GDPR timings? It is needed

To Pickaxe team.

I know this topic is coming back like returns from Novak Djokovic, but it is important for EU users of your app. When, realistically, will you be fully GDPR compliant? This year? Next year? I need to know if I will stay with you or look for other solutions on the market. I run my business solely in the EU, so I need to be sure that I'm on the safe side of regulations. I'm not in a super hurry with it, but it is just good to know how high a priority this topic has for you. Thank you.

5 Likes

Sometime this year. Though as we’ve mentioned in other places, there are ways for your studios to approach GDPR compliance today, if you use the right set of tools and manage them properly.

As already mentioned, what is still missing (and cannot be implemented with other tools or in the studio):

  • The user must have control over their data and be able to independently delete both their history and their account.
  • All pages of the studio must be able to include links to the imprint and privacy policy, and when creating an account, there should be a checkbox to confirm acceptance of the privacy policy.

I am happy to help achieve GDPR compliance if I can, just let me know.
1 Like

At the present moment

  1. Deletion has to be through the owner, as you say, but setting up a button for them to press in the UI that notifies you as the owner to do the deletion is completely acceptable and doable within the current framework. This would comply completely, as the deletion doesn't have to be automatic or instant; it just has to work without an email on their part.
  2. You can add privacy policy as a content page, in which case it will be linked from every page.
  3. You can add JS (and several users have) to include a popup box that requires affirmative consent before continuing.

With these three aspects in mind, I re-affirm that it is indeed possible to be compliant (while maybe not convenient) with the current system. Though let me know if there’s anything else.

1 Like
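The reply above describes two builder-side pieces: a JavaScript popup that requires affirmative consent before the studio is used, and a "delete my data" button that notifies the owner rather than deleting anything itself. The following is an added example written for this thread, not Pickaxe's code and not anything a poster shared. It assumes you can inject a script into the studio page; the storage key, policy version, six-month re-confirmation window and the shape of the deletion payload are all assumptions. The consent gate records an explicit "accepted" with the policy version and a timestamp, treats anything else (missing, malformed, rejected, stale, or for an older policy) as "ask again", and only activates scripts that were shipped inert as `type="text/plain"` once consent exists. The pure logic runs outside a browser; the overlay part runs only when `document` exists.

```javascript
// Added example for this thread (not Pickaxe's own code): an affirmative
// consent gate plus a "request deletion" helper for the owner to act on.
// CONSENT_KEY, POLICY_VERSION, MAX_AGE_MS and the payload shape are assumptions.

const CONSENT_KEY = 'studio_consent';           // hypothetical localStorage key
const POLICY_VERSION = '2024-01';               // bump whenever the privacy policy changes
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;   // re-confirm after ~6 months (assumption)

// In-memory store with the same get/set/remove shape as the browser wrapper,
// so the gate logic can be exercised outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: (k) => { m.delete(k); },
  };
}

function browserStore() {
  return {
    get: (k) => window.localStorage.getItem(k),
    set: (k, v) => window.localStorage.setItem(k, v),
    remove: (k) => window.localStorage.removeItem(k),
  };
}

// A stored record counts only if it is an explicit "accepted" for the current
// policy version and no older than MAX_AGE_MS. Anything else means "ask again".
function consentIsValid(raw, policyVersion = POLICY_VERSION, now = Date.now()) {
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return false; }
  return !!rec && rec.decision === 'accepted' && rec.version === policyVersion
    && Number.isFinite(rec.at) && now - rec.at <= MAX_AGE_MS;
}

class ConsentGate {
  constructor(store, policyVersion = POLICY_VERSION, clock = Date.now) {
    this.store = store; this.policyVersion = policyVersion; this.clock = clock;
  }
  status() {
    return consentIsValid(this.store.get(CONSENT_KEY), this.policyVersion, this.clock())
      ? 'accepted' : 'pending';
  }
  accept() {
    const rec = { decision: 'accepted', version: this.policyVersion, at: this.clock() };
    this.store.set(CONSENT_KEY, JSON.stringify(rec));
    return this.status();
  }
  // Withdrawal is one call and the gate immediately re-blocks.
  withdraw() { this.store.remove(CONSENT_KEY); return this.status(); }
}

// Payload sent to the owner when a user presses "delete my data"; the owner
// then performs the deletion in the studio. Where it is sent is up to you.
function buildDeletionRequest(userId, requestedAt = Date.now()) {
  if (typeof userId !== 'string' || userId.trim() === '') throw new Error('userId required');
  return { type: 'erasure', userId: userId.trim(), requestedAt, policyVersion: POLICY_VERSION };
}

// Browser-only: scripts marked type="text/plain" data-consent stay inert until
// consent exists, then are swapped for live <script> elements.
function activateDeferredScripts(doc) {
  doc.querySelectorAll('script[type="text/plain"][data-consent]').forEach((inert) => {
    const live = doc.createElement('script');
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    inert.replaceWith(live);
  });
}

// Browser-only: full-page overlay that blocks interaction until a choice is made.
// Declining leaves deferred scripts inert; the user is asked again next visit.
function mountBanner(gate, doc) {
  if (gate.status() === 'accepted') { activateDeferredScripts(doc); return; }
  const overlay = doc.createElement('div');
  overlay.setAttribute('style', 'position:fixed;inset:0;background:rgba(0,0,0,.6);'
    + 'display:flex;align-items:center;justify-content:center;z-index:9999');
  overlay.innerHTML = '<div style="background:#fff;padding:1.5em;max-width:28em">'
    + '<p>This app stores your chat history and uses cookies. See the '
    + '<a href="/privacy">privacy policy</a>.</p>'
    + '<button id="consent-accept">I agree</button> '
    + '<button id="consent-reject">No thanks</button></div>';
  doc.body.appendChild(overlay);
  overlay.querySelector('#consent-accept').addEventListener('click', () => {
    gate.accept(); overlay.remove(); activateDeferredScripts(doc);
  });
  overlay.querySelector('#consent-reject').addEventListener('click', () => overlay.remove());
}

if (typeof document !== 'undefined') {
  mountBanner(new ConsentGate(browserStore()), document);
}
```

The version field is what makes "re-ask when the policy changes" work without touching stored records, and keeping analytics or chat widgets as `type="text/plain"` until `activateDeferredScripts` runs is the same blocking approach the cookie-blocker products mentioned later in the thread use.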

What about servers in EU?

I am not a lawyer; this is not legal advice.

The most recent decision from 2023 is that the “United States ensures an adequate level of protection” in the context of GDPR. This is the “adequacy decision” you may have heard about.

Thus servers based in the EU are likely not needed for GDPR compliance as of 2023.

Even in the case that this decision is overturned, you as a provider can still engage in a contract with your users as part of the above-mentioned terms and privacy policy to allow transfer of data to US servers.

Data privacy law is complicated, and that is one of the reasons that we (unlike many other companies) don’t publicly say that we’re compliant.

But in the context of your studios, though there are many hoops that you as a builder have to jump through, to my understanding as of the present date compliance is indeed technically possible.

Pickaxe has no plans at this time to start using servers in the EU. All our servers are US based.

Indeed. Chris from France :fr:. I'd strongly suggest that European Pickaxe builders grab a plan with Concord. You'll get a cookie banner / consent / blocker, and you'll be able to manage data deletion requests from your users.
As said by @nathanielmhld, data deletion doesn't have to be automatic upon the press of a button. Your users can ask you to get or delete their data, and you will act, yourself.

3 Likes

@chrishk What do you mean by “plan with Concord”?

Subscribe to a Concord.tech plan. Their free plan is generous enough to start, you could or should give it a try.

Here: https://www.concord.tech/

I use it for my start-up (located in France, for a French audience). I plan to use it too for my new idea of an AI-powered book-writing app (not "60-page books", real books).

Let me know should you need any additional info. Concord is honestly the best data privacy solution I found and use.

3 Likes

Thank you Chrishk!
Is Concord like Axeptio or iubenda?

Concord doesn't generate your terms and policies, but they do all the rest: cookie blocker, privacy requests from users…

Give it a try :wink:

1 Like

Thank you. I will try.
Axeptio free has only 200 visits/month vs 5K for Concord!
Do you think that for GDPR we can make Pickaxe compliant through these cookie plugins?
(I’m also French)

Bonjour Philippe, (et @nathaniel)

I’ve been analyzing Pickaxe’s privacy policy to determine its compatibility with GDPR, which is crucial for managing AI chatbots in France.

  1. Consent: GDPR requires explicit and informed consent before collecting personal data. Pickaxe's policy mentions rights that users can exercise, but it needs to explicitly state how consent is obtained, managed, and how users can withdraw it. We can't do it for Pickaxe in our own policy.
  2. Individual Rights: GDPR grants specific rights like access, rectification, erasure, and data portability. While Pickaxe mentions these, ensuring users can easily exercise these rights is crucial.
  3. Data Minimization: According to GDPR, only data necessary for specific purposes should be collected. Pickaxe's policy should justify the collection of each data type and ensure only necessary data is collected.
  4. Transparency: Their policy provides detailed information on data types and usage, aligning with GDPR's transparency requirement. However, this information must be easily accessible and understandable.
  5. Data Security: GDPR demands appropriate security measures to protect personal data. While Pickaxe mentions "commercially reasonable" measures, specifying these and ensuring they meet GDPR standards would be beneficial.
  6. Data Breach Notification: Pickaxe's commitment to notifying users in case of a data breach aligns with GDPR.
  7. Third-party Processing: GDPR requires safeguards when sharing data with third parties. The policy should include details on how subcontractors are selected and monitored.

So …

Necessary actions for me, you and any other European:

  1. Evaluate legal frameworks: Ensure that we have a data processing agreement with Pickaxe that meets GDPR requirements, especially regarding third-party data processing.
  2. Implement a consent management tool: Integrate a solution like Axeptio, Iubenda, or Concord to manage cookie consent and data collection. These tools help obtain and document explicit user consent.
  3. Update our policies: Publish a clear and detailed privacy policy on our website. It should inform our users about data processing by our tools based on Pickaxe.

Necessary actions for Pickaxe (:wave: Hey Pickaxe team! :smiley: )

  1. Enhance transparency: Clarify and further detail consent processes and data security measures in their privacy policy.
  2. Provide compliance tools: Offer built-in features to facilitate GDPR compliance, such as tools for managing user rights requests (access, erasure, etc.). These can already be managed manually, and I'm not sure we want our users to manage these actions directly with Pickaxe, or with Pickaxe branding :blush:

So yes, using Pickaxe while ensuring GDPR compliance is feasible, but it will require some adjustments.

GDPR sucks! And it’s not just the US - the way non-European countries handle personal data isn’t much better either! Between the endless consent forms and LLMs that seem to know more about us than our own friends, sometimes it feels like our data is more popular than we are!

Chris-anonymous

2 Likes

Oh cool, I received this Concord Product News email 5 minutes ago, announcing a great new feature: a cookie policy generator, and more!

https://ml.concord.tech/emails/webview/180239/144753849197921586


I'm also looking for information on GDPR and ensuring compliance. Unfortunately it needs to be in place even with just one EU visitor. I like the look of Pickaxe and would like to weigh up the effort and additional products needed vs. using a different product that is compliant.

Is there any step-by-step guide somewhere for what we individually need to do to make our Pickaxes compliant? eg the 1-2-3 @nathaniel - is there a guide for setting this up?

In terms of updates planned for Pickaxe itself, that would also be helpful as I’m not likely to launch until late March / early April.