Removing the content tag and adding the business tag.

@squeaktoy Thanks for making this issue. The team here want to ensure that we respond appropriately so we're working internally to get you a full response. Until then, stand by a lot of this seems a lot scarier than it actually is and we hope our response provides suitable information.

Clearing all assignees except me, I'll be running coms here.

Firstly, @squeaktoy, once again thank you for opening this issue, topics like these are challenging but having open discussions on them is the right thing to do. To this end we’ve prepared a response for you which I hope provides some clarification on the state of things and our plans for the future in this area.

I’d like to split your issues into a bulleted list to help structure the response. So to that end:

1. Issues with the “Intellectual Property Rights” Section 2 of the ToS
2. Issues with the “Do California Residents Have Specific Privacy Rights?” Section 12 of the Privacy Policy.
3. Other issues and Commentary

Intellectual Property Rights

This particular area of terms of services has been bothering lots of our community, which is understandable but I would like to explain what it essentially means.

In Resonite, you have the ability to submit a whole host of content and content types to our platform:

• Worlds
• Items
• Messages
• Avatars
• Pictures
• Music
• Video
• Etc.

In each of these cases you essentially hand copyrighted material(either by yourself or others) to us and say “please do something with it”. These are covered by the “Contributions” language.

As for submissions, these are more for support tickets, feedback(including your issue) and any text that you might send to us via email etc. When you “submit” content like this to us, we need the ability to use that content within our systems. For example, to implement a feature request we need the intellectual property for that feature request, otherwise we cannot implement it.

Due to the varied uses we need a variety of abilities. I’ll pick a few from the list in the Terms to explain.

Copy, Reproduce, Distribute, Store, Reformat

These are all operations we perform on any items, worlds, avatars etc that you give us in Resonite.

For example when you hand us an avatar, we reformat it to the Resonite Format, We Store it in our Database and in our Asset archive. As we have content delivery platforms in use we then copy that data to other locations in the world. Then when a user views your content, we distribute that data to other user’s computers.

Without these abilities, we wouldn’t be able to accept any content.

Publish, Broadcast, Retitle, Publicly Perform, Publicly Display, Translate, Excerpt

If you choose to publish a world to our world browser, or to make use of our public folder system then we need to do all of these things to make it appear and accessible to our users.

If you choose to speak to other users on the platform via the contacts tab, we publish and broadcast that data to the subjects of the message.

Without these abilities we wouldn’t be able to have public folders, a world browser and the contacts system. We’d probably also have to mute your microphone.

Incorporate, Derivative Works

Meta-data about your content such as Thumbnails, Tags, Size etc. Can be classified as incorporated and derivative works.

Advertising

When we want to showcase cool content on our platform to our users via social media, our twitch streams, YouTube videos etc. it can be classed as advertising. We therefore need this ability. Otherwise we’d have to never feature anything but our own content.

Sell, Resell

These two were accidentally left in the Terms of Service before publication. We currently do not sell or resell your content. However, features on our roadmap such as the Marketplace would allow users to sell their content on Resonite. As Resonite would handle the sales, we’d need this right.

I’m working on removing this from our ToS until we actually have that feature though to clear up the confusion here.

The Others

The other rights might sound drastic e.g. “Exploit” but they are really only designed to cover edge cases and other uses which might not be covered by other terms. It’s a sort of “catch-all” for any other uses that might come up.

A note on the ubiquity of these clauses

The licensing clause that we’ve just been talking about can be found on nearly every online platform’s Terms of Use. I don’t want to call out any particular platforms as that can be problematic but you should look at the Terms of Use for any of the social media, VR, Games, Email and Document platforms that you use. Search for License in them and you will find a similar set of language and abilities.

In some cases these platforms do a better job of explaining the intricacies here than we can and we’re always working to improve the language of these documents. The response to this issue is a part of that.

California Residents

As the internet grew so did the legislation around data privacy. The EU was the bigger, more notable one with the GDPR(General Data Protection Regulation) but following on from that many other countries and areas started creating their own regulations.

