Privacy Policy

The GnuPG project runs several web sites on different technical platforms.

We do not track the use of these sites or store data of users except to fulfill the user requested actions, to aid in fixing technical problems and due to financial accounting requirements.

No data is ever shared with external parties unless explicitly requested by the user. We use cookies only for session management without any personal data and at dev.gnupg.org to store the name of a registered user.

Find below details for all provided services; the responsible person for data privacy can be found at the end of this page.

Website www.gnupg.org

This website uses log files to identify problems with the site and to monitor traffic. The raw log files are kept for a week and are then deleted. For web analytics, the data from the log files is anonymized by truncating the IP addresses to 40 bits for IPv6 and 20 bits for IPv4 and is then sent to another machine. Reports on the use of this site will always be fully anonymized and may be published on one of our servers.

Neither the raw log files nor the anonymized data from the log files are shared with anyone; however within the first week system administrators have access to the log files to solve technical problems. In exceptional cases stripped down copies of the log files may be stored for longer to analyze problems spanning more than a week. These copies are deleted as soon as the problem has been solved.

Donation system at www.gnupg.org

For the donation system we use several external payment processing services and submit data entered by the user pertaining to the donation. For bookkeeping and administrative needs we store and process this data:

  • The name of the user if given by the user. This is not shared with the payment processing service.
  • A contact mail address if given by the user. This is not shared with the payment processing service.
  • A message text if given by the user. This is not shared with the payment processing service.
  • The mail address or user name as returned by the payment processing service.
  • The amount of data.
  • Transaction IDs.

The data is stored in a local database and in donation log files. Log files which are older than a week are encrypted in a way that only the back office is able to decrypt them. Access to this data is only granted to system administrators and staff responsible for the donations. We do not share this information with anyone else. Data will be deleted according to general bookkeeping rules. If the user has opted for publication, we put the entered name on our donation thanks page.

Our payment service providers are:

  • PayPal for PayPal based donations. Click here for their privacy policy.
  • Stripe for credit card based donations. Click here for their privacy policy.
  • SEPA. This is not a real payment service; instead we send only a random number to the user which allows us to match the stored information with an actual payment.

Mailing lists

The mailing lists listed at https://lists.gnupg.org/mailman/listinfo/ are used for discussions between users. When the archives of the mailing lists are read, no personal data is kept other than the IP address as described above under Website. Anyone may subscribe to a mailing list using a valid mail address. This can be done using the web interface or by sending a special mail to the system. Unsubscribing is also a self-service using the same web interface; a link to the web interface is shown in the footer of all forwarded mails.

We store the subscription mail address and a user-given password and optionally a name. The mail address is used to deliver mails to the user and for no other purpose. The password is required for unsubscribing or temporarily disabling message delivery. The password does not protect any personal information but protects against malicious unsubscribing requests.

Users who want to post to the list send a mail through our mail system (see below) which is then forwarded to all users and stored in a public mail archive. All information sent by the user is forwarded to all users; this includes all information which is sent in a standard mail. The content of the mail is considered to be in the public domain with the exception of code snippets and patches which are subject to their respective license. As this is a publicly visible service, we have no control whatsoever over where these mails and the mail archives are copied to. Thus it is not possible to retract a message once it has been posted. In exceptional cases and for illegally posted content we are able to and will redact a message stored in our mail archive. Please contact us at the mail address given at the end of the page.

Mailing system

All mails to gnupg.org and related sites pass through our mail servers. We keep log files for 10 days to analyze technical problems and for spam prevention. The IP addresses and sender addresses of incoming mails are compared to addresses we have on local black- and whitelists. We also compare them using DNS-based lists of known spamming addresses. All mail is conveyed using TLS encryption if supported by the peer.

FTP Server

The FTP server ftp.gnupg.org is similar to the Web server and can be used to download files and other material. The logs are kept for 7 days and carry the IP address of the requester, the requested file and an error code. For access analytics the same system and properties as used by the web server are in place. All files on the FTP server are also available via the more secure HTTPS protocol using the address https://gnupg.org/ftp/ which is served by our web server.

Git repository

This is a public service which carries all published code along with the names and mail addresses of their authors. This is required for technical and legal (copyright) reasons.

Bug tracker dev.gnupg.org

The system https://dev.gnupg.org is a general purpose bug tracker which is in general visible to everyone. No registration is required to view the public data, similar to the web server. To file a bug report a user must be registered; this is only done to avoid misuse of the server by spammers. A user who registers must provide a valid mail address and an arbitrary name for his account. A user may remove personal data and disable his own account but can't delete any data entered into the system. This is required for proper documentation and the overall security of the software developed by the GnuPG project and according to the exceptions in Art. 17 para. 3 lit. a), b), d) and e) GDPR.

The IP addresses and login times of the users are available only to the administrators of the system. We need to keep them to help prevent abuse of this public service. No such data is ever shared with any 3rd party or used for other purposes.

All user entered content is considered to be in the public domain with the exception of code snippets and patches which are subject to their respective license.

Responsible person for data protection

If you have any questions about our privacy policy or need to get information on the data stored about you, write to

Werner Koch, data-privacy at gnupg dot org (OpenPGP key)
g10 Code GmbH
Bergstr. 3a
40699 Erkrath
Germany

You can expect a response within a week. If exceptionally you don't get a timely response please send a reminder or call us at the phone number given in the imprint.

History

2018-05-18
Revamped the page. No actual policy changes.
2014-03-12
Removed the Piwik web analytics software and changed the policy to allow for log file based analytics.
2013-11-07
Installed Piwik web analytics software and wrote a privacy policy.

We have not been forced by any court order or other means not to obey the above rules.