I’m currently working on a FOSS Discord bot. When I host an official instance of said bot, do I need a TOS and or Privacy Policy, or is a link to the license (in my case GPLv3) enough?
I live in Germany, if that makes a difference.
Definitely take this all with a grain of salt—I am by no means a legal expert, this is just my advice.
Privacy Policy
Required by law in Germany if you are collecting any sort of data about your users (even if it is being collected by a third party through your app, or if it is entirely anonymous data).
Data Processing Agreement
Required by law in Germany for the same reasons as the Privacy Policy. This agreement makes it clear how your users’ data is used.
Cookie Policy
Required by law in Germany if your application uses cookies of any kind (mostly applies to web app and web technologies)
Terms of Service
Highly recommended. This may protect you immensely if and when you end up in a legal situation down the road.
Other
Otherwise, you should look into these as well if applicable:
- EULA (if distributing your app to be run on someone else’s device)
- DCMA Policy (if you host and share any user-generated content)
- Return Policy (if you are selling anything)
These documents matter most if (1) there is money involved or (2) when you are receiving, processing, storing, or sharing user-submitted content or any data about your users. This is because you are less likely to end up in a legal mess if you’re not taking people’s money or data.
Starting out, you can find templates for these online. A template will be better than nothing at all. Then, if you are able down the road, you can hire a legal professional to write and review your documents for you. A legal professional might recommend more specific documents or different versions of the same document as well.
Not sure about Germany, but in the United States it’s fairly inexpensive to start an LLC. You can then put legal documents under that new entity instead of your own personal name. This can protect you and your own belongings from any unfortunate financial or legal situations.
Again, if you’re not receiving money or any user data, you don’t have to worry quite as much. However, it never hurts to play it safe. Mistakes happen and anyone can get sued.
tyvm! This helps a lot!
Just a quick note for the Privacy Policy, Data Processing Agreement and Cookie Policy: this EU law (GDPR) and is mandatory for all EU states. So its not specific to Germany.
Disclaimer: also Hobby person but did some more reading on that topic in the past. . Think about what those things are then decide:
The tos are your conditions: I as provider of this service will reserve the right to x. When a user does y I will do z. It’s cover your ass for businesses.
A privacy policy on the other hand might be required by law as soon as you process user data in any way. This is something that I would look into your jurisdiction and their requirements. I’d guess Germany is more on the formal side on things (clichés and everything)
In short: you don’t need a tos but most likely want one. You don’t want a privacy policy but most likely need one. :)
tyvm!
Code is not a human/lawyer readable policy, so if you access any sort of user data (and being a Discord bot that people interact with, you do), you’ll likely need one. At least for Discord’s legal purposes when you register the bot, I would assume.
Play Store also requires one even if it’s open-source. They just blanket require one even if it literally says “this app is a wallpaper and it doesn’t even have internet access nor collect any data”.
Big companies just can’t understand or picture that some apps are well behaved and don’t scrape every bit of data they can get their hands on.
Can confirm Discord requires a public-facing privacy policy at least for public bots. Can’t remember at what point I had to make one, but it is required for at least some cases.
IANAL either but do have a ToS. Like slapping, say, a GPLv3 on your code, a ToS defines what users are allowed to do with your service. Imagine if someone found a way to use your bot to steal users’ data, or harass people online, etc. - you’d be angry because they are not supposed to use your bot for that.
IANAL, and a bit unsure about the following information, but I think you do need a privacy policy if you process someones elses data(like for example their login data, private messages, etc) You may also need an Impressum when hosting the official website for the bot(germany specific, maybe look it up if you actually need to do this)
I dont think you need a TOS.
I do not need an imprint, since I do not make any money from my bot. (Imprint is only required, if the website / service has a profit intensive. Atleast thats the case in Gemany). You are probably right about the privacy policy though.
Tyvm for your comment
That’s not the correct criterion. There are multiple German laws that require imprint-style disclosures.
Some of them are indeed specific to commercial activities.
But the Impressumspflicht typically means §5 TMG which requires an Impressum for
geschäftsmäßige, in der Regel gegen Entgelt angebotene Telemedien
Rough English translation:
Telemedia offered in a business-like manner, typically for remuneration
Critically, “geschäftsmäßig” does not mean “commercial” or “profit-oriented”. In particular, nonprofit organizations also act geschäftsmäßig.
