In this day & age, information about you is being inferred by 3rd parties depending on your browsing habits. It is very difficult to be truly "anonymous" on the web. The European Union is cracking down on this, as they should.
Before the GDPR went into effect, and given that Big Data is being used for sale, advertisements, and tracking people around the web, I (Criss Ittermann) decided that I would do my best to eliminate my involvement in Big Data (Google, for example — or Amazon retargeting pixels, etc.) collecting any of your browsing habits or information, as much as I could while still providing the services that I feel compelled to offer the world.
What constitutes "personal data"?
Information that allows a person to be identified, whether directly or indirectly, especially by reference to any given identifier. Isn't that confusing? In practice it can be your name, an identification number, your phone number, your email address, a common online "username" or "handle" that may elsewhere be associated with you personally, your IP address (which could help identify you, or someone using your internet connection), your location information, and anything that could identify you in the future. So broadly defined, just about anything that could point back to you counts, along with any sensitive information that becomes associated with that identifying information.
Of special concern to my direct Eclectic Tech services is business-based protected information including copyrightable information, trade secrets, business practices, proposed product designs, etc. that may be shared with my company so I may give you assistance in producing books, products, marketing materials, services, etc. for your business.
Also consider any information about you (even if volunteered by you) that can be used against you — your location, gender, orientation, mental health status, physical health status, politics, religion, etc. — means that, even though I'm a small 1-person operation, I still have to be extra careful with your information. This is exactly the type of information you should be able to share with your consultant or coach with reasonable confidentiality — and I have to be very careful about any note-taking or record keeping regarding any of this information.
Protecting Your Information
- Emails are inherently insecure. If you send me those details in email, please understand you are taking the risk of transmission of that information across the Internet — I have secure SMTP on my end of the email transaction, but cannot guarantee your end of the transaction is secure — it's up to your email programs, email service providers, and mail transfer agents to provide secure email connections to my secure server. My contact information for end-to-end encrypted chat or voice calls is listed in the Contact section of this document.
- See my To Do section for information about my website contact/email and comment forms as well.
Eclectic Tech practices both in-person and online. For any of my services that are conducted remotely (over 3rd party services like Fiverr, on the phone, using Voice over Internet services like Skype, or with end-to-end encrypted voice or data transfer), it's inevitable that my customers and potential customers send me sensitive data or personal identifying information (phone number, Skype account ID, email address, a check with their address, etc.). You are likely to be sharing your legal name, password or login information for your websites and services, your phone number, email address, IP address, or more, especially if you want a quote, consulting or coaching, to ask questions, get help, or would like a reply back.
Keep in mind this is a 1-person business, and I will do whatever I can within my resources to protect your information.
What do I do with your information and data?
More details are given below, along with some tips on how to protect yourself from data collection by 3rd parties.
- I removed Google Analytics off of this site. I no longer directly track your browsing information or flow through my websites through 3rd party software.
- My dedicated server tracks IP addresses for data hits and web page requests in the server logs. I only look at the logs if there's a website issue that needs to be addressed. Logs are archived (compressed), rotated, and eventually deleted on an automatic schedule.
- My server has 2 administrators — me (Criss Ittermann) and my partner (whom I've known since 1986). I always do everything I can to keep other persons or even my own customers out of my server data. If there are legitimate other users or customers with any direct access to the server, they are in a chrooted "jail", i.e. they can only access their own section of the server, and the rest of the server is not available to them. So for example a customer can use my webmail services or FTP files to/from their own directories, but not access the rest of the server.
- I have not had any known server/data breaches.
- If you email me through the website forms, I will get whatever information you put into the forms. Hopefully this would be obvious. My emails are generally removed from the server in 1 week, but I keep my emails on my business computer for decades. If you have ever or will ever email me, that email may very well be stored "forever". Due to having a mental health issue that sometimes interferes with my memory, especially long-term memory, I find it very helpful to be able to go back even into the 90's for email records. If you need your emails deleted per the GDPR regulations, please contact me.
