Last updated: November 7, 2023
The Linux Foundation’s core purpose is to foster an ecosystem that supports the collaborative and public development of free and open source software projects (each, a “Project”). This privacy policy (“Privacy Policy”) describes our policies and procedures about the collection, use, disclosure and sharing, or other processing of your personal information when you use our websites (e.g., linuxfoundation.org, linux.com), our LFX platform (e.g., lfx.linuxfoundation.org) (“LFX”) or participate in or use our Project sites (collectively, the “Sites”), as well as when you interact with or participate in our events, programs, trainings and our other services and offerings, including services accessible through LFX (collectively, the “Services”). This Privacy Policy applies to activities by The Linux Foundation and its affiliates, subsidiaries and related entities (collectively “TLF,” “we” or “us”), including activities that we perform for other entities through management services agreements. The Privacy Policy does not apply to information collected about TLF employees or other TLF personnel.
For purposes of the GDPR, The Linux Foundation is the controller of your personal information. Where processing of personal information is undertaken by our affiliates, subsidiaries and related entities, they are a joint controller with The Linux Foundation for your personal information.
Capitalized terms that are not defined in this Privacy Policy have the meaning given them in our Terms of Use or, if you engage with LFX, then those defined in the LFX Platform Use Agreement (as applicable, the “Terms”). Specific details about the collection, processing and sharing of personal information by LFX is available in the LFX Privacy Policy Addendum. In this Privacy Policy, “personal information” includes references to “personal data” as defined under applicable laws. Your use of our Sites and Services, and any dispute over privacy, is subject to this Policy and the relevant Terms, including the applicable limitations on damages and the resolution of disputes. The Terms are incorporated by reference into this Policy.
Personal Information That TLF Collects
We collect personal information directly from individuals, from third parties, and automatically through the Sites and Services. You do not have to provide us your personal information. However, if you choose not to disclose certain information, we will not be able to provide you with access to certain services or features, including account registration, event registration, training and certification programs, or participation in certain aspects of our open source projects.
Registration Information. We collect personal information when you register for an account, a conference or other events or programs:
Linux Foundation ID, Account and Profile Information. Users may sign up for, request, or order our Services and may register to receive materials on our Sites. Users may also create a “Linux Foundation ID” (also called an “LF Login” or “LF ID”), which is a single sign-on account which is used for common access to many of our Services, including LFX. Personal information collected on the Sites includes community forum content, profiles, photographs, names, forwarding information for “linux.com” email forwarding, unique identifiers (e.g., social media handles or usernames), information about your current and past employment affiliations, contact and billing information (e.g., email address, preferred pronoun, postal address, telephone, fax), and transaction information. In order to access certain personalized services on the Sites, you may be asked to also create and store a username and password for an account from TLF, and/or to link your Linux Foundation ID account with other providers’ social accounts (such as Facebook, Google, LinkedIn or GitHub). Also, in order to tailor TLF’s subsequent communications to users and continuously improve the Sites’ operations and services, TLF may also ask users to provide additional optional information regarding their interests, demographics, experience and detailed contact preferences.
LFX. To register for and participate in the LFX platform and related Services, users must have an active Linux Foundation ID and account (see above for information collected related to account registration). Certain personal information is processed by LFX solely as to individuals who sign up to participate in the applicable Services, while other personal information is processed by LFX in connection with all individuals who interact with the Linux Foundation and its Projects. Specific details about the collection, processing and sharing of personal information by LFX is available in the LFX Privacy Policy Addendum.
Events Registration. When you register for one of our events (e.g., conferences and summits) to participate as an attendee, a speaker or a sponsor, we collect personal information that includes name, company, contact information, and other information. We may also collect other optional personal information such as likes, interests, preferred pronoun, dietary restriction, size preferences for conference attire gifts and other background information. In addition, if you provide it, we may collect (1) personal information about disabilities, medical conditions and allergies in order to provide appropriate accommodations for attendees, and (2) personal information about your citizenship, date of birth, and passport details if you request assistance from us with obtaining a visa letter to travel to one of our events.
For in-person events requiring attendees to be vaccinated against COVID-19, in order to provide a safer environment for attendees and staff, we may collect information to verify your identity and COVID-19 vaccination status. We may collect this information via direct verification of identity and vaccination status documents by TLF staff or third-party contractors, and/or through the use of third-party vaccination status apps and service providers.
Training and Certification Exam Registration. When you participate in one of our training or certification programs, we collect registration-related personal information that includes name, company, certifications, contact information, and other information depending on the circumstances.
Registration for Project Resources and TLF Resources. You can register to receive access to various resources provided by TLF and its Projects regarding the open source ecosystem, open source project development, collaboration and best practices. This includes providing us with personal information such as your email address and name to receive newsletters, mailing list postings and social media postings, to view webinars, and to access other resources made available by TLF and its Projects.
Your Contributions to Open Source Projects.
