Privacy Policy
Last Updated: June 5, 2018
Effective: May 25, 2018
You can see our previous Privacy Policy here.
Hi there! Our Privacy Policy has recently received an update to comply with the EU’s new General Data Protection Regulation (GDPR). More information about the GDPR can be accessed here. Nothing about the way we collect and handle your data has changed; we’ve just added even more clarity about our processes. If you have any questions, feel free to email us at privacy@rememberthemilk.com or dpo-gdpr@rememberthemilk.com.
HEADS UP! We know this is a long Privacy Policy, but it has to be that way so that we can clearly and accurately give you the best information about the Personal Data that we collect from you. You must read it all to use our service. We do, though, want to call your attention to a few very important sections:
- What are your rights in relation to your Personal Data? Here you’ll get the low-down on all of your rights - don’t skip this section!
- What about the international transfer of Personal Data? This section describes how your data may be sent to and processed outside of your jurisdiction.
- If you’re unhappy with the way in which we collect or process your Personal Data, how can you lodge a complaint? Just as described - if you have any issues with the way we handle your Personal Data, this section will help you through it.
At Remember The Milk, your privacy is incredibly important to us. This Privacy Policy describes what Personal Data (described further below) we collect about you, why we collect it, how we use and share it, how we store it, and how we protect it. We’ll also talk about your rights in relation to that Personal Data and what you can do if you’re unhappy with the way in which we process it.
One of the most important things we want you to know is we will never rent, sell or share your Personal Data for marketing purposes without your explicit, prior permission.
Keep in mind as you read this Privacy Policy that you might find links to other websites or mobile applications on Remember The Milk, but this Privacy Policy won’t apply to any of those linked applications or websites. We love sharing things with you, but unfortunately, we can’t control the way other organizations (besides our data processors, as we discuss below) handle user data.
This Privacy Policy also specifically incorporates by reference our Terms of Use, available here, as well as our Program Policies, available here.
Who are we and how can you contact us?
By now you know that we’re Remember The Milk - officially, we’re Remember The Milk Inc. You can reach us at the following contact points:
By Mail:
Remember The Milk
660 4th St #247
San Francisco, CA, 94107
By Email: dpo-gdpr@rememberthemilk.com
We collect and process your Personal Data, as well as manage our third-party service providers (the fancy term is “data processors”) and subsidiaries.
What Personal Data do we collect from you and why?
Through your visitation to, use of, and interaction with Remember The Milk, you will be asked for certain types of Personal Data. This section will only cover the Personal Data that we receive specifically from you.
Personal Data collected when you register with us:
When you register to use Remember The Milk, we’ll ask you for your first and last name, email address, and a username and password of your choosing. Your password will be maintained on our system in an encrypted form. You can also register through your Facebook or Google account. If you choose this method, we receive your first and last name and email address. We use the collected Personal Data that we obtain at registration for the sole and exclusive purpose of providing our services to you and allowing you to use Remember The Milk. By registering with us, we’ll be able to better serve you, and provide a more personalized user experience for you each time that you visit us.
Personal Data collected through your use of Remember The Milk:
Remember The Milk is a task management service. Therefore, when you use our services, we collect a few different types of Personal Data from you:
Profile Information: After you register, if you’d like, you’ll be able to upload a photo, choose your language and time zone, and tell us what country you’re located in. We only ask for this information to be able to provide the best user experience possible.
Task List Usage: Because our service is primarily used to manage tasks, you’ll likely want to keep your task list with us! The content of that task list, along with the rest of your account, is stored and maintained on Remember The Milk servers. We do this so that we can provide our services to you, and so that you can access your task list whenever you want. That being said, we don’t access the content of any task lists unless you specifically ask us to do so (for example, if you’re having technical difficulties accessing your account) or if we’re required to do so by law (more on that later), to maintain our system, or to protect Remember The Milk or the public.
Public Information: Registered users on Remember The Milk can post to our forums. Please be advised that any info that you post on our forums should be considered non-proprietary, non-confidential, and public. Others will be able to see the content of your posting, as well as your username. We have this feature so that users can connect with each other about task management and our services. We urge you to be careful with any and all information you post in our forums.
