Last updated: 25 Aug 2022

We value your privacy and strive to protect your personal information. Please read this Policy to understand what types of information we collect from you, for what purposes and what choices you have regarding our collection of your information.

This policy covers Drupal.org website and all *.drupal.org subsites (collectively, the "Website"). By accessing, using or posting information to this Website, you agree to this Privacy Policy and the Terms of Service.

As stated in Section F of our Terms of Service, Drupal.org serves an international community, and so we are committed to complying with any applicable data protection laws and regulations, such as the EU's General Data Protection Regulation(GDPR). Note that some regulations exempt non-profit organizations, including the California Consumer Privacy Act(CCPA)

Human Readable Summary

Disclaimer: This summary is not itself a part of the Privacy Policy and is not a legal document. It is simply a handy reference for understanding privacy rights and regulations. Think of it as the user-friendly interface to the legal language of our Privacy Policy.

In plain language, regulations such as GDPR define the following roles, rights, and responsibilities:

  • Data Subject - this is you, the end user.
  • Data Controller - this is us, the Drupal Association as the owners and operators of Drupal.org and its sub-sites.
  • Data Processor - any other organization that processes personal data on behalf of the Data Controller.

Rights of the Data Subject

  • Right to be Informed - A data subject has the right to know whether personal information is being processed; where; and for what purpose.
     

    This information is outlined in the section below titled "Information We Collect About You" and "How we Use Your Information".

  • Right to Access - A data subject has a right to access the information about them that is stored by the Data Controller.
     

    This information is outlined in the section below titled "Information We Collect About You" and "How we Use Your Information".

  • Right to Rectification - A data subject has the right to correct any errors in the data about them. This can be done by editing your user account, or contacting the Drupal Association directly.
     
  • Right to Restrict Processing - A data subject has the right to request that data not be processed, and yet also not be deleted by the Data Controller.
     
  • Right to Object - A data subject has the right to opt out of marketing, processing based on legitimate interest, or processing for research or statistical purposes.
     
  • Right to be Forgotten - Also known as the right to revoke consent, the right to be forgotten states that a data subject has the right to request erasure of data, the cessation of processing by the controller, and halting processing of the data by third party processors.

    The conditions for this, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent.

    It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

    This information is outlined in the sections below titled "Accessing and Correcting Your Information".

  • Data Portability - A data subject has the right to receive a copy of their data in a 'commonly used and machine readable format.'

    This information is outlined in the sections below titled "Your Choices About Use and Disclosure of Your Information" and "Accessing and Correcting Your Information".

Responsibilities of the Data Controller and Data Processors

  • Privacy by Design - 'The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 of the GDPR calls for controllers to hold and process only the data absolutely necessary for the completion of its duties, as well as limit the access to personal data to those who need it to carry out these duties.
     
  • Breach Notification - The Data Controller must notify the appropriate data processing authority and any affected end user of any breach that might result in 'risk to the rights and freedoms of individuals' within 72 hours of becoming aware of the breach.

    A Data Processor must notify the Data Controller of any breach 'without undue delay.'

  • Data protection officer - A Data Controller or Processor must appoint a Data Protection Officer when: a Data Controller represents a public authority; or the core operations of the Controller require regular and systematic monitoring of Subjects on a large scale; or when the Controller's core operations depend on processing a large scale of special categories of data (including but not limited to health data, criminal conviction information, etc).

    The Drupal Association's core operations do not require the Association to establish a Data Protection Officer.

Information We Collect About You

We collect several types of information from and about you, including:

1. Your email address and password. We treat this information as "Personally Identifiable Information" or "PII". We never store passwords in plain text format, only secure password hashes.

2. Non-personally identifiable information, information about your computer system or device, your preferences, your online activity, and your location information ("Non-Personally Identifiable Information" a "Non-PII"). Non-PII, by itself, does not identify you, but it can be combined with other information in way that allows you to be identified. If this happens, we will treat the combined information as PII.

We may collect information from or about you in the following ways:

  • Information Provided by You. We collect information provided by you when you (1) create your public profile; (2) communicate with us or request information about or from us by e-mail or other means; (3) participate in our online forums or post content on this Website ("User Contributions"), (4) fill out forms or fields on this Website; (5) sign-up for any of our newsletters, materials or our services on this Website or other sites; or (6) participate in our online surveys or questionnaires.
  • Automatic Information Collection. We also use automatic data collection technologies to collect and store certain information about your equipment, browsing actions and patterns when you interact with this Website through your computer or mobile device. In addition, we may allow third party ad networks to use automatic data collection technologies to collect similar information about you for purposes of providing interest-based ads.

