Privacy Policy

Protecting your privacy is important to us. We hope the following statement will help you understand how our company collects, uses and safeguards the personal information you provide to us on our site.

We have several information systems running in parallel, and each deals with customer information differently. We describe our general policy, followed by the policies for each system.

Table of Contents

  1. General Policy
  2. Discussion Forum
  3. Automated Installs
  4. Custom Installs
  5. Update Notification System
  6. Bug Report System
  7. Commerce Systems
  8. Tori Photo Gallery
  9. Web server logs

Privacy Policy: General

  1. Describe how you handle consumer inquiries about their information or your privacy policy.

    Inquiries should be directed to Zoltan Milosevic.

  2. Describe how you will make changes to your privacy policy and where consumers should look to see if changes have been made.

    Any changes will appear here.

  3. Limitations

    This privacy policy contains forward-looking statements based on current intentions and business needs. Our policy is subject to change, and, under extenuating circumstances, customer data could be used in ways other than those outlined here. For example, if we were made aware of a security hole in one of our products, we might send notices to everyone listed in our customer logs, even though we normally don't contact customers in this way. We have a separate mailing list for product updates, but in such a case we may choose to risk offending a few customers in the interests of notifying everyone who might be affected.


Privacy Policy: Discussion Forum

Refers to the Discussion Forum running at http://forum.xav.com/

  1. Describe what information is being collected online.

    Each message in the forum will include the user's nickname and posted text. The user's IP address is recorded and is publicly viewable.

    The forum system gives users the option of creating a profile that includes name, email address, and other personal information. The optional profile information will be published by the system.

  2. Describe how you use or share the information you collect.

    Discussion forum threads are usually useful only to the participants and only for the short time that the discussion is going on. Non-participants generally have no interest in reading or using the data. However, for some threads in which new problems are solved, the information exchanged may be of general interest and therefore may be summarized for use in the Frequently Asked Questions documents. In these cases, only specific questions and answers are included in the FAQ, not the identities of those involved in the discussion.

    In cases of abuse -- for example, the posting of unlawful material -- we may share private information with law enforcement and/or third parties in the context of investigating or punishing the behavior.

  3. Describe how you store the information you collect.

    Actual messages in the Discussion Forum are saved indefinitely. Everyone who signs up for the email version of the forum and all web visitors are able to view and save any message for any length of time. We have no control over their use of the data. Therefore, only post if you don't mind everyone being able to read your comments now or at any time in the future.

    Note that users' email addresses are stored but not published by the system. Users who want to send email messages to other forum participants will be routed through the phpBB messaging system. This system ensures that no outsider has access to your email address.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    Participants are welcome to use fake names and are not required to enter an email address. Participants can contribute in "guest" mode without signing up for an account.

    All information sent to the Forum is considered in the public domain and may be modified and reproduced accordingly (for example, for the help files). If you would like your data treated differently, state this clearly in your messages. We will abide by your wishes, but others who have access to the data may not do so.

    When posting a message, participants can define a password which will allow them to edit or delete their message at a later time. We encourage all participants to use this option, but they should remember that the original text of each message may be saved by those monitoring the forum, even after the original post has been edited or deleted. If a participant has not defined a password or has lost it, we can be contacted to make edits and deletions on a case-by-case basis.

  5. Describe how you protect the information online.

    Discussion Forum data is stored in a non-web-accessible MySQL database on a dedicated server.

    Information like email addresses and profile passwords is kept safe in the MySQL database. The text of posted messages is also stored in the MySQL database, but it can be viewed by anyone who visits the forum.

    The integrity of data is not ensured, so it is possible to forge identities and to post inaccurate or misleading information. In practice these things have not been a problem.


Privacy Policy: Automated Installs

Refers to the auto-installer running at http://install.xav.com/

  1. Describe what information is being collected online.

    The installer prompts for the customer's website address, FTP credentials, and other miscellaneous details of the server configuration.

  2. Describe how you use or share the information you collect.

    We will only use this data for the purposes indicated: a computerized automated install. For successful installs, the final URL of the script, and only this piece of data, is logged. That data has never been used, but someday it might be used to track market penetration, the distribution of versions, and things like that.

  3. Describe how you store the information you collect.

    For successful installs, the final URL of the script, and only this piece of data, is logged. That data has never been used, but someday it might be used to track market penetration, the distribution of versions, and things like that.

    When the auto-installer is used to install third-party scripts (currently only James Marshall's CGI Proxy falls in this category), the log of successful install URLs is sent to the third party every month if they request it.

    No other data is stored.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    Customers always have the choice of changing their password before and after the install. Because of the small but non-zero risk of password exposure through packet sniffing or through somebody compromising our server and the installer code here, customers are encouraged to take advantage of this option.