- My emails are stored on my business computer and in onsite & offsite backups/cloud backups of my computer. If you absolutely need me to erase a specific email sent by you, you may have to provide me with exactly what information you put into it, your email address, and approximate dates so I can locate it in my enormous email warehouse. Your IP address should be logged on my server, but it is not sent to me in the email the webform generates; the webform simply produces an email from my server to me with your form information in the body. The email may tell me which webpage you were on, which helps give me context if you have a question or concern — so I know what you were looking at when you contacted me.
- You are tracked if you leave comments on the blogs or pages on this website. You can choose whatever name to sign your comments with, and provide a "spoof" email address that doesn't exist. Your IP address — i.e. your computer routing information — is saved when you post comments to the site. It is used to stop abuse of the site and is available if the authorities insist by way of a warrant to get information from my server. I would do everything in my legal power to keep them from having this information, but tracking that information is necessary for protecting myself from harassment or attack, or protecting the community from perpetrators. If someone is violative, exploitative, etc., I might volunteer their information to the authorities to help protect potential future victims. In the past, all I've used the information for is blocking that IP address from accessing my server.
Coaching & Consulting Data Storage
I'm just going to use "Coaching" to mean either coaching or consulting here, because it's a copy-paste from one of my other sites.
Coaching customers need to be tracked, and data transmitted for billing, appointments, session notes, between-appointment communications, and the actual coaching session. Clients may also be given an intake questionnaire, feedback forms, homework handouts, sent links or homework reminders, asked to watch videos or read articles, etc. all to facilitate the coaching relationship.
- Session, intake & meeting notes: I moved to electronic hand-written notes in MyScript Nebo on my iPad Pro which is encrypted and has biometric protection on it. I do not upload the notes to the Cloud. There are iPad backups on my main business computer system. If you are in the EU, I will have to ask you for permission to take notes during our meetings. I can (per GDPR policy) delete my notes, and will periodically delete older notes that are no longer needed or relevant for any purposes. If you want my coaching notes deleted, I may ask permission to keep your generic session information on-file (name, contact info, date of session, length of session) for tracking hours for additional coaching certifications.
- Appointment data, billing data, payment information: these need to be tracked so I can keep my appointments, log my coaching hours for certification, make sure I get paid, track my income, and pay income taxes. These are on my main business desktop computer, backed up on the cloud (Carbonite), and appointments (iCloud) and my billing system (Dropbox) are sync'd to my other devices. My contact list with your phone number, email address (Mac/iOS Contacts), or other contact information (Skype, Keybase, Signal) is used to keep appointments with customers. Manager.io is the software I'm using for billing; no data is sent to Manager.io, and it's all stored on my computer, not in the Cloud.
- Design Files & other Documents: This is where things get hairy. Many times I've had clients and customers ask me for files from their client folders, or even from backups and archives, 5 years or longer after the files were created: for example design files, or to make a 2nd book in a series look like the first. It's hard to say exactly when a client's business or author assets & files have reached their end-of-life so that the data can be destroyed or deleted. So I've purchased additional storage media to house client archives at my own expense for my customers' convenience. The GDPR requires that EU customers' data/files only be stored while they're of use, and only as long as you have explicit permission to store them. This is a real conundrum for EU customers, repeat clients, or potential repeat clients. Unfortunately, at the end of the day I have to protect myself and my business because the EU laws impose such a steep financial penalty against storing other people's information. So, if you're a client in the EU I won't store your information for months or years. Maybe a month or two. Maybe a little longer if you are definitely a repeat customer and/or working on a series and you'll be back. I'll happily bundle up all your related assets and files for you and let you have them — but I'm not paying €20M for violating the GDPR. I hope you understand.
3rd Party Tracking
I do not send your meeting notes/data directly to any 3rd parties. Appointments are synced via iCloud (see above), devices and computers are backed up to Carbonite (above), and appointments may be tracked at Acuity Scheduling (see "Appointment Scheduling Software" below).
The following are ways you may be tracked or identified on 3rd party platforms as having an association with EclecticTech.net:
- Referring Site Data. Any offsite links you click to follow may show what webpage address you clicked on to follow the link (called the "referring" webpage link). To go to a link without the "referring page" information, right-click, grab the website address, open a new tab, and paste the address into a new browser window. You'll go straight to the link without the tracking information of what webpage referred the link. I don't control this — web browsers send this information silently when you click on links. I just thought you might want to know this.
