Hi, while we don't have a statement about GDPR at this time, all data is stored on US-based servers — meaning the GDPR does not apply in this circumstance.
Hi Monica, Thanks for your reply. Unfortunately the data location is not the issue. If you have users based in Europe you will need to comply (https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#35770e1a6ff2). We also need to comply (we have European users) and so I am in the process of checking that the external providers we are using will allow us to do that. I don't actually think it is that onerous, the right to export and delete your data being the functionality issues that need to be addressed.
OK, so I've completely misunderstood GDPR compliance or rather confused it with something else entirely. GDPR compliance memos hadn't hit my desk yet so I was caught a bit unaware. The good news is that it seems as if everyone else was on the ball and I got a whole lot of information as to how it affects Muut and what we're doing. I hope the below information will give you some clarification: First, regarding a user getting access to their posts. A user can get all their data by simply going to their profile view. That shows all their content, when it was posted, etc. For sites that use secure embedding as well as only commenting (with no forum view) we advise you to include a profile view/link available to users from a page on your site. There may be additional changes here, but for now this works in the most user-friendly way. As far as the user information we store, the only applicable content we have is the publicly viewable forum content (which they can view and download freely) and their user account (email, username, display name, and avatar). We do not store non-anonymized behavior data (or any other non-anonymized data for that matter) on our end. And finally regarding a user deleting their data. For the non-anonymized content — we will be adding a delete user information option which will remove the email address, login capability, and update username/displayname to an anonymized string. The posts themselves, however, will remain. For now, our plan is to leave control over forum content to the forum owner. Where they can better make assessments on GDPR and if it applies to the forum content and remove or not remove it accordingly.
Thanks for this update. It's great to hear that Muut are working on this. The main issue for me is dealing with the prospect of an active forum user (i.e. lots of posts) requesting a full data deletion. I can see that I could view their profile to see all their posts relatively easily. The prospect of manually removing them one at a time is slightly concerning! I don't anticipate this being a common request, but I have a feeling it will happen. In my case I am using an embedded forum (I don't use comments) and most posts are replies so removing them has fewer consequences for the forum integrity. Ideally I would have the option to anonymise or delete all of a user's contributions with a simple interface.
I'll mention that concern to the rest of the team :)