IANAL, but it doesn’t sound like your service wouldn’t be geschäftsmäßig.
All of this is irrelevant anyway because you very likely have to publish a privacy notice per Art 13 or Art 14 GDPR. This must include the identity and contact details of the data controller (i.e., you). The German data protection authorities expect that the identity includes your real name and a ladungsfähige Anschrift (address where you can be served), so pretty much exactly what would be included in an Impressum anyway.
Thank you for your comment.
Tbh, I dont see why my service would be geschäftsmäßig. I don’t collect donations, I don’t offer any way to pay me and I do not offer any telemedia in a business-like manner. Though I could not find a good definition for geschäftsmäßig, so if you found one, please link me to it.
About the GDPR: God damn it. I completely forgot about that. Thanks for bringing it to my attention. Though it is probably possible to use a P.O. box in order to not leak my home address.
I found an academic article (Vogel et al 2019) that analyses this phrase. Key points:
-
when the German legislator uses geschäftsmäßig, this demonstrates a clear difference in intention from gewerbsmäßig or gewohnheitsmäßig
-
the article quotes Franz von Liszt 1881, and this definition seems to be accepted to this day:
Die Gewerbsmäßigkeit charakteriſiert ſich einerſeits durch die auf öftere Wiederholung gerichtete Abſicht, andrerſeits durch die Abſicht des Thäters, ſich durch dieſe Wiederholung eine, wenn auch nicht regelmäßig oder dauernd fließende Einnahmsquelle zu verſchaffen […].
Die Geſchäftsmäßigkeit teilt mit der Gewerbsmäßigkeit die auf regelmäßige Wiederholung gerichtete Abſicht, dagegen fehlt die Abſicht, ſich eine ſtändige Einnahmsquelle zu eröffnen. Ob die einzelnen Handlungen honoriert werden oder nicht, iſt gleichgültig.
-
the term geschäftsmäßig is significant for §5 TMG, but has also reached wider attention in the discussion around the decriminalization of assisted suicide.
So the key defining aspect is the auf regelmäßige Wiederholung gerichtete Absicht, the intention directed towards regular repetition.
This meaning in legalese German is divorced from everyday language.
§ 5 TMG has the interesting construction of “geschäftsmäßige, in der Regel gegen Entgelt angebotene Telemedien”. So the TMG does not seem to care whether you have a profit motive, only that other people might provide this kind of service for a profit motive. If other people would provide instances of Discord bots in order to get donations, that might already bring you in scope.
This is not legal advice, but it seems like your options are to either avoid running an instance of the bot, only running it in a private context without access from a wider public, or sucking it up and providing the necessary documentation.
And no, it is probably not possible to use a PO box because you don’t live or work at that address. The general expectation seems to be for the address in an imprint to be ladungsfähig, so that you can be served there. This random lawyer’s website writes:
Unter der Anschrift in diesem Zusammenhang ist die Postleitzahl, der Ort, die Straße und die Hausnummer zu verstehen, nicht ausreichend ist die Angabe eines Postfachs.
Thank you. This is very helpfull.
I think I’ll have to sleep on this one.
It sucks that I have to dox myself in order to provide a free service, where I don’t receive any economic benefits. It doesn’t seem fair.
-
My experience is Australian, but given we have weaker laws than you, its probably the baseline experience.
If your bot is a very small bot, for personal use, no. But once you go over 75 servers, discord will require you to submit both a privacy policy and a terms of service.
They dont seem to care about the content of the docs, they just have to exist. There are tools to generate both docs. They serve a very different purpose to a licence, so that is not sufficient.
Removed by mod
What do you mean by this?
Many things in life come with legal, moral or financial requirements and obligations. The OP presumably wishes to know whether there are any that they might not yet have considered in their situation.
Removed by mod
We don’t need to presume anything, OP can speak for themselves.
Sure they can! Until they do, there’s my helpful take for the meantime.
But don’t take my word for it, you could also piece together their intent by them thanking all the other helpful responses in this thread that happen to elaborate on legal obligations 😄