Pro-Level Users: If you decide you want to sign up for our “Pro”-level accounts (in other words, to get more features and benefits), you can, but we’ll need some billing information first. We use Stripe, PayPal, and the Apple App Store to process payments. These services will generally ask you for your credit card information (including the expiration date and verification code). We only ask for this Personal Data so that we can provide the Pro-level services to you, upon your request.
Personal Data collected when we’re communicating:
As a user of Remember The Milk, we may communicate with you about your account with us. These communications specifically won’t be marketing communications, but will rather be informational items, such as updates to our policies or other privacy-related matters (in other words, you won’t be able to opt-out of these really important messages). You may also be asked questions about how to improve Remember The Milk, or you may, at some point, communicate with our representatives because of questions that you have. We consider this information Personal Data. We collect this information so that we can help with anything you need and continue improving our service.
What Personal Data do we collect about you that we get from other sources and why?
Geo-location data: We may collect information about your location depending on the permissions you have set on your device. We solely and exclusively use this information to provide you with our services, including to update your time zone for accuracy. You can enable or disable location services when you use our services at any time, through your device settings.
Usage Data: We may also collect information about the use of your account, such as how much storage you are using, how often you log in, and other information related to your registration and use of Remember The Milk. Information displayed or clicked on in your Remember The Milk account (including UI elements, links, and other information) is also recorded. We use this information internally to deliver the best possible service to you, such as improving the Remember The Milk user interface.
Personal Data from cookies: We use essential cookies, functionality cookies, and analytics cookies. Cookies are small files stored on your computer or mobile device which collect information about your web behavior (we’ll call this “Automatic Data”). These cookies do not access information which is stored on your device. Our cookies include an identification number that is unique to the device you are using. This identifier helps us to better understand our user base and how they are using our site and services. We use cookies for a number of reasons, such as recognizing you when you visit the site, displaying the site according to your chosen user settings for language, and maintaining the security of your account. We may also use the cookies to collect aggregated information about the use of Remember The Milk to maintain, analyze and improve the service.
What can I do about cookies in general?
Most Internet browsers accept cookies automatically, although you are able to change your browser settings to control cookies, including whether or not you accept them, and to remove them. Unfortunately, if you set your browser so that it refuses cookies, you will not be able to use the Remember The Milk service. You can visit http://www.whatarecookies.com for further information.
Log data: When you use your Remember The Milk account, we collect certain information (often called “log data” or “log information” - the same information that most websites log when they are accessed). This information, contained in the "header" of your request to access the Remember The Milk page, usually includes the browser type you used, your Internet Protocol ("IP") address, and the date and time of day. In addition, we log the unique ID provided by our cookies and the URL of the last site you visited ("referrer"). As a basic matter, we need this information to help us provide our services to you, for example, if we need to validate your identity in order to maintain the security of your task lists. We would also need to know what IP address your query came from so we could send the appropriate pages back to you. In addition, we log this information for internal business purposes. For example, this log information helps us determine how well our services are working so that we can continually improve the quality of Remember The Milk. The log information is also important for security, audit, quality improvement, and other internal business purposes.
What is our legal basis for processing your Personal Data?
We respect data minimization principles, which is a fancy way of saying we only collect the minimal amount of Personal Data required for legitimate business purposes. In other words, we need the Personal Data that we do to effectively run our business and we don’t collect more than is necessary. The Personal Data you provide to us voluntarily (such as through registration, use, and communication with us) is up to you (with the notice, however, that you won’t be able to use our service unless you register). That said, we may still process automatic Personal Data, such as that received through cookies, regardless of how you interact with Remember The Milk.
We also, though, want to ensure that you feel we’re always treating your voluntary Personal Data - in other words, the data that we ask you for - just the way you’d expect. Because of that, before you use or access any of our services, you’ll be directed to this Privacy Policy. You should take the time to read and review it carefully, and then feel free to reach out to us with any questions. We’ll ask you to indicate that you’ve read this Privacy Policy in full and that you agree to the processing of your Personal Data as we’ve described here.
