by Animats 2401 days ago
privacy-first approach

So, let's take a look at your terms.[1]

However, we cannot guarantee that unauthorized third parties will never be able to defeat our security measures or use your personal information for improper purposes. You should always use caution before sharing your sensitive personal information online.

we each agree to resolve any claim, dispute, or controversy (excluding any claims for injunctive or other equitable relief as provided below) arising out of or in connection with or relating to these Website Terms of Use, or the breach or alleged breach thereof, by binding arbitration by JAMS, Inc.

Not only mandatory arbitration, but arbitration with JAMS, which has problems.[2] Not the American Arbitration Association consumer rules. The AAA will often send small claims to Small Claims Court, which is cheaper, and has real judges.

These Website Terms of Use, and any rights and licenses granted hereunder, may not be transferred or assigned by you, but may be assigned by Berbix without restriction.

So if you exit by being acquired by Google or Facebook or Tencent, they get all the data.

There's nothing in the terms which places any legal responsibilities on Berbix beyond minimal compliance with the law. The terms are no better than the average web site, and worse than many.

So, "privacy last".

[1] https://terms.berbix.com/terms/website
[2] https://www.sfgate.com/news/article/PRIVATE-JUSTICE-Can-publ...

1 comments

Thanks for taking the time to carefully read our terms of service! We share your point of view that these aren't merely a series of boxes to check.

Our “privacy-first” claims are namely three-fold:

1. We limit the data returned to our customers and enforce a maximum data retention period after which data is permanently deleted. We encourage customers to reduce the amount of data they need and the number of days it must be stored.

2. We built our own image watermarking service to protect the sensitive images we process and store. This helps ensure that the images cannot be used to verify an identity on any other service.

3. We completed our SOC 2 Type 1 examination in March 2019. This is an intensive security audit performed by an accredited third party. We perform these annually.

And thanks for the feedback regarding JAMS specifically. We are in the process of revising our terms that were first drafted early this year before our public launch.

We really do appreciate this feedback, which we will take into account as we continue to iterate on both our Terms of Service and Privacy Policy to best reflect our business practices. As part of this effort, we are making a commitment to always publish a record of all changes to our terms.

Commenting as an uninvolved bystander: your entire reply sounds like corporate-speak to me, and it's off-putting. I get that you're trying to state your intent, and perhaps English isn't your native language, but it's deterring me from looking further into Berbix. Also, your second claim really just seems to be a lock-in, not a user-friendly positioning.
If your primary business is trust, you have to commit contractually to back it. Not just make "claims".
FYI: SOC 2 Type 1 has no weight for corporate/data privacy/infosec because anyone can get it with a dozen .docx templates from the internet. A Type II report is substantial because it requires the auditor to observe your actual operations for the previous 3-6 months. If you got a Type 1 report in March, does that mean that a Type 2 report will be available to prospective customers any day now?
How can you force your customers to have a retention period for data you provide them? They could just keep a copy, and you'd never know.