Drupal Association Membership

  • When you purchase a membership or donate on drupal.org, we will collect additional information about you, such as your name, address, etc. We treat this information as nonpublic, "Personally Identifiable Information" or "PII".
  • All credit card transactions happen via payment services such as Chargify, Braintree, Authorize.net or PayPal. We do not store any credit card information you provide during purchase. We recommend that you review the privacy and security policies of these payment services to determine how they handle information they may collect from or about you.

Sub-sites

We may collect additional information from and about you when you visit certain *.drupal.org sites and perform certain activities. Detailed information per site below.

Jobs.drupal.org

  • When you create a Drupal Jobs job seeker profile, we collect additional information about you, such as: your name, address, previous job experience, CV, etc. We treat this information as nonpublic, "Personally Identifiable Information" or "PII".
  • Information on your job seeker profile is only available to Employers if you opt-in to share it with them.
  • All credit card transactions happen via payment services such as Authorize.net or PayPal. We do not store any credit card information you provide during purchase. We recommend that you review the privacy and security policies of these payment services to determine how they handle information they may collect from or about you.

Events.drupal.org

  • When you purchase a registration, membership or other products on DrupalCon site, we will collect additional information about you, such as your name, address, etc. We treat this information as nonpublic, "Personally Identifiable Information" or "PII".
  • All credit card transactions happen via payment services such as Authorize.net or PayPal. We do not store any credit card information you provide during purchase. We recommend that you review the privacy and security policies of these payment services to determine how they handle information they may collect from or about you.
  • We may also collect registration information related to your attendance at DrupalCon events, including travel information, scheduling information, food preferences or allergies, and accessibility requests.
  • We may also collect personal information about your citizenship, date of birth, and passport details if you request assistance from us with obtaining a visa letter to travel to DrupalCon.
  • We may also collect demographic information during the registration. All data is kept confidential and only reported in aggregate. Our goal is to better understand our conference community and ultimately address the diversity disparity within Drupal.
  • We may also collect and store information that you provide to us about other people (for example, when buying a registration for them), including their name, postal address, telephone number, mobile number, and email address.

Updates.drupal.org

Your Drupal site may send anonymous usage stats including your website's ip address and information about your currently installed modules and their versions to updates.drupal.org when checking for available updates. Statistics may be aggregated so that the updates system could identify changes in the use of modules over the lifetime of each anonymized site. Those statistics do not contain personally identifiable information and are used for providing usage data on Drupal.org project pages, as well as anonymized reports shared via blog posts and other channels.

User Contributions

Your public profile that you create on this Website will be visible to all users of this Website. Your User Contributions are posted on this Website and transmitted to others at your own risk. Please see our Terms of Service for more information concerning User Contributions.

Service providers and partners

We use a number of service providers to help us operate the site and provide high quality user experience to our visitors. Some of those providers can access Non-PII about you via automatic data collection technologies.

Automatic Information Collection Technologies

The information that we collect about your equipment, browsing actions and patterns includes, but is not limited to, traffic data, location data, logs, the resources that you access, search queries, as well as information about the computer or device you are using and the Internet connection, including your IP address, operating system and browser type.

This automatically collected information typically does not include PII, but we may maintain it or associate it with your personal information collected in other ways. Collection of this type of information helps us to improve this Website and to deliver a better and more personalized service by enabling us to, among other things: (1) estimate our audience size and usage patterns; (2) store information about your preferences, allowing us to customize this Website according to your individual interests; (3) speed up your searches; and (4) recognize you when you return to this Website.

The automatic collection technologies we or our service providers use for this automatic information collection may include:

  • Cookies (or browser cookies). This Website may use two types of cookies (small data files placed on the hard drive of your computer when you visit a website): a "session cookie," which expires immediately when you end your browsing session and a "persistent cookie," which stores information on your hard drive so when you end your browsing session and return to this website later, the cookie information is still available.
  • Web Beacons. Pages of this Website and any e-mails sent to you may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened our e-mails.