If you don’t understand this Privacy Policy or you’re not sure about anything we’ve described here, please reach out to us so that we can help. If you’re still unsure, it’s best not to use any of our services until we can answer all of your questions.
Additionally, if we collect or process your Personal Data in any way not indicated by this Privacy Policy in the future, we will seek your explicit prior consent. To be clear, consent will be sought if we wish to provide you with direct marketing communications, if we transfer your data to third parties not indicated here, or if we otherwise significantly amend or change this Privacy Policy.
Will your Personal Data ever be shared and if so, how and with whom?
Third-Party Service Providers: We use third party service providers (those “data processors” we mentioned earlier) to help us operate Remember The Milk, but we’ll never share your Personal Data other than as described here without your explicit consent. The third party service providers that we use help run the business, so your data will pass through them, but we don’t provide your data for intentional access (like for marketing list purposes, for example) to anyone.
The third party service providers we currently use help us with data services, payment processing (as described above), disaster recovery, information technology, content delivery, email services, customer support and communication, and DNS services. For the third parties that we utilize who also process your Personal Data, we have appropriate security and contractual measures (like encryption and data processing agreements) to ensure that your Personal Data always gets treated in compliance with the policies laid out here as well as applicable law.
Other Disclosures: In certain cases, we may have to disclose your Personal Data to third parties outside those above. We limit that disclosure to the following circumstances:
- To satisfy any local, state, or Federal laws or regulations;
- To respond to requests, such as discovery, criminal, civil, or administrative process, subpoenas, court orders, or writs from law enforcement or other governmental or legal bodies;
- To bring legal action against a user who has violated the law or violated our Terms of Use;
- In the case of any business transfer, sale, or transfer of assets of Remember The Milk (we’ll notify you if this happens);
- To generally cooperate with any lawful investigation about our users; or
- If we suspect any fraudulent activity on Remember The Milk.
Your Consent: Otherwise, if we get your explicit, unambiguous, and prior consent to share your Personal Data with anyone, we’ll do so.
Do we ever send you marketing communications?
We don’t send you marketing communications, such as newsletters and brochures, but we may send updates about our service to registered users. If we ever did want to send you a marketing communication, we’ll specifically ask you to opt-in to the communications you want to receive. In other words, we’re never going to automatically add you to a mailing list or other marketing communication list.
We may send emails including information about new features. We may also send emails as you onboard to our service, to help you become more proficient in using our service. You can opt-out of these at any time.
We may send emails asking if you want to test new features (as part of our Pro Tester Program), but this is only after you’ve specifically opted-in, and you can revoke your consent and remove yourself from the list at any time.
How do we store and protect your Personal Data?
Personal Data Storage: We only store your Personal Data as long as it is necessary for providing you with the requested services or until you stop using our services and request deletion of your data. We may also store your Personal Data for any applicable legal record-keeping, including after the closure of your account (as described below), or for additional business purposes (e.g., maintaining our accountancy records, enforcing our Terms of Use, or otherwise maintaining the safety and security of Remember The Milk for a time period permitted by applicable law).
Personal Data Protection: We employ organizational and technical security measures to protect your Personal Data, such as limiting access to your Personal Data, secured networks, and encryption.
We also use secure physical and digital systems to store your Personal Data. We ensure that your Personal Data is protected against unauthorized access, disclosure, or destruction by utilizing practices that are consistent with standards in the industry to protect your privacy.
Please note, however, that no system involving the transmission of information via the Internet or the electronic storage of data is completely secure, no matter what reasonable security measures are taken. Although we take the protection and storage of your Personal Data very seriously, and we take all reasonable steps to protect your Personal Data, we cannot be responsible for data breaches that occur outside of our reasonable control. We will, however, follow all applicable laws in the event a data breach occurs, including taking reasonable measures to mitigate any harm as well as notifying you of such breaches as soon as possible, but in no event later than two (2) weeks’ time.
What are your rights in relation to your Personal Data?
