If you’re just browsing the website, we collect the same basic information that most websites collect. We use common internet technologies, such as cookies and web server logs. This is stuff we collect from everybody, whether they have an account or not.
The information we collect about all visitors to our website includes the visitor’s browser type, language preference, referring site, additional websites requested, and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.
WHY WE COLLECT THIS INFORMATION
We collect this information to better understand how our website visitors use DCR and to monitor and protect the security of the website.
INFORMATION FROM USERS WITH ACCOUNTS
If you create an account, we require some basic information at the time of account creation. You will create your own user name and password, and we will ask you for a valid email address and your full name. You also have the option to give us more information if you want to, and this may include “User Personal Information.”
“User Personal Information” is any information about one of our users which could, alone or together with other information, personally identify him or her. Information such as a user name and password, email address, a real name, and a photograph are examples of “User Personal Information.” User Personal Information includes Personal Data as defined in the General Data Protection Regulation.
User Personal Information does not include aggregated, non-personally-identifying information. We may use aggregated, non-personally identifying information to operate, improve, and optimize our website and service.
WHY WE COLLECT THIS INFORMATION
- We need your User Personal Information to create your account, and to provide the services you request, including providing the DCR service, or responding to support requests.
- We use your User Personal Information, specifically your user name, to identify you on DCR.
- We use it to fill out your profile and share that profile with other users if you ask us to.
- We will use your email address to communicate with you if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. Please see our section on email communication for more information.
- We use User Personal Information and other data to make recommendations for you, such as to suggest projects you may want to follow or contribute to. For example, when you fill out an interest survey at account creation, we learn from it — as well as from your public behavior on DCR, such as the graphs you star or like — to determine your interests, and we recommend similar graphs. These recommendations are automated decisions, but they have no legal impact on your rights.
- We use your User Personal Information for internal purposes, such as to maintain logs for security reasons, for training purposes, and for legal documentation.
- We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first. You can always see what information we have, how we’re using it, and what permissions you have given us in your user profile.
OUR LEGAL BASIS FOR PROCESSING INFORMATION
Under certain international laws (including GDPR), DCR is required to notify you about the legal basis on which we process User Personal Information. DCR processes User Personal Information on the following legal bases:
When you create a DCR account, you provide your user name, real name, and email address. We require those data elements for you to enter into the Terms of Service agreement with us, and we process those elements on the basis of performing that contract. We also process your user name and email address on other bases. If you have a DCR Organizational, or other paid account with us, there will be other data elements we must collect and process on the basis of performing that contract. DCR does not collect or process a credit card number.
When you fill out the information in your user profile, you have the option to provide User Personal Information such as your full name, an avatar which may include a photograph, your biography, your location, your company, and a URL to a third-party website. You have the option of setting a publicly visible email address here. We process this information on the basis of consent. All of this information is entirely optional, and you have the ability to access, modify, and delete it at any time (while you are not able to delete your email address entirely, you can make it private).
Generally, the remainder of the processing of personal information we perform is necessary for the purposes of our legitimate interests. For example, for security purposes, we must keep logs of IP addresses that access DCR, and in order to respond to the legal process, we are required to keep records of users who have sent and received DMCA takedown notices.
If you would like to request the erasure of data we process on the basis of consent or object to our processing of personal information, please use our Privacy contact form.
WHAT INFORMATION DCR DOES NOT COLLECT
We do not intentionally collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information. Although DCR does not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account, such as in a category or in your public profile. If you store any sensitive personal information on our servers, you are responsible for complying with any regulatory controls regarding that data.
If you’re a child under the age of 18, you may not have an account on DCR. DCR does not knowingly collect information from or direct any of our content specifically to children under 18. If we learn or have reason to suspect that you are a user who is under the age of 18, we will unfortunately have to close your account. We don’t want to discourage you from learning to code, but those are the rules. Please see our Terms of Service for information about account termination. Other countries may have different minimum age limits, and if you are below the minimum age for providing consent for data collection in your country, you may not use DCR without obtaining your parents’ or legal guardians’ consent.
We do not intentionally collect User Personal Information that is stored in your repositories or other free-form content inputs. Information in your repositories belongs to you, and you are responsible for it, as well as for making sure that your content complies with our Terms of Service. Any personal information within a user’s category or in a graph is the responsibility of the category or graph owner.
DCR employees do not access private categories or graphs unless required for security reasons, to assist the category or graph owner with a support matter, or to maintain the integrity of the service. Our Terms of Service provides more details.
If your category is public or shared, anyone (including us and unaffiliated third parties) may view its contents. If you have included private or sensitive information in your public category, such as email addresses or passwords, that information may be indexed by search engines or used by third parties. In addition, while we do not generally search for content in your categories or graphs, we may scan our servers for certain tokens or security signatures, or for known active malware.
Please see more about User Personal Information in public categories.
HOW WE SHARE THE INFORMATION WE COLLECT
We do share User Personal Information with your permission, so we can perform services you have requested or communicate on your behalf. For example, if you purchase or use products from our AppStore, we will share your account name to allow the integrator to provide you services. Additionally, you may indicate, through your actions on DCR, that you are willing to share your User Personal Information. For example, if you join an organization, the owner of the organization will have the ability to view your activity in the organization’s access log. We will respect your choices.
We do not share, sell, rent, or trade User Personal Information with third parties for their commercial purposes, except where you have specifically told us to (such as by buying an integration from DCR Appstore).
We do not host advertising on DCR. We may occasionally embed content from third-party sites, such as YouTube, and that content may include ads. While we try to minimize the number of ads our embedded content contains, we can’t always control what third parties show. Any advertisements in DCR categories are not sponsored by or tracked by, DCR.
We do not disclose User Personal Information outside DCR, except in the situations listed in this section or in the section below on Compelled Disclosure.
We do share certain aggregated, non-personally identifying information with others about how our users, collectively, use DCR, or how our users respond to our other offerings, such as our conferences or events. For example, we may compile statistics on the usage of categories and graphs across DCR. However, we do not sell this information to advertisers or marketers.
We do share User Personal Information with a limited number of third-party vendors who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own Privacy Statement by signing data protection agreements. Our vendors perform services such as customer support ticketing, network data transmission, and other similar services. When we transfer your data to our vendors under any data protection regulation, we remain responsible for it. While DCR processes all User Personal Information in the European Union, our third-party vendors may process data outside of the European Union. If you would like to know who our third party vendors are, please see our page on Subprocessors.
We do share aggregated, non-personally-identifying information with third parties. For example, we share the number of likes for a graph, or in the event of a security incident, we may share the number of times a particular file was accessed.
We may share User Personal Information if we are involved in a merger, sale, or acquisition. If any such change of ownership happens, we will ensure that it is under terms that preserve the confidentiality of User Personal Information, and we will notify you on our website or by email before any transfer of your User Personal Information. The organization receiving any User Personal Information will have to honor any promises we have made in our Privacy Statement or in our Terms of Service.
PUBLIC INFORMATION ON DCR
Much of DCR is public-facing. If your content is public-facing, third parties may access and use it in compliance with our Terms of Service, such as by viewing your profile or categories or graphs or pulling data via our API. We do not sell that content; it is yours. However, we do allow third parties, such as research organizations, to compile public-facing DCR information. Other third parties, such as data brokers, have been known to scrape DCR and compile data as well.
Your Personal Information, associated with your content, could be gathered by third parties in these compilations of DCR data. If you do not want your Personal Information to appear in third parties’ compilations of DCR data, please do not make your Personal Information publicly available, and be sure to configure your email address to be private in your user profile.
Similarly, categories and graphs on DCR may include publicly available Personal Information collected as part of the collaborative process. In the event that a DCR project contains publicly available Personal Information that does not belong to DCR users, we will only use that Personal Information for the limited purpose for which it was collected, and we will secure that Personal Information as we would secure it any User Personal Information. If you have a complaint about any Personal Information on DCR, please see our section on resolving complaints.
You have the option of enabling or adding third-party applications, known as “Developer Products,” to your account. These Developer Products are not necessary for your use of DCR. We will share your User Personal Information with third parties when you ask us to, such as by use or purchasing a Developer Product from the AppStore; however, you are responsible for your use of the third-party Developer Product and for the amount of User Personal Information you choose to share with it. You can check our API documentation to see what information is provided when you authenticate into a Developer Product using your DCR profile.
You also have the option of adding applications from DCR, such as our Windows Application for DCR Active Repository, or other account features, to your account. These applications each have their own terms and may collect different kinds of User Personal Information; however, all DCR applications are subject to this Privacy Statement, and we will always collect the minimum amount of User Personal Information necessary, and use it only for the purpose of which you have given it to us.
HOW YOU CAN ACCESS AND CONTROL THE INFORMATION WE COLLECT
If you’re already a DCR user, you may access, update, alter, or delete your basic user profile information by editing your user profile or contacting DCR Support. You can control the information we collect about you by limiting what information is in your profile, by updating out-of-date information, or by contacting DCR Support.
As a DCR User, you can always take your data with you. You can manually export your categories and graphs to your desktop.
DATA RETENTION AND DELETION OF DATA
Generally, DCR will retain User Personal Information for as long as your account is active or as needed to provide you services.
We may retain certain User Personal Information indefinitely unless you delete it or request its deletion. For example, we don’t automatically delete inactive user accounts, so unless you choose to delete your account, we will retain your account information.
If you would like to cancel your account or delete your User Personal Information, you may do so in your user profile. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full profile (within reason) within 90 days. You may contact DCR Support to request the erasure of the data we process on the basis of consent within 30 days.
After an account has been deleted, certain data, such as contributions to others’ repositories and comments in others’ issues, will remain. However, we will delete or de-identify your personal information, including your user name and email address, from the author field of issues, pull requests, and comments by associating them with the ghost user.
DCR uses various cookies as described below. We also list our third-party analytics and service providers and detail exactly which parts of our website we permit them to track.
DCR COOKIES (FIRST-PARTY COOKIES)
Overview of the specific first-party cookies used by DCR:
Google maintains an updated list here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
The storage of cookies and the exchange of data with Google Analytics can also be prevented by enrolling in the opt-out option provided above.
TRACKING AND ANALYTICS
We use a number of third-party analytics and service providers to help us evaluate our users’ use of DCR; compile statistical reports on activity; and improve our content and website performance. We only use these third-party analytics providers on certain areas of our website, and all of them have signed data protection agreements with us that limit the type of personal information they can collect and the purpose for which they can process the information. In addition, we use our own internal analytics software to provide features and improve our content and performance.
We do not currently respond to your browser’s Do Not Track signal, and we do not permit third parties other than our analytics and service providers to track DCR users’ activity overtime on DCR. We do not track your online browsing activity on other online services over time.
HOW DCR SECURES YOUR INFORMATION
DCR takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.
DCR enforces a written security information program. Our program:
- aligns with industry-recognized frameworks;
- includes security safeguards reasonably designed to protect the confidentiality, integrity, availability, and resilience of our users’ data;
- is appropriate to the nature, size, and complexity of DCR’s business operations;
- includes incident response and data breach notification processes; and
- complies with applicable information security-related laws and regulations in the geographic regions where DCR does business.
In the event of a data breach that affects your User Personal Information, we will act promptly to mitigate the impact of a breach and notify any affected users without undue delay.
Transmission of data on DCR is encrypted using SSH, HTTPS, and SSL/TLS. While our data is not encrypted at rest, we manage our own cages and racks at top-tier data centers with excellent physical and network security, and when data is stored with a third-party storage provider, it is encrypted.
No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security. For more information, see our security disclosures.
DCR’S GLOBAL PRIVACY PRACTICES
We store and process the information that we collect in the European Union in accordance with this Privacy Statement (our subprocessors may store and process data outside the European Union). However, we understand that we have users from different countries and regions with different privacy expectations, and we try to meet those needs even when the European Union does not have the same privacy framework as other countries.
We provide the same standard of privacy protection — as described in this Privacy Statement — to all our users around the world, regardless of their country of origin or location, and we are proud of the levels of notice, choice, accountability, security, data integrity, access, and recourse we provide. We have appointed a Privacy Counsel and we work hard to comply with the applicable data privacy laws wherever we do business, and our Privacy Counsel also acts as our Data Protection Officer, part of a cross-functional team that oversees our privacy compliance efforts. Additionally, if our vendors or affiliates have access to User Personal Information, they must sign agreements that require them to comply with our privacy policies and with applicable data privacy laws.
- DCR provides clear methods of unambiguous, informed consent at the time of data collection when we do collect your personal data using consent as a basis.
- We collect only the minimum amount of personal data necessary for our purposes unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing.
- We offer you simple methods of accessing, correcting or deleting the User Personal Information we have collected.
- We provide our users notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our users a method of recourse and enforcement. These are the Privacy Shield Principles, but they are also just good practices.
HOW WE RESPOND TO COMPELLED DISCLOSURE
DCR may disclose personally-identifying information or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large.
In complying with court orders and similar legal processes, DCR strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.
For more information, see our Guidelines for Legal Requests of User Data.
HOW WE, AND OTHERS, COMMUNICATE WITH YOU
We will use your email address to communicate with you if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. For example, if you contact our Support team with a request, we will respond to you via email. You have a lot of control over how your email address is used and shared on and through DCR. You may manage your communication preferences in your user profile.
If you would like your email address to remain private, even when you’re commenting on public categories or graphs, you can create a private email address in your user profile. You should also update your local DCR configuration to use your private email address. This will not change how we contact you, but it DCR affect how others see you. We set current users’ email addresses private by default, but legacy DCR users may need to update their settings. Please see more about email addresses in commit messages here.
Depending on your email settings, DCR may occasionally send notification emails about new features, requests for feedback, important policy changes, or offer customer support. We also send marketing emails, but only with your consent, if you opt into our list. There’s an unsubscribe link located at the bottom of each of the marketing emails we send you. Please note that you can not opt-out of receiving important communications from us, such as mails from our Support team or system emails, but you can configure your notifications settings in your profile.
Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted emails.
Third-party service providers we use to communicate with you is:
If you have concerns about the way DCR is handling your User Personal Information, please let us know immediately. We want to help. You may contact us by filling out the Privacy contact form. You may also email us directly at firstname.lastname@example.org with the subject line “Privacy Concerns.” We will respond promptly — within 45 days at the latest.
CHANGES TO OUR PRIVACY STATEMENT
Although most changes are likely to be minor, DCR may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending an email to the primary email address specified in your DCR account. We will also update our Site Policy on our website.
This Privacy Statement is licensed under this Creative Commons Zero license.
Questions regarding DCR’s Privacy Statement or information practices should be directed to our Privacy contact form.