Effective Date: November 29, 2023
Privacy Policy of LF Charities, Inc.
LF Charities, Inc. (“LFC”) is an organization devoted to empowering people and communities to engage in the creation and development of open source technology (e.g. open source software, hardware and data) that is freely shared with the world to help overcome societal challenges and inequalities. It is the mission, duty and purpose of LFC to educate, inspire, and empower technologists and their communities in their endeavor to create a shared, public commons for open source technology that advances interests for society at large. To support this mission LFC hosts various technical projects focused on the open development of technology (each a “Project”).
This privacy policy (“Privacy Policy”) describes our policies and procedures about the collection, use, and disclosure, or other processing of your personal information when you use our websites (e.g., lfcharities.dev), or participate in or use our Project sites (collectively, the “Sites”), as well as when you interact with or participate in our events, programs, trainings and our other services and offerings. Services that you access through the Linux Foundation, such as the LFX platform, are governed by the terms of the Linux Foundation privacy policy. This Privacy Policy applies to activities by LFC and its Projects.
For purposes of the GDPR, LFC is the controller of your personal information. Where processing of personal information is undertaken by our affiliates, subsidiaries and related entities, they are a joint controller with LFC for your personal information.
Capitalized terms that are not defined in this Privacy Policy have the meaning given them in our Terms of Use (as applicable, the “Terms”). In this Privacy Policy, “personal information” includes references to “personal data” as defined under applicable laws. Your use of our Sites, and any dispute over privacy, is subject to this Privacy Policy and the relevant Terms, including the applicable limitations on damages and the resolution of disputes. The Terms are incorporated by reference into this Privacy Policy.
Personal Information That LFC Collects
We collect personal information directly from individuals, from third parties, and automatically through the Sites. You do not have to provide us your personal information. However, if you choose not to disclose certain information, we will not be able to provide you with access to certain services or features, including account registration, event registration, training and certification programs, or participation in certain aspects of our open source projects.
Registration Information. When you register with us (e.g., to create an account, attend our events, engage in our trainings and/or certification programs, etc.), we collect certain personal data from you, such as your name, username, email address, and other contact information.
Your Contributions to Open Source Projects.
Attribution, Provenance and Integrity. When you contribute source code, documentation or other content to one of our Projects (whether on your own behalf or through contributions made as part of your employment services to your employer), we collect and store the information and content that you contribute. This includes the contents of those contributions, as well as information required to confirm the provenance of intellectual property contained in those contributions, and personal information that you make publicly available in the record of the contribution pursuant to sign-offs under the Developer Certificate of Origin (https://developercertificate.org/). Some Projects require additional agreements or information pursuant to their intellectual property policies; in such cases we collect and store information related to your acceptance of those agreements. We may also collect information relating to your participation in technical, governance or other Project-related meetings.
Other Project-related Content. The content you provide in relation to Projects also includes materials that you make publicly available in connection with Project development, collaboration and communication, such as on mailing lists, blogs, Project wiki pages and issue trackers, and related services.
Your Content. We collect and store the information and content that you post to the Sites, including your questions, answers, comments, forum postings, and responses to surveys. Please see the section on publicly available information for how the information you post will be viewed on our Sites.
Communications. When you communicate with us (via email, phone, through the Sites or otherwise), we may maintain a record of your communication.
Audio/Video Recordings. When you engage in developer meetings through communication platforms such as Zoom, we may record the audio and video of such meetings or enable the creation of generated transcripts of such meetings for purposes of maintaining records of those calls and the information shared.
Payment Information. To make donations or other financial contributions, users may be asked to be directed to a third-party site, such as Stripe, for payment. If applicable, the third-party site may collect payment information directly to facilitate a transaction. LFC generally only records the result of the transaction and any references to the transaction record provided by the third-party site.
Transaction Data. We collect information related to the Projects you engage in and other purchasing or engagement histories or tendencies.
Personal Information Collected from Third Parties. We may collect lead and prospect information from third parties about prospective customers that may be interested in our Projects. We may also engage third parties to provide information to us so that we can better understand how our users interact with us and engage in the Projects.
Automatically Collected Personal Information. In addition, LFC may automatically collect the following information about users’ use of the Sites through cookies, web beacons, and other technologies: your domain name; your browser type and operating system; web pages you view; when you open certain emails we send; links you click; your IP address; your country of location; the length of time you visit our Sites; and the referring URL, or the webpage that led you to our Sites. We may combine this information with other information that we have collected about you, including, where applicable, your username, name, and other personal information. For some parts of the Sites, we use the FullStory service to record session replays of a user’s interaction with the Sites for debugging purposes. Please see our Cookie Policy for more information about our use of cookies.
