GDPR and requiring consent banners
The intent of the GDPR is to protect the privacy of EU citizens, and we agree with that (our whole software product is built around accomplishing this goal).
We have a lawful basis for the processing we do, and we run privacy risk assessments whenever we need to make a significant change (e.g. when we had to enable basic, heavily redacted IP access logs after we were DDoS attacked).
We cover this in considerable detail on our Data journey page, but some key pieces for GDPR are as follows:
- We process personal data (IP Address and User-Agent) on your behalf.
- We keep pseudo-anonymized data for around 48 hours. After that, the hash salts (explained here) are removed from our system, and there’s no reasonable way for anybody to brute force them.
What about Schrems II?
Schrems II was a massive ruling for the world. We’ve gone into it on our blog, and we’ve invented EU Isolation to address the complexities that Schrems II has introduced.
If you still have questions or require help with anything, please reach out to us and we'll happily get things sorted out for you.