Attribution, Provenance and Integrity. When you contribute source code, documentation or other content to one of our Projects (whether on your own behalf or through contributions made as part of your employment services to your employer), we collect and store the information and content that you contribute. This includes the contents of those contributions, as well as information required to confirm the provenance of intellectual property contained in those contributions, and personal information that you make publicly available in the record of the contribution pursuant to sign-offs under the Developer Certificate of Origin (https://developercertificate.org/). Some Projects require additional agreements or information pursuant to their intellectual property policies; in such cases we collect and store information related to your acceptance of those agreements. We may also collect information relating to your participation in technical, governance or other Project-related meetings.
Other Project-related Content. The content you provide in relation to Projects also includes materials that you make publicly available in connection with Project development, collaboration and communication, such as on mailing lists, blogs, Project wiki pages and issue trackers, and related services.
Applicants for TLF Internships or Employment. We collect and store personal information relating to individuals who apply to participate in one or more of our Project-related internships, or for employment with TLF. Separately, as described in the LFX Privacy Policy Addendum, LFX Mentorship provides a platform for mentors and mentees to connect and conduct mentorships; however, these mentorships are not offered by, supervised by or administered by TLF, and participation in a mentorship does not constitute a form of employment or internship with or any related rights towards TLF. The personal information collected and stored for TLF Project-related internships, or for employment with TLF, may include your name, address, or other contact information. In addition, if you choose to provide it, we may collect personal information regarding your membership in a diverse or underrepresented group.
Your Content. We collect and store the information and content that you post to the Sites, including your questions, answers, comments, forum postings, and responses to surveys. Please see the section on Publicly Available Information for how the information you post will be viewed on our Sites.
Communications. When you communicate with us (via email, phone, through the Sites or otherwise), we may maintain a record of your communication.
Payment Information. To purchase Services (including registering for events, training and certification exams), users may be asked to be directed to a third-party site, such as Stripe, to pay for their purchases. If applicable, the third-party site may collect payment information directly to facilitate a transaction. TLF generally only records the result of the transaction and any references to the transaction record provided by the third-party site.
Automatically Collected Information. In addition, TLF may automatically collect the following information about users’ use of the Sites or Services through cookies, web beacons, and other technologies: your domain name; your browser type and operating system; web pages you view; when you open certain emails we send; links you click; your IP address; your country of location; the length of time you visit our Sites and or use our Services; and the referring URL, or the webpage that led you to our Sites. We may combine this information with other information that we have collected about you, including, where applicable, your user name, name, and other personal information. For some parts of the Sites, we use the Datadog and FullStory services to record session replays and data regarding a user’s interaction with the Sites for debugging and development purposes. Please see our Cookie Policy for more information about our use of cookies.
De-identified Information. We may de-identify and aggregate certain personal information we collect such that the information no longer identifies or can be linked to a particular user or an individual data subject (“De-identified Information”), subject to the terms of any applicable user agreements. We may use this information to improve our Services, analyze trends, publish market research, and for other marketing, research or statistical purposes, and may disclose such information to third parties for these specific purposes.
Performing Services for Nonprofit Entities in a Managed Services Relationship. For certain of its Projects that are structured as separate legal entities, TLF performs services as a managed services provider. In such cases, TLF collects and processes the same types of personal information as described above, doing so in the furtherance of performing services for those Project entities.
Purposes and Legal Bases for Our Using of Your Personal Information
Purposes and Legitimate Interests
TLF uses the personal information we collect for our legitimate business interests, which include the following purposes:
- Providing our Sites and Services. To provide the Services and our Sites (including LFX and its service offerings, and Project Sites), to communicate with you about your use of our Sites and Services, to respond to your inquiries, provide troubleshooting of the Sites and for other purposes to support users and the community.
- Operating our Open Source Projects. To enable communication between and among open source developers in the community; to facilitate and document Project governance and technical decision-making; to maintain, and make publicly available on a perpetual basis, records regarding intellectual property provenance and license compliance for Project contributions; and for related activities to further TLF’s core purpose of fostering an ecosystem that supports the collaborative and public development of free and open source software projects. See the “Attribution, Provenance and Integrity” section above for more information.
- Maintain our Training and Certification Programs. To maintain records about who has attended or registered to attend training programs, take certification exams and received certain certifications.
- Event Administration. To plan, organize, and facilitate access to events and related services and activities, and to carry out informative and safe events for participants, including attendees, speakers and sponsors. If you provide us information about disabilities, medical conditions and allergies, we will use this information in order to provide appropriate accommodations for attendees and to ensure their health and safety; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights. If you request assistance from us for obtaining a visa letter to travel to one of our events and provide us with information required for such assistance (such as your citizenship, date of birth, and passport details), we will use this information in order to assist with providing you a visa letter; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights. For in-person events requiring attendees to be vaccinated against COVID-19, we use information regarding your COVID-19 vaccination status to provide a safer environment for attendees and staff, in order to confirm vaccination status before permitting access to the event venue space.
