Rubric completed

rubric/account-deletion.toml

@@ -0,0 +1,26 @@
+category = "handling"
+slug = "account-deletion"
+text = "Does the service allow you to permanently delete your personal data?"
+notes = ["Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as \"permanently deleted\" and satisfies the parameters for this question."]
+points = 5
+
+[[options]]
+id = "no"
+text = "No"
+percent = 0
+
+[[options]]
+id = "yes-contact"
+text = "Yes, by contacting someone"
+percent = 60
+
+[[options]]
+id = "yes-automated"
+text = "Yes, using an automated mechanism"
+percent = 100
+
+[[options]]
+id = "na"
+text = "N/A"
+description = "The service doesn't collect any personal information."
+percent = 100

rubric/behavioral-marketing.toml

@@ -0,0 +1,25 @@
+category = "handling"
+slug = "behavioral-marketing"
+text = "Does the policy allow personally-targeted or behavioral marketing?"
+notes = []
+points = 10
+
+[[options]]
+id = "yes"
+text = "Yes"
+percent = 0
+
+[[options]]
+id = "yes-opt-out"
+text = "Yes, but you may opt-out"
+percent = 35
+
+[[options]]
+id = "yes-opt-in"
+text = "Yes, but you must opt-in"
+percent = 70
+
+[[options]]
+id = "no"
+text = "No"
+percent = 100

rubric/data-breaches.toml

@@ -4,6 +4,17 @@ text = "Does the policy require users to be notified in case of a data breach?"
 notes = ["Note that all companies operating in the EU are subject to [Art. 33 of the GDPR](http://www.privacy-regulation.eu/en/article-33-notification-of-a-personal-data-breach-to-the-supervisory-authority-GDPR.htm), which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it."]
 points = 7
 
+[[options]]
+id = "no"
+text = "Not necessarily"
+percent = 0
+
+[[options]]
+id = "eventually"
+text = "Yes, eventually"
+description = "Users will be notified in case of a data breach, but within an unspecified amount of time."
+percent = 70
+
 [[options]]
 id = "yes-72"
 text = "Yes, within 72 hours"
@@ -14,14 +25,3 @@ id = "na"
 text = "N/A"
 description = "The service collects so little personal data that notification would not be possible."
 percent = 100
-
-[[options]]
-id = "eventually"
-text = "Yes, eventually"
-description = "Users will be notified in case of a data breach, but within an unspecified amount of time."
-percent = 60
-
-[[options]]
-id = "no"
-text = "Not necessarily"
-percent = 0

rubric/data-collection-reasoning.toml

@@ -0,0 +1,32 @@
+category = "collection"
+slug = "data-collection-reasoning"
+text = "Is it clear why the service collects the personal data that it does?"
+notes = []
+points = 10
+
+[[options]]
+id = "no"
+text = "No"
+percent = 0
+
+[[options]]
+id = "somewhat"
+text = "Somewhat"
+percent = 30
+
+[[options]]
+id = "mostly"
+text = "Mostly"
+percent = 70
+
+[[options]]
+id = "yes"  
+text = "Yes"
+percent = 100
+
+[[options]]
+id = "na"
+text = "N/A"
+description = "The service doesn't collect any personal information."
+percent = 100
+

rubric/law-enforcement.toml

@@ -0,0 +1,38 @@
+category = "handling"
+slug = "law-enforcement"
+text = "When does the policy allow law enforcement access to personal data?"
+notes = ["Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as \"permanently deleted\" and satisfies the parameters for this question."]
+points = 5
+
+[[options]]
+id = "always"
+text = "Always"
+description = "This includes cases in which law enforcement either runs the service or has a known backdoor into (or relationship with) the service."
+percent = 0
+
+[[options]]
+id = "unspecified"
+text = "Not specified"
+percent = 0
+
+[[options]]
+id = "reasonable"
+text = "When reasonably requested"
+percent = 60
+
+[[options]]
+id = "strict"
+text = "Only when required by a court order or subpoena"
+percent = 80
+
+[[options]]
+id = "na"
+text = "N/A (no personal data to share)"
+description = "The service would have no personal data to share with law enforcement."
+percent = 100
+
+[[options]]
+id = "never"
+text = "Never (special legal jurisdiction)"
+description = "The service operates in a jurisdiction in which sharing data with law enforcement is never required."
+percent = 100

