judge2020/privacy.txt

## privacy.txt
Updated 5/19/2018


Text is bolded in this document not necessarily to emphasise, but to increase readability and navigation of the document.
Managing your data


We allow a user to request all information related to their account to be deleted upon request. A user may also request all of their information to be downloaded upon request.


Requests can be made by emailing accounts@corporateclash.net with the subject line being one of, although not limited to, the following:


* Account deletion request
* Account data download request
* Account data download and deletion request
* Stop processing my account’s data
* Withdrawal of data processing consent
* Withdrawal of TOS/Privacy Policy consent


Due to technical limitations, users can only request their information be downloaded, not directly transferred to a competitor.


Due to all collected data being required for an account to be operational, requests to “stop processing” data, withdrawal of data processing consent, withdrawal of TOS consent, or withdrawal of Privacy Policy consent will result in their account being deleted (the user will be notified of this before their account is deleted).


For security and authentication purposes, we require the email be sent from the email on the account. Requests to delete accounts with emails different from the sender’s email will be denied. We may also deny requests for account deletion if we believe an email to be spoofed (via email spoofing services) or otherwise not sent from the account’s owner.


Upon a request being sent, we will verify the sender with a response email requiring one more confirmation that they would like their account be deleted. This is done to prevent email spoofing, as incoming mail is much harder to spoof. After a reply email that confirms they want the account deleted, the account and all information on an account will be deleted within 1 month with a response email.


If a user decides to delete an account, and does not send another email before we delete the account to cancel the request, the user understands that their account and related information, including the user’s toons, will be permanently lost.


Profiling and automated Decision Making
We do not perform profiling or automated decision making on users’ behalf beyond account security by verifying a requesting IP Address has been expressly authorized by the user (via user input).
Data Processors
As a data controller, we use, and are in contract with, DigitalOcean as our data processor for personally identifiable information (as described below). You may view Digitalocean’s data processing agreement here.


What we collect


At Corporate Clash, we collect information in order to identify you and access our services, while only collecting surface-level information (eg, no names or addresses).


Personally identifiable information:


* Usernames
* Emails
* Password (securely stored via bcrypt hashing with a strong salt)
* IP addresses
* Browser user agents


This information is collected by the user entering the information in fields upon account creation. In order for a user to create an account, they must check a checkbox allowing us to collect this information.

This information is stored on the servers we control and is not shared with any third parties.


We use this information to:


* Securely sign users in
* Ensure users’ account security and prevent unauthorized access of user accounts
* Audit security and ensure no unauthorized access has been gained on our systems
* Comply with law enforcement upon valid legal request


This information is kept on our servers for as long as the user uses our service, and is permanently removed and/or deleted upon user request (as described above).


This information is stored via:


* Our database software (MySql-compatible databases)
* Access log files  (IP Addresses and browser user agent only)


Why do we need to collect this?


We need to collect this information to operate this service. IP Addresses and browser user agents are required to prevent malicious abuse of our systems. The email, username and password fields are required to log users in and perform email communication for privacy policy updates.


Ip addresses and browser user agents stored in log files are deleted after 6 months in case we need to audit past access to our services. Ip addresses are stored as a general public interest in order to ensure to users of our platform that their user account is not being accessed by an unauthorized party.


Breach reporting


Upon receiving valid information, or we discover on our own accord, regarding unauthorized access to stored user data or a breach in our computer systems, we will notify local law enforcement if applicable as well as notify all users as to what information was breach via email within a fortnight or a reasonable time frame (unless encrypted and inaccessible to the breaching party).


Age requirement


In order to use our services, upon sign up a user agrees that it is truthful that they are older than 16 years of age. While we to the best of our ability try to ensure our service is friendly for all ages, in order to comply with EU and US law, users must be at least 16 years of age to use our services.


Updates to this document


Users will be notified in advance of up to 15 days before updates to this privacy policy or our terms of service go into effect via email. We will include a condensed list of changes made, however,  it is always recommended to view the changes in full.


Due to technical limitations, if a user decides they do not wish to comply to updates to our privacy policy or terms of service, users must perform a data deletion request as described above, and the user will be informed of this option in the notification email. Users who do not take action will automatically be bound to the new privacy policy terms upon the next use of our services.
	Updated 5/19/2018


	Text is bolded in this document not necessarily to emphasise, but to increase readability and navigation of the document.
	Managing your data


	We allow a user to request all information related to their account to be deleted upon request. A user may also request all of their information to be downloaded upon request.