De-identified Information. We may de-identify and aggregate certain personal information we collect such that the information no longer identifies or can be linked to a particular user or an individual data subject (“De-identified Information”), subject to the terms of any applicable user agreements. We may use this information to improve our Sites, analyze trends, publish market research, and for other marketing, research or statistical purposes, and may disclose such information to third parties for these specific purposes.
Purposes and Legal Bases for Our Use of Your Personal Information
LFC uses the personal information we collect for our legitimate business interests, which include the following purposes:
- Providing our Sites. To provide the Sites (including LFX and its service offerings and Project Sites), to communicate with you about your use of our Sites, to respond to your inquiries, provide troubleshooting of the Sites and for other purposes to support users and the community. (Legal Bases: our legitimate interest in efficiently managing customer relationships and/or requests in order to satisfy expectations and expand our business, to enter into or perform a contract with you when you engage in a Project or a service offered by LFC, to comply with applicable law, and your consent.)
- Operating our Open Source Projects. To enable communication between and among open source developers in the community; to facilitate and document Project governance and technical decision-making; to maintain, and make publicly available on a perpetual basis, records regarding intellectual property provenance and license compliance for Project contributions; and for related activities to further LFC’s core purpose of fostering an ecosystem that supports the collaborative and public development of free and open source software projects. See the “Attribution, Provenance and Integrity” section above for more information. (Legal Bases: our legitimate interest in efficiently managing Projects in order to satisfy expectations and expand our business, to enter into or perform a contract with you when you engage in a Project or a service offered by LFC, to enter into or perform a contract with you, to comply with applicable law, and your consent.)
- Maintain our Training and Certification Programs. To maintain records about who has attended or registered to attend training programs, taken our certification exams, and received certain certifications. (Legal Bases: our legitimate interest in ensuring that our trainings and certification programs are well managed in order to satisfy expectations and maintain our reputation and to enter into or perform a contract with you.)
- Event Administration. To plan, organize, and facilitate access to events and related services and activities, and to carry out informative and safe events for participants, including attendees, speakers and sponsors. If you provide us information about disabilities, medical conditions and allergies, we will use this information in order to provide appropriate accommodations for attendees and to ensure their health and safety; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights. If you request assistance from us for obtaining a visa letter to travel to one of our events and provide us with information required for such assistance (such as your citizenship, date of birth, and passport details), we will use this information in order to assist with providing you a visa letter; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights. For in-person events requiring attendees to be vaccinated against COVID-19, we use information regarding your COVID-19 vaccination status to provide a safer environment for attendees and staff, in order to confirm vaccination status before permitting access to the event venue space. (Legal basis: our legitimate interest in ensuring that events generate interest and participation and are well-managed, in order to satisfy expectations and maintain our reputation.)
- Internship Applications. To select participants for our Project-related internship programs, including the evaluation and selection of interns from among applicants. If you choose to provide information regarding your membership in a diverse or underrepresented group, we will use this information in connection with internship diversity programs we may operate; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights. (Legal Basis: to enter into or perform a contract with you).
- Marketing and Promotions. For marketing and promotional purposes, such as to send you news and newsletters, special offers, and promotions, or to otherwise contact you about Projects, services, events, trainings or other information we think may interest you related to LFC, and, subject to applicable law, our affiliates, subsidiaries and managed services entities. (Legal Bases: our legitimate interest in promoting our products and services in order to expand our business and increase our revenue and, where required by law, your consent.)
- Analytics. To gather metrics to better understand how users access and use our Sites and participate in our Projects; to evaluate and improve the Sites, including personalization, to develop new services; and to understand metrics regarding the community health of our Projects. If a user voluntarily provides and explicitly consents to our processing of personal information regarding their demographics and socioeconomics, we process such personal information for the specific purposes for which you have consented, which may include for the purpose of compiling, analyzing and disclosing aggregate statistics regarding diversity of participation in open source projects and communities (including in LFX projects and LFX Services), to help track progress towards meeting LFC’s commitment to diversity initiatives and subject to your consent. (Legal Bases: our legitimate interest in improving our products and services in order to expand our business and increase our revenue and your consent.)
- Compliance. To comply with legal obligations and requests. For example, to comply with laws that compel us to disclose information to public authorities, courts, law enforcement or regulators, maintain records for a certain period, or maintain records demonstrating enforcement and sublicensing of our trademarks and those of our Projects. (Legal basis: To comply with an EEA or UK legal obligation, or in reliance on our legitimate interests in conducting our business in a lawful manner and protecting our rights and interests as well as those of our stakeholders and society at large where we need to comply with non-EEA or UK law.)
- Business and Legal Operations. As part of our general business and legal operations (e.g., accounting, record keeping, and for other business administration purposes), as necessary to establish, exercise and defend (actual and potential) legal claims, and to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions. (Legal basis: Our legitimate interests in organizing our business efficiently.)