California is included in this and therefore we needed to add this section into our privacy policy as we have california residents in our user base.

The language in this section that you’re referring to does have some issues, we’ll aim to clean it up in the next revision. But to break it down, part of the California Regulations are that we must notify you if we have either sold(given data to a third party in exchange for money) or disclosed(transferred or allowed access to) data of California residents and if we have we must state what Category of data we have disclosed.

This is why the section highlighted is in two parts its:

• Selling
• Disclosing

As the statement says, we haven’t sold any data in the last 12 months, we’ve only been in operation for a week.

As for disclosing, the commercial part of this statement is probably where you’re getting the contradiction from. This isn’t a contradiction though.

If you read on through the next section I’ll be using the words “disclose” to explain each category’s data and why/how we disclose it.

A very important part of this list to note is that these are just categories of data. A category appearing does not necessarily mean that we are disclosing each item in the list. The categories are just defined by the regulations. It’s similar to how you might categorise business types or video games if we disclose any item in the category we have to list the category.

Data Categories

A Identifiers

We disclose your Account Name so that users can find and talk to you in and out of Sessions. It's included in the name plate above your head and in your user profile.

When you connect to another session in Resonite, we disclose your Internet Protocol Address so that that session knows where to send the data.

We also disclose your Email Address and in some cases your real name if you use our support ticketing system to 3rd party Support Agents. (Please see the note on third parties below).

B Personal information categories

We disclose your Name and contact information to 3rd Party Support Agents. Please see the note on third parties lower down).

C Protected classification characteristics under California or federal law

We store your Date of Birth in order to comply with our minimum account age requirement (16).

We on some occasions may disclose your Date of Birth to 3rd Party Moderation Agents Please see the note on third parties lower down).

D Commercial information

We store your patreon information such as how much you’ve contributed to our patron, and when etc. These are used to give you your patreon benefits.

We disclose these to 3rd Party Support Agents so they can assist you with any account linking issues. (Please see the note on third parties below).

F Internet or other similar network activity

This one is a sort of catch all for anything like “Browsing” so when you browse worlds, items, sessions etc within our systems we collect data in our server logs about you doing that. Things like “You searched for “Tutorial Worlds”” etc.

We disclose this to third parties because we tally up how many people have visited a particular world, this is displayed in the world orb.

G. Geolocation data

Our legal team deemed that IP Address could constitute Geolocation data as you can GeoLocate someone's approximate location from an address. So read above regarding IP Addresses.

H. Audio, electronic, visual, thermal, olfactory, or similar information

If you talk to someone in-game, we’re storing, processing and sending audio data. If you share a video or a screenshot it is visual data. These are all stored/processed by us and disclosed to people you send them to.

K. Inferences drawn from other personal information

Our legal team advised us to include this one as a user’s profile is drawn from multiple other categories. Your user profile contains for example a Profile Picture and an Account Name which are Categories A and K. In the future we’d like to expand the profile section to include more items that might be covered here too.

This data is disclosed to third parties when they search for your profile in the contacts screen.

Why aren’t we more explicit?

It’s very difficult to be explicit about what is and isn’t stored on a platform like Resonite. For any given user it is difficult to understand or predict what data we may or may not store on them.

Additionally being more explicit just lengthens these documents and makes them even more unreadable.

Therefore we choose to be generic while still meeting other requirements. If there are significant changes such as the marketplace we will overhaul the documents to ensure they’re up to that feature etc.

A note on 3rd Parties

Yellow Dog Man Studios s.r.o. Is incorporated in the Czech Republic. We have volunteers all over the world including in: Canada, America, Europe, Australia etc.

These volunteers all are classified as 3rd parties because they are not directly employed by Yellow Dog Man Studios in the Czech Republic.

Most of the Yellow Dog Man Studios team is included in this as although most of us own the company, we are not considered employees.