- Internship and Employment Applications. To select participants for our Project-related internship programs or for employment, including the evaluation and selection of interns and employees from among applicants (not to be confused with LFX Mentorships). If you choose to provide information regarding your membership in a diverse or underrepresented group, we will use this information in connection with internship diversity programs we may operate; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights.
- Personalization. To tailor the content and information that we may send or display to you on our Sites and in our Services, to offer location customization and personalized help and instructions and to otherwise personalize your experiences.
- Marketing and Promotions. For marketing and promotional purposes, such as to send you news and newsletters, special offers, and promotions, or to otherwise contact you about Projects, Services, events, trainings or other information we think may interest you related to TLF, and, subject to applicable law, our affiliates, subsidiaries and managed services entities.
- Advertising. For targeting advertising to you on our Sites and third-party sites and measuring the effectiveness and reach of ads and services (through third-party ad networks and services).
- Analytics. To gather metrics to better understand how users access and use our Sites and Services and participate in our Projects; to evaluate and improve the Sites, including personalization, to develop new services; and to understand metrics regarding the community health of our Projects. If a user voluntary provides and explicitly consents to our processing of personal information regarding their demographics and socioeconomics, we process such personal information for the specific purposes for which you have consented, which may include for the purpose of compiling, analyzing and disclosing aggregate statistics regarding diversity of participation in open source projects and communities (including in LFX projects and LFX Mentorship opportunities), to help track progress towards meeting TLF’s commitment to diversity initiatives and subject to your consent.
- Compliance. To comply with legal obligations and requests. For example, to comply with laws that compel us to disclose information to public authorities, courts, law enforcement or regulators, maintain records for a certain period, or maintain records demonstrating enforcement and sublicensing of our trademarks and those of our Projects.
- Business and Legal Operations. As part of our general business and legal operations (e.g., accounting, record keeping, and for other business administration purposes), and as necessary to establish, exercise and defend (actual and potential) legal claims.
- Prevent Misuse. Where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of the relevant Terms or this Privacy Policy.
Purposes and Legal Bases
Purposes of Processing(see above) |
Legal Bases of Processing (EU Users) |
Providing our Sites and Services, including through LFX |
- Our Legitimate Business Interests
- Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available)
- Compliance with Law
- Where permitted, with Your Consent (where we process any sensitive personal information you voluntarily provide – e.g., for diversity-related purposes)
|
Operating our Open Source Projects |
- Our Legitimate Business Interests
- Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to enable your participation in the Projects or to make the Services available)
- Compliance with Law
- As Necessary to Establish, Exercise and Defend Legal Claims
|
TLF Internship and Employment Applications |
- Our Legitimate Business Interests
- Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary relating to Your application for a TLF internship or employment position)
- Compliance with Law
- Where permitted, with Your Consent (where we process any sensitive personal information you voluntarily provide – e.g., for diversity-related purposes)
|
Event Administration |
- Our Legitimate Business Interests
- Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available)
- Compliance with Law
- With Your Consent (in particular regarding your sensitive personal information – e.g., disability and medical conditions, COVID-19 vaccination status, and information related to a visa letter request)
- Where Necessary in Order to Protect the Vital Interests of You or of Another Natural Person, and for Reasons of Public Interest in the Area of Public Health (regarding COVID-19 vaccination status)
|
Offer Training and Certification Programs |
- Our Legitimate Business Interests
- Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available)
|
Personalization |
- Our Legitimate Business Interests
|
Marketing and Promotions |
- Our Legitimate Business Interests
- With Your Consent
|
Advertising |
- Our Legitimate Business Interests
- With Your Consent
|
Analytics |
- Our Legitimate Business Interests
- Where permitted, with Your Consent (where we process any sensitive personal information you voluntarily provide – e.g., for diversity-related purposes)
|
Compliance |
- Our Legitimate Business Interests
- Compliance with Law
- As Necessary to Establish, Exercise and Defend Legal Claims
|
Business and Legal Operations |
- Our Legitimate Business Interests
- Compliance with Law
- As Necessary to Establish, Exercise and Defend Legal Claims
|
Prevent Misuse |
- Our Legitimate Business Interests
- Compliance with Law
- As Necessary to Establish, Exercise and Defend Legal Claims
|
Sharing of Personal Information
We disclose personal information as set forth below, and where individuals have otherwise consented:
- Publicly Available Information, including Your Contributions to Open Source Projects. User names, other user ids, email addresses and other attribution and affiliation information related to the information and contributions that a User posts in conjunction with or subject to an Open Source license are publicly available in the relevant Project source code repositories. Your contributions to Open Source Projects, and certain of your other Content such as comments and messages posted to public forums, are available to other participants and users of our Projects and of our Services, and may be viewed publicly. In some cases you may be able to provide Project or contribution-related information directly to third-party sites and services; these third parties are independent data controllers and their use of your personal information is subject to their own policies.
- LFX. Within LFX, in addition to the other specific disclosures set forth in this Privacy Policy, we disclose certain of your information in order to enable you to receive, participate in and make use of the LFX Services, including engagement with open source projects and communities through LFX, as set out in the LFX Privacy Policy Addendum.