    Customers can and should use the encrypted SSL version of the installer, available at https://www.xav.com/cgi-sys/cgiwrap/xav/install.cgi.

    All FTP server software records a log of every action taken by the user (each CD, GET, PUT, etc.). Customers who are concerned about sharing their FTP credentials are encouraged to request this log from their web hosting provider and review the traffic once the install is completed, to verify that the install only uploaded the appropriate files.

  5. Describe how you protect the information online.

    We protect customer data by not saving it on our system.

    In addition, the installer code runs under CGIWrap to prevent other accounts on our server from viewing or modifying its source code or the code of the software that it installs.


Privacy Policy: Custom Installs

Refers to our policy regarding customer data that is shared with us for purposes of completing a custom install. This policy also governs our handling of customer FTP credentials for debugging purposes.

  1. Describe what information is being collected online.

    We will request the customer's website address, FTP credentials, miscellaneous details of the server configuration, the customer name, and customer email address.

  2. Describe how you use or share the information you collect.

    We will only use this data for the purposes indicated: a custom install. For successful installs, the final URL of the script, and only this piece of data, may be logged. That data has never been used, but someday it might be used to track market penetration, the distribution of versions, and things like that.

    In the process of performing the install or debugging a problem, we may need to FTP to the customer's server and navigate through the folder structure to find which folder maps to the customer's web site. In rare cases where no combination of Perl settings will get our script to work, but where we can see another script in the same folder which does work, we will download that script so that we can check what it uses as its path to Perl. In other rare cases where we cannot set file permissions over FTP, we may attempt to ssh or telnet to the web server for purposes of running the setperms.sh script. Of course, if the customer prefers that we not take one of these steps, he should communicate that at the time of the install request, and we will not do it.

  3. Describe how you store the information you collect.

    For successful installs, we log the time, the final URL of the script, the version of the script, and we log the previous version of the script if it was an upgrade. That data has never been used, but someday it might be used to track market penetration, the distribution of versions, and things like that. Nothing is logged for unsuccessful installs.

    When a customer requests a custom install, the FTP username and password and other data will be sent to Zoltan Milosevic in email. All such emails are deleted immediately after the install completes, or within 72 hours, whichever comes first.

    No other data is stored.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    Customers always have the choice of changing their password before and after the install. Because of the small but non-zero risk of password exposure through packet sniffing or through somebody compromising our server and the installer code here, or through somebody compromising our email system, customers are encouraged to take advantage of this option.

    All FTP server software records a log of every action taken by the user (each CD, GET, PUT, etc.). Customers who are concerned about sharing their FTP credentials are encouraged to request this log from their web hosting provider and review the traffic once the install is completed, to verify that the install only uploaded the appropriate files.

    Please see also Guidelines on sending sensitive data

  5. Describe how you protect the information online.

    We protect customer data by not saving it on our system.


Privacy Policy: Update Notification System

Refers to the update notification system at http://www.xav.com/notify/.

  1. Describe what information is being collected online.

    The Update Notification system accepts the name and email address of users who wish to hear about product updates.

  2. Describe how you use or share the information you collect.

    Every few months, the Update Notification System sends an email describing product updates. Messages are concise and contain only product update information, with no advertisements.

    Names and addresses have not been, are not, and will not be shared or sold.

  3. Describe how you store the information you collect.

    We will store email notification lists indefinitely. We remove individual email addresses from the list at the individual's request or if mail to the address bounces.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    Customers may opt out of the Update Notification System at any time. In addition, after opting out, they may take the additional step of blacklisting their address so that it will never be added again.

    Users can opt out using the web-based form at any time. In addition, each message includes a personalized link that can be used to unsubscribe.

  5. Describe how you protect the information.

    All names and email addresses are stored in a secured file which can only be accessed by us.


Privacy Policy: Bug Report System

Refers to the bug report form at http://www.xav.com/bug.pl.

  1. Describe what information is being collected online.

    When an internal Perl error occurs in one of our scripts, the error will be trapped by an eval handler, and then a bug report form will be displayed. The form includes a description of the internal Perl error (e.g., "unmatched right bracket on line 3242") and a submit button whereby the user can send the error details to us. The error details will include: the URL of the error; the script name and version; the version of Perl running on the server; and a copy of all FORM variables at the time of the error.

  2. Describe how you use or share the information you collect.

    We use this information to try to track down platform-specific bugs. In addition, the submitted error description will run through a series of pattern matches to determine whether the bug being reported has already been isolated and fixed. If so, the visitor will be directed to the updated version.

    We receive approximately 10 to 20 error reports each day. The vast majority come from known bugs which have been fixed in the master versions, but which still occur on customer sites because their software has not been upgraded. When a report arrives from a new site, we will often visit that site and try to reproduce the error, which might involve entering various input into the script.

