Requesting Privacy Policy + more info on data security

First off, phenomenal app! Thank you to the Anytype team for all of their efforts! Same to the amazing test user group submitting bug reports and feature requests. I love the look and feel of Anytype and have found it super useful!

Anytype is supposed to be offline first, with data privacy at the core of its application. I think we all agree that this is exactly what we wish there was more of on the market. To me, data privacy means anything I choose to put into Anytype can be seen by only me. Not by Anytype, not by anyone else.

The more I use Anytype, the more my concern around data privacy in such a new app starts to nag at me. Specifically:

  • Currently, Anytype syncs 100% of user data to Anytype’s (or third-party) servers with zero code visibility. Why is this even done??
  • Anytype claims that, though everything is syncing to the ‘backup node’ server, only end-users can view their data because Anytype does not have access to the keychain phrases. Can any proof be provided that this is true? Is the data encrypted during transit? Is it encrypted at rest? Am I missing why maybe this shouldn’t be a concern at all due to the technology being used? If this is the case, is there proof?

I want SO much to love this app and to be a huge evangelist for it. I’m feeling incredibly nervous about the security of my data, though. I could literally manage my whole life and company within the thing. It really would be a great ‘OS for life.’ It doesn’t seem wise to let it become that without any guarantee that someone won’t end up with accidental or purposeful access to my personal and professional data, though.

Anytype doesn’t even have a publicly available privacy policy. The “Privacy Policy” link on the website links to the Terms and Conditions doc; I read through the terms. They do not include any information on privacy or the use of user data; the terms only reference the non-existent Privacy Policy. Copied from the terms: “Any personal information submitted in connection with your use of the Service is subject to our Privacy Policy, which is hereby incorporated by reference into these Terms.”

Anytype, can you please update your website to link to an actual Privacy Policy?

Anytype, or someone more technologically minded than me: can you please offer reassurance that user data is, indeed, secure? Is there any way to not allow the sync to Anytype’s server? Why is this needed at all for an offline-first app?

Thank you so much for any information you can provide!

5 Likes

Your concern has been posted by others, though no reaction accordingly yet as far as I know.

Thanks for the response, Jeroen.

Maybe I’ll read up more on encryption keys to understand how they work. I feel like there’s something here that I’m just not understanding about the platform that is either (1) a huge red flag, or (2) no big deal at all. :woman_shrugging:

At this point, if Anytype could just provide a basic Privacy Policy, that’d go a long way to make the platform feel less sketchy.

1 Like

Two weeks later, we still can’t get a basic privacy policy. This doesn’t look good, Anytype.

1 Like

@jen we are working on a detailed document to provide all our users with a very thorough explanation about the alpha program, data storage and the analytics being collected during the alpha, and also the future plans we have. It will take a little longer but we will have it ready this week.

5 Likes

Hello,
Any update on this documentation and privacy policy?

4 Likes

@sambouwer yes, the privacy policy has been detailed, written and is in a final drafting stage. Hope to add it to the app in the next week or so. Most likely without an announcement, it’ll just be hanging around all of a sudden. :sloth:

3 Likes

Just checking in on this one since it’s been a few months. Has the privacy policy been approved and added somewhere for user viewing? The “Privacy Policy” link on the website is still linking to a Terms and Conditions doc that doesn’t cover privacy or data handling, which is a little nerve-wracking. :wink:

5 Likes

Guys.
Any update on the privacy policy?

Hey, a draft was posted internally a few days ago. Hopefully doesn’t take too long to get it out here.

1 Like

That would be appreciated definitely! The sooner the better.

1 Like

I’m not sure what legal team you all are using, but if it takes them 8 plus months to draft and finalize a privacy policy, you might want to consider taking your business elsewhere. :wink:

I love love love where you say you’re going with Anytype! However, I will not be touching this software until a finalized Privacy Policy detailing data handling is made available. Alpha testing phase or not, a Privacy Policy should have been available to your users/testers on day one. It’s irresponsible at best and malicious at worst that you’re multiple years into public testing without having one available for our review. (Said with the best intentions - not just to hate.)

3 Likes

It’s been in the final iteration stage for some time now, still needs a bit of adjustment but here is the gist:


Anytype Privacy Policy

At Anytype, we believe that both individual and collective privacy are fundamental human rights.

In this policy, we describe what data we collect in current and future versions of the product, why we collect it, how it is handled, and your rights to it. Our principle is to collect only what we need to make Anytype the best app we can.

Here, we outline the difference between alpha and beta programs with respect to data collection and your choices within each:

The below information is applicable to participants of the alpha program. Once we launch our public beta, you will be able to use Anytype without sharing any information about its usage with us.

Voluntary Correspondence:

Waitlist Signup

When you sign up for our alpha program we ask for your e-mail address.

We use your email address so we can send you an invitation code to access the app and educational tips to get started. After this, we will only use your e-mail to notify you of feature releases and updates on the research & development of Anytype.

Below you will find the links to the privacy policies of our e-mail service providers. You may opt out of our mailing list by unsubscribing from the e-mails you receive.

Email Exchange

After signup, when you write to us at Anytype with a question, we keep that correspondence - including your email address - so that we have a history of past correspondence for reference if you contact us in the future.

Involuntary Correspondence:

Web Site Interactions

When you browse our website or any domain of anytype.io, your device automatically shares certain information, such as which operating system and browser you are using. We track the number of website visitors and conversion rates to waitlist signup and download, as well as page load times.

We do not track cookies on our website, nor do we collect any characteristics of protected classifications, including age, race, gender, religion, sexual orientation, gender identity, or gender expression.

You may provide this data voluntarily, for example if you include a pronoun preference in your email signature when writing to our support team.

Here, you can find the privacy policy of our website analytics provider:

Product Analytics

Each user is assigned a unique Anytype ID when they install the app, which consists of a string of numbers and letters that cannot personally identify you. Based on these IDs, we are able to observe product metrics such as session length, number of sessions, and number of Objects, Types, and Templates created.

Our analytics don’t reveal any actual content, only the actions you perform in Anytype.

Here, you can find the privacy policy of our app analytics provider:

Once our open beta is launched, you will be able to self-host software and by default the analytics will be disabled.

Anytype Backup Node

For alpha testers, any data created within the app is encrypted by the key generated on the user’s device before being sent to our backup node (‘Cafe node’). This way we don’t have any technical ability to read the content stored on our Cafe node. Our Cafe node stores:

  1. The technical information of each user needed for our sync mechanisms to function properly, including:
  • ID of user (public key). We use this to confirm that users’ data has not been compromised by other users.
  • ID of user’s devices (public keys). We use this to confirm that the user’s data was not compromised by other devices of the same user.
  • Date of activation of each account and device.
  • Hashes and sizes of pinned (stored) encrypted files you attach to the objects. This allows us to understand how many files each user is storing within Anytype and protects it from malicious use. This also allows us to remove all your files from the backup nodes when requested to do so.
  • IDs of objects in anytype. This allows us to remove all of your Objects (and the data therein) when you request us to do so.
  • Backed up encrypted objects may contain the last IP address of your devices. P2P network setup requires us to store the address of nodes for connectivity purposes. We don’t use it for any other reason.
  2. Encrypted, backed up data from your account. All data created via the Anytype app is stored with encryption in our Cafe node, except for userID and deviceIDs, for resolvability purposes.

Your data can’t be accessed nor collected - only stored. When you need to access it, it is sent back to your device and decrypted locally using your Recovery Phrase. During the alpha program, as we’re testing our backup node and seeking to ensure its reliability, sync with our backup node cannot be turned off. Anytype has access to the backup node, but the data is encrypted and we have no private key.

  • Our Cafe node contains only encrypted backups and nothing else.
  • Whatever information is created through the app will be stored in Anytype’s backup node.

What happens when:

You delete data from your account:

In our application, we give you the option to delete data from your Anytype account and bin. Anything you delete will remain accessible to you for 30 days. After that, this data will no longer be accessible through the application and will be deleted from our backup node.

We also have additional backups in case the cafe node is corrupted, which are kept for another 30 days. In total, when data is deleted from your application, it is purged within 90 days from all our systems and records. Data recovery for a single account from a backup is prohibitively expensive, so if you change your mind, you will need to do so before your data is deleted from our backup node.

Law enforcement requires us to share data:

When authorized law enforcement has a necessary warrant, criminal subpoena, or court order requiring us to share data, we must comply. Otherwise, we categorically reject requests from local and federal law enforcement authorities when they seek data.

Unless we are legally prevented from doing so, we will always inform you when such requests are made. However, with lack of proof of your identity, we cannot share encrypted data. We have never received a National Security Letter or a Foreign Intelligence Surveillance Act (FISA) order.

Your Rights with Respect to Your Information

At Anytype, Inc., we apply the same data rights to all customers, regardless of their location. Currently, some of the most important privacy regulations in place are the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) in the United States. Anytype Inc. recognizes all rights granted in these regulations including:

Right to Know: You have the right to know what personal information is collected, used, shared or sold. In this privacy policy, we outline both the categories and specific data we collect, as well as how it is used.

Right of Access: This includes your right to access the personal information we collect about you, and your right to obtain information about the sharing, storage, security, and processing of that information.

Right of Correction: You have the right to request correction of your personal information.

Right to Erase / “Be Forgotten”: This is your right to request, subject to certain limitations under applicable law, that your personal information be deleted from our possession and, by extension, from all of our service providers. Fulfilling some data deletion requests may prevent you from using Anytype Inc. services because our requests may then no longer work. In such cases, a data deletion request may result in the closure of your account.

Right to Complaint: You have the right to make a complaint about our handling of your personal information with the appropriate supervisory authority. To identify your specific authority or learn more about this right, EU individuals should go to Our Members | European Data Protection Board.

Right to Restrict Processing: This is your right to request to restrict how and why your personal information is used or processed, including the option not to sell personal information. (Again: We never have and never will sell your personal information).

Right to object: You have the right, in certain situations, to object to how or why your personal information is processed.

Right to Portability: You have the right to receive the personal information we hold about you and the right to transmit it to another party.

Right not to be subject to automated decision making: You have the right to object and prevent any decision that could have a legal, or similar, effect on you from being made solely on the basis of automated processes. This right is limited, however, if the decision is necessary for the performance of any contract between you and us, is permitted by applicable law, or is based on your explicit consent.

Right to non-discrimination: This right stems from the CCPA. We do and will not charge you a different amount to use our products, offer you different discounts, or give you a lower level of customer service because you have exercised your data privacy rights. However, the exercise of certain rights (such as the right to “be forgotten”) may, by virtue of exercising those rights, prevent you from using our Services.

Many of these rights can be exercised by signing in and updating your account information accordingly. If you have questions about exercising these rights or need assistance, please contact us at support@anytype.io.

To identify your specific authority to file a complaint or learn more about GDPR, EU individuals should go to Our Members | European Data Protection Board.

Privacy Governance

EU-US and Switzerland-US Privacy Protection Policy

The GDPR requires that data transfers outside the EU occur only in countries deemed to have adequate data protection laws. The United States generally does not meet this requirement. The Privacy Shield is an agreement between certain European jurisdictions and the United States that permits the transfer of personal data from the EU to the United States. Participation in the Privacy Shield program is voluntary.

We comply with the frameworks for data from the EU, UK and Switzerland that is transferred to the United States.

Anytype Inc. complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States, respectively. We certify to the Department of Commerce that we adhere to the Privacy Shield Principles. If there is any conflict between the terms of this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles take precedence. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Anytype Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with respect to the Privacy Shield Framework.

The Privacy Shield Frameworks support specific principles, many of which are already described in the section on your rights. For clarity, under the Privacy Shield Framework, the following principles apply to all data from the EU, UK, and Switzerland that has been transferred to the United States:

You have the right to access your personal data and to update, correct and/or change incomplete information.

You also have the right to request the erasure of personal information that has been processed in violation of the Principles. If you wish to exercise these rights, you may do so by signing in and updating your account information directly. If you have questions about exercising these rights or need assistance, please contact us at support@anytype.io.

Commitment to resolve all complaints

In accordance with the EU-US and Swiss-US Privacy Shield Principles, we are committed to resolving complaints about your privacy and our collection or use of your personal information. Individuals from the European Union, United Kingdom or Switzerland with inquiries or complaints regarding this privacy policy should first contact support@anytype.io.

Anytype Inc. has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by BBB National Programs. If you do not receive a timely acknowledgement of your complaint, or your complaint is not satisfactorily addressed, please visit Process For Consumers for more information and to file a complaint. This service is provided at no cost to you. Please do not send GDPR complaints to BBB EU Privacy Shield.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual complaints not resolved by other redress mechanisms. To learn more, please see Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Location of the Site and Data

Our products and other web properties are operated in the United States. If you are located in the European Union or elsewhere outside the United States, please be aware that any information you provide to us will be transferred to the United States. By using our site, participating in any of our services and/or providing us with your information, you consent to this transfer.

Changes and questions

We may update this policy as necessary to comply with relevant regulations and to reflect any new practices. In case of doing so, we will inform you ahead of time and keep previous versions accessible to you.

Do you have any questions, comments, or concerns about this privacy policy, your data, or your rights with respect to your information? Please contact us at support@anytype.io and we will be happy to answer.

7 Likes
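The “Anytype Backup Node” section above describes a client-side encryption model: the key lives on the device and is recovered from the Recovery Phrase, while the Cafe node keeps only ciphertext plus user/device IDs, object IDs, and the hash and size of each encrypted blob. The following added example (not Anytype’s code, and the SHA-256 counter keystream with an HMAC tag is a stand-in cipher chosen only so it runs on the Python standard library) models that arrangement so the checks a reader of this thread asked for can be run: the node’s stored records contain no plaintext, a wrong phrase cannot decrypt, and deletion works off the IDs the policy says are kept for that purpose.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Illustrative model of the backup-node arrangement described in the policy.
# Client side: derive keys from the Recovery Phrase, encrypt every object locally.
# Server side: store ciphertext plus the listed metadata, never the content.

def derive_keys(recovery_phrase, user_salt):
    """Stretch the Recovery Phrase into an encryption key and a MAC key (PBKDF2)."""
    master = hashlib.pbkdf2_hmac("sha256", recovery_phrase.encode(), user_salt, 200_000, 64)
    return master[:32], master[32:]

def _keystream(key, nonce, length):
    """Stand-in stream cipher: SHA-256 over (key, nonce, counter). Not Anytype's cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_object(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || body || tag, all produced on the device."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt_object(enc_key, mac_key, blob):
    """Local decryption; fails closed on a tampered blob or a wrong Recovery Phrase."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong Recovery Phrase")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

@dataclass
class CafeNode:
    """What the backup node sees: IDs, hash and size in the clear; content only as ciphertext."""
    records: dict = field(default_factory=dict)  # object_id -> record

    def store(self, user_id, device_id, object_id, blob):
        self.records[object_id] = {
            "user_id": user_id, "device_id": device_id,
            "sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob),
            "blob": blob,
        }

    def fetch(self, object_id):
        return self.records[object_id]["blob"]

    def purge_user(self, user_id):
        """Delete everything for one user, keyed by the user ID the node keeps for this."""
        doomed = [oid for oid, r in self.records.items() if r["user_id"] == user_id]
        for oid in doomed:
            del self.records[oid]
        return len(doomed)

    def content_visible(self, plaintext):
        """True only if the node holds the plaintext anywhere; it should never be."""
        return any(plaintext in r["blob"] for r in self.records.values())

def round_trip(recovery_phrase, note):
    """Encrypt a note on the 'device', back it up, fetch it and decrypt it locally."""
    salt = b"constructed-user-salt"  # constructed value; a real client keeps a per-account salt
    enc_key, mac_key = derive_keys(recovery_phrase, salt)
    node = CafeNode()
    node.store("user-pubkey-id", "device-pubkey-id", "obj-1",
               encrypt_object(enc_key, mac_key, note))
    return node, decrypt_object(enc_key, mac_key, node.fetch("obj-1"))
```

The model shows what the policy's claim reduces to: confidentiality rests entirely on the client code doing the encryption before upload, which is why reviewers of such a service ask for the client source rather than the policy text alone.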

Hi,
I cannot live without a note-taking app. I went through CherryTree, Evernote, OneNote and Notion. I really find the product cool. I am quite happy to find a truly efficient local-first and privacy-first app.

If only it were really privacy first. So why the hell, when you are living in Berlin, put your fate in the hands of the US government and Amazon? I wonder how this will be compliant with the promise to create “The new Internet” based on “Trust”?

Hoping coming times will bring more clarity on this as I am really fond of your work.

2 Likes

Hey, while Berlin is the location of Anytype Inc., most team members aren’t there.

I just assume that for the most parts things were built as easy as possible, which can be the reason for Amazon.

But the team seems to work on those things. A new website is being worked on with improvements on the privacy side.

But this is just info from a mod. Can’t speak for the team.

Hey! I’ve read through the Privacy Policy once it was posted, and it looks very good – certainly better than competing services and fairly solid. But, after coming back to it and reading through it again, I have some feedback and nitpicking regarding the Privacy Policy and some inconsistencies that probably won’t be a problem legally, but are inconsistent with the behavior of the application and service. Again, not a huge problem and probably not a legal issue, but it’d be nice to see the feedback be considered when the privacy policy is up for its next revision.

Each user is assigned a unique Anytype ID when they install the app, which consists of a string of numbers and letters that cannot personally identify you

I’m pretty sure that the ID is assigned upon account creation and not just on app installation meaning that it persists across installations if you use the same Account – if that is the case, updating the wording to say that “… is assigned a unique Anytype ID when they create an account…”

Also, I believe the Anytype ID can be connected with personally identifying information (the Email), as it looks like MailChimp ties the Anytype ID (and the ID used in Amplitude too) to your email, which I’d say is probably PII. The Privacy Policy might be able to be updated to clarify that, or better – if the information is removed. (Or, maybe if that information will be removed when the alpha program is over)

It might also be useful to mention that the Anytype ID is sent to Amplitude as well and that your email is also used for the purposes of data measurement, but not a huge deal overall.

Law enforcement requires us to share data:

I’d be really surprised to hear if Anytype receives a legal request at this stage, but I have some small amount of feedback about this section: it might be informative to clarify that certain classes of information (e.g. Object content, but not the User Object and mailing list info) are encrypted and unable to be accessed even under a Law Enforcement request unless the user voluntarily chooses to do so. I see that you’ve put this in the “Anytype Backup Node” section, but adding it to the LE page may be informative too.

ProtonMail also does this in the Legal section of their Privacy Policy – they clarify that they cannot:

“Under no circumstances can Proton decrypt encrypted message content and disclose decrypted copies.”

(Whether they actually don’t have the technical capability to serve a backdoored client is questionable of course, but assuming the user doesn’t log in after the data request…)

Other feedback:

  • Having some additional information about the retention of information aside from when content is deleted from the Backup Node may be useful, like how long you keep email correspondence.
  • It might be beneficial to have a central list of data processors aside from the e-mail and analytics providers, like cloud service providers or country of employees who have access to data.
  • Some information about data handling in the Typeform may be useful.
  • Although Amplitude is used in the product, it’s probably not much use linking the Amplitude Privacy Policy, as in their Privacy Policy they state:

This Privacy Notice does not apply to Customer End User Data or Customer Applications. With respect to Amplitude’s Customers, Amplitude is a processor, and Amplitude processes the Personal Data collected by our Customers and sent to the Amplitude platform only in accordance with the instructions of our Customers. Our Customers may integrate into their mobile applications, websites or other services (collectively, "Customer Applications") certain aspects of our Product in order to understand how their own users ("Customer End Users") engage with the Customer Applications ("Customer End User Data").

Perhaps in this case, it would be best to list them as a sub-processor in a dedicated section.

3 Likes

I agree, I’m curious as to whether the compelled handing over of data means handing over encrypted data, or whether a mechanism is assumed that would allow it to be decrypted. Elsewhere it has been suggested that Anytype doesn’t have this possibility, but it would be useful to be explicit on this point.

2 Likes

Thank you @edwards for taking the time to read it over and bring attention to some points of concern. I’ve added it to our agenda to clarify these aspects of the Privacy Policy :clap:

1 Like