By using Remember The Milk, you can exercise the following rights:
- REFUSING TO PROVIDE YOUR PERSONAL DATA: The voluntary Personal Data you provide to us is an integral part of your use of Remember The Milk. You can choose to forego the provision of that data, but you will be restricted from using our services.
- ACCESSING, OBTAINING, MODIFYING, AND DELETING YOUR PERSONAL DATA: Through your use of Remember The Milk, you can access and amend your own data at any time through your account settings page, and you can, of course, amend and delete your tasks as you like. If you’d like to delete your account, you can visit the account deletion page for your account. You’ll have to check a box and press a button to confirm that you want your information deleted and then we’ll typically deactivate your account within two (2) business days of receiving such a request. After deletion of your account, we keep your information in our system for our business records for 60 days. At that point, it will be deleted from our system but kept in encrypted backups for an additional 30 days. After that, you will be scrubbed from our system and backups. You can also export all of your data via the export function of Remember The Milk.
- SUBMITTING A COMPLAINT: If you would like to submit a complaint to us about the way in which your Personal Data is handled, please contact us by using any of the contact details located in this Privacy Policy. After you submit such a complaint, we will contact you within three (3) business days confirming that we have received your complaint. Afterwards, we will investigate your complaint and provide you with our response within a reasonable timeframe but in no event later than two (2) weeks.
- LAUNCHING A COMPLAINT WITH A DATA PROTECTION AUTHORITY: If you are a resident of the European Union and you are not satisfied with the outcome of your complaint submitted to us, you have the right to lodge a complaint with your local data protection authority.
How exactly can you launch a complaint, if you’re unhappy with the way in which we collect or process your Personal Data?
As noted elsewhere in this Privacy Policy, you can reach out to us anytime you are unhappy with the processing of your Personal Data. You can also undertake the following:
U.S. Residents: If you’re located in the United States, the collection of your Personal Data, as well as our commitment to the EU-U.S. and Swiss-U.S. Privacy Shield, as discussed below, is subject to investigation and enforcement by the Federal Trade Commission (“FTC”). In compliance with the Privacy Shield Principles, we’re committed to resolving any complaints about the handling of your Personal Data as quickly and efficiently as we can, but if you’re not happy, you can lodge a complaint with the FTC.
California Privacy Rights: California Civil Code Section § 1798.83 permits users of Remember The Milk that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@rememberthemilk.com.
E.U. and Swiss Individuals: If you are a resident of the European Union or Switzerland and you are not satisfied with the outcome of your complaint as you submitted it to us, you have the right to lodge a complaint with your local data protection authority. Remember The Milk has also committed to refer unresolved Privacy Shield complaints to an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, you may visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint (free of charge). To facilitate fast and convenient resolution of complaints, you agree to participate in online dispute resolution through JAMS Online Mediation (Endispute).
You may also be able to invoke binding arbitration before a Privacy Shield Panel created by the U.S. Department of Commerce and European Commission, under certain conditions as detailed in the Privacy Shield (further discussed below).
What happens if we modify or revise this Privacy Policy?
We do reserve the right to modify, revise, or otherwise amend this Privacy Policy at any time and in any manner, but if we make any significant changes or otherwise change the way that we process your Personal Data, we’ll let you know via email or an in-app notification feature. We’ll also change the date this Privacy Policy was last updated at the top of this document. We will also post a prominent notification in the Remember The Milk web and desktop applications, alerting you to changes in, and relating to, the Privacy Policy.
What about the international transfer of Personal Data?
We are based in the United States. In other words, your Personal Data may be transferred from the location in which you reside to our physical location in the United States. It may also be transferred to third parties, as described above, located in the United States. The risks of transferring data outside of your jurisdiction to the United States include the possibility of data breaches and loss. However, as an appropriate safeguard, we’ve committed to the EU-U.S. and Swiss-U.S. Privacy Shield, as we discuss further below.
Do we collect any Personal Data from minors?
We do not allow use of Remember The Milk or any of our services by users under the age of sixteen (16), even users located in the EU. As such, we don’t collect, store, or otherwise use any Personal Data from any minors. If you are a parent or guardian, and you learn that your children have provided us with Personal Data, please contact us immediately. If we become aware that we have collected Personal Data from children without verification of parental consent, we will immediately take steps to remove that information from our servers.
