[pccampbell]

Let's back up a second. The silence isn't because I/we don't want to talk about this, it's because it was 2am here in Boston and I was sleeping at that point (coincidentally after leaving the office around 1130pm pouring over our new GDPR paperwork).

The short answer is 100%, absolutely no - we do not, have not, and will not ever sell your data. We say this pretty clearly at the top in our terms and services, which you didn't link to (found here: https://www.profitwell.com/terms-security). For context, there's a difference between a privacy policy and a terms of service. I'm not a lawyer, but from my understanding the reason here we structured things this way (as a lot of BI/analytics providers do) is because one handles the actual handling of data, especially pursuant to EU/International/US law, and the other handles the actual service of that data. For instance, we will share your email address with our email service or with our payment processor. The terms are inclusive of the privacy policy.

From a terms perspective, we don't access someone's account unless given permission for QA, analysis, and the like. We do aggregate data for research purposes, but there needs to be a minimum of 30 companies in that data set and if you'd like to opt out of that we're more than happy to sign/put together custom Ts&Cs, which we do with almost every company that requests one.

Additionally, with GDPR the nature of our privacy policy is going one step further beyond EU/Swiss Privacy Shield compliance to offering up DPAs and a whole host of new functionality to make sure we go beyond the requirements.

Apologies if I'm coming off any bit passive aggressive/defensive. Just trying to explain and sometimes the legalease can be tough to sift through. I started my career working in network security/intelligence, so I personally take this really seriously and we put a lot of work into all of this fun stuff (pen tests, training, our policies, etc.), so I take it too personally when hearing someone misinterpret how we work. We can always make this clearer, as we tried to do with the pre-amble to our terms, but happy to do what some other companies have done and really refine the plain speak of our terms and privacy policy (especially since they're shifting a bit with GDPR). Assume you meant the best here with your comments though, so hope this clears this up at least a bit.

From a monetization perspective, we do offer a service to _someone_ - our customers. We sell Price Intelligently, ProfitWell Retain, ProfitWell Recognized, and ProfitWell Premium. All of these products are feature and performance based - and more than paying the bills for us to continue to invest in building the company without a drop of funding (which is intentional to keep us independent).

The reason we set up our monetization this way is that frankly we don't think there's a whole lot of value in taking your data and putting it into a bunch of graphs. I know that's trivializing BI/analytics, but that's the crux of the industry right now. Plus, doing willingness to pay and pricing analysis supports this - hence why most BI companies have to go upmarket to survive/grow. Instead, metrics are the gateway.

The world we're building is one where ProfitWell can show you the one graph (or few) that you need to look at - not the 60 you need to sift through to truly understand if there's a problem or not. Then we're going to help you see exactly the metric you should worry about (and the ones you shouldn't worry about) before offering up resources to help you fix it or a product that takes care of that metric for you with 0 work on your part through what we call an anti-active usage product (like ProfitWell Retain). This just feels like the right move to best serve our customers and the greater community.

[dsacco]

You should resolve the discrepancy between this comment and your Privacy Policy. A message board comment is not legally binding, and what I linked to has substantial wiggle room in interpretation.

[pccampbell]

Yup - a HN comment is definitely not legally binding. Given some of the flame wars on some of the threads over the years, that would definitely be a scary world.

Based on a number of lawyers (we've gone deep on this over the past several years), I'm confident this is resolved through the combination of our terms and privacy policy - the EU/Swiss privacy shield stipulations, which drove the privacy policy encompasses the specific data there that's shared (check out the section entitled "Collection", which is then what's referenced in the shared section). These are common information to engage in internet commerce like email, billing info, etc. This is actually specifically why we had language in our Terms to encompass the actual financial data. The ironic part of all this is we repeatedly told our legal folks we needed to simplify, simplify, simplify.

All that being said - you clearly came to the page and thought the worst based on the language, so I guess it doesn't really matter if we're legally doing the right thing, we need to make sure you (and other folks who reach us) are interpreting and seeing what we're doing as intended.

Give me/us a little bit of time to figure out how to make this instantly obvious. As I mentioned, we're in the midst of clearing up our house based on GDPR requirements, so it's a good time to revisit. Really appreciate the feedback - only way we get better. :)

[dsacco]

For greater context, the reason why I’m saying your Privacy Policy needs to be revised for precision is because:

1. I have experience acquiring data for the financial industry, and your privacy policy looks like the kind used to discreetly allow data brokering for free apps that have a lot of user data, and

2. I’ve seen executives who do sell data deny that they sell data by being overly literal and obtuse about what users mean when they ask if their data is sold. When users ask if their data is sold they’re usually including “data sharing with affiliates”, even if they aren’t savvy enough to use that terminology. The concern there is that user data collected by third parties is allowed to be reshared by their affiliates and under opaque terms that do not preclude monetization.

[wsy]

In EU, you need to write something like "...share data with third-party service providers..." already if you use AWS, because customer data will not only be held at your premises, but also held by another company (Amazon).

It seems to be difficult to phrase the Privacy Policy in a way that will satisfy this condition, and at the same time remove the 'wiggle room' you see.

[dsacco]

Call out the third party service providers explicitly.

[wsy]

That has the big disadvantage that if you switch from AWS to Google Cloud, you need to notify all of your customers about the changed policy and ask them for consent again. I have not seen any Privacy Policy yet which lists the service providers.

[dsacco]

You don't need to ask for consent, because it's typical that a clause will simply state, "Continued use of this service indicates acceptance of these terms", etc. That seems like a non-problem as far as these things go.

The reason you don't see privacy policies which list that information is not because it has an exorbitant inconvenience cost, it's because they benefit directly from that information asymmetry.

[wsy]

You actually do, because now you want to send data to Google Inc., for which you don't have the consent of your customers yet. They only agreed to sending it to Amazon. You can't make them agree to any future changes of your Privacy Policy.

edit: yes, you can send out a notification on every change and tell your customers that it is an implicit consent if they don't object. But I still wouldn't want to do that for every change of service provider, and there can be quite a few such providers in an SaaS.