So if anyone, other than employees in the Czech Republic, respond to a support ticket, respond to a moderation ticket, investigate a crash log from you, investigate or read feedback from you(including your issue), then it’s a 3rd party data disclosure.

If this is to help us operate a business, for example helping you gain access to your account then it's a business purpose.

If this is to help us and you with your patreon benefits which you pay for then it's a commercial purpose.

When it comes to volunteers that have access to the information I just listed(support tickets, moderation tickets, backend systems etc), those volunteers all have NDAs and other legal contracts in place to protect your data.

We hope that this will improve with time with us being able to employ more people and therefore having less “3rd parties” but it's likely we’ll always have some amount of “3rd Party” Volunteers so this section will likely remain for a long time.

(Side note for volunteers reading, we really appreciate your work and love having you around. I apologise for the 3rd party wording in this area.)

Other Issues

You mentioned other issues in your response, if you have more concerns we’d love to hear about them. I hope the response above to the first two issues helped.

I like the response here, and it does a lot to reduce my fears from reading the privacy policy, but I still have some concerns. I don't think a perpetual license to:

"unrestricted, unlimited, irrevocable, perpetual, non-exclusive, transferable, royalty-free, fully-paid, worldwide right, and license to: use, copy, reproduce, distribute, sell, resell, publish, broadcast, retitle, store, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part), and exploit your Contributions (including, without limitation, your image, name, and voice) for any purpose, commercial, advertising, or otherwise, to prepare derivative works of, or incorporate into other works"

is strictly necessary to, for example, transmit my voice data from person (A) through Resonite (B) to person (C).

I can completely understand your need to reformat some data for transmission between clients.
I don't, however, think a catch-all for all types of data submitted, especially concerning a person's likeness is appropriate as a service agreement, and especially with a license to sell and create derivative works of a person's personal data.
To be clear, with 'personal data' I don't mean identifying information, but data dear (personal) to someone.

Notable here is 'prepare derivative works of'. If I create a persona for myself and I would like to use it on the Resonite services, I must give Resonite a 'perpetual license' to essentially use, modify, portray, sell and use for any purpose that persona, completely outside of my control. I do not see any provision to disagree with how that could be used and I can't reconcile the potential for harm that could arise. If this is not the case please modify the terms to show this.

This is especially concerning in regards to my real voice, information about my body, 3D avatars I might import, et cetera.

Even if you have no intentions to misuse the granted ablities, the potential for misuse that comes with 'exploit for any purpose' is not reconcilable.

You mentioned that many other social media companies have the same licenses. So, I've looked up the Facebook ToS for comparison.
https://www.facebook.com/legal/terms
For convenience, here is the link to the Resonite ToS.
https://support.resonite.com/policies/TermsOfService.html

I don't see any mention in the Facebook ToS of such a permissive license to use the personal data of its users.

I will cite their policy here:

[...]

Specifically, when you share, post, or upload content that is covered by intellectual property rights on or in connection with our Products, you grant us a non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content (consistent with your privacy and application settings). This means, for example, that if you share a photo on Facebook, you give us permission to store, copy, and share it with others (again, consistent with your settings) such as Meta Products or service providers that support those products and services. This license will end when your content is deleted from our systems.

The content will be retained for no longer than is necessary for the purposes for which it has been retained (the exact duration will vary on a case-by-case basis).

[...]

Content will not be deleted within 90 days of the account deletion or content deletion process beginning in the following situations:
where your content has been used by others in accordance with this license and they have not deleted it (in which case this license will continue to apply until that content is deleted);

[...]

Keep in mind, this is Facebook we're talking about, and despite that, I would be more willing to agree to their policy than this one.
They do state that sublicensees need to delete the data themselves in order for the license to fully terminate, but at least a framework is present and at least they make a guarantee that data stored is only stored for as long as it is necessary to serve a given function.

Your policy is less restrictive as to what you can do with my data than Facebook.

If I can make a suggestion, please do not use a cover-all policy wherever possible. Please be more explicit in how you process data.
Describe what is being used and in what ways it may only be used.

