
Ask HN: What do you look for in a privacy policy? - dmitryminkovsky
I am launching a messenger-like product and am wondering what members of this community look for in a privacy policy. Privacy is a top priority and it's imperative that the privacy policy really makes this clear. The product will be centralized, so I won't be able to please the "must be decentralized" crowd, but otherwise I want to make sure anyone who can stomach centralized communications will be maximally satisfied when they look at the privacy policy.
======
cimmanom
I don't. I assume any service I use has the policy that they'll sell any and
all data they collect to the highest bidder. (And the lowest bidder, and
anyone else willing to give them a few cents for it.)

Reading and parsing 10 pages of legalese (which I can understand but - not
being a lawyer - am never sure I understand all the implications of anyway) is
just not worth an hour of my time if I'm willing to accept the worst case
scenario regardless.

I suspect this is also how most internet users solve the problem. A privacy
policy is a CYA document for the website/app owner, nothing more. It's
vanishingly unlikely that you can make it any sort of selling point or
competitive advantage for a website or app unless you're in a tiny niche
specifically targeting extremely technically and legally savvy users.

If there were an expectation that every privacy policy be prefixed with a
bullet point summary in plain simple English, I might take a different
approach.

------
hluska
If it's a critical product/relationship, the biggest thing that I look for is
an intelligent statement around third party access to my data/use of the
application.

There are three possible outcomes:

1.) The privacy policy does not mention third party access. This is bad
because frankly, so many third parties (e.g. Google Analytics) provide an
incredibly useful service. If third party access is omitted, it means they
either have no plans of getting the benefits of a third party (which I think
means they're less likely to stay in business), or they haven't even thought
through the privacy implications of using a third party (which again means I
think they're less likely to stay in business).

2.) A vague statement about third parties. My favourite example is "from time
to time, this Service may contract to send application data to a third party
in order to improve the Service. When we do use a third party, your data will
be kept in accordance with their privacy policies." From a corporate point of
view, writing a statement like this makes a lot of sense, but from a user
point of view, I like to see evidence that the company thinks about third
parties at the policy level, not just the operational.

3.) A more concrete statement about third parties. An example would be "This
application is hosted on {{vps provider}} and because of how it is
architected, it means that {{service provider}} will get access to data about
your usage. Their collection and use of your personal information is governed
by their privacy policy located at {{url}}."

#3 is asking for a lot and when I've worn the founder's hat, I've often
hesitated to put this much detail in. It makes even less sense when I've been
in a situation where it makes sense to run every change by a lawyer. But, as a
user, particularly if I fell into the referenced "must be decentralized"
crowd, I'd feel most comfortable with a detailed privacy policy like this.

~~~
dmitryminkovsky
Thank you for this detailed comment. Having looked at the GitHub ToS, which
includes a statement about third parties and Google Analytics, I was wondering
how important that was to people. Makes sense it would be very important. I
appreciate also your perspective that having third parties might even be
considered a positive thing for business prospects. Seems like a balance needs
to be struck. Anyway, my application will launch with only GA as a third party.
