Last updated Dec 16, 2019

What is Personal Data and Why Does It Matter?

GDPR compliance and badging only apply to public Power-Ups. Public Power-Ups need only poll the /1/plugins/ route to stay compliant.

Trello is committed to compliance with the General Data Protection Regulation (GDPR). The regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

Because Trello provides access to a user's personal data via our API and platform, when a user makes a request to Trello to be forgotten, it is Trello's responsibility to pass that request along to third-party applications storing the data so that the applications can also respect the user's request.

Personal data (PD) is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data, such as these fields from Trello's API and Power-Ups Platform: email, avatar, username, full name, and bio.

If your Power-Up stores any personal data, you'll need to read through this page to understand the requirements we've set out for you to be in compliance with our policies and practices regarding GDPR and users' right to be forgotten.

If your Power-Up or application doesn't store personal data, then all you need to do is register to let us know! You can skip ahead to the registration section.

Storing personal data for your application may be unavoidable. If this is the case, you will need to follow the requirements outlined below in PD Storage Compliance Requirements.

Best Practices

Ideally, your application doesn't need to store PD. Instead, it should make requests to the API at time-of-need and use the response from the request to display the necessary data to the user. By using the data straight from the API, you won't be responsible for meeting compliance requirements for storing PD and you'll always have the most up-to-date information for the user.

Additionally, you should be refreshing user data frequently and at minimum every 30 days. This ensures that you always have the most up-to-date information about a user. Any data about the user that has changed or that you no longer have access to should be deleted.

PD Storage Compliance Requirements

If your public Power-Up stores personal data outside of Trello for more than 14 days, you must comply with the requirements outlined in this section.

Overview

There are three parts to complying with Trello's data storage policy. Simply put, they are:

  • Registration: Register whether or not you are storing PD.
  • Polling: Poll at least every 14 days for Right to be Forgotten and Right to Rectification notifications.
  • Badging: We'll show users whether or not you are in compliance.

A more in-depth overview:

Registration: When creating/updating a Power-Up in the admin portal, you will be prompted to answer whether your Power-Up stores personal data or not. If it does store personal data, you must provide the API key your Power-Up uses.

Polling: When a Trello user requests their account to be deleted and forgotten, or when they have updated their profile information, Trello will make that user's member ID available via an API. Power-Ups should regularly poll for member IDs; when they detect the ID of a member for whom they are persisting data, any data associated with the user should be deleted. Power-Ups that are registered as storing personal data are expected to poll the compliance API at least every 14 days to determine whether there are users whose data should be forgotten or whose member profile information should be updated.

Badging: When a user is shown information regarding the application, for instance, when a user is prompted to enable a Power-Up, those Power-Ups that have polled regularly will include copy on the prompt indicating as much. Those who have not polled appropriately will be shown to not be in compliance with Trello's data policies.

Registration

In the Power-Up Admin Portal (https://trello.com/power-ups/admin) you will be prompted with the following:

Does your Power-Up store any Trello customer personal data?

Personal data is any data that can be used directly or indirectly to identify a user such as a Trello user’s avatar, email, username, full name, bio, and locale.

You should select the box appropriate to what your application does. Failure to register whether an application stores PD will result in the application being considered not in compliance.

If your Power-Up does store personal data, you must register the API key used to access the Trello API. You will use the API key's secret when polling.

Compliance Polling API

/1/applications Polling Route Deprecated

If you are currently also polling /1/applications/{key}/compliance/memberPrivacy, this is no longer required, and the route may be deprecated and removed at some point in the future.

Public Power-Ups must poll the /1/plugins/{idPlugin}/compliance/memberPrivacy route, supplying their API secret, at least once every 14 days to remain in compliance.

There is a single compliance route for public Power-Ups that accepts since and limit query parameters. It returns records that include IDs for Trello Members that have been deleted as well as notifications for members who have updated their profile. The route returns the records in ascending order by date and returns a maximum of 1000 records.

Power-Ups Compliance API

The Power-Ups compliance route is located at: /1/plugins/{id}/compliance. It accepts both the since and limit query parameters. It requires that the secret belonging to the registered API key be included as a query parameter. The secret is the same as the OAuth secret and can be found at the bottom of the app-key page.

An example request to poll on behalf of the plugin with ID 5a3972294816f458a0451dd4 looks like this:

curl "https://api.trello.com/1/plugins/5a3972294816f458a0451dd4/compliance/memberPrivacy?limit=2&since=2018-10-22%2000:59:01Z&secret=d818d7a1cb6d8c89210e1b02533f100ze6b372e50dd7a1cb0f3b49c48"

And the response:

[
  {
    "id": "5bce1f1a46e91b8d13738bf4",
    "date": "2018-11-11T21:19:57.671Z",
    "event": "accountDeleted"
  },
  {
    "id": "5be535b7362ce488fde19961",
    "date": "2018-11-11T21:21:00.795Z",
    "event": "accountDeleted"
  },
  {
    "id": "5b575b205f34f90c743e8e04",
    "date": "2019-04-04T21:48:36.811Z",
    "event": "tokenRevoked",
    "identifier": "Server Token"
  },
  {
    "id": "5b575b205f34f90c743e8e04",
    "date": "2019-04-05T02:03:32.520Z",
    "event": "accountUpdated",
    "alteredFields": ["bio"]
  },
  {
    "id": "5b575b205f34f90c743e8e04",
    "date": "2019-04-06T10:48:36.111Z",
    "event": "tokenExpired",
    "identifier": "Matt's App"
  }
]

There is a maximum of 1,000 records returned from the route. The since and limit params can be used to page through the results, if needed.

The response from the API includes the time at which each event took place. This date value can be used as the value for the since query parameter. This allows you to filter the response to a time window smaller than 14 days. Any value more than 14 days in the past will be ignored and the last 14 days' worth of data will be returned.

Special Polling Rate Limit

The polling route is rate limited differently than the standard API. To protect Trello's infrastructure and encourage good practices this route is limited to 6 requests per minute.

Please do not poll more frequently than once every 10 seconds or you will receive a 429 error response.

Paging Example

Let's imagine that we wanted to get only two records to process at a time. We would use both the since param and the limit param to page through the results. Our initial request would be:

curl "https://api.trello.com/1/plugins/5a3972294816f458a0451dd4/compliance/memberPrivacy?limit=2"

This gives us the two oldest records:

[
    {
        "id": "5bce1f1a46e91b8d13738bf4",
        "date": "2018-11-11T21:19:57.671Z",
        "event": "accountDeleted"
    },
    {
        "id": "5be535b7362ce488fde19961",
        "date": "2018-11-11T21:21:00.795Z",
        "event": "accountDeleted"
    }
]

We can use the date for the last result to get the next page of results:

curl "https://api.trello.com/1/plugins/5a3972294816f458a0451dd4/compliance/memberPrivacy?limit=2&since=2018-11-11T21:21:00.795Z"

And that will get us the next page of results:

[
    {
        "id": "5be535b7362ce488fde19961",
        "date": "2018-11-11T21:21:00.795Z",
        "event": "accountDeleted"
    },
    {
        "id": "5be8973b791d0d5cca9c789a",
        "date": "2018-11-11T21:27:02.904Z",
        "event": "accountDeleted"
    }
]

If you are paging through responses, you should de-duplicate records. In our example above, the record for member ID 5be535b7362ce488fde19961 occurs twice.

Events and Expected Actions

The following four event types are returned from the compliance polling route: accountDeleted, tokenRevoked, tokenExpired, and accountUpdated. As a developer, you should take specific actions in your systems based on the event types. Below we'll outline the purpose of each event and the action we expect you to take.

| Event Name | Expected Action |
| --- | --- |
| accountDeleted (Right to Be Forgotten) | A Trello user's account has been deleted and should be forgotten. Within a timely manner, you should remove all personal data you have stored for this user. |
| accountUpdated (Right to Rectification) | A Trello user has updated their member profile. Within a timely manner, you should ask the Trello API for updated information and delete any old data or data you no longer have access to. |
| tokenRevoked | A Trello user has revoked access to their data via Trello's API. Within a timely manner, you should remove all personal data you have stored for this user. |
| tokenExpired | The API token you had for a user has expired. You should ask the user to grant access again. If you are not granted access again in a timely manner, you should delete the personal data stored for that user. |
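The paging, de-duplication and event handling described above, combined in one poller as an added Python example (not Trello's code). `fake_fetch_page` is a hypothetical stand-in for the HTTP request, the sample records are constructed from the responses on this page, and the action labels and the `manual-review` fallback are this example's own names.

```python
import time

# CONSTRUCTED sample records, modelled on the responses shown on this page.
SAMPLE_RECORDS = [
    {"id": "5bce1f1a46e91b8d13738bf4", "date": "2018-11-11T21:19:57.671Z", "event": "accountDeleted"},
    {"id": "5be535b7362ce488fde19961", "date": "2018-11-11T21:21:00.795Z", "event": "accountDeleted"},
    {"id": "5be8973b791d0d5cca9c789a", "date": "2018-11-11T21:27:02.904Z", "event": "accountDeleted"},
    {"id": "5b575b205f34f90c743e8e04", "date": "2019-04-04T21:48:36.811Z", "event": "tokenRevoked"},
    {"id": "5b575b205f34f90c743e8e04", "date": "2019-04-05T02:03:32.520Z", "event": "accountUpdated"},
    {"id": "5b575b205f34f90c743e8e04", "date": "2019-04-06T10:48:36.111Z", "event": "tokenExpired"},
]

# Labels are this example's own names for the expected actions in the table.
ACTIONS = {
    "accountDeleted": "delete-personal-data",
    "tokenRevoked": "delete-personal-data",
    "accountUpdated": "refresh-from-api",
    "tokenExpired": "request-reauthorization",
}

def fake_fetch_page(since, limit):
    """Hypothetical stand-in for the HTTP request: records dated at or after
    `since`, oldest first, at most `limit` (as the paging example behaves)."""
    return [r for r in SAMPLE_RECORDS if since is None or r["date"] >= since][:limit]

def poll_compliance(fetch_page, since=None, limit=2, delay_s=10.0, sleep=time.sleep):
    """Page through the route; return (tasks, request_count, next_since)."""
    seen, tasks, requests = set(), [], 0
    while True:
        if requests:
            sleep(delay_s)  # at most 6 requests per minute, else HTTP 429
        page = fetch_page(since, limit)
        requests += 1
        fresh = 0
        for rec in page:
            key = (rec["id"], rec["date"], rec["event"])  # one member, many events
            if key in seen:
                continue  # `since` is inclusive, so page boundaries repeat
            seen.add(key)
            fresh += 1
            # Unknown event types go to review instead of being dropped silently.
            action = ACTIONS.get(rec["event"], "manual-review")
            tasks.append({"member_id": rec["id"], "event": rec["event"], "action": action})
        if page:
            since = page[-1]["date"]
        # Stop on a short page, or when nothing new arrived (cursor cannot advance).
        if len(page) < limit or fresh == 0:
            break
    return tasks, requests, since
```

Persist the returned `next_since` value and pass it as `since` on the next run so each poll starts where the previous one ended.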

Compliance Badging

When a user is shown information regarding an application or Power-Up, specifically when they are granting access to an application or adding a Power-Up to a board, Trello will include the following copy and information to indicate whether the application is in compliance with Trello's data privacy practices outlined on this page.

For those who have registered as storing personal data and are in compliance via polling, the user will be shown the following:

{Power-Up name} stores personal data and is in compliance with Trello's [data and privacy practices](https://help.trello.com/article/1118-trello-and-gdpr-our-commitment-to-data-privacy)

For those who have registered as not storing personal data, the user will be shown the following:

{Power-Up name} does not store personal data and is in compliance with Trello's [data and privacy practices](https://help.trello.com/article/1118-trello-and-gdpr-our-commitment-to-data-privacy)

For those who have registered as storing personal data but are not in compliance via polling, the user will be shown the following:

{Power-Up name} stores personal data and is not in compliance with Trello's [data and privacy practices](https://help.trello.com/article/1118-trello-and-gdpr-our-commitment-to-data-privacy)

Failure to register whether an application stores PD will result in the application being considered not in compliance. In this scenario, the user will be shown the following:

{Power-Up name} may store personal data and is not in compliance with Trello's [data and privacy practices](https://help.trello.com/article/1118-trello-and-gdpr-our-commitment-to-data-privacy)

The badge will be shown based on whether the lastPolled date for the application is within the past 14 days. You can check the lastPolled date for your Power-Up by making a request to the /1/plugins route. For example, the following request:

GET https://api.trello.com/1/plugins/{IdPlugin}/

Returns a JSON payload that includes the following object:

"compliance": {
  "lastPolled": {
    "memberPrivacy": "2019-01-14T16:44:31.083Z"
  }
}