Last Updated: November 18, 2020
pod.inrupt.com and inrupt.net presently are intended for research, prototype development, and experimentation. At the current time, we ask all users not to use Solid Pods to store any personal data, such as real names, email addresses or telephone numbers. Solid Pods should not host any data that is otherwise sensitive, confidential, or intended in any way for commercial use.
Inrupt provides its users (“Clients”) with Solid Pods, which enable them to store data and choose who to share that data with and when to share it. A Solid Pod can be owned and controlled by a single individual or by an organization or legal entity. In order to function, a Pod must be associated with a corresponding WebID.
Inrupt’s mission of “personal empowerment through data” is enabled by Solid, the open technology created by our co-founder, Sir Tim Berners-Lee. We believe that Solid provides a better way to structure data, applications and identities on the web.
What Personal Data Does Inrupt Collect and Why?
The personal information that Inrupt gathers from Clients allows us to provide our Services. For example, it allows us to set up a Solid Pod when a Client registers, provide them support, enable payment for those Services, and otherwise stay in contact with our Clients about our Services.
Information Clients Provide to Inrupt
We receive and store the information you supply to us, such as name, email address, phone number, and company name, when you sign up to use a Solid Pod and when you communicate with us by email, chat, telephone, or social media.
Clients can sign up for our Services through our website, which requires you to create an account. The website collects your WebID, name and email address and creates an authentication token that we may check periodically. We enable Clients to create a unique login and password to ensure that you can use our Services securely. We do not store passwords. Clients may also choose to log in using a third-party identity provider that supports OIDC and is registered as trusted.
We also collect email addresses when users email us for information or sign up for our newsletters or email updates. You can unsubscribe from newsletters or updates at any time by clicking “Unsubscribe” at the bottom of the email.
From time to time we may provide an opportunity for Clients to answer questionnaires or surveys to help improve our services by collecting user experience information or assessing Client interests and needs. Any such questionnaires or surveys will be voluntary and ask for consent. The purpose and intended use of the information being collected will be explained in the survey itself.
Information We Collect Automatically from Clients
We also collect certain information automatically:
- Audit Log Information. When you use our Services, we may automatically collect and store certain personal data in our audit logs. This may include which users (by username) are accessing the Services, how users are accessing these Services (including device-specific information and integration), the dates and times users access the Services, and from where users are accessing the Services (by IP address). Audit logs are not used as part of our normal operations but are used to support audit or security investigations. In order to troubleshoot or provide help to a user, and with that user’s consent, we may associate this information with the user’s personal information (by WebID). Access to audit log data is strictly restricted to personnel with audit rights.
- Device Information. We also collect information specific to a device used in order to provide support for our Services and optimize them for geographic location. This includes information such as the hardware model, operating system, screen resolution, as well as unique device identifiers. In order to troubleshoot or provide help to a user, and with that user’s consent, we may associate this information with the user’s personal information (by WebID).
- Aggregate usage data for our Solid Pods, to enable us to understand how our Solid Pods are being used and to develop and refine them to better serve our Clients.
Storing and Processing Data on Behalf of Our Clients
Inrupt enables its Clients to store their own data in a Solid Pod. In doing so, Inrupt empowers its Clients to determine what data they will store, if that data should be shared and with whom, and for what purposes.
When a Client uses pod.inrupt.com to store the Client’s own data, the Client acts as the data controller and Inrupt processes personal data on the Client’s behalf, as a data processor. Inrupt does not use this Client data for any purposes other than to provide the contracted services and we do not share Client or user data with third parties except for the limited purposes described below.
Clients have the responsibility to understand what data they are storing in their Pod, whom that data is shared with, and what, if any, data they have made public.
At present, each Solid Pod has its data encrypted at rest with AES-256 using a managed Relational Database Service (RDS). Data in transit is encrypted with TLS v1.2. Data is unencrypted only in memory and while being processed.
Our Legal Bases for Processing Personal Information
For personal data under the control of Inrupt, we rely on several bases to lawfully obtain and process personal information. First, where Clients have given us valid consent to use their data in particular ways, we rely on that consent.
Second, certain information is necessary for us to perform the contract between you and us and to allow us to comply with certain legal obligations.
Third, as described in more detail below, in certain cases we may process information where this is necessary to meet legal obligations, such as compliance with law enforcement subpoenas or warrants, and/or further legitimate interests, so long as any such legitimate interests are not overridden by your rights or interests.
How and When Do We Share Information?
As set out below, we only share information on a limited basis in order to enable us to offer our services. We do not otherwise make Client data available to third parties. We do not sell information or share it for advertising or marketing purposes.
Sharing Data With Applications, Groups and Individuals: By default, all data contained within a Client’s Solid Pod is private and cannot be accessed by other individuals or parties. Clients are given the opportunity and choice to “opt in” and share their data with other applications, groups, or individuals. This decision is made by the Client and controlled by the Client. A Client can decide to share, or unshare, data from its Solid Pod at any time.
