Our Privacy Policy

The We Assume Breach team is constantly infuriated by the cookie collection prompts that pop up as soon as you open a new website. Not because we don’t believe consumers should be informed of what happens to their data; of course they should. Rather, it is the dark patterns you encounter afterwards that really drive us crazy. Often, clicking on “our privacy policy” or “customize your choices” will lead you to a new page that has a series of toggles: sliding one on means that they can collect your data, and sliding it off means they can’t. Wait, or is it the other way around? Therein lies the problem: it is not at all clear which is which, a deliberate decision on the part of the designers. One way keeps your data private, the other makes the website a quick buck tracking your movements and selling your personal data. We endeavor not to do that.

Now, we are new to the website game and are using Squarespace as our domain host, so we are doing everything in our power to turn off the settings that track your movements across sites or tell us personal details about you. This is one of the reasons we don’t have a mailing list: while it would help us keep you up to date with our new posts, it would also give your email to Squarespace, who could store it at their leisure.

The one place where we have had to compromise is with our merch. We have neither the capital nor the space to pre-buy and store our merchandise, so we rely on drop-shipping. The company we chose for this is Printful. As our options were limited, the choice came down to the fact that Printful keeps all printing and shipping in-house, which means your data will be accessed by fewer third-party companies.

We also use Stripe and PayPal for payment processing as well as TaxJar to determine the sales taxes required for remittance in your specific state.

When you email us, we will be able to see your name and email, but we promise to delete your email as soon as our correspondence is finished (unless we have to keep it for legal reasons; please don’t sue us). Please be aware, though, that our domain @WeAssumeBreach.org is through Google Workspace. It is a business account, so Google should not be keeping your data, but as a group of cybersecurity professionals and paranoid privacy mavens, we know to always be skeptical of that.

As for what we ourselves have access to, we aren’t entirely sure yet. The only data we want to know is how many people visit our site, how many people bought merch, and what the most popular item bought is. Everything else we will turn off if possible. If categories beyond this are not customizable, we will note what we can see within this privacy policy.

Update from 9/14/22

We have determined that we need to turn off the activity log to feel less creepy. While we normally advocate for logs of all kinds, in this instance we felt that it gave us too much information on random strangers without a notable benefit to balance out the creep factor. It may help us track and pinpoint the origin of DDoS attacks, but since we do not run our own servers, we would not be able to remedy these attacks on our own anyway. Keep in mind, though, that while we have elected to turn off the activity log, Squarespace is still recording and storing this information. They also show us the general location of where our clicks are coming from, meaning that if you are in Huntington Beach, we see a click from Los Angeles. This is also how we can tell that while Squarespace thinks that we have had 335 unique visitors (since we have turned off cookies), we can proudly report that it is more like 7, and we are happy to have you.

Now, the amount of information that we can see about you changes wildly if you buy something from us, either through the WeAssumeBreach.Org site or our Etsy store. We (and Printful) will see your full name, address, and what you purchased. Unfortunately, there really isn’t any way for us to change this, but we are researching how long we need to keep a log of that information and whether we can delete the data after the purchase has been delivered. We will keep you updated on what we find, but we hope this doesn’t deter you from buying some swag from us and supporting our team.

Update from 8/28/22

We recently disabled all analytic cookies regardless of your acceptance of our cookie policy banner. We also attempted to disable the activity log, although there is some debate about whether we did that correctly, as we identified that toggle as a dark pattern. By turning off these analytics, we won’t be able to see how many visitors we actually have visit the site, but we value the privacy of our visitors more than we desire to know that information.

We also found the list of “functional and required” cookies, according to Squarespace, and are listing them here since we cannot remove them:

  • Name: _acloggedin
    • Purpose: Supports login by Scheduling client if the client has an account
    • Type: Cookie
    • Duration: January 1, 2025

  • Name: _client_acloggedin
    • Purpose: Supports login by Scheduling client if the client has an account
    • Type: Cookie
    • Duration: January 1, 2025

  • Name: algoliasearch-client-js
    • Purpose: Add auto-populated suggestions to address fields in Scheduling to help clients complete forms faster
    • Type: localstorage
    • Duration: Persistent

  • Name: CART
    • Purpose: Shows when a visitor adds a product to their cart
    • Type: Cookie
    • Duration: Two Weeks

  • Name: CHECKOUT_WEBSITE
    • Purpose: Identifies the correct site for checkout when checkout on your domain is disabled
    • Type: Cookie
    • Duration: Session

  • Name: client_username
    • Purpose: Remembers a logged in Scheduling client’s username between visits
    • Type: Cookie
    • Duration: One year

  • Name: Commerce-checkout-state
    • Purpose: Stores state of checkout while the visitor is completing their order in PayPal
    • Type: sessionstorage
    • Duration: session

  • Name: Crumb
    • Purpose: Prevents cross-site request forgery (CSRF)
    • Type: Cookie
    • Duration: Session

  • Name: hasCart
    • Purpose: Tells Squarespace that the visitor has a cart
    • Type: Cookie
    • Duration: Two Weeks

  • Name: Locked
    • Purpose: Prevents the password-protected screen from displaying if a visitor enters the correct site-wide password
    • Type: Cookie
    • Duration: Session

  • Name: PHPSESSID
    • Purpose: Securely authenticates a visitor during their checkout in Scheduling
    • Type: Cookie
    • Duration: One month

  • Name: RecentRedirect
    • Purpose: Prevents redirect loops if a site has custom URL redirects. Redirect loops are bad for SEO
    • Type: Cookie
    • Duration: 30 Minutes

  • Name: remember_client
    • Purpose: Remembers Scheduling client’s login details if they have an account
    • Type: Cookie
    • Duration: 365 days

  • Name: siteUserCrumb
    • Purpose: Prevents cross-site request forgery (CSRF) for logged in site users
    • Type: Cookie
    • Duration: Three years

  • Name: SiteUserInfo
    • Purpose: Identifies a visitor who logs into a customer account
    • Type: Cookie
    • Duration: Three Years

  • Name: SiteUserSecureAuthToken
    • Purpose: Authenticates a visitor who logs into a customer account
    • Type: Cookie
    • Duration: Three years

  • Name: squarespace-announcement-bar
    • Purpose: Prevents the announcement bar from displaying if a visitor dismisses it
    • Type: localstorage
    • Duration: Persistent

  • Name: squarespace-likes
    • Purpose: Shows when you’ve already “liked” a blog post
    • Type: localstorage
    • Duration: Persistent

  • Name: squarespace-popup-overlay
    • Purpose: Prevents the promotional pop-up from displaying if a visitor dismisses it
    • Type: localstorage
    • Duration: Persistent

  • Name: squarespace-video-player-options
    • Purpose: Remembers video player selected preferences (volume, playback speed, and quality) for videos uploaded directly to Squarespace
    • Type: localstorage
    • Duration: Persistent

  • Name: ss_cookieAllowed
    • Purpose: Remembers if a visitor agreed to placing analytics cookies on their browser if a site is restricting the placement of cookies
    • Type: Cookie
    • Duration: 30 days

  • Name: ss_sd
    • Purpose: Ensures that visitors on the Squarespace 5 platform remain authenticated during their sessions
    • Type: Cookie
    • Duration: Session

  • Name: Test
    • Purpose: Investigates if the browser supports cookies and prevents errors
    • Type: Cookie
    • Duration: Session

  • Name: TZ
    • Purpose: Enables a Scheduling client’s appointments to display correctly based on their time zone preferences
    • Type: localstorage
    • Duration: Persistent
