While intended only for United States residents (as stated in our terms), Open Humans is committed to empowering you to access and control your personal data. (Indeed, this is arguably interchangeable with our mission!) As such, we strive to meet the standards of the European Union General Data Protection Regulation (GDPR). We also provide features to enable projects using Open Humans to follow GDPR standards, but cannot guarantee that projects running in the site are GDPR compliant.
As a modest nonprofit open source project, we are not ready to make a legal claim of GDPR compliance. Instead, we've documented below how our features support user rights enumerated in GDPR, and we invite your feedback on how to improve this overview, offers of assistance, & and what further improvements we might make.
To contact our individual(s) serving in the role of Data Protection Officer regarding these and other issues described by the GDPR, please email firstname.lastname@example.org and include "GDPR" somewhere in the subject line. We also encourage you to create issues in our Github repository, and chat with us in our Slack chatroom, which you can join via slackin.openhumans.org.
Most personal data managed by Open Humans is added to your account via a data source activity. This can range from genetic data to social media and more.
Access: If and when an activity adds data to your account, this is immediately and always available as a file you may download on the activity page.
Control of content: Adding data via activities is an opt-in process: you must join an activity to authorize it to add data to your account.
Sharing: As described in our Data Use Policy, Open Humans will not share individual personal data with others without your authorization. You can choose to share subsets of your data with activities that request authorization. You can rescind this at any time by deauthorizing the relevant activity. In addition, if you activate the public data sharing feature, you turn public sharing status on & off on an activity page.
Deletion: You can delete data at any time by deauthorizing an activity (which prevents new data from being added) and electing to remove associated data.
We also collect some data related to your public profile, including: username, name, bio, profile image, and participation in projects. If you have activated the public data sharing feature this may also contain personal data you have chosen to publicly share. Private account data includes your email and account configurations (e.g. news & updates, allowing other members to contact you).
Access: You can see your own public profile, and the information you see in it is the same as is presented to other users. Your settings are available in your member settings page.
Control of content: You can edit public profile content, and adjust settings on your account settings page. If you are publicly sharing data from an activity, you can control public sharing status on the activity's page. Membership status for specific activities (the "badges" on your profile) can be made visible or hidden via an option on the activity page.
Sharing: Your public profile data is shared publicly. Unless you authorize it, your private account data (including your email address) will not be shared with third parties, except according to exceptions described in our Data Use Policy.
Deletion: Some of these data can be removed by you changing the content or setting. All data can be deleted with an account deletion, which deletes these entries in our database.
We strive to follow best practices with security, including keeping our software tools up-to-date. We use third party service providers when we judge them to be a more secure solution. ("Do it yourself" approaches can be a major cause of security issues.)
Encrypted traffic: Open Humans enforces the use of HTTPS to encrypt traffic user-facing and API web traffic.
Data encrypted at rest: Our database is managed by Heroku and is encrypted at rest. Files are managed by Amazon web services Secure Simple Storage (S3) and are also encrypted at rest.
Limited logging: We limit retention of server access logs to a maximum of 120 days.
Projects in Open Humans have the ability to add data to you account, and/or access data you authorize us to share with them. The following features help enable projects to meet GDPR requirements.
Data deletion in Open Humans: Projects can delete any data they have deposited in Open Humans. This allows them to complete data deletion requests made by users.
Project member removal: Projects can further honor deletion requests by removing authorizations and membership status of a project member.
Data and user deletion outside Open Huamns: We provide a webhook that notifies projects when a member rescinds project authorization within Open Humans, enabling the project to perform account and/or data deletion for users on their end.