, such as IP addresses and the type of browser, in order to monitor our servers for security purposes, fix bugs and outages, and otherwise improve our services for our users.
Some of our third-party processors may make use of additional cookies.
We understand that your source code is crucial to your business, and therefore we’d like to start by making a few guarantees:
We use collected information in various ways:
We use account information and user data to provide the services to you. Many of our services offer collaboration tools which may show your account information (such as username, avatar, and e-mail address) to other users. Some services may notify you of activity via e-mail.
We may use your e-mail address to send you notifications of activity, notices regarding scheduled maintenance or other service-related issues, and transactional e-mails to accomplish tasks such as resetting a password. If you have opted into our e-mail newsletters, we may send you periodic messages that we believe may be of interest.
We may use anonymized and aggregate data to make decisions about how to improve the services.
We use your information to reply to support requests, monitor the services for problems, and otherwise address issues with the services.
We may provide your information or data when legally required to, such as when requested by law enforcement, or in the case of subpoenas or warrants. When possible, we will notify you of such requests for your data.
We make all efforts to store your information in a safe and secure manner, and in compliance with all legal requirements and security best practices.
Account information and user data are stored on our servers in the United States. Payment information is kept solely by our billing partner, Stripe.
Most information is stored for as long as your user account is active and deleted as soon as possible after your user account has been canceled. User data submitted to public services may be kept in perpetuity (for example, code diffs published to https://reviews.reviewboard.org). Logs, analytics, and backups are kept for a limited period of time before being deleted.
Some services, including https://reviews.reviewboard.org and https://hellosplat.com, are used for public collaboration on open source projects. Information submitted to these services is visible to everyone, and may not be able to be erased completely after the fact. We encourage you to be careful in what personal information or data is shared on these services.
For accounts on RBCommons, data is visible within your registered teams but not accessible outside of it by default. Data will only be visible publicly if team administrators have requested that we make their team public.
Beanbag, Inc. employees may have access to stored data (except for payment information), depending on their role. Private data is only be accessed by Beanbag, Inc. employees for the purposes of providing customer support or as otherwise required by law.
Beanbag, Inc. makes use of various third parties to provide parts of the services offered. This includes vendors that provide the physical infrastructure upon which our software runs. We also use third party tools for things like customer support, payment processing, and performance monitoring. In this context, some of your information or data may be transmitted to these third parties for storage or processing.
For third-party services which are not integral to our services, you have the right to consent to the sharing of your information. You will be presented with this choice when using our services. Regardless of whether you have the ability to consent, all personal data transferred to third parties occurs under the Privacy Shield framework, and Beanbag remains responsible for it.
For services which allow you to consent to the use of your data or opt out, doing so may degrade your experience with our services. For example, blocking Intercom may make it harder to access customer support.
|Third party||Purpose of sharing||Used by||Requires consent|
|Amazon Web Services||
Computing and network infrastructure
Beanbag hosts all of its services using the infrastructure run by Amazon Web Services. Your information and data is therefore held and processed by their servers located in the United States.
When you reach out to us for support via e-mail, we process those tickets using FreshDesk.
Beanbag uses Google Analytics to monitor the use of our services. The data transmitted to Google includes the URLs of the pages you are visiting, your IP address subnet, and information about your browser.
User avatar pictures
Several of Beanbag's services allow you to display a photo or picture representing yourself. By default, these services use Gravatar, a third-party service which can provide avatar images across the web. If you consent to this use, our services will send a hashed version of your e-mail address to Gravatar. While this contains no directly identifiable information, that hash could theoretically be used to track your activity across the web. Gravatar will only have an avatar for you if you've set one using their service.
RBCommons uses Intercom to provide on-line chat support. If you consent to this sharing, we send your username, full name, and basic information about your RBCommons team. Intercom will also infer your general location from your IP address and attempt to search for public social media accounts linked to your e-mail address.
Beanbag offers opt-in e-mail newsletters to make announcements and share tips and tricks for development and code review. If you join these newsletters, your e-mail address and name will be shared with Mailchimp.
Transactional e-mail delivery
Several of our tools use e-mail to notify you of activity or to handle transactional items such as account verification and password resets. These e-mails are delivered using Mailgun, and so your information and user data will be transmitted to them.
PagerDuty notifies us of certain high-priority support tickets. These alerts may include your name and e-mail address.
Beanbag keeps logs of usage and operation of our services in order to debug problems, keep audit trails, and maintain security. All logs are shared with Papertrail in order to aggregate and analyze them.
Beanbag runs public instances of the Review Board and Splat tools for the purposes of open-source development activities. Internally, Beanbag uses Slack for team communication. The public servers have been connected to Slack, so any data which you voluntarily provide when submitting an open-source contribution will be sent to Slack.
Beanbag uses Stripe to do payment processing for RBCommons. When you enter your payment information, it is sent directly to Stripe and no sensitive cardholder information is stored on Beanbag's servers.
Two-factor authentication text messages
If you've turned on two-factor authentication via text message on RBCommons, we'll use Twilio to send those text messages. They'll receive your phone number.
Global tax compliance
For team billing administrators, some aspects of your billing information such as your name and address, and your IP address location are shared with Quaderno in order for us to determine applicable sales taxes and VAT.
Some services may have optional integrations with other third-party tools. No data is shared automatically with these tools, but if you configure them, account information and user data may be shared with them. For a full list of the possible integrations, see https://www.reviewboard.org/integrations/
You have several rights regarding the treatment of your information: to request a copy of your information, to correct or object to our use of your information, or to request the deletion or restriction of your information. These rights may be limited in the case where it would divulge another user's information, or where we are legally required to keep records.
You have choices about what data is collected and how it is used. When creating accounts or using the services, you can choose what information to provide (for example, deciding whether or not to show your full name). Profile and other user information can be changed in your user profile settings screens.
For optional data shared with third parties, we will request your affirmative consent when you use our services. Denying consent will prevent sharing of any of your information, but may degrade your experience of the service.
To make requests regarding your information or data, please contact us at firstname.lastname@example.org.
By choosing to use any services offered by Beanbag, Inc., you consent to the transfer and storage of any provided information on our servers located in the United States.
Beanbag, Inc. adheres to the US-EU and US-Swiss Privacy Shield Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Privacy Shield Program at https://www.privacyshield.gov/
In some circumstances, European Union individuals may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. See https://www.privacyshield.gov/ for more information about this process.
Beanbag, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission.
If we are involved in a merger, acquisition, or other reorganization, your information may be transferred as part of that deal. We will notify you of any such deal and outline your choices at that time.
Beanbag, Inc. may periodically make changes to this policy. We will notify you of any significant changes via an e-mail to the address associated with your account.