- Service Providers. We may share your information with third party service providers who use this information to perform services for us, such as payment processors, hosting providers, auditors, advisors, contractors and consultants.
- Affiliates. The information collected about you may be accessed by or shared with subsidiaries and affiliates of TLF, whose use and disclosure of your personal information is subject to this Privacy Policy, unless an affiliate has its own separate privacy policy.
- Organizational Events. We may disclose or transfer information, including personal information, as part of any merger, sale, and transfer of our assets, or restructuring of all or part of our business operations, bankruptcy, or similar event, including in negotiations, due diligence, and integrations related to such transactions.
- Event Participants. If you register for an event, we may ask for your consent to share your personal information with third party sponsors and other participants; for example, to facilitate your ability to swipe your badge or visit and interact with a virtual booth to easily sign up for or participate in activities, events and gifts offered by third parties participating in the event, or to give you the option to be listed on the attendee list that is available to other attendees, sponsors and participants. We will not share your event information with third parties without your consent, and in particular you have the choice whether or not to permit your badge to be swiped by any third party participating in the event, or to visit and interact with a third party’s virtual booth. For in-person events requiring attendees to be vaccinated against COVID-19, we may use third-party service providers to validate your identity and COVID-19 vaccination status.
- Training and Program Sponsors. If you participate in one of our certification or training programs that a third party has sponsored or engaged us to provide to you and others (e.g., your employers), we may receive attendee list information from them and may share information about your completion of the program, including confirmation of your participation and your certification exam results, as applicable; these third parties are independent data controllers and their use of your personal information is subject to their own policies. You may also elect to provide third parties (e.g., your employers or your prospective employers) with information that will enable them to look up your certification exam status; if you do so, we may share your certification exam status with such third parties.
- Legally Required. We may disclose your information if we are required to do so by law (including to law enforcement in the U.S. and other jurisdictions).
- Protection of Rights. We may disclose information where we believe it necessary to respond to claims asserted against us or, comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation, and protect the rights, property or safety of TLF, its Users, participants in its events or Projects, or others.
- Anonymized and Aggregated Information. We may share aggregate or De-identified information with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual.
Cookies, Tracking, and Interest-Based Ads
We and our third-party providers use cookies, clear GIFs/pixel tags, JavaScript, local storage, log files, and other mechanisms to automatically collect and record information about your usage and browsing activities on our Site and across third party sites or online services. We may combine this information with other information we collect about users. Below, we provide a brief summary of these activities. For some parts of the Sites, we use the Datadog and FullStory services to record session replays and data regarding a user’s interaction with the Sites for debugging and development purposes. For more detailed information about these mechanisms and how we collect activity information, see our Cookie Policy.
- Cookies. These are small files with a unique identifier that are transferred to your browser through our websites. They allow us to remember users who are logged in, to understand how users navigate through and use the Sites, and to display personalized content and targeted ads (including on third party sites and applications).
- Pixels, web beacons, clear GIFs. These are tiny graphics with a unique identifier, similar in function to cookies, which we use to track browsing activities. We use these as part of our Training Affiliate Program. We also use these in our emails to let us know when they have been opened or forwarded, so we can gauge the effectiveness of our communications.
- Analytics Tools. We may use internal and third-party analytics tools, including Google Analytics. The third-party analytics companies we work with may combine the information collected with other information they have independently collected from other websites and/or other online products and services. Their collection and use of information is subject to their own privacy policies.
Please note that TLF does not respond to browser “do not track” signals or other similar mechanisms intended.
Targeted Ads. As discussed in our Cookie Policy, we may work with third party advertisers to display more relevant ads on our website and on third party sites; these third parties may display ads to you based on your visit to our Sites and other third party sites. For more information about this and how you can opt out of such ads, please see our Cookie Policy.
Data Security
We have implemented commercially reasonable precautions designed to protect the information we collect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our best efforts, no data security measures can guarantee 100% security.
You should take steps to protect against unauthorized access to your passwords, phone, and computer by, among other things, signing off after using a shared computer, choosing robust passwords that nobody else knows or can easily guess, not using a password for more than one site or service, and keeping your log-ins and passwords private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity. We ask you to promptly notify us if you become aware that any information provided by or submitted to our Sites or through our Services is lost, stolen, or used without permission at privacy@linuxfoundation.org.
Marketing Choices
You may opt out of or withdraw your consent to receive direct marketing emails from us by using the unsubscribe or opt out mechanisms included in our marketing emails or by emailing privacy@linuxfoundation.org. You may also unsubscribe from mailing lists via the applicable mailing list’s subscription website or, in some cases, by using the unsubscribe mechanisms included in such emails.
Retention of Your Personal Information
We generally keep personal information only for as long as required to fulfill the purposes for which it was collected. However, in some circumstances, we may retain personal information for other periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements, or if required to do so by a legal process, legal authority, or other governmental entity having authority to make the request, for so long as required. In specific circumstances, we may also retain your personal information for longer periods of time corresponding to a statute of limitation, so that we have an accurate record of your dealings with us in the event of any complaints or challenges.