Are we certified to the EU-US Privacy Shield?
We comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from EU and Swiss individuals, as described throughout this Privacy Policy. We have certified our commitment to the Privacy Shield Principles, as discussed below, to the U.S. Department of Commerce. If there is any conflict between the terms in this Privacy Policy, and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. More information about the Privacy Shield can be found at www.privacyshield.gov. Our Privacy Shield certification can be found at www.privacyshield.gov/list.
As described throughout this Privacy Policy, we adhere to the Privacy Shield Principles as follows:
- Notice: This Privacy Policy provides clear, concise, and transparent notice to our users regarding all of our data practices, including how we collect, use, process, and store Personal Data. This Privacy Policy also clearly describes how we disclose Personal Data to third parties, the purposes for which we do so, and your rights in relation to your Personal Data. As described further below, users are given choices and information about limiting the use and disclosure of their Personal Data, as well as information about how we can be contacted for any inquiries.
- Choice: If the Personal Data we collect, covered by this Privacy Policy, is to be used for any purpose materially different from the purposes described here, or disclosed to a third party that is not acting as our agent, in a manner other than as disclosed here, we’ll always give you an opportunity to opt-out of this materially different use or disclosure.
- Accountability for Onward Transfer: If we transfer any of your Personal Data to a third party acting as a controller of your information (in other words, a third party that is making decisions about the purposes of your Personal Data and the means by which they are processed) outside of what we’ve disclosed in this Privacy Policy, we’ll only do so after we get your explicit consent. We’ll also make sure that the third party controller only processes your Personal Data for limited and specific purposes as outlined in the explicit consent given, and that they’ll provide the same level of protection as consistent with the Privacy Shield Principles. If they can’t do this, we’ll ask them to notify us and then we’ll ensure they stop processing your Personal Data. For agents, we’ll make sure that they only process Personal Data for limited and specific purposes, and that they provide the same level of privacy protection that is consistent with the Privacy Shield Principles. Just like third party controllers, if our agents can’t do this, we’ll ask them to notify us so that we can take steps to stop the processing of your Personal Data. Regardless, however, we remain liable if one of our agents processes your Personal Data in a way that’s not consistent with the Privacy Shield Principles (unless we can clearly prove that we’re not responsible for that particular event or circumstance).
- Security: As we note in our section, “How do we store and protect your Personal Data?,” we take reasonable and appropriate measures to protect your Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Personal Data on the Internet.
- Data Integrity and Purpose Limitation: As we note in our section, “What is our legal basis for processing your Personal Data?”, we limit the collection of Personal Data to information relevant for the purposes of processing. We don’t process such Personal Data in a way that is incompatible with the purposes for which it has been collected or authorized by you. We take reasonable steps to ensure your Personal Data is reliable for its intended use, as well as accurate, complete, and current. We take reasonable and appropriate measures to comply with the Privacy Shield requirement to retain your Personal Data in an identifiable form only for as long as it serves the purpose of processing as outlined in this Privacy Policy, unless a longer retention period is required or permitted by law or by the Privacy Shield Principles. We will adhere to the Privacy Shield Principles for as long as we retain the Personal Data collected.
- Access: As described in our section, “What are your rights in relation to your Personal Data?,” you have the right to access your Personal Data, and to correct, amend, or delete it if it is inaccurate or has been processed in violation of the Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to your privacy, or where the rights of other people would be violated). To exercise any of these rights, you can email us at privacy@rememberthemilk.com.
- Recourse, Enforcement, and Liability: As noted above, our participation in the EU-U.S. and Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission in the United States. You also have the option of the independent recourse mechanism we describe above. Our section, “If you’re unhappy with the way in which we collect or process your Personal Data, how can you lodge a complaint?,” gives you all of the information that you need to know about recourse.
Because the Privacy Shield Principles are very important to us, and we want to remain certified, we periodically review and verify our compliance. In case any issues arise with our compliance, we’re committed to correcting them as soon as possible.