rubric/noncritical-purposes-control.toml

@@ -0,0 +1,31 @@
+category = "collection"
+slug = "noncritical-purposes-control"
+text = "Does the service allow the user to control whether personal data is used or collected for non-critical purposes?"
+notes = ["Some services allow users to opt-out or opt-in to of non-critical collection or use of personal data, such as collecting data for personalized advertisements."]
+points = 10
+
+[[options]]
+id = "no"
+text = "No"
+percent = 0
+
+[[options]]
+id = "opt-out-some"
+text = "On an opt-out basis, but only for some non-critical data/uses"
+percent = 30
+
+[[options]]
+id = "opt-out-all"
+text = "On an opt-out basis, for all non-critical data/uses"
+percent = 60
+
+[[options]]
+id = "opt-in"
+text = "On an opt-in basis"
+percent = 60
+
+[[options]]
+id = "na"
+text = "N/A (no data used for non-critical purposes)"
+percent = 100
+

rubric/personal-data-list.toml

@@ -0,0 +1,34 @@
+category = "collection"
+slug = "personal-data-list"
+text = "Does the policy list the personal data it collects?"
+notes = []
+points = 10
+
+[[options]]
+id = "no"
+text = "No"
+description = "The policy does not claim to not collect personal data, but it also doesn't provide any meaningful insight into the types of personal data it collects."
+percent = 0
+
+[[options]]
+id = "summarily"
+text = "Only summarily"
+description = "The policy uses overly vague language to provide a summary of the types of collected personal data."
+percent = 30
+
+[[options]]
+id = "generally"
+text = "Yes, generally"
+description = "All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data)."
+percent = 70
+
+[[options]]
+id = "exhaustively"
+text = "Yes, exhaustively"
+description = "All types of collected personal data are listed specifically"
+percent = 100
+
+[[options]]
+id = "na"
+text = "N/A (no personal data is collected)"
+percent = 100

rubric/security.toml

@@ -23,17 +23,17 @@ percent = 60
 [[options]]
 id = "yes-audits"
 text = "Yes, including audits"
-description = "The policy provides only a very vague overview of its security practices."
-percent = 75
+description = "\"Reviews,\" \"monitoring,\" etc. also count as audits."
+percent = 80
 
 [[options]]
-id = "na"
-text = "N/A"
-description = "The service doesn't collect any personal information."
+id = "yes-independent-audits"
+text = "Yes, including independent audits"
+description = "Independent \"reviews,\" \"monitoring,\" etc. also count as independent audits."
 percent = 100
 
 [[options]]
-id = "yes-independent-audits"
-text = "Yes, including independent audits"
-description = "Independent 'reviews,' 'monitoring,' etc. also count as independent audits."
+id = "na"
+text = "N/A"
+description = "The service doesn't collect any personal information."
 percent = 100

rubric/third-party-access.toml

@@ -0,0 +1,39 @@
+category = "handling"
+slug = "third-party-access"
+text = "Does the service allow third-party access to private personal data?"
+notes = [
+"""This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a [plethora](https://en.wikipedia.org/wiki/Google_Analytics#Privacy) of user information).
+
+Note that whether the policy allows sharing aggregated user data does not affect this question.
+
+If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).
+
+If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question)."""
+]
+points = 10
+
+[[options]]
+id = "yes-unspecified"
+text = "Yes"
+description = "The policy allows sharing personal data with third-parties (not just critical service providers), and does not explicitly list the third-parties."
+percent = 0
+
+[[options]]
+id = "yes-specified-noncritical"
+text = "Yes, all parties specified (including non-critical service providers such as advertisers)"
+percent = 30
+
+[[options]]
+id = "yes-unspecified-critical"
+text = "Yes, not all parties specified (but only to critical service providers)"
+percent = 70
+
+[[options]]
+id = "yes-specified-critical"
+text = "Yes, all parties specified (only to critical service providers)"
+percent = 80
+
+[[options]]
+id = "no"
+text = "No"
+percent = 100

src/templates/pages/index.hbs

@@ -16,13 +16,13 @@
 
   <hr class="h-16 sep">
 
-  <div class="grid gap-6 md:hidden">
+  <div class="grid gap-6 sm:hidden">
     {{#each (first featured 3) as |product|}}
     {{> includes/card product=product }}
     {{/each}}
   </div>
 
-  <div class="hidden grid-cols-3 gap-6 md:grid">
+  <div class="hidden grid-cols-2 gap-6 md:grid-cols-3 sm:grid">
     {{#each featured as |product|}}
     {{> includes/card product=product }}
     {{/each}}