International Transfers
If you are located within the European Economic Area, the United Kingdom or Switzerland, you should note that your personal information will be transferred to countries outside these jurisdictions, including the United States where TLF is located. The U.S. is deemed by the European Union to provide inadequate data protection. However, we have put in place European Commission approved Standard Contractual Clauses to provide for adequate safeguards to protect personal information transferred outside these jurisdictions, including between TLF entities. In addition, if personal information is transferred to third party service providers located outside these jurisdictions, we will take steps to ensure that your personal information receives the same level of protection as if it remained within these jurisdictions, including by entering into data transfer agreements, using the European Commission approved Standard Contractual Clauses or other safeguards as approved by the European Commission. You have a right to obtain details of the mechanism under which your personal information is transferred outside of the EU by emailing gdpr@linuxfoundation.org.
Children’s Privacy
Except as specifically indicated within a Site, we do not knowingly collect or solicit personal information from anyone under the age of sixteen (16), or knowingly allow such persons to register. If we become aware that we have collected personal information from a child under the relevant age without parental consent, we take steps to delete that information. Where we specifically indicate that we collect personal information from children under 16, we will obtain the parent or guardian’s consent and provide adequate notice.
Links to Third Party Sites and Services
The Sites may contain links to third party sites or online services. Please refer to the privacy policies of the relevant third party websites or services to find out more about how they process and handle personal information.
Your Rights
Access and Amendment. If you have registered with us and created a Linux Foundation ID profile or an LFX Account wish to access or update certain personal information contained therein, you may do so online by visiting the “My Profile” or “My Account” settings in your respective account or by visiting https://myprofile.linuxfoundation.org. You may also contact our privacy coordinator, as set forth below, to access or amend your personal information.
Additional Rights. Individuals in the European Economic Area (and other jurisdictions where applicable) have additional rights under applicable law:
- to obtain a copy of your personal information together with information about how and on what legal basis that personal information is processed;
- to rectify inaccurate personal information (including to have incomplete personal information completed);
- to erase your personal information (in limited circumstances, such as where it is no longer necessary in relation to the purposes for which it was collected or processed);
- to restrict processing of your personal information under certain circumstances;
- to export certain personal information in machine-readable format to a third party (or to you) when we justify our processing on the basis of your consent or the performance of a contract with you and the processing is carried out by automated means;
- to withdraw your consent to our processing of your personal information (where that processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal);
- to obtain, or see a copy of the appropriate safeguards under which your personal information is transferred to a third country or international organization; and
- to object to our use and processing of your personal information that is conducted on the basis of our legitimate interest. You also have the right to object at any time to any processing of your personal information for direct marketing purposes, including profiling for marketing purposes.
Lodging a Complaint. You also have the right to lodge a complaint with your local supervisory authority for data protection, or privacy regulator. A list of data protection supervisory authorities is available here.
Submitting a Request. To exercise the above rights or contact us with questions or complaints regarding our treatment of your personal information, contact us at gdpr@linuxfoundation.org.Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, especially if your request is manifestly unfounded or excessive. We will respond to your request within the applicable timeframes set out by law.
California Privacy Rights
California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the types of personal information disclosed to those parties. If you are a California resident and would like to request this information, please submit your request in an email to privacy@linuxfoundation.org. We may ask you to verify your California residency.
Contact Us
If you have any questions about our practices or this Privacy Policy, please contact us at privacy@linuxfoundation.org, or write to us at: The Linux Foundation, Attn: Legal Department, 548 Market St, PMB 57274, San Francisco, California 94104-5401, USA.
You can also reach our EU representative, Linux Foundation Europe, whose registered address is Avenue des arts 56, 1000 Bruxelles, Belgium.
Changes to the Privacy Policy
This Policy is current as of the effective date set forth above. If we change our privacy policies and procedures, we will post those changes on this page and/or continue to provide access to a copy of the prior version. If we make any changes to this Privacy Policy that materially change how we treat your personal information, we will endeavor to provide you with reasonable notice of such changes, such as via prominent notice on our Sites or to your email address of record, and where required by law, we will obtain your consent or give you the opportunity to opt out of such changes.
Last updated: November 7, 2023
This addendum to the Privacy Policy of The Linux Foundation (the “Privacy Policy”) provides additional specific details regarding the LFX platform and its processing of personal information. It is subject to the other provisions set forth in the Privacy Policy.
The LFX platform components described below include the applications that data subjects and users directly interact with, as well as underlying architectural components that power those applications.
For each of the LFX platform’s components described below, this addendum describes:
- the category of data subjects whose personal information is processed;
- the types of personal information that is collected;
- the purposes and legal bases for which it is processed;
- the service providers who process it in connection with providing the component; and
- the other third parties with which it is shared.
