The landing page looks nice and clean. But even if I wanted to try and use your SaaS, I couldn't responsibly do so: Your privacy policy does not comply with the GDPR, and I cannot find any information about the person or company providing this service.
Also, from your Terms of Service:
>If you have any questions about these Terms of Service, please contact us at [email protected].
This makes it look like you have just been using a pre-made template (or even software?) to launch your SaaS.
Glad to see Dropshare (my app) as an example for data ownership here. :)
While we had our own cloud storage provider for a while, Dropshare was always about "bring your own storage", because I sincerely believe in the importance of "owning your data". The first supported storage provider in the app 10 years ago was SCP over SSH (basically "bring your own server").
Funny you ask, other people and I built something like this a few years (actually 7 years…) ago. It never really got past a few hundred initial users, and thus has since been shut down.
Wow, there we have it, a person who has already implemented this idea a long time back. So what made you shut down the service? Would you be willing to share your experience?
I’d like to quickly clarify that the initial statements are untrue. The web server is used as a communication bridge between the Share Extension and the app. It only accepts requests with a signature. It cannot delete, share or otherwise manage any uploaded files, and has no code that could potentially cause any harm on your server (e.g. by executing things). It only accepts file URLs from your local machine to be uploaded and, again, only with a properly signed request.
It is unfair to compare this to the Zoom case since there is no potential vulnerability and, contrary to what you explain, there is no danger of someone damaging files on your server or anything of the sort.
Best,
Timo
P.S.: Of course, in case you do think you have found a vulnerability I am not aware of, please get in touch via [email protected] according to responsible disclosure.
How can a website / service be operated in 2015 without any contact or legal information? How am I supposed to use this for my personal information without being able to read the privacy statements or knowing who's operating the service to what purpose?
Edit: To make the reason for my comment clear, there was no link in the footer like there is now at the time I wrote it.
As someone who recently launched a service — among a zillion things you have to do to deploy a software application online this one seems markedly less important, especially if you are launching an MVP on a small budget.
If your MVP won't fly, legal info won't help and is a waste of time and resources. If it will, you can always add it in the future. The percentage of people who will complain or not use the service at all without reading the Terms of Use first is… well, I have no idea what it is, but let's just say it won't move the needle.
Contact information is more important, and easy to add, so it should be there.
So, good observation in the abstract, but:
1) you're responding to someone who said "some jurisdictions"
2) siavosh's Twitter profile suggests that they're in San Francisco.
While it's true that it may not be a legal requirement (in some jurisdictions) to post a privacy policy, it's probably not a good idea to trust a service without one, particularly if said service is designed for posting potentially private personal information.
In other words: They should post a privacy policy - not because it's a legal requirement (though it may be) - but because it's good business. And no one will trust them otherwise.
Serious question: Do people treat privacy policies any differently than EULAs? (To wit: Abstruse legalese that doesn't really tell anyone anything?)
I can summarize 95% of privacy policies right here:
* We won't sell your info (directly)
* We "may" provide your info to third parties based on ill-defined criteria
* We can change this at any time without telling you first
* If we get bought (which is likely), this is all rendered invalid
* If we break our word here, your recourse is precisely jack
If any user of the service is in California, then the state can potentially take legal action against you.
Whether this really matters to a particular company depends on where they are, but full-faith-and-credit means that at a minimum anyone based in the US has to worry about it.
Has the State of California ever taken legal action against any company located outside of CA for not complying with this regulation or is it just another one of those laws that are on the book but are never enforced?