Third Party Advertising Partners and Interest-Based Ads

We use third party ad networks to display advertisements on this Websites and to advertise to certain Drupal.org visitors while they are on other websites. These third parties also may use cookies, web beacons and other automatic collection technologies to collect information about you when you visit this Websites for purposes of determining your preferences in order to deliver interest-based advertising and other targeted content to you.

We do not provide any PII to these third party advertising partners, but they may combine the non-PII collected on the Website with PII they collect directly from you or receive from other sources. We do not have access to or control over the automatic collection technologies that these third party advertisers or any third party websites may use, and the information practices of these third party advertisers and third party websites are subject to these parties' respective privacy policies, not this Privacy Policy.

This Website and some of our electronic communications to you, may contain links to other websites that are owned and operated by third parties. Links to third parties from this Website are not an endorsement by us. We do not control, and are not responsible for, the privacy and security practices of these third parties. We recommend that you review the privacy and security policies of these third parties to determine how they handle information they may collect from or about you.

This Website may also include social media features, such as the Facebook Like button, Google Plus, and Twitter widgets. These features may collect information about your IP address and the page you are visiting on this Website, and they may set a cookie to make sure the feature functions properly. Your interactions with these features and the information from or about you collected by them are governed by the privacy policies of the companies that provide them.

How We Use Your Information

We use your information, including any PII, to:

  • Provide information and services requested by you;
  • Provide service and support, such as sending confirmations, invoices, and administrative messages, and customer support, including responding to your requests and questions and troubleshooting and resolving problems or complaints;
  • Verify the information you provide to us;
  • Communicate with you;
  • Understand and anticipate your use of or interest in, our services, and content, and the products, services, and content offered by others;
  • Develop and display products, services, and content tailored to your interests on our websites and other websites;
  • Provide you with promotional materials and Newsletters in case you opt-in to receive those;
  • Measure the overall effectiveness of our online, content, and programming, and other activities;
  • Manage our business and operations;
  • Protect the security and integrity of this Website;
  • Carry out our obligations and enforce our rights arising from any contracts entered into between you and us;
  • Use or post user contributions as permitted in our Terms of Service; and
  • Fulfill any other purposes for which you provide your information and for any other purpose as described to you at the time your information is collected or for which your consent is given.

Disclosure of Your Information

We may disclose and share aggregated non-PII about you at our discretion.

We may disclose or share your PII only in limited circumstances:

  • With any Drupal Association employee or agent for support of our internal and business operations or to respond to a request made by you.
  • We may disclose information we collect from or about you when we believe disclosure is appropriate to comply with the law, to enforce agreements, or to protect the rights, property, or safety of users of this Website, the Association, or other persons or organizations.
  • If some or all of our business assets are sold or transferred as a result of any corporate change (merger, consolidation, reorganization, bankruptcy, etc.), we may transfer the corresponding information regarding our customers and users of Drupal.org and its subsites, including PII. We also may retain a copy of such information. Nothing in this Privacy Policy is intended to interfere with our ability to transfer all or part of our business, equity interests, or assets (including this Website) to an affiliate or unaffiliated third party at any time, for any purpose, without any limitation, and without notice or any compensation to you.

Disclosure of DrupalCon Attendee Information

DrupalCon attendees may opt-in on their ticket registration to be displayed on the public attendee page for DrupalCon. Users may also update their public Drupal.org profiles to indicate which DrupalCons they have attended. We do distribute attendee information in certain limited cases:

  • Some sponsors get a list of attendee names, but it does not include any contact information. We request that sponsors only contact people via the public profiles on the event site or D.O as people have opted in to being public.
  • We do not distribute anyone's email addresses to sponsors.

If you're getting "spam" type solicitations from companies or aggressive inquiries, feel free to let us know at https://events.drupal.org/contact-us

Children's Personal Information

We do not knowingly collect personal information from children under 16 without prior verifiable parental consent. If we learn that a child under the age of 16 has submitted personally identifiable information online without parental consent, we will take all reasonable measures to delete such information from our databases and to not use such information for any purpose (except where necessary to protect the safety of the child or others).

If you believe that a child under the age of 16 has provided us with personal information without verification of parental consent, please contact us at help@drupal.org.