Service Providers: We employ other organizations and service providers to perform certain functions on our behalf. This includes cloud infrastructure services (IaaS), usability analysis, log analysis, issue ticketing and alerting. These third parties have only limited access to your information, may use your information only to perform these tasks on our behalf, and are obligated to Inrupt not to disclose or use your information for other purposes.
If you have any questions or would like further information about the service providers we use, please contact us at firstname.lastname@example.org.
Legal Compliance, Protection of the Public and Our Business, and Legitimate Interests: We may be required to release personal and account information in response to lawful requests by public authorities, including to meet legitimate national security or law enforcement requirements; to protect, establish, or exercise our legal rights or defend against legal claims; to comply with a subpoena, court order, legal process, or other legal requirement; or when we believe in good faith that such disclosure is necessary to comply with the law, prevent imminent physical harm or financial loss, or investigate, prevent, or take action regarding illegal activities, suspected fraud, threats to our property, or violations of our Terms of Service.
However, this does not include selling, renting, sharing, or otherwise disclosing personally identifiable information from Clients for commercial purposes in violation of the commitments set forth here.
If Inrupt undertakes or is involved in a reorganization, merger, acquisition, sale of assets, bankruptcy, or insolvency event, then we may transfer, share or sell some or all of our assets, including Client information, in connection with this transaction or in contemplation of this transaction. If we do so, we will provide notification of any changes to the control of your information, as well as any choices you may have.
Our services are not designed for, and are not marketed to, people under the age of 18 (“minors”). We do not knowingly collect or ask for information from minors, and we do not knowingly allow minors to use our services. By using our services or accessing our websites, Clients represent that they are at least the age of majority in their country, state and/or province of residence.
If your personal data originates in the EEA, the United Kingdom, or Switzerland, and is shared with a third party service provider outside of these countries, we establish the necessary means to ensure an adequate level of data protection. This may be an adequacy decision of the European Commission confirming an adequate level of data protection in the respective non-EEA country or an agreement on the basis of the EU Model Clauses (a set of clauses issued by the European Commission).
How Secure Is Your Information?
We maintain administrative, technical and physical safeguards designed to protect the privacy and security of the information we maintain about you. When you provide us with personal information, the connection between your computer and our server is encrypted using Transport Layer Security (TLS) to protect that information. We use a Digital Certificate so secure pages can be identified with a padlock sign and “https://” in the address bar. We store our data in protected databases on secured servers with restricted access. We also use hardware and software firewalls, screen for viruses and malware, and utilize live 24/7 monitoring services to mitigate threats. However, no method of transmission or storage is 100% secure.
Client accounts are protected by a password of the Client’s choice. It is very important for Clients to protect against the theft or unauthorized access of this login and password.
What Are Your Rights?
Inrupt enables our Clients to exercise a number of fundamental rights in relation to their data.
For data stored in Solid Pods, Clients can exercise these rights directly through the control of their Pod. For example, Clients can:
- Decide what data they store in their Pod and if or when they choose to share it
- Rectify inaccurate or incomplete information
- Access the data in their Pod
- Port their data, by copying it and writing it to another provider
- Delete their data, should they choose to do so.
For data in the possession of Inrupt for which Inrupt is the controller -- such as your contact information -- Inrupt will provide you with such information, correct it, or delete it, upon request. Subject to relevant legal rights, you have the right to object to the processing of such personal information, to request changes, corrections, or the deletion of this personal information, and to obtain a copy of it. In order to do this, Clients can contact us at email@example.com. We will respond to requests within a reasonable timeframe and may need to take reasonable steps to confirm identity before proceeding.
If we are processing your personal information based on your consent then you may withdraw your consent at any time. Note that if you withdraw your consent to the use or sharing of your personal information for the purposes set out in this policy, we may not be able to provide you with our services. In certain cases we may continue to process your information after you have withdrawn consent and requested that we delete your information if we have a legal basis/need to do so.
For personal data under its control, Inrupt will retain such data only for as long as is necessary for the purposes set out in this policy or as needed to provide Clients with our services.
Clients can delete the data in their Pod directly and delete their account, should they choose to do so. If a Client no longer wishes to use our services then it may close its account and delete its Pod at any time.
When a Client closes their account, we retain the data in that account for two years so that the Client may recommence using our services should they choose to do so. However, if a Client wishes to delete the data in its Solid Pod then the Client may do so at any time.
Notwithstanding the above, Inrupt may need to retain and use Client information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may also retain log files for the purpose of internal analysis, for site safety, security and fraud prevention, to improve site functionality, or where we are legally required to retain them for longer time periods.
If you have any questions, comments or suggestions about how we handle personal information you can contact Inrupt at firstname.lastname@example.org.