Use API to get users email


#1

Hi everyone,

The API allows developer to access every users in the authenticated user’s workspace. Is there any good practice/recommandation from Asana about using those emails? Are we allowed to invite them to the service if the connected user gave us approval?

Thanks a lot, have a nice week.


#2

Hi @Bastien_Siebman. The primary resource I’d direct you to is Asana’s Statement on Security

I recommend that you prioritize security, privacy, and user permission for any PII that you come across.


#3

I don’t understand your point, what specific section of the security answers my question? Thanks


#4

@Alexis I am still confused by your answer, can you clarify please?


#5

I recommend that you do not take action on email addresses you find and that you instead keep the information secure. However, that is my personal recommendation. For Asana’s official recommendation about security-related questions, please see Asana’s statement on security. I imagine that @Matt_Bramlage or @Jeff_Schneider will have a recommendation, as well.


#6

The thing I don’t understand is that my question does not relate to security in my opinion. Am I allowed to show to Brian a button saying “Invite Bob to discover Templana” and if he clicks, sends an email to Bob. I will wait on Matt or Jeff answer then.


#7

Interesting question! :thinking:

I don’t think we have a policy about this specifically, but I asked the team what they thought about it and we sort of built an impromptu set of guideines :slight_smile: We think that this is probably OK if you ensure a couple of things:

  • Make sure the email comes from a clear and non-spammy app email address, such as "invite@templana.com" or similar, so that people know that it’s a real thing and don’t get emails from "haxx04s@hotmail.com" or some other scary sounding address.
  • Ensure folks that you’re not going to sell their information on with something like “Templana will never share your email with an outside party” to assuage fears that spam will flood their inbox / indicate that if and when spam inevitably does show up, it wasn’t from Templana or Asana.
  • And, you know, actually stick to that - don’t sell their contact info.
  • Send the email in response to a specific user action on behalf of an existing user in the organization. The idea of a button click is totally fine, but don’t auto-mail all users in the organization.
  • Indicate that a specific user action was involved; say, language in the email to Bob saying “Your colleague Brian has invited you to use Templana with Asana”, so people know that Brian triggered the email and you’re just sending it for that person. (You don’t strictly have to say that the invite involves Asana, but if it makes sense and is clearer to what tools the invite is for, it’s probably a good idea).

We may come up with more guidelines if apps end up abusing this (worst-case scenario is someone builds a spam app specifically for this, but we can always ban such apps) In the end, though, a polite invite sounds like a great idea for Asana (to increase platform adoption) and apps built on Asana!


#8

Great thanks. I think I will create a task instead of sending an email, that would make more sense. I will keep you posted if I ever implement such a feature.