- Email lists. If you sign up on my email list, it's hosted at MailChimp, since I can't bulk email from my personal or business accounts. Those data protection policies are covered by MailChimp. They have whatever information you submit to their webforms on my site(s).
- Amazon Links and Purchases. My Amazon affiliate links (for book purchases) only track you if you click on them. I get a tiny commission on the sale of the book, but it does not change your price. Amazon will be able to see which site referred you on their end of the click (as stated above), and will also know I referred you to that book because you clicked my affiliate link. You can go to Amazon directly by opening a new browser tab and search for the book's title or my name as an author to avoid this. Even if I give a non-affiliate link they would still know you clicked the link from my site unless you copy it and paste it into a new browser window — that information is sent to their server by your browsing software (as outlined under "Referring Site Data" above) and has nothing to do with my site or programming on my site.
- Videos. YouTube and other sites may track you if you open a page with the embedded player. The data is streaming from their site, but they may know the URL of the page requesting the video feed or embedded player, and your IP address, or login credentials stored in their own cookies from Google/Gmail/YouTube. I don't control this.
- Feedback Questionnaire. I may have a session feedback questionnaire that is in Google Forms and stores submitted information to a Google Sheet. The information is directly transmitted through the Google Drive and their security and GDPR compliance will apply to the data stored on their system. Google may know who you are via your Google login information stored in a cookie from Google.
- PayPal Tracking. Most clients pay me via PayPal for everyone's security and convenience. I do not take credit cards directly. Please do not send me any credit card information. I can arrange other 3rd party processors if you are not comfortable with PayPal. I send you a simple paypal.me link to pay your invoice, but I do not put the invoice information into PayPal unless requested (and even then the PayPal invoice may just refer to paying the billing system's invoice number). Your invoice, if required or requested, will be sent via either an email or a more secure method (Dropbox link, Signal connection, Keybase, etc.). Many of Eclectic Tech's services are due upon invoicing; some require a deposit or a payment agreement. Coaching services and brainstorming sessions are paid in advance.
- Appointment Scheduling Software. Setting appointments can be done with us manually, or you can opt to use my scheduler which is on AcuityScheduling.com. They get my "busy" information from the iCloud server, but not the appointments from my manual calendar. If you use AcuityScheduling.com to schedule appointments, they will have collected information from you to send you text or email reminders, whatever name you give them, etc. Manual scheduling can be used to circumvent AcuityScheduling having any access to your personal information. Most Eclectic Tech appointments are manually scheduled (unlike Liberated Life Coaching appointments).
- Coaching Session Logging. While I intend to question and fight this policy, there is a requirement from coaching certification bodies to hand over client session information and personal identifying information to "prove" how many hours of coaching a coach has completed to earn certifications. I debate whether or not to bow to that practice, and plan to fight it. However, if permissible, I would appreciate permission to share that information. Feel free to lodge a formal protest with us.
To Do
I have several websites to work on, so here's what I have not discussed yet, or maybe not discussed in enough detail:
- Device security, email storage, site backups, etc. — more about biometrics and Apple's protections?
- Backups — why I back up email, and why I back up the devices & client notes on my desktop.
- I am NOT set up for https (secure web browsing) yet; this is in progress. So your connection to my website is not encrypted, and neither is your connection to the email and comment forms on my website. Once you fill in the forms, the form sends the email directly to my secure email account on the same server, or the comment form information is added to the website on the back-end and I manually approve the comment to go public. What you submit into my forms could be captured in transit to this website without my server being breached. Fixing this is in progress in June 2018 and I hope to have this security issue fixed by end of July 2018.
- Because Gumroad is not compliant with the GDPR, our products have been disabled until they rectify the issue.
If you need information removed from my website, or have any other privacy/data concerns, please let us know by phone or email. If you need end-to-end secure/encrypted communications with us, I am available through my phone number on Signal, and as "crisses" on Keybase.io (with credential proofs to kinhost.org & my other sites), and you can set the conversation to wipe after a set time.
We can be reached at:
Eclectic Tech, LLC
PO Box 225
New Hampton, NY 10958