Perhaps you’ve heard about the new General Data Protection Regulation (GDPR) that is set to start being enforced on May 25, 2018. This new set of regulations around data protection has defined new standards for how companies need to think about and protect the data that their customers have entrusted them with, and also the data that the companies themselves may have collected about their customers.
Hover has been preparing for GDPR for many months now, and the bulk of our work around GDPR compliance is done. While we’ve started to release some of the new features and systems, not everything you read about here is in place just yet. We’ll be rolling things out over the next few weeks to assess the impact that some of these changes will have and make adjustments as required.
We ALL deserve privacy protections
It’s been our longstanding belief that privacy shouldn’t be a paid feature or something that was only available to some of our customers. That’s why we’ve always included WHOIS privacy for no additional cost for any TLD that allows it.
With that in mind, we made the decision very early on that we would extend these new privacy protections to all of our customers and not just those in the EU. It just makes sense to provide equal protections to all customers regardless of where they happen to live.
Hover already had very good policies and processes in place to protect the data of our customers, but we took the opportunity to review pretty much everything we do. We recognized that we could do an even better job to further strengthen things in some areas.
We looked at our databases and, for each data element we store, we made a determination whether it was personally identifiable and also whether we really needed to collect it. As a result, we identified a number of pieces of personal information that we thought we could do without.
Earlier this year, we made it possible for you to delete your billing information, secondary email address and default WHOIS contact. We also delete that information automatically when an account is deemed inactive to ensure that we’re not storing information we don’t need in the event someone is no longer a customer.
Ensuring we are protecting your personal data was a big part of our efforts and we’re proud of what we’ve built. Domain registrars have a fair bit of information about their customers just because of how domain registrations work and while we have an obligation to collect data on behalf of the registries for the domains you register, we also have an obligation to you to be exceptional stewards of that data.
We looked at how the Hover Administration area worked and realized that we could tighten up the display of customer personal information a bit more.
We already have a policy and system in place that requires a ticket number, a reason and an emailed PIN verification from a customer before we will do anything at their request in their account.
Going forward, we’ll collect very specific consent from you for whatever access you wish to allow, and without it the support agent simply won’t be able to view your personal information or access your account.
Our Support staff and other employees of Hover with Admin accounts will no longer be able to see personal data (name, email address, billing information) about any of our customers without the specific, time-limited consent of that customer. That consent lasts for seven days and can be revoked at any time.
Before a support agent can sign into a customer account or a mailbox purchased from Hover to offer support, we’ll require the same specific, time-limited consent of that customer. If you have an active consent agreement, you’ll be able to view the specifics in your Hover account and revoke our access prior to the expiry, if we’re done helping you out.
As you might expect, there are overrides to these consent requirements for certain members of our team to handle things like fraud investigations or to deal with any cases where the account owner is unable to provide consent through the email consent system.
The ability to override consent is very tightly controlled and only available to those staff members who have a demonstrated need to have it. Additionally, those actions require a specific reason to be provided by that staff member each and every time they use the function.
All overrides are added to an audit log so we can monitor and ensure that the only time anyone from Hover is viewing your information or accessing your account is when you’ve allowed it or when an authorized and trusted employee has a very good reason to do it without asking you first.
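The consent-gated access model described above, as an added example sketch rather than Hover’s own code: a seven-day, revocable consent per customer and scope, an override path limited to override-capable staff that refuses to proceed without a reason, and an audit log that records every override. The scope names, agent roles and the T0 timestamp are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONSENT_TTL = timedelta(days=7)  # consent lasts seven days, as the post describes
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Consent:
    customer_id: str
    scope: str  # hypothetical scope names, e.g. "view_pii" or "account_signin"
    granted_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        # Usable only until it expires or the customer revokes it.
        return not self.revoked and now < self.granted_at + CONSENT_TTL


@dataclass
class Agent:
    name: str
    can_override: bool = False  # only staff with a demonstrated need


class AccessGate:
    def __init__(self) -> None:
        self.consents: dict[tuple[str, str], Consent] = {}
        self.audit_log: list[dict] = []  # every override lands here

    def grant(self, customer_id: str, scope: str, now: datetime) -> None:
        # A new grant replaces any earlier one and restarts the seven-day window.
        self.consents[(customer_id, scope)] = Consent(customer_id, scope, now)

    def revoke(self, customer_id: str, scope: str) -> None:
        if (customer_id, scope) in self.consents:
            self.consents[(customer_id, scope)].revoked = True

    def authorize(self, agent: Agent, customer_id: str, scope: str,
                  now: datetime, reason: str = "") -> bool:
        consent = self.consents.get((customer_id, scope))
        if consent and consent.is_active(now):
            return True  # the customer allowed this access
        # Override path: only override-capable staff, a reason is mandatory
        # every time, and the override is always written to the audit log.
        if agent.can_override and reason.strip():
            self.audit_log.append({"agent": agent.name, "customer": customer_id,
                                   "scope": scope, "reason": reason.strip(),
                                   "at": now.isoformat()})
            return True
        return False
```

Denied requests are not logged here; a production deployment would record those too, since an unexpected volume of denials is itself a useful signal.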
We ask for your help and patience!
These new data protection measures have the potential to have the greatest impact on our ability to provide effective support. They add some complexity to support interactions, as we’ll need to collect consent from you before we start to help you out.
We’re gradually rolling out these changes over the next few weeks and we ask for your patience and assistance as we figure out what the specific impacts will be on our ability to provide our usual high level of customer support.
We think that the data protection these measures provide is worth that extra effort, both for us and especially for you. Please help us out by being active participants in these new processes.
Consent to share data with third parties
Like many businesses, we use third-party services to help us provide a great experience to our customers. These include great companies and services like Braintree (payments), Zendesk (customer support portal and ticketing), Mailchimp (email marketing), Mandrill (transactional emails) and Tucows/OpenSRS/Enom (domain registrations and also our parent company).
Some of the data we collect and also share with these companies is deemed “required” (like billing information), while other data is “optional” (like your phone number, which we use to send two-factor auth SMS messages).
For required data that we need to collect and share to do business with you, we’ll clearly tell you what we collect, why, who we may share it with and for what reason.
Soon you’ll see an updated Terms of Service and clear consent declarations about what that data is, why we need it and who it might be shared with during the account creation process. We’ll pull out and highlight important sections to ensure you know exactly who we share your data with and why.
Over the next few weeks, we’ll begin displaying this information on the new Privacy tab in the Account Settings area of your account that we’ve started rolling out to all customers this week.
For optional data we’ll make sure you know what’s happening and help you make an informed choice.
An example of this would be if you decide to subscribe to our mailing list, which involves sending your email address to Mailchimp (our marketing email provider). You deserve to know who we are sending your data to, exactly what is sent, and why. In all cases, we start from a non-consenting state and require that you indicate positively that you understand and consent to the optional sharing.
If you’ve made a decision to share optional data, you’ll be able to review those choices on your Privacy page and see a list of exactly what data is shared, with whom and why. Naturally, you can change your mind at any time; we’ll make sure you know how to do that and also ensure that your data is removed from any third party as quickly as possible.
Stay in touch and stay informed
The bulk of the work is done and is currently being rolled out to all customers. But we still have some finishing work to do leading up to May 25, 2018, the date when enforcement of GDPR takes effect. Areas like the new Privacy page will start with some data, and additional information will be added over the next few weeks.
We’ll provide further updates via the Hover blog and our newsletter, and of course we’re interested to hear from you if you have any concerns or comments.