Privacy policy and information handling disclosure

Who we are

This is Line of Action, a DBA of Genly, INC. Our website address is: https://line-of-action.com. We are a for-profit web application focused on creating a community of art students and providing our members the tools to further their art-practice.

What personal data we collect and why we collect it

Profile information

When members fill in profile data, that data is typically visible publicly on their user profile. Any information we collect about you in this way shall be used in a manner in keeping with the spirit in which the information was provided. For example, if you enter biographical information about yourself on your profile, that information shall be displayed to other users when they visit your profile. It might also be published on or off the site if you agree to be part of a student spotlight, so that other artists can learn about you.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. Your profile picture is visible to the public in the context of your profile and any communications you undertake or postings you make on Line of Action. If you change your avatar on the Gravatar service, it may take up to a week for those changes to reach Line of Action.

Comments, direct messages and forum posts

When visitors leave messages on the site we collect the data shown in the posting form, and also the visitor’s IP address to help with spam detection.

Activity

When users access the site, we record their IP address to assist in spam and fraud prevention. These IP addresses are kept for a period of 3 months and then discarded.

The date and time a user last accessed the site is kept as part of that user's information. Only one such timestamp is recorded; accessing the site removes any previous "last usage" timestamp.

We save the date and time a user last changed their study goal. This is so that we can periodically ask users to review their goals and make sure they are up to date, for the highest quality learning experience that we can provide to them.

General usage of the study tools may be saved indefinitely in the form of seconds per day, as well as which tool was being used. For logged in site visitors, this data will be associated with their user account. For logged out site visitors, this data is saved anonymously, without identifying information about the user. This also allows us to provide members with information and encouragement regarding the study goals that they have set, as well as achievement badges. It also helps us assess the popularity of various study tools so that we can plan for improvements in the future or project bandwidth and other costs associated with providing and maintaining these tools.

Achievement badges

Achievement badges may be awarded to members based on their site activity, including length of time using the study tools, number of "reactions" to messages they have sent (ex. helpful or encouraging,) and other types of site usage.

These achievement badges may be visible to the public so long as the user account remains open.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website may be able to download and extract any location data from images on the website.

Contact forms

When visitors fill out the contact form, we collect the data shown in the form, and also the visitor’s IP address to help with spam detection.

Cookies

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist until you log out or until your cookies are cleared in some other manner. If you log out of your account, the login cookies will be removed.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, advertisements, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Billing

When you enter credit or debit card data, we save ONLY the brand of that card (e.g. Visa, Mastercard) and the last four digits of the card. This means we do not store enough information to actually charge the card. We only save enough to help both us and you identify the card that you are using for monthly membership payments (or other occasional purchases).

Your actual, billable credit card information never touches our server, and is instead stored by our secure billing partner Stripe. Please see "where we send your data" for more information on this.

Student ID

If you submit a photo of your student ID to us through our Student ID discount form in order to obtain discounts, we only save that photo for as long as it takes to review your submitted information and approve or deny your request for student rates. This review process is typically completed within 24 hours, but could take up to 7 days. The expiration date of the ID, if any, will be saved to your user account to indicate how long the student discount is valid. We may store the name of the school, but we store it anonymously; the name of the school is not connected to your user account in any way, publicly or privately, unless you have chosen to write it on your own profile. For our purposes, the name of the school goes onto a list of schools to give us an idea where in the world we're being used.

Once that manual review has been conducted, the image is marked for deletion, and typically fully purged from our systems in about 48 hours.

We encourage members to always use our student ID submission form for this purpose and not email if at all possible, as email data may or may not be purged.

Analytics

We obtain anonymized usage data for the site at large through the use of Google Analytics. No personally identifying information about you will be recorded. This helps us determine the general popularity of various parts of the site so that we can plan service improvements. It may also give us general insights about the success of advertising campaigns.

Opens of our newsletters, as well as clicks on links in our newsletters, may be recorded. This helps us determine the interest level of individuals subscribed to our newsletter.

How long we retain your data

If you leave a comment (including a forum or direct message,) the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

IP addresses that have been stored as part of site usage (rather than as part of the metadata of a comment) are kept for a period of 3 months and then discarded. This is to help us with spam, harassment and fraud prevention.

If you choose to delete your user account, messages that you have sent to others will remain on the site. This includes messages posted publicly, such as in the forums or on news posts. This is similar to how sending an email cannot be undone; the recipient of the message may keep it for reference or conversational continuity. This includes messages left on images, news or other blog posts, direct messages and in the forums.

Notes made by staff in a user's moderation/customer service log may be kept indefinitely.

If you have sold images through us for use in the study tools, those images cannot be removed after your first sale has been made, even if you close your user account.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

We do not view critiques or other messages you have provided to other users as personal information; however, your name may be removed from critiques and comments if you have also closed your user account with which you made those comments (if any.)

Who we share your data with

Line of Action staff members, such as administrators and moderators, can view data you provide to us or post on the site. Private information is held in confidence and not discussed outside of the staff.

However, anonymity is not a free license to mistreat other members. If a user creates multiple accounts, and makes use of those accounts to harass another member(s), we may inform the victim(s) that all the accounts were owned by the same person.