Please contact us at privacy@linuxfoundation.org or at the other addresses set forth in the Privacy Policy with any questions.
LFX Crowdfunding
1. Category of Data Subjects |
- Funding contributors: individuals who contribute funding to an open source project on Crowdfunding
- Funding recipients: individuals who receive reimbursements or stipends from project funds via Crowdfunding, including mentees on LFX Mentorships who receive stipends for their mentorships
|
2. Types of Personal Information Collected |
- Account information: name, email address, LF ID, unique path / slug, and image / avatar.
- Funding contributor financial transaction data: ledger entry unique ID, Stripe customer and transaction IDs, contribution amount, and transaction date.
- Funding recipient financial transaction data: ledger entry unique ID, bank account details (for US-based recipients), W-9 tax forms (for US-based stipend recipients for Mentorships), wire transfer details (for international recipients), reimbursement amount, and transaction date.
- Some data is temporarily processed by Crowdfunding as a frontend to the Stripe user interface to enable user edit or deletion, but is not stored or cached by Crowdfunding: credit card name, type (e.g. Visa, Mastercard, American Express), and last 4 digits.
|
3. Purposes and Legal Bases for Processing |
- Purposes: Enabling contribution and receipt of funds via an open source crowdfunding effort with a public ledger; ensuring compliance with laws applicable to the user’s contribution of funds and receipt of reimbursements and stipends; ensuring accurate accounting records; and preventing fraud.
- Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Auth0: authentication and user access management
- Bill.com: internal finance account management for payment reimbursement
- DocuSign: signing, transfer and storage of W-9 tax forms and wire transfer forms
- Elastic.co: caching of application database for performance
- Expensify: processing reimbursements for funding recipients
- Google: email and spreadsheet for communication and status tracking; analytics for insights into users’ interaction with the platform
- Mailchimp: delivery of application notification emails
- NetSuite: internal finance account management for payment reimbursement
- Retool: data storage and processing for support staff dashboard access
- Stripe: credit card transaction processing for funding contributors
|
5. Other Third Parties |
- Contractors: Contractors providing development and operational services to manage the Crowdfunding application
- End users: Public visibility of ledger with details about contributions and reimbursement / stipend payments.
If you donate to or receive reimbursements from a project through LFX Crowdfunding, we make a record of your transaction publicly visible in that project’s funding ledger, for purposes of ensuring transparency and trust in the funding streams for that project. |
LFX EasyCLA
1. Category of Data Subjects |
- Project administrators: LF staff members and other external community members who oversee the maintenance of contributor license agreement (CLA) configuration on behalf of their projects.
- Contributors: individuals who, on their own behalf or on behalf of their employer, contribute content to projects utilizing EasyCLA for CLA management.
- CLA Managers: individuals who, on behalf of their employer, manage the lists of their employer’s authorized contributors to projects utilizing EasyCLA for CLA management.
- CLA Signatories: individuals who sign corporate CLAs (CCLAs) on behalf of their employer.
|
2. Types of Personal Information Collected |
- CLA Signature data: name, email address, LF ID, signature and signing date; for CCLAs: company name, company address, and job title; for certain Projects: mailing address, country, and phone number.
- CLA Manager data: name, email address, LF ID, employer, authorization activities for managed CCLAs.
- Contributor data: name, email address; username for source code repository hosting service (e.g. GitHub handle, GitLab handle or LF ID); for CCLAs: employer and authorization records for contributions to managed projects.
|
3. Purposes and Legal Bases for Processing |
- Purposes: retention and storage of executed intellectual property license agreements in the context of open source Projects to which the signatory and/or their company is contributing; management of lists of authorized contributors under signed CCLAs; maintaining provenance of contributions to Projects utilizing CLAs by ensuring that contributions are made under signed CLAs.
- Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law.
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Auth0: authentication and user access management
- Datadog: log information management and website / login monitoring and user behavior such as page navigation
- Docraptor: conversion of CLA templates into PDF files
- DocuSign: signing, transfer and storage of CLAs
- GitHub: API integration to utilize EasyCLA for GitHub-hosted Projects
- GitLab: API integration to utilize EasyCLA for GitLab-hosted Projects
|
5. Other Third Parties |
- Project administrators: Visibility about the contributors, CLA Managers and CLA Signatories for the Projects they manage.
- End users: Public visibility of CI/CD checks indicating that the CLA signature process has been completed or is still pending
|
LFX Individual Dashboard
1. Category of Data Subjects |
- LF ID holders: Individuals who have created a Linux Foundation ID account.
|
2. Types of Personal Information Collected |
- Essential Account data: name, email addresses, LF ID, phone number, employer / affiliated organizations, job title.
- Optional Profile data: profile public visibility settings (including visibility of your TLF-related activities), badges for TLF-related activities and contributions to open collaboration projects, user-defined biography, technical skills, photo URL, personal pronoun, social media IDs / links (GitHub, LinkedIn, Google, Facebook).