    In rare cases we encounter orphaned scripts, which are installed but are not being maintained. These scripts may still have blank or default administrative passwords. In these cases we will try to contact the site owner about the potential security hole, and if that fails, we may set the password to something tricky just to prevent access by bad people.

  3. Describe how you store the information you collect.

    The reports are deleted as soon as they have been investigated, usually within a few days.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    The bug reports can be generated by anyone who visits the script when it encounters an error. Sometimes this will be our direct customers, but most times it will be a visitor to our customer's web site. If the customer really doesn't want anyone submitting bug reports from their server to ours, they should remove the bug report form from the script (it is defined at the very bottom of the main script file).

  5. Describe how you protect the information.

    Bug reports are sent to us via email from the bug report form. No data is stored on our server. The emailed reports are deleted every few days.


Privacy Policy: Commerce Systems

Refers to the transaction providers we use: Digibuy.com; Clickbank.com; Paypal.com; and Yahoo! PayDirect.

  1. Describe what information is being collected online.

    The transaction provider (a trusted third party) will collect the customer's name, billing address, and payment information.

    Only the customer name, email address, and transaction record are shared with us. Payment information, like the credit card number, is not shared with us. Digibuy shares the customer shipping address and IP address with us, while the other providers do not.

  2. Describe how you use or share the information you collect.

    We use the customer's name and email address to generate a registration key and thank-you email, which we send to the customer within two or three days. We also use customer data in a statistical way to make charts of sales volume over time, and sales volume by region.

    We do not have control over what the transaction providers do with your data. Most are fairly well-behaved and publish their own privacy policies. Paypal.com will try to get customers to sign up with an account on their system, and may send follow-up email. Customers who wish to avoid that fate should not use Paypal.com.

  3. Describe how you store the information you collect.

    Commerce data will be stored forever.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    All customers are expected to provide a name and email address so that we can enter them into our billing system and generate a registration key. Customers can use fake names if they want, because we're cool with that.

    Payments can be made by direct wire transfer and by postal mail, bypassing the transaction provider and their information systems.

  5. Describe how you protect the information.

    All commerce logs are stored in secured files which can only be accessed by us.


Privacy Policy: Tori Photo Gallery

Refers to the Tori Photo Gallery at http://nickname.net/tori/.

  1. Describe what information is being collected online.

    Participants in the Dent Forum may share their screen name, photograph, and other information with other users.

    The IP address of those who post profiles will be recorded, but not shared as part of the public profile.

  2. Describe how you use or share the information you collect.

    Participants' information is published in their profile. We make no use of this information. The profile is accessible to the public and we have no control over how the public uses this information.

    If an inappropriate profile is posted -- i.e., using offensive language or images, or using screen names or photos of other members without their consent -- then the IP address of the original poster may be banned, and may be shared with other parties.

  3. Describe how you store the information you collect.

    By default, profile data will be stored forever. Individuals may request that their profile data be updated or removed.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    Participants may omit any information, other than screen name and photograph.

    Participants may update their information or delete their profile at any time, although this is a manual process on our end and may take a few days to complete.

    As mentioned before, the profile is accessible to the public and we have no control over how the public uses this information. If somebody gains access to your profile information, they may save the data separately, and future updates or deletions from our system will not take the information away from them. Therefore, please only post information if you don't mind everyone being able to see what you have to say, now or at any time in the future. Note that search engines may index your profile page and all data on it, including your name, and so people on the Internet who have never heard of the Dent Forum or the Photo Gallery might still find your profile data by searching on your name or other data fields.

  5. Describe how you protect the information.

    Profile data is not protected; it is available to anyone who wishes to access it.

    Furthermore, the integrity of data is not ensured, so it is possible to forge identities and to post inaccurate or misleading information. We will deal with these problems on a case-by-case basis.


Privacy Policy: Web server logs

Refers to the HTTP server logs for xav.com and nickname.net

  1. Describe what information is being collected online.

    The logs contain the IP address, browser, referrer, and file requested from all HTTP requests.

  2. Describe how you use or share the information you collect.

    Log data is used to track total software downloads, total referring sites, and bandwidth usage. Log data is not cross-referenced with personal identities.

    HTTP logs are saved indefinitely.

    User agents making certain request patterns (e.g., "GET /_vti_bin/") which appear to be hostile probes may be blacklisted from the site.

  3. Describe how you store the information you collect.

    HTTP logs will be stored forever.

  4. Describe the choices available to consumers regarding the uses of the collected information.

    All traffic is logged. Customers cannot opt out, but since the logging is anonymous, this shouldn't be a problem.

  5. Describe how you protect the information.

    All HTTP server logs are stored in secured files which can only be accessed by us.