Announcements may be made about corrective action taken against an account and why, especially if the infractions were public. (ex. "So and so's account was closed and their IP has been banned, due to the harassing posts made yesterday.")

Any message sent using Line of Action may be reviewed by Line of Action staff. This includes direct messages, especially if we have any reason to suspect rule-breaking, harassment, law-breaking activity or other abuse of our service.

We never sell or trade your information to third-parties.

In the few and rare cases where information is shared with third parties, it is with the understanding that that information be used solely to assist us in providing you with the services associated with Line of Action. See "where we send your data" below for more on this topic.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

We make use of the email service Mailgun to send our newsletters and other announcements. If you have opted-in to our newsletter, we may sync some basic information about you to Mailgun to help us address our emails to you. Mailgun may not use or distribute this information for any reason other than delivering the emails from us to you. You may unsubscribe from our newsletter at any time to stop receiving these emails.

We use Stripe as our credit and debit card processor. Stripe offers safe, secure storage of credit card data. We may also share your name and email address with Stripe for the sole purpose of identifying payments made by you, to make it possible for us to look up charges to your account, double-check their accuracy, and refund them if requested. You may occasionally receive subscription receipts or notices about charges failing or your credit card expiration approaching. See Stripe's privacy policy here.

Your contact information

On rare occasions, we may use your provided contact information (email) to contact you off-site. This includes "transactional" messages (such as receipts,) notifications that you have requested (such as alerts about new posts in forum topics you have subscribed to,) and questions or notices regarding your account.

If you've entered links to social media sites on your public profile, site visitors may be able to find and contact you on those sites. Please use your best judgement about whether or not you wish to publicly share contact information.

Additional information

How we protect your data

Securing a website requires many different types of threats to be minimized and prepared for. This includes securing the website code, the server that the website is hosted on, and the transfer of data between the user's access device and our service. It also includes having appropriate data-handling policies in place and a culture of security for staff that must handle user data. We've made efforts to address all of these areas, and continue to educate ourselves on evolving best-practices and update our procedures or code accordingly.

All connections to the site are done via https:// with a valid third party SSL certificate to prevent attackers from "listening in" or changing data as it is sent between your computer and our server, and vice versa.

All passwords are stored using one-way encryption; not even the staff here at Line of Action can see your password. In addition, access to even the encrypted passwords is restricted to a very small number of staff members whose jobs absolutely require interacting with the database.

We have taken steps to shield all users from Cross-Site Request Forgery (CSRF) attacks through the use of identifying tokens at every step of submitting information or action requests to our site.

Our customer service procedures are written to require that when someone contacts us about an account, we may only discuss account information or provide password resets or other assistance with the email address associated with the account. If for some reason this is not possible, then other methods of identification must be provided. Simply telling us you no longer have access to your email account is insufficient, as anyone could tell us this. If a member is requesting assistance changing the email associated with their account, we will email the old email address first, in addition to asking for other methods of identification.

We keep our underlying software updated with all necessary security patches.

We have worked with the hosting company that owns the server that Line of Action is hosted on to ensure that our hosting server has been properly hardened against attackers, and have received assurances that if a security breach occurs on their end we will be immediately notified.

Your credit card data never touches our server and instead goes directly to Stripe's storage vault. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. See Stripe's security information.

In addition to our continued efforts to keep the site safe and secure, we urge our users to make use of good password hygiene practices, including not re-using passwords between different sites or accounts. This is one of the most important steps an individual can take to avoid losing control of more sensitive accounts, such as email and banking.

What data breach procedures we have in place

If we discover or suspect that a data breach has taken place, we will notify all potentially affected users as soon as possible, and no later than 24 hours after becoming aware of the data breach. This will allow potentially affected users to take immediate action to protect themselves such as by changing their passwords on any other site where they re-used their Line of Action password.

We will thoroughly investigate the breach or potential breach, and provide further updates to affected members should any new information of relevance come to light. We will also take corrective action to prevent a similar breach from re-occurring. However, these remedies will not delay our initial alert to members.

If we have a reason to suspect that an individual account has been compromised on the user's end (ex. having your laptop that was logged into our service stolen, having your password known or guessed by a jealous ex) we may initiate a password reset and contact the account owner.

What third parties we receive data from

We receive anonymized data from Google Analytics regarding where people are accessing the site from, what browsers and devices are used when accessing the site, what portions of the site see the most traffic, and durations of sessions. This information is not personally identifiable to you and instead gives us an "in general" data view about how the site is used over time.

Gravatar provides us with the images that have been associated with an email account, presumably by the email account owner. We use these provided images as user account avatars, assuming you do not override this by uploading one directly to our site.

What automated decision making and/or profiling we do with user data

The goals you set may cause us to give you different recommendations and tips in an effort to support your goals. For example, we may recommend different reading material, and show different in-class tips or "focus suggestions."

If you have not changed your practice goal in some time, our system may prompt you to review and update it. We hope that this helps keep your practice fresh and your progress steady.

If your critiques are routinely flagged as "discouraging," our system may alert the moderators to perform a review of your site activity to make sure it is in keeping with our community guidelines.

Other

You may also want to review the site terms and conditions.

Last updated 1/4/2019 - updated to more fully explain how student ID information is kept confidential, and to reflect our changes to email handling to reduce the amount of information gathered about members.