Home

On May 25th, 2018 the European Union's General Data Protection Regulation (GDPR) comes into effect. In this article we will explain what are the changes it brings with regards to our services and our software.

IMPORTANT INFORMATION REGARDING AUTOMATIC ACCOUNT DELETION

The EU GDPR requires us to automatically and irreversibly delete inactive user accounts. If you have not logged in to our site in the past 18 (eighteen) calendar months we will be legally obliged to delete your account on Friday, May 18th, 2018. The deletion is automatic and IRREVERSIBLE: we are legally forbidden from being able to restore your user information.

If you want to prevent your account from being deleted you simply need to log into our site. You DO NOT have to make any purchase WHATSOEVER.  All accounts which have EITHER logged in the last 6 months OR have one or more active subscriptions are exempt from the automatic account deletion.

Please don't send us angry emails that we are terrible people for deleting your user account without asking you or that we're extorting you to make a purchase. Again a. the account deletion is required BY THE LAW (on penalty of up to twenty million Euros) and b. you ABSOLUTELY DO NOT need to purchase anything to keep your account active and prevent its deletion, you just need to log in AT LEAST once every 6 months.

Unfortunately we cannot exempt you from the account deletion policy even if you ask us to. The law does not give us that option.

GDPR and your account at Macrotone Consulting Ltd

The GDPR is legislation designed to promote a privacy first approach to handling your personal data with more transparency and a way to reasonably exercise your data rights. While it only covers citizens of any member state to the European Union we consider it better to provide the same level of treatment to everyone. Not only it's more sane for us (since we can't know what is your nationality, to begin with) but also because we care deeply about your privacy and security.

First and foremost, you will see that there our Privacy Statement and our Cookies Policy are now separate documents from our Terms of Service. However, accepting the whole lot is still required to use our services. The Terms of Service does state that the privacy statment and our cookies policy are integral parts of our Terms of Service.

Per the GDPR you now have to give your explicit consent to us processing your personal information. That's a fancy way of saying that you let us give your invoicing information to the tax authorities and our accountants and auditors, as well as let our staff (who are technically subcontractors) to provide you support. Starting May 19th you will need to indicate your consent if you subscribed before April 2018 or do not have an active subscription with us. You can withdraw your consent at any time but we won't be able to provide any of our services to you until you give your consent again. Managing your consent (revoking your consent) is possible after that. Read the "Exercising your Data Rights" section below for more information.

Cookies can likewise be rejected, including the login / session cookie of our site. If you reject cookies you will not be able to log into our site and we will not be able to provide you our services due to no fault of ours. We might revise this policy in the future since login cookies are exempt by the GDPR. It's just that the third party extension we currently use does not have that option. Most importantly, when you reject cookies you just disable Google Analytics. We don't use any other cookies on our site as of the time of this writing; check the Cookies Policy for the most up to date information. Cookie consent can be given and revoked at any time. Look at the bottom of every page of our site for the controls.

Finally, the GDPR mandates data minimization. That's a complicated way of saying that we must delete your information when we have no reasonable business use for that. This means that we will delete your data profile 6 months after your last subscription expires or you last logged into our site, whichever comes later. This is a legal requirement. We will send you an email to the email address we have on file for you a month before we delete your user account as a courtesy and to prevent any issues. You DO NOT have to buy a subscription or otherwise pay us to keep your data with us. You can very simply log into your user account with us at least once every six months. Please note that emails will NOT be sent to the first batch of users who have not logged in the past 18 months, to be deleted between May 17th and May 25th, 2018.

Since profile deletion is permanent and irreversible we are going to be ramping up the deletion period over time. We will start with an 18 month cutoff period (instead of 6 months) until September. Then we will reduce it to 12 months. On January 2019 we will reduce it again to 6 months. Please DO NOT email us asking to not delete your user account or why we deleted your user account. If you want your user account to not be deleted just log into our site. If your account is deleted it's because we are legally required to do so and no, we cannot reinstate your account because we no longer have your data and we are not allowed by the law to do it anyway. If you do send us an email we will point you back to this page since there are only so many ways this can be put into words. Yes, we do understand that for the average client this is horrible and will lead to frustration but no, we cannot ignore the law. The highest fine for ignoring the GDPR is 20 million Euros which is very much higher than our total company income since we started writing our software in October 2006.

If you have questions about our handling of your personal information please do read the privacy statement and cookie policy pages. All the information the European Union requires us to make available to you is in there. Emails or other forms of contact with similar questions will be answered with a link to this page which contains links to the pages with the information you are seeking. If you feel something is missing please do say so in your email and point out exactly what so we can help you. If you have spotted something substantial missing we will of course update this page to include the missing information.

Exercising your Data Rights

Starting May 19th, 2018 you are able to exercise your Data Rights using our self-service Data Processing Options self-service page. You can get to that self-service page in the following ways:

• Click on this link: Data Processing Options
• Click on the Data Processing Options link you can find at the footer of every page of our site after logging in.
• Log in. Then click on My Profile. Click on the Edit Profile link at the top right of that page. On the edit page scroll down until you find the Personal Data Options header. Click the “Manage your personal data options” link next to it.

Kindly note that you must be logged for the link to work. We DO NOT keep personal information for any natural persons who do not have a user account on our site. As a result, all your personal information is linked to your user account. For obvious security and privacy reasons you need to log into our site to verify that you are in control of the user account you are trying to manage Data Processing Options for. If you cannot log into your account use the "Forgot my username" and "Forgot my password" links on our site. If you can log in but cannot get past your account's Two Step Verification please use the Contact Us page to request our assistance.