- Open Collaboration Project Participation data:
- project committee roles
- conference and webinar attendance
- affiliation with employers, including employer name, job title, start / end date, and data obtained from LinkedIn APIs (location, industry, number of connections, professional summary, and employment positions); and
- Project contribution information, including name, email address, username, relevant Project tool, and counts of contributions.
- TLF Offering Fulfillment data:
- event and conference information:
- T-shirt size
- previously-attended and currently scheduled events
- presentation and speaking experience: title, slides URLs and recording URLs
- travel fund request information: name, email address, LF ID, availability of employer assistance, details about the user’s diversity and membership in an underrepresented group, if applicable and solely where provided by the data subject
- visa letter application information: name, email address, LF ID, passport information, date and country of birth, phone number, mailing address, employer, job title, and travel details
- training and certification exam information: training enrollments and status; issued certifications; coupon codes
- Individual Supporter and Enrollment purchases: linux.com email alias / forwarding address; individual supporter enrollments for The Linux Foundation and OpenJS Foundation; auto-renewal status
- internal business contact information
- list of purchases and transactions
- Technical Operations data: password reset details; log information from Individual Dashboard interactions
|
3. Purposes and Legal Bases for Processing |
- Purposes: Enabling control of a data subject’s own personal profile regarding their participation in Linux Foundation offerings such as events, trainings and certification exams, and contributions to open collaboration projects hosted by the Linux Foundation, including profile visibility settings; maintaining accurate contact information in connection with Linux Foundation offerings and operations; and (with regards to special categories of data where voluntarily disclosed in connection with travel fund requests) enabling and increasing attendance at LF events by participants from diverse and underrepresented communities.
- Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law; explicit consent (with regards to special categories of data where voluntarily disclosed in connection with travel fund requests).
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Auth0: authentication and user access management
- ClearBit (APIHub, Inc.): enrichment data source for data subjects
- Credly: badging for user accomplishments and activities
- Datadog: log information management and website / login monitoring and user behavior such as page navigation
- FullStory: real user monitoring of user activity and user behavior such as page navigation
- HubSpot: real user monitoring of user activity
- Nubela (ProxyCurl): enrichment data source for data subjects
- SalesForce: database for contact information and related data
|
5. Other Third Parties |
- Contractors: Contractors providing development and operational services to manage the LFX platform
- Company administrators: Access to certain data by designated administrator for user’s employer
- End users: Public visibility of user profiles where user elects to make their profile public
|
LFX Insights
1. Category of Data Subjects |
- Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation.
- Recipients of LF Offerings: Individuals who have participated in or received Linux Foundation offerings, such as events, trainings or certification exams.
- LF ID holders: Individuals who have created a Linux Foundation ID account.
|
2. Types of Personal Information Collected |
- Data processed internally as analytics for aggregate, anonymized dashboard displays:
- Details regarding personal traits: current and past company affiliation and industry; job function and level; location by country; and gender
- Details regarding contributions of source code, documentation and other content to projects, including date and time of contributions
- Details regarding other project contribution-related activities, such as Issue and PR submissions, reviews and related matters
- Data regarding participation in LF Offerings:
- Events: Attendance; whether the data subject was a speaker
- Webinars: Attendance; whether the data subject registered
- Training: Enrollment in training courses
- Certification exams: Enrollment and successful passage of certification exams
- Data processed for profile and affiliation matching: name, email address, LF ID, application user IDs (e.g. GitHub, Gerrit), application from which user identity information was gathered, user’s role for project repositories, whether a user’s identity information was gathered using a bot and/or has been verified, user profile picture avatar
- Data displayed publicly via dashboard displays:
- Name and user profile picture avatar
- Contributor data: LF ID, application user IDs (e.g. GitHub, Gerrit), project contribution activity counts (e.g. # of commits authored, lines of code added / deleted, # of Issues and PRs)
- Data displayed publicly via “top 10” leaderboards:
- name, company affiliation, user profile picture avatar
- Contributor data: LF ID, application user IDs (e.g. GitHub, Gerrit), last project activity date, project contribution activity counts (e.g. # of commits authored, lines of code added / deleted, # of Issues and PRs), “drifting away” status
- Event data: # of LF events attended, date of last event attended
- Webinar attendee data: # of webinars attended, % of webinar registrations actually attended
- Training data: # of training course enrollments
- Certification exam data: # of certification exams passed, date of last certification exam passed
- Log data: API access log details
|
3. Purposes and Legal Bases for Processing |
- Purposes: Providing transparency into details about the collective participation in Linux Foundation offerings and contributions to Linux Foundation projects; maintaining and providing accurate and updated data regarding affiliation between contributors and their employers, in connection with corporate contributions to projects.
- Lawful bases: our legitimate business interests.