- Prevent Misuse. Where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of the relevant Terms or this Privacy Policy. (Legal basis: Our legitimate interests in conducting our business in a lawful manner and protecting our rights and interests as well as those of our stakeholders and society at large.)
Sharing of Personal Information
We disclose personal information as set forth below, and where individuals have otherwise consented:
- Publicly Available Information, including Your Contributions to Open Source Projects. Usernames, other user IDs, email addresses and other attribution information related to the information and contributions that a user posts in conjunction with or subject to an Open Source license are publicly available in the relevant Project source code repositories. Your contributions to Open Source Projects, and certain of your other Content such as comments and messages posted to public forums, are available to other participants and users of our Projects, and may be viewed publicly. In some cases you may be able to provide Project or contribution-related information directly to third-party sites and services; these third parties are independent data controllers and their use of your personal information is subject to their own policies.
- Service Providers. We may share your information with third party service providers who use this information to perform services for us, such as payment processors, hosting providers, auditors, advisors, contractors and consultants.
- Affiliates. The information collected about you may be accessed by or shared with subsidiaries and affiliates of LFC, whose use and disclosure of your personal information is subject to this Privacy Policy, unless an affiliate has its own separate privacy policy.
- In Support of Business Transfers. We may disclose or transfer information, including personal information, as part of any merger, sale, and transfer of our assets, or restructuring of all or part of our business operations, bankruptcy, or similar event, including in negotiations, due diligence, and integrations related to such transactions.
- Event Participants. If you register for an event, we may ask for your consent to share your personal information with third party sponsors and other participants; for example, to facilitate your ability to swipe your badge or visit and interact with a virtual booth to easily sign up for or participate in activities, events and gifts offered by third parties participating in the event, or to give you the option to be listed on the attendee list that is available to other attendees, sponsors and participants. We will not share your event information with third parties without your consent, and in particular you have the choice whether or not to permit your badge to be swiped by any third party participating in the event, or to visit and interact with a third party’s virtual booth. For in-person events requiring attendees to be vaccinated against COVID-19, we may use third-party service providers to validate your identity and COVID-19 vaccination status.
- Training and Program Sponsors. If you participate in one of our certification or training programs that a third party has sponsored or engaged us to provide to you and others (e.g., your employers), we may receive attendee list information from them and may share information about your completion of the program, including confirmation of your participation and your certification exam results, as applicable; these third parties are independent data controllers and their use of your personal information is subject to their own policies. You may also elect to provide third parties (e.g., your employers or your prospective employers) with information that will enable them to look up your certification exam status; if you do so, we may share your certification exam status with such third parties.
- Legally Required. We may disclose your information if we are required to do so by law (including to law enforcement in the U.S. and other jurisdictions).
- Protection of Rights. We may disclose information where we believe it necessary to respond to claims asserted against us or comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation, and protect the rights, property or safety of LFC, its users, participants in its events or Projects, or others.
- Anonymized and Aggregated Information. We may share aggregate or De-identified information with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual.
Cookies and Tracking
We and our third-party providers use cookies, clear GIFs/pixel tags, JavaScript, local storage, log files, and other mechanisms to automatically collect and record information about your usage and browsing activities on our Site and across third party sites or online services. We may combine this information with other information we collect about users. Below, we provide a brief summary of these activities. For some parts of the Sites, we use the FullStory service to record session replays of a user’s interaction with the Sites for debugging purposes. For more detailed information about these mechanisms and how we collect activity information, see our Cookie Policy.
- Cookies. These are small files with a unique identifier that are transferred to your browser through our websites. They allow us to remember users who are logged in and to understand how users navigate through and use the Sites.
- Pixels, web beacons, clear GIFs. These are tiny graphics with a unique identifier, similar in function to cookies, which we use to track browsing activities. We use these as part of our Training Affiliate Program. We also use these in our emails to let us know when they have been opened or forwarded, so we can gauge the effectiveness of our communications.
- Analytics Tools. We may use internal and third-party analytics tools, including Google Analytics. The third-party analytics companies we work with may combine the information collected with other information they have independently collected from other websites and/or other online products and services. Their collection and use of information is subject to their own privacy policies. You can learn more about how Google uses your data at www.google.com/policies/privacy/partners/ (“How Google uses information from sites or apps that use our services”). You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
- Industry Ad Choice Programs. You can also control how participating third-party ad companies use the information that they collect about your visits to our website, and those of third parties, in order to display more relevant targeted advertising to you. For more information and to opt out of receiving targeted ads from participating third-party ad networks go to aboutads.info/choices (Digital Advertising Alliance) (you can also download the DAA AppChoices tool in order to help control interest-based advertising on apps on your mobile device).
Please note that LFC does not respond to browser “do not track” signals or other similar mechanisms intended.
Data Security
We have implemented commercially reasonable precautions designed to protect the information we collect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our best efforts, no data security measures can guarantee 100% security.
You should take steps to protect against unauthorized access to your passwords, phone, and computer by, among other things, signing off after using a shared computer, choosing robust passwords that nobody else knows or can easily guess, not using a password for more than one site or service, and keeping your log-ins and passwords private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity. We ask you to promptly notify us if you become aware that any information provided by or submitted to our Sites is lost, stolen, or used without permission at privacy@lfcharities.dev.
Marketing Choices
You may opt out of or withdraw your consent to receive direct marketing emails from us by using the unsubscribe or opt out mechanisms included in our marketing emails or by emailing privacy@lfcharities.dev. You may also unsubscribe from mailing lists via the applicable mailing list’s subscription website or, in some cases, by using the unsubscribe mechanisms included in such emails.
Retention of Your Personal Information
We generally keep personal information only for as long as required to fulfill the purposes for which it was collected. However, in some circumstances, we may retain personal information for other periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements, or if required to do so by a legal process, legal authority, or other governmental entity having authority to make the request, for so long as required. In specific circumstances, we may also retain your personal information for longer periods of time corresponding to a statute of limitation, so that we have an accurate record of your dealings with us in the event of any complaints or challenges.
International Transfers
If you are located within the European Economic Area, the United Kingdom or Switzerland, you should note that your personal information will be transferred to countries outside these jurisdictions, including the United States where LFC is located. The U.S. is deemed by the European Union to provide inadequate data protection. However, we have put in place European Commission approved Standard Contractual Clauses to provide for adequate safeguards to protect personal information transferred outside these jurisdictions. In addition, if personal information is transferred to third party service providers located outside these jurisdictions, we will take steps to ensure that your personal information receives the same level of protection as if it remained within these jurisdictions, including by entering into data transfer agreements, using the European Commission approved Standard Contractual Clauses or other safeguards as approved by the European Commission. You have a right to obtain details of the mechanism under which your personal information is transferred outside of the EU by emailing gdpr@linuxfoundation.org.
Children’s Privacy
Except as specifically indicated within a Site, we do not knowingly collect or solicit personal information from anyone under the age of sixteen (16), or knowingly allow such persons to register with LFC for Projects, training, certifications, etc. If we become aware that we have collected personal information from a child under the relevant age without parental consent, we take steps to delete that information. Where we specifically indicate that we collect personal information from children under 16, we will obtain the parent or guardian’s consent and provide adequate notice.
Links to Third Party Sites and Services
The Sites may contain links to third party sites or online services. Please refer to the privacy policies of the relevant third-party websites or services to find out more about how they process and handle personal information.
Your Privacy Rights (EU and UK Residents)
Individuals in the European Economic Area and UK have additional rights under applicable law:
- Access: to obtain a copy of your personal information together with information about how and on what legal basis that personal information is processed;
- Rectification: to rectify inaccurate personal information (including to have incomplete personal information completed);
- Erasure: to erase your personal information (in limited circumstances, such as where it is no longer necessary in relation to the purposes for which it was collected or processed);
- Restriction: to restrict processing of your personal information under certain circumstances;
- Portability: to export certain personal information in machine-readable format to a third party (or to you) when we justify our processing on the basis of your consent or the performance of a contract with you and the processing is carried out by automated means;
- Withdrawal of consent: to withdraw your consent to our processing of your personal information (where that processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal); and
Lodging a Complaint. You also have the right to lodge a complaint with your local supervisory authority for data protection, or privacy regulator. A list of data protection supervisory authorities is available here.
Submitting a Request. To exercise the above rights or contact us with questions or complaints regarding our treatment of your personal information, contact us at gdpr@linuxfoundation.org. Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, especially if your request is manifestly unfounded or excessive. We will respond to your request within the applicable timeframes set out by law.
If you are not happy with how your rights are handled, you can submit a complaint with the relevant data protection authority of your habitual residence, your place of work or the place of the alleged infringement/violation of your rights. This link will redirect you to the European Data Protection Board Website with an up-to-date list of all European Union Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en. The UK authority, the ICO, can be reached here: https://ico.org.uk/.
Contact Us
If you have any questions about our practices or this Privacy Policy, please contact us at privacy@lfcharities.dev, or write to us at: LFC, Attn: Legal Department, 548 Market St, PMB 57274, San Francisco, California 94104-5401, USA.
Changes to the Privacy Policy
This Policy is current as of the effective date set forth above. If we change our Privacy Policy, we will post those changes on this page and/or continue to provide access to a copy of the prior version. If we make any changes to this Privacy Policy that materially change how we treat your personal information, we will endeavor to provide you with reasonable notice of such changes, such as via prominent notice on our Sites or to your email address of record, and where required by law, we will obtain your consent or give you the opportunity to opt out of such changes.