	Requests can be made by emailing accounts@corporateclash.net with the subject line being one of, although not limited to, the following:


	* Account deletion request
	* Account data download request
	* Account data download and deletion request
	* Stop processing my account’s data
	* Withdrawal of data processing consent
	* Withdrawal of TOS/Privacy Policy consent


	Due to technical limitations, users can only request their information be downloaded, not directly transferred to a competitor.


	Due to all collected data being required for an account to be operational, requests to “stop processing” data, withdrawal of data processing consent, withdrawal of TOS consent, or withdrawal of Privacy Policy consent will result in their account being deleted (the user will be notified of this before their account is deleted).


	For security and authentication purposes, we require the email be sent from the email on the account. Requests to delete accounts with emails different from the sender’s email will be denied. We may also deny requests for account deletion if we believe an email to be spoofed (via email spoofing services) or otherwise not sent from the account’s owner.


	Upon a request being sent, we will verify the sender with a response email requiring one more confirmation that they would like their account be deleted. This is done to prevent email spoofing, as incoming mail is much harder to spoof. After a reply email that confirms they want the account deleted, the account and all information on an account will be deleted within 1 month with a response email.


	If a user decides to delete an account, and does not send another email before we delete the account to cancel the request, the user understands that their account and related information, including the user’s toons, will be permanently lost.


	Profiling and automated Decision Making
	We do not perform profiling or automated decision making on users’ behalf beyond account security by verifying a requesting IP Address has been expressly authorized by the user (via user input).
	Data Processors
	As a data controller, we use, and are in contract with, DigitalOcean as our data processor for personally identifiable information (as described below). You may view Digitalocean’s data processing agreement here.


	What we collect


	At Corporate Clash, we collect information in order to identify you and access our services, while only collecting surface-level information (eg, no names or addresses).




	Personally identifiable information:


	* Usernames
	* Emails
	* Password (securely stored via bcrypt hashing with a strong salt)
	* IP addresses
	* Browser user agents


	This information is collected by the user entering the information in fields upon account creation. In order for a user to create an account, they must check a checkbox allowing us to collect this information.

	This information is stored on the servers we control and is not shared with any third parties.


	We use this information to:


	* Securely sign users in
	* Ensure users’ account security and prevent unauthorized access of user accounts
	* Audit security and ensure no unauthorized access has been gained on our systems
	* Comply with law enforcement upon valid legal request


	This information is kept on our servers for as long as the user uses our service, and is permanently removed and/or deleted upon user request (as described above).


	This information is stored via:


	* Our database software (MySql-compatible databases)
	* Access log files (IP Addresses and browser user agent only)


	Why do we need to collect this?


	We need to collect this information to operate this service. IP Addresses and browser user agents are required to prevent malicious abuse of our systems. The email, username and password fields are required to log users in and perform email communication for privacy policy updates.


	Ip addresses and browser user agents stored in log files are deleted after 6 months in case we need to audit past access to our services. Ip addresses are stored as a general public interest in order to ensure to users of our platform that their user account is not being accessed by an unauthorized party.


	Breach reporting


	Upon receiving valid information, or we discover on our own accord, regarding unauthorized access to stored user data or a breach in our computer systems, we will notify local law enforcement if applicable as well as notify all users as to what information was breach via email within a fortnight or a reasonable time frame (unless encrypted and inaccessible to the breaching party).




	Age requirement


	In order to use our services, upon sign up a user agrees that it is truthful that they are older than 16 years of age. While we to the best of our ability try to ensure our service is friendly for all ages, in order to comply with EU and US law, users must be at least 16 years of age to use our services.


	Updates to this document


	Users will be notified in advance of up to 15 days before updates to this privacy policy or our terms of service go into effect via email. We will include a condensed list of changes made, however, it is always recommended to view the changes in full.


	Due to technical limitations, if a user decides they do not wish to comply to updates to our privacy policy or terms of service, users must perform a data deletion request as described above, and the user will be informed of this option in the notification email. Users who do not take action will automatically be bound to the new privacy policy terms upon the next use of our services.