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Crowd.dev: enrichment data source for data subjects
- Cube.js: application layer for data processing
- SalesForce: database for contact information and related data
- Snowflake: engagement and activity data source for data subjects and organizations
|
5. Other Third Parties |
- Contractors: Contractors providing development and operational services to manage the LFX platform
- Community Managers: Project maintainers and administrators reviewing and curating data on behalf of their project community
- End users: Public visibility of “top 10” leaderboards for users with LF IDs
|
LFX Mentorships
1. Category of Data Subjects |
- Project administrators: LF staff members and other external community members who oversee the enrollment and maintenance process on behalf of their projects
- Mentors: LF staff members and other external community members who participate in selecting, advising and evaluating mentees during their mentorships
- Mentees: external community members who are in the early stages of participating in open source development, and who apply to participate in one or more LFX Mentorships
|
2. Types of Personal Information Collected |
- User Account and Mentorship Activity Information: name, email address, LF ID, external profile links (LinkedIn, GitHub), unique path / slug, image / avatar, mailing address, phone number, mentorship application status, mentorship and task completion status, and IP address.
- Programming Experience: Biography / user description, skills, and resume.
- Financial Information: bank account details, tax form information, and stipend payment amount details, in connection with payment of stipends via LFX Crowdfunding (see above).
- Optional User Demographics data: age, racial / ethnic identity, gender, socioeconomic class, and education level.
|
3. Purposes and Legal Bases for Processing |
- Purposes: Enabling participation in a community-operated open source mentorship program; ensuring compliance with laws applicable to the user’s receipt of stipends; ensuring accurate accounting records; preventing fraud; and (with regards to Optional User Demographics data) compiling, analyzing and disclosing aggregate statistics regarding diversity of participation in open source projects, to help track progress towards meeting the Linux Foundation’s commitment to diversity initiatives.
- Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law; explicit consent (with regards to Optional User Demographics Data).
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Auth0: authentication and user access management
- Bill.com: internal finance account management for stipend payments
- DocuSign: signing, transfer and storage of offer letters, stipend payment instructions, W-9 tax forms and wire transfer forms
- Elastic.co: caching of application database for performance
- Expensify: processing stipend payments
- Google: email and spreadsheet for communication and status tracking; analytics for insights into users’ interaction with the platform
- Mailchimp: delivery of application notification emails
- NetSuite: internal finance account management for stipend payments
- Retool: data storage and processing for support staff dashboard access
|
5. Other Third Parties |
- Contractors: Contractors providing development and operational services to manage the Crowdfunding application
- Mentors: Evaluation of applicants and conducting of mentorships for accepted mentees
- End users: Public visibility of prospective and actual mentee and mentor profile pages, and (via LFX Crowdfunding) of ledger with details about stipend payments
If you register with LFX Mentorship as a potential mentee or mentor, we make certain of your information available to mentees, mentors and/or projects as part of the evaluation for your participation in a mentorship, as well as enabling public visibility of your profile page.If you are accepted to participate in a mentorship through LFX Mentorship, we may make information related to your participation publicly available on LFX Mentorship pages related to that project.If you graduate from a mentorship and choose to have your information shared as part of a connection with one or more potential third-party employers through LFX Mentorship, we may enable sharing of that information accordingly. |
LFX Organization Dashboard
1. Category of Data Subjects |
- Corporate Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation or participated in other TLF-related activities, where such contributions are noted as being affiliated with a company rather than on their own individual behalf.
- Company Administrators: Individuals who have been designated by their employer as having “administrator” rights to manage their company’s account on the LFX platform.
|
2. Types of Personal Information Collected |
- User LF account and profile data:
- Employee information: name, email address, GitHub username, photo / avatar URL, social media links
- Information for aggregate company statistics: industry, geographical location by country, job level, gender
- List of users believed to be associated with the company
- Company Administrator status details
- User interactions with LF Projects and Offerings:
- Count of numbers of code contributions per project, events attended, total/breakdown activities, sponsorship approved won count (submitter name), training courses taken and certification exams passed
- Lists and corresponding dates of events attended, training courses taken and certification exams passed
- Social media interactions and followers
- Additional Organization-related data: Contact and identity details for organization account owner, Company Administrator contact, billing contacts, committee members and other organizational contacts
|
3. Purposes and Legal Bases for Processing |
- Purposes: Enabling association between individual LF accounts and their employer’s organizational accounts for purposes of providing visibility into employee use of LF offerings and project participation, including activities performed on behalf of their employer (such as committee participation).
- Lawful bases: our legitimate business interests.
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Auth0: authentication and user access management
- Datadog: log information management and website / login monitoring and user behavior such as page navigation
- FullStory: real user monitoring of user activity and user behavior such as page navigation
|
5. Other Third Parties |
- Company administrators: Access to certain data by designated administrator for user’s employer
- Contractors: Contractors providing development and operational services to manage the LFX platform
|
LFX Project Control Center
1. Category of Data Subjects |
- Project Committee members: Individuals who participate as members of committees, boards and other governance roles for open collaboration projects hosted by the Linux Foundation.
- Project mailing list subscribers: Individuals who subscribe to technical mailing lists for open collaboration projects hosted by the Linux Foundation.
- Project meeting participants: Individuals who join meetings facilitated by the Program Managers
|
2. