Privacy Policy

Effective August 11, 2023

Beanbag, Inc. operates a number of online services, including:

reviewboard.org The Review Board website
reviews.reviewboard.org Public open-source Review Board server
demo.reviewboard.org Public Review Board demo
rbcommons.com Private Review Board hosting
hellosplat.com Splat, a public bug tracker
beanbaginc.com The Beanbag, Inc. website

As part of running these services, we may collect information about you. This policy explains what information is collected, how it is used, what rights you have, and what choices you may make regarding your personal information.

Information we collect

We collect and use the following information to operate and improve our services:

  • Account information:

    When creating a user account, we collect a username of your choice, an e-mail address for important notifications and team collaboration, and optionally your real name.

  • Payment information:

    When creating an account on https://rbcommons.com, or when purchasing a Power Pack license, we require providing payment information. This data is collected and managed exclusively by Stripe, our credit card processor. We may also collect your billing address and VAT ID for tax purposes.

  • User data:

    In using the services, you may provide user data such as uploaded diffs and files, comments and discussion on reviews, and team/account configuration information.

  • Usage:

    We collect information sent by your web browser, such as IP addresses and the type of browser, in order to monitor our servers for security purposes, fix bugs and outages, and otherwise improve our services for our users.

  • Cookies:

    A cookie is a small piece of data which is stored on your computer. Our services use cookies to keep track of your login session. This cookie is temporary, and you will be periodically required to log in again. This cookie is not used for tracking purposes outside of the login process.

    We also use cookies for CSRF tokens (a security measure to prevent sites from operating on your behalf) and for simple, temporary preference storage for some features. Neither of these contain any identifying information and cannot be used to track users, directly or indirectly.

    Some of our third-party processors may make use of additional cookies.

Our guaranteees

We understand that your source code is crucial to your business, and therefore we’d like to start by making a few guarantees:

  • We will never sell your private data or personal information to a third party. We will only share your data when required by law (such as to comply with warrants or subpoenas). When possible, we will notify you about any such requests for your data.
  • If you cancel your RBCommons account, we will permanently delete your data from our servers. Backups are kept for two weeks, after which they are permanently deleted.
  • We will make every effort to ensure the security of your data, including following all best practices for security.

How we use information

We use collected information in various ways:

  • To provide the services:

    We use account information and user data to provide the services to you. Many of our services offer collaboration tools which may show your account information (such as username, avatar, and e-mail address) to other users. Some services may notify you of activity via e-mail.

  • To communicate with you:

    We may use your e-mail address to send you notifications of activity, notices regarding scheduled maintenance or other service-related issues, and transactional e-mails to accomplish tasks such as resetting a password. If you have opted into our e-mail newsletters, we may send you periodic messages that we believe may be of interest.

  • To improve the services:

    We may use anonymized and aggregate data to make decisions about how to improve the services.

  • For customer support:

    We use your information to reply to support requests, monitor the services for problems, and otherwise address issues with the services.

  • Where required by law:

    We may provide your information or data when legally required to, such as when requested by law enforcement, or in the case of subpoenas or warrants. When possible, we will notify you of such requests for your data.

How we store information

We make all efforts to store your information in a safe and secure manner, and in compliance with all legal requirements and security best practices.

Account information and user data are stored on our servers in the United States. Payment information is kept solely by our billing partner, Stripe.

Most information is stored for as long as your user account is active and deleted as soon as possible after your user account has been canceled. User data submitted to public services may be kept in perpetuity (for example, code diffs published to https://reviews.reviewboard.org). Logs, analytics, and backups are kept for a limited period of time before being deleted.

Who has access to your data

Some services, including https://reviews.reviewboard.org and https://hellosplat.com, are used for public collaboration on open source projects. Information submitted to these services is visible to everyone, and may not be able to be erased completely after the fact. We encourage you to be careful in what personal information or data is shared on these services.

For accounts on RBCommons, data is visible within your registered teams but not accessible outside of it by default. Data will only be visible publicly if team administrators have requested that we make their team public.

Beanbag, Inc. employees may have access to stored data (except for payment information), depending on their role. Private data is only be accessed by Beanbag, Inc. employees for the purposes of providing customer support or as otherwise required by law.

Information shared with third parties

Beanbag, Inc. makes use of various third parties to provide parts of the services offered. This includes vendors that provide the physical infrastructure upon which our software runs. We also use third party tools for things like customer support, payment processing, and performance monitoring. In this context, some of your information or data may be transmitted to these third parties for storage or processing.

For third-party services which are not integral to our services, you have the right to consent to the sharing of your information. You will be presented with this choice when using our services. Regardless of whether you have the ability to consent, all personal data transferred to third parties occurs under the Data Privacy Framework, and Beanbag remains responsible for it.

For services which allow you to consent to the use of your data or opt out, doing so may degrade your experience with our services. For example, blocking Intercom may make it harder to access customer support.

Third party Purpose of sharing Used by Requires consent
Amazon Web Services

Computing and network infrastructure

Beanbag hosts all of its services using the infrastructure run by Amazon Web Services. Your information and data is therefore held and processed by their servers located in the United States.

Terms of Service · Privacy Policy

  • All services
No
FreshDesk

Customer Support

When you reach out to us for support via e-mail, we process those tickets using FreshDesk.

Terms of Service · Privacy Policy

  • All services
No
Google Analytics

Usage monitoring

Beanbag uses Google Analytics to monitor the use of our services. The data transmitted to Google includes the URLs of the pages you are visiting, your IP address subnet, and information about your browser.

