TL;DR: Fly.io is now an active participant under the Data Privacy Frameworks that apply to customers in the EU, UK, and Switzerland. Huzzah.
This is about privacy policies (the boring contractual stuff): our overarching principles of “we want only as much data as is necessary to deliver our services to you, we want to keep that data safe, and we have no desire to sell or exploit that data” remain unchanged.
US/EU/UK/Swiss data protection history speedrun
In 1995 the EU’s Data Protection Directive came into effect. Under the Directive, personal data may only be transferred to countries outside the EU if the receiving country had similar levels of data protection. In 2000, the International Safe Harbor Privacy Principles established a method for US companies to be compliant with EU and Swiss privacy laws (basically, by agreeing to 7 privacy principles). All was good, for a time.
Jump ahead to 2015. Facebook is Facebooking and Snowden has done his thing. Attention turns back to the International Safe Harbor Privacy Principles and they’re tossed out. They’re replaced with the EU–US Privacy Shield which goes into effect in 2016 and is more-or-less immediately challenged. Switzerland follows close behind with the Swiss-U.S. Privacy Shield in 2017. Meanwhile, the Brexit machine grinds into action. Come 2018, the Data Protection Directive is formally replaced by the General Data Protection Regulation (GDPR) and, while technically still EU’d, the UK parallels the GDPR with their Data Protection Act 2018. 2020 comes, the UK is now outside the EU, and the EU-US Privacy Shield and the Swiss-U.S. Privacy Shield are both declared invalid. Things fall apart, the center cannot hold.
Come 2023 and the EU–US Data Privacy Framework is on the scene! Switzerland, (by virtue of not being in the EU), and the UK (having left the EU) want in on the party. So in addition to the EU-US Data Privacy Framework there is also the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. All is calm again…for now.
Which brings us to today
You can read all about the various DPF flavors here and look up Fly.io on the list to confirm we’re active. As a summary, here’s what we say:
- We’re covered under all 3 DPFs (EU-US, UK, Swiss) as of 9 August 2024
- We collect HR and non-HR data
- A summary of the what-and-why of the data we collect and how we use and share it (basically a rehash of Fly.io Privacy Statement · Fly Docs)
- For non-HR (e.g customer) data we have our
- Main privacy policy Fly.io Privacy Statement · Fly Docs
- DPF-specific privacy policy language Data Privacy Framework Privacy Policy · Fly Docs
- For internal HR and non-HR data, we have a policy on our internal wiki
- If you have questions or complaints you can contact me (!!)
- Your recourse mechanisms are, depending on where you’re located, one of:
Wait… HR data? Isn’t Fly.io a US company?
Under the DPF, HR data refers to personal data about employees, past or present, collected in the context of the employment relationship. Though we’re US-based, we have employees all around the world (check out our collection of flags).
What does this mean for me?
Are you outside the EU, UK, or Switzerland? Nothing. Otherwise, not too much: basically, you just have us stating in one easy-to-reference place that we agree to abide by the Framework, the details of what data we collect (and how it’s used and possibly shared), who you can ask questions of or complain to, and identified third-parties that you can escalate concerns to.