Dude, where’s your Privacy Policy?

Having just published an item concerning GDPR, this may be a good opportunity to pre-empt an obvious question and explain why RISCOSitory currently has no Privacy Policy published on the website.

The simple answer is that the site does not collect any personally identifiable information (with the exception of IP addresses in site logs, handled by the site’s hosting company). There are no user logins, so no visitor email addresses or other details stored, and the site does not store cookies on your computer. It does not need any of this, so does not collect or do any of it – and that’s all there is to it1.

However, there is also the sister domain to this one, RISCOSitory.co.uk, which is used to host RISC OS-related mailing lists. When you subscribe to a mailing list, you must provide an email address, because that’s pretty much fundamental to how the system works: any message sent by a subscriber to the list is then sent out to all the other members on the list. In addition, that email is then added to the list archive, and that email address will therefore also be present, but in a munged form.

There can be no real expectation of privacy on a mailing list because what you send to it, you are sending to any number of other people – so there is an onus on you to ensure you take care in that respect, and you should probably make a sensible choice about what email address or addresses you use – but there does need to be an official Privacy Policy developed for this site that would encompass the mailing lists, so one will appear as soon as possible.

The RISC OS Awards website, on the other hand, does collect data through the voting form (when it is live).

When a visitor casts a vote and submits the form, their IP address (and that of any proxy) is squirrelled away with their votes, and a name or email address if they chose to provide one. This is used purely at the processing stage to weed out duplicates, or superseded votes (a visitor can vote more than once, but it is always their final vote that counts).

Once the votes (and survey answers) have been suitably processed – even if they haven’t been fully processed to the point of publishing (i.e. the survey results for every poll since the first) – that personally identifiable data is no longer needed, and it gets deleted. This is explained at the bottom of the voting form, before the box in which an email address can be typed, which is in turn before the button that needs to be clicked to cast a vote.

For all intents and purposes that, right there, is the RISC OS Awards website’s Privacy Policy.

A more formal one should be written – but it will ultimately only say the above, but using many more words, and will be utterly boring to read. However, since the current poll will be closing this Saturday, after which no further data will be collected until the next one, it can wait. A proper Privacy Policy will appear at a later date, before the next poll takes place.


  1. It’s worth noting here that the same is also true of other sites owned and run by Soft Rock Software – so if anyone asks about those, I can point them at this post for the time being.

Related posts