Your Choices About Use and Disclosure of Your Information

We strive to provide you with choices regarding our use of your personal information. Below are some mechanisms that provide you with control over your information:

  • Promotional and Informational e-mails. We do not send any promotional or informational emails without your opt-in first. If you do not wish to receive promotional e-mails from us, follow the unsubscribe process at the bottom of the promotional e-mail.
  • Note that even if you opt-out, you may still receive transactional e-mails from us (e.g., e-mails related to the completion of your registration, abandoned cart reminders, correction of user data, password reset requests, notification/alert/reminder e-mails that you have requested, and any other similar communications essential to your transactions on this Website).
  • Automatic Information Collection Technologies and Advertising. The "help" function of your browser should contain instructions on how to set your browser to not accept new cookies, to notify you when a cookie is issued, or how to disable cookies altogether. If you disable or refuse cookies, please note that some parts of this Website may be inaccessible or not function properly.
  • Google Analytics. You can opt out from Google Analytics tracking via your browser privacy settings or by using a browser addon.
  • Audience Extension. You can opt out from Audience Extension retargeting by Perfect Audience either via your browser privacy settings or by using the following link. Note that authenticated users are excluded from this tracking automatically.

Accessing and Correcting Your Information

The appropriate method(s) for accessing your information, if any, will depend on which of our websites and services you have visited or used. Depending on the website and service, you may have the ability to view or edit some of your information online, by logging into the website and visiting your account profile page. If you remove information from your user profile, it will stay in backups on our servers for 2 weeks, after which it will be completely removed.

To request access to, correct, or delete any personal information that you have provided to us you may contact us at help@drupal.org. You may also request a notice disclosing the categories of personal information we have shared with third parties for their direct marketing purposes during the preceding calendar year by contacting help@drupal.org or in writing to: Drupal Association, Attn: Customer Support - Privacy Inquiry, 3439 NE Sandy Blvd #269, Portland, OR 97232, United States of America. Please allow 30 days for a response.

We cannot delete your personal information except by also deleting your account. We also may not accommodate a request to change or delete information if we believe the change would violate any law or legal requirements, be contrary to our Terms of Service or any other applicable agreement between you and us, or cause the information to be incorrect.

Upon deletion all private and personally identifying information from your profile will be deleted. The data will stay in backups on our servers for 2 weeks, after which it will be completely removed.

Public content you created, such as issues, forum posts, projects, documentation page revisions, etc. won’t be deleted. All this content will be attributed to ‘Anonymous’ user.

Once deleted, your account is gone and can not be restored.

Personally Identifiable Information (PII) Committed to Repositories

All users acknowledge that some personal identifiable information may be included in code repositories, in particular: names and email addresses associated with commit history.

In accordance with regulations such as GDPR, it is the Drupal Association's position that there is an overriding public interest in the availability of the data included in and associated with commits to our repositories. Because commits to these repositories are decentralized and irrevocable, all users waive the right to be forgotten from repository history, as well as the right to revoke future consent.

If a user wants to protect their PII from being committed to repositories they are encouraged to use a pseudonym and the Drupal.org no-reply email address in their git configuration.

Protection of Your Information

We use reasonable security measures to protect your information collected through this Website. We do not store passwords in plain text format, only secure password hashes. However, no method of transmission or electronic storage is 100% safe, and we cannot guarantee absolute security. Therefore, your use of this Website is at your own risk and we do not promise or guarantee, and you should not expect, that your information will always and absolutely remain private and secure. We are not responsible for the circumvention of any privacy settings or security measures contained on or concerning this Website. You are also responsible for taking reasonable steps to protect your personal information against unauthorized disclosure or misuse.

Visiting this Website from Outside the United States

If you are visiting this Website from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located and our central database is operated. The information protection laws of the United States might not be as comprehensive or protective as those in your country. By using this Website and our services, you understand that your information may be transferred to our facilities and to third parties as described in this Privacy Policy.

Changes to this Privacy Policy

We may update or amend this Privacy Policy at any time. This Privacy Policy will reflect the date it was last updated or amended. If we make any material amendments, we will notify you by sending an email to the address, associated with your user account, and/or posting a notification on Drupal.org as the updated Privacy Policy is being published on the Website. All amendments will take effect immediately upon our posting of the updated Privacy Policy on this Website. Your continued use of this Website (publishing content) will indicate your acceptance of the changes to the Privacy Policy.

Contacting Us

If you have questions or concerns about this Privacy Policy, our information practices, or wish to make a request regarding your information, please contact us at any of the following:

Via postal mail:

Drupal Association
3439 NE Sandy Blvd #269, Portland, OR 97232,
United States of America

Via e-mail:
help@drupal.org