Terms of Service · Privacy Policy

  • All services
No
Gravatar

User avatar pictures

Several of Beanbag's services allow you to display a photo or picture representing yourself. By default, these services use Gravatar, a third-party service which can provide avatar images across the web. If you consent to this use, our services will send a hashed version of your e-mail address to Gravatar. While this contains no directly identifiable information, that hash could theoretically be used to track your activity across the web. Gravatar will only have an avatar for you if you've set one using their service.

Terms of Service · Privacy Policy

  • rbcommons.com
  • reviews.reviewboard.org
  • demo.reviewboard.org
  • hellosplat.com
Yes
Intercom

Customer support

RBCommons uses Intercom to provide on-line chat support. If you consent to this sharing, we send your username, full name, and basic information about your RBCommons team. Intercom will also infer your general location from your IP address and attempt to search for public social media accounts linked to your e-mail address.

Terms of Service · Privacy Policy

  • rbcommons.com
Yes
Mailchimp

E-mail newsletters

Beanbag offers opt-in e-mail newsletters to make announcements and share tips and tricks for development and code review. If you join these newsletters, your e-mail address and name will be shared with Mailchimp.

Terms of Service · Privacy Policy

  • rbcommons.com
  • reviewboard.org
Yes
Mailgun

Transactional e-mail delivery

Several of our tools use e-mail to notify you of activity or to handle transactional items such as account verification and password resets. These e-mails are delivered using Mailgun, and so your information and user data will be transmitted to them.

Terms of Service · Privacy Policy

  • rbcommons.com
  • reviews.reviewboard.org
  • hellosplat.com
No
PagerDuty

Alerting

PagerDuty notifies us of certain high-priority support tickets. These alerts may include your name and e-mail address.

Terms of Service · Privacy Policy

  • All services
No
Papertrail

Log aggregation

Beanbag keeps logs of usage and operation of our services in order to debug problems, keep audit trails, and maintain security. All logs are shared with Papertrail in order to aggregate and analyze them.

Terms of Service · Privacy Policy

  • All services
No
Slack

Team communication

Beanbag runs public instances of the Review Board and Splat tools for the purposes of open-source development activities. Internally, Beanbag uses Slack for team communication. The public servers have been connected to Slack, so any data which you voluntarily provide when submitting an open-source contribution will be sent to Slack.

Terms of Service · Privacy Policy

  • reviews.reviewboard.org
  • hellosplat.com
No
Stripe

Payment processing

Beanbag uses Stripe to do payment processing for RBCommons or online purchases of Review Board Power Pack. When you enter your payment information, it is sent directly to Stripe and no sensitive cardholder information is stored on Beanbag's servers.

Terms of Service · Privacy Policy

  • rbcommons.com
No
Twilio

Two-factor authentication text messages

If you've turned on two-factor authentication via text message on RBCommons, we'll use Twilio to send those text messages. They'll receive your phone number.

Terms of Service · Privacy Policy

  • rbcommons.com
Yes
Quaderno

Global tax compliance

For team billing administrators, some aspects of your billing information such as your name and address, and your IP address location are shared with Quaderno in order for us to determine applicable sales taxes and VAT.

  • rbcommons.com
No

Some services may have optional integrations with other third-party tools. No data is shared automatically with these tools, but if you configure them, account information and user data may be shared with them. For a full list of the possible integrations, see https://www.reviewboard.org/integrations/

Your rights and choices

You have several rights regarding the treatment of your information: to request a copy of your information, to correct or object to our use of your information, or to request the deletion or restriction of your information. These rights may be limited in the case where it would divulge another user's information, or where we are legally required to keep records.

You have choices about what data is collected and how it is used. When creating accounts or using the services, you can choose what information to provide (for example, deciding whether or not to show your full name). Profile and other user information can be changed in your user profile settings screens.

For optional data shared with third parties, we will request your affirmative consent when you use our services. Denying consent will prevent sharing of any of your information, but may degrade your experience of the service.

To make requests regarding your information or data, please contact us at support@beanbaginc.com.

EEA, UK, and Switzerland

By choosing to use any services offered by Beanbag, Inc., you consent to the transfer and storage of any provided information on our servers located in the United States. These data transfers are governed by the Standard Contractual Clauses (SCC) as defined by the European Union. These clauses are available upon request.

Beanbag, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Beanbag, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Beanbag, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Beanbag, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Beanbag, Inc. at support@beanbaginc.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Beanbag, Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

In some circumstances, EU, UK, or Swiss individuals make invoke binding arbitration as a last resort if all other forms of dispute resolution have been unsuccessful.

Beanbag, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission.

Consistent with the DPF principles, Beanbag, Inc. may transfer information to third parties, including transfers from one country to another. Beanbag, Inc. remains responsible and liable if that third party processes that information in a manner inconsistent with the DPF principles.

If there is any conflict between the terms of this Privacy Policy, the SCC, and the DPF, the SCC will take precedence, followed by DPF.

Changes

If we are involved in a merger, acquisition, or other reorganization, your information may be transferred as part of that deal. We will notify you of any such deal and outline your choices at that time.

Beanbag, Inc. may periodically make changes to this policy. We will notify you of any significant changes via an e-mail to the address associated with your account.

Contact us

If you have any questions or concerns about this privacy policy or how your data is used, please contact us at support@beanbaginc.com.