The following data rights are available from that page:

• Revoke or give again your consent to processing personal information. Kindly remember that without your consent we cannot let you use our site since there are no services we can render without being able to collect your IP address in a log for security purposes (download service) or use your personal information to reply to your requests (support, contact us etc). Should you revoke your consent you will only be able to use the logged out (public) version of our site until you give your consent again.
• Export your profile with us (data portability right). The exported data is in XML format using the same database keys the Open Source software we use on our site (Joomla and our extensions) use. Therefore you could possibly use it to transfer your data to another site using the same software and / or transform it to another suitable format for your purposes.
• Delete your profile with us (right to be forgotten). THIS IS IRREVERSIBLE. If you have a subscription it's terminated without a refund and you waive all your rights against us. Use with EXTREME caution.

Keen readers may have spotted that the rights to amendment and objection are not mentioned. Your right to amendment has always been possible through the My Profile link on our site. It's at the top of every page of our site once you log in. The right to objection is invalid in the context of our relationship. Your invoicing information is required to be transmitted by the tax laws which override the GDPR protections. Security logs are exempt from GDPR. The information you send us in tickets or contact requests is processed only under active consent. Therefore there is no case where objection has reasonable grounds.

As a further clarification, we'd like to note that emails and any off-site communications are deleted immediately after we conclude our communication (typically: after we send you a reply). We do not keep any copies. Please keep in mind that from May 25th, 2018 onwards we will NOT consider email or other out-of-site communications as binding us in any way whatsoever since we are not allowed to keep copies, therefore we are not allowed to have a permanent audit log of such communications which renders these communications effectively off-the-record. This includes the Contact Us page which simply sends us an email. If you want to conduct communication which is official and binding you MUST tell us in advance and explicitly waive your right to be forgotten in the strict scope of that particular communication.

Moreover, we'd like to remind our users and clients that should you email us or otherwise ask us to manually exercise your data rights on your behalf you will be asked to use the Data Processing Options self-service page. You will also receive a link to this document. This is for your own security and privacy. We do not have the know-how or technical means to verify identities off-line. We can only trust that if you know the log in to a user account you have the authorization to manage the Data Processing Options for that person. That's why we ask you to log in.

Let us reiterate that we DO NOT keep personal information for people who do not have a user account with us. Do not ask us for information regarding a non-user, we have none. If you do, you'll just get a link to this page.

Moreover, we cannot divulge who is a user or not, whether a user account exists or confirm any property of a user account. If you send us a request about a non-user or the existence and / or properties of a user account you will be linked to this page without further reply. We do this to protect your privacy and security. 

GDPR and our software, on our site and on your sites

Disclaimer: this is not legal advice; we are not lawyers. If unsure or have questions about GDPR compliance please consult a qualified laywer.

In the following paragraphs we will discuss how the information collected by our various software, installed on bot our site and,most importantly, your sites affects the GDPR compliance of the site where they are installed.

Our support / helpdesk software (Issue Tracker System)

Macrotone Issue Tracker by its very nature stores personally identifiable information in 'issues'. It is impossible to encrypt the issue titles and body because the hit in performance and the inability to search through the content renders it impractical. To the best of our knowledge GDPR accepts that line of reasoning.

However, you should NEVER, EVER store passwords or other sensitive information (such as a person's real address) as unencrypted data in the database.

Another sticky point with regards to GDPR is the issue-by-email and the issue notification by email features. According to the GDPR it's illegal to accept personal information over unencrypted email. Since implementing support for encrypted email is complicated and technically infeasible in most cases we have to warn you that it's ILLEGAL to use that feature after May 25th, 2018. We plan to remove it in a future version of the software. Regarding email notifications to issues, you are advised to remove the issue content from the email template. We cannot do this automatically. You have to go an edit your email templates for PRIVATE tickets.

Speaking of which, the GDPR provisions for privacy do not apply to public issues, obviously. People electing to file public issues do so being fully aware that their information will be visible to anyone and they do receive adequate warning. You may, however, want to set up your Issue Tracker categories to ofer private tickets by default. The idea is that the GDPR asks you to implement your sites with privacy by default. We understand the implication to that is that the default issue visibility should be Private as a result.

Moreover, old private issues of inactive clients will be removed from our site as they may contain sensitive information. If you are an active client (you have a subscription) or you have logged in the last 18 months on our site please review your private tickets. If they have private information please ask us to remove them and remember to give us the issue numbers (or we will remove ALL your private issues!). No, if you ask us to check we cannot do that; we do not have the manpower. That's why you can log in and check for yourself. Also note that we do explicitly tell you to give us temporary access, therefore we do not have any responsibility if you failed to revoke our access since your issue was closed.

Other software we make

To the best of our understanding, our other software does not store personal information of any kind. Therefore the GDPR is irrelevant to its use on our site or anywhere else.

The software we are using to enforce GDPR compliance

The cookie policy is enforced by the EU e-Privacy Directive extension for Joomla! by Michael Richey with some modifications.

Joomla! 3.9 will come with its own solution called com_privacy. We cannot yet guarantee that our software will work together with com_privacy in the future since we don't even know how it's supposed to work on account of it being under development at the time of this writing (May 15th, 2018).