It's my responsibility to myself to assume that you will process my data in the most damaging way that can be interpreted, not the inverse, and reducing that will not only allow me to use your service worry-free, but make for a good reputation.

I completely trust the current team to make right decisions and not do anything bad with the copyright Resonite got granted, but if the platform goes under in the future and is sold to some other owner, all the content including personal avatars could get resold entirely legally, and not only in Resonite, but in all other platforms too, without giving any credit to original artist. I'm an amateur 3D artist, but imagine how damaging this would be to professional artists for whom 3D art is their livelihood.
I think there should be some protections for artists there too, especially for the scenario outlined above.

As said by Pell on Resonite Discord:

Deviantart and other services have had this figured out for a while. Their TOS have a few things I'm sure Resonite users would like to see:
You can revoke the rights by removing your content
They are pretty explicit about the rights only being used to provide a service, and do not eternally take commercial rights.

For a example of much nicer ToS that balance rights of artist with necessary permissions for the platform, take a look at how FA did it:

When you upload content to Fur Affinity via our services, you grant us a non-exclusive, worldwide, royalty-free, sublicensable, transferable right and license to use, host, store, cache, reproduce, publish, display (publicly or otherwise), perform (publicly or otherwise), distribute, transmit, modify, adapt, and create derivative works of, that content. These permissions are purely for the limited purposes of allowing us to provide our services in accordance with their functionality (hosting and display), improve them, and develop new services. These permissions do not transfer the rights of your content or allow us to create any deviations of that content outside the aforementioned purposes.

Another example is from Discord Tos:

Thanks for the feedback everyone, as described in my original post, I'm working on some updates. these will likely come in two chunks due to the complexity here:

1. Removal of "Sell" "Resell" and "exploit" from the Tos
2. Further research and implementation of Termination/delete based clauses.

Lots of the issues here are caused by that document largely needing to be in lawyer speak, we do have plans to make a human language version at some point but this needs to be saved for once the content is more stabilized as these items need to stay in sync.

These changes do take awhile as we have to run them around various flag poles and they require a huge amount of concentration. I'll keep this issue up to date.

Thank you for working with us on this.

2. Further research and implementation of Termination/delete based clauses.

Good termination and delete clauses would resolve my concerns. I believe that current Resonite team won't misuse the rights that ToS grants them, but my worry is about possiblity of the platform being sold or taken over in the future and then ToS being used for monetizing user content and personal data in horrible ways.

I've got the updates for my first chunk prepped and we're reviewing them as a team.

My first chunk is now live, you can read it here: https://resonite.com/policies/TermsOfService.html

With a changelog here: https://resonite.com/policies/Changelog.html

Thank you!
While this changes language to be less concerning, the meaning doesn't change at all. Would there be chance to add termination/deletion clauses like mentioned before?

As mentioned, the termination clauses are more complicated so require further research and a second update.

As mentioned, the termination clauses are more complicated so require further research and a second update.

That's understandable, especially since they would have to protect both artists (for example in the case platform gets bought/taken over and brutally monetized in the future), and Resonite platform - for example it should continue granting rights for promotional materials that were already created.

Thank you for the update and transparency about the whole process.

For an example of how good termination/deletion clause looks like look at VRChat ToS, "9.6. Deleting User Content".

I'm satisfied with the changes that were made as of October 18th, 2023.
I sent off a 'is this still worked on?' reply as the links above still link to the old policy, but I checked again and found the new policy here:
https://resonite.com/policies/TermsOfService.html
whereas the old policy is still here:
https://support.resonite.com/policies/TermsOfService.html#ip
I'd recommend adding a big banner to the top of the old one that redirects to the new one, so people don't get confused.

Thanks for listening!

Your second link should not even work, I'll dig into that.

I've removed the old policy files from your second link, if there are broken links anywhere let me know and I'll get them updated to point to our main policies page.

Thank you.

Since this was not resolved for such time, and my concerns were dismissed, I scheduled my account for deletion, so from my side this issue is resolved now.