Add Scryfall to CSP whitelist
Open, Normal, Public

Description

I plan to use the card images hosted on Scryfall in my wiki to provide a visual reference in addition to the card text provided by their API.

  • Is the site equipped with a privacy policy? Yes
  • Does the site attempt to comply with the GDPR? Can European Union inhabitants invoke their individual rights? Yes, see above
  • Does the site provide a list of personal data being collected by using the service? Yes, see "Analytics Data" in page linked above
  • Is the website owner known to have a bad reputation regarding privacy? No
  • Can wikis use the external service, even if the visitor wants to deny any cookies or other form of tracking? Yes
  • Will wikis stay usable, even if the visitor blocks the external resource by using an ad blocker? Yes
  • Is there a Data Protection Officer and/or Privacy Team that can be contacted by Miraheze? Company is very small, so it seems like they don't have a dedicated person/team for that. Their general support can be contacted here
  • Is the site equipped with a security policy? There is a brief section about security in their Privacy Policy
  • Does the site clarify their security measures to protect collected user data? Can the site assure measures are being taken to protect code injection into the loaded external resources? The site is hosted on Heroku, and is subject to their security practices
  • Is the website owner known to have a bad reputation regarding information security? No
  • Is there a Chief Information Security Officer and/or Security Team that can be contacted by Miraheze? No specific person/team for this, but support can be contacted.

Event Timeline

Artillect updated the task description.
Reception123 triaged this task as Normal priority. Jan 1 2023, 13:59

Regarding GDPR compliance, I don't see any explicit mentions of it. Yes, you can delete your data, but there still doesn't seem to be any clear compliance with the GDPR or any similar laws, since it is a US-based company.

Ah, you're right. Since the website's data is hosted through Heroku Postgres, which does have a commitment to GDPR compliance, I assume they would comply with the GDPR, but I understand if the lack of an explicit mention of it is an issue. What do you suggest I should do here? Should I contact them and ask about GDPR compliance?

Contacting them would probably be a good idea. As long as there is GDPR compliance I'd be fine with approving on my end and letting Trust & Safety review.

@Reception123 I can contact them myself if you want.