It’s also fairly common for small companies not to bother until space becomes an issue (and with storage space so cheap these days, that can be a looong time).
I am a web programmer, it can get complicated managing deletes when not doing it at the time of request (deferring and deleting by script can get complicated, especially when dealing with millions of records). Often easier to just not bother.
Could they have an automated solution in place that Dan neglected to mention? Sure.
Could they be managing it manually? Sure.
But by user investigation, and Dan’s statement that they persist indefinitely, it doesn’t seem like it. They’re Terms of Service are also a little bit too permissive for GF in this count as well, when considering user’s possibility of uploading sensitive information.
I wonder, as an aside, if a doctor were to print something for his own use or a patient’s that had PII embedded in it, if GF would be required to be HIPPA compliant as they’re transmitting and storing that information electronically.
I believe it’d be up to the doctor to comply with HIPAA, in that case, including choosing not upload it somewhere that may not be HIPAA. Glowforge only must comply with HIPAA if they claim to be compliant. You can make a storage service that is not HIPAA compliant, you just can’t sell it as such to medical professionals and institutions. (I am not a lawyer and so this is not legal advice, but the topic comes up a from time to time in the due diligence work I do, though lately GDPR is often the bigger concern.)
HIPAA is a little challenging – one example I know well: if you run a transportation service that a client uses to come and go to their health professionals, then any info you store at the transportation agency in relation to that client and those trips means the computer systems and data must be HIPAA compliant…
and to further that, at least the dr’s know they have patients. I would assume the services probably don’t know or definitely don’t care the addresses are for medical reasons. It’s just another drop off/pick up for them.
Mostly it comes down to knowing the purpose of the trip – and this applies to a Human Services Transportation primarily, Taxi services per se just know a destination and so aren’t really bound by HIPAA – the call center that arranges the trip has more information because they arrange the trip and pursue the funding for it from the appropriate Human Service provider (Medicaid, Veteran’ Admin, ADA Paratransit provider, etc.).
A friend of mine (now deceased) used to make his living this way.
He used to intercept unencrypted patient data on unsecured wifi and gently point out to the doctors involved how illegal this was. He would offer to provide them the software, installation and support to make it all compliant.
He said he would literally go only days between work because the problem was so widespread.
It’s been a little while since I’ve seen any replies on this thread so I’m going to close it. If you still need help with this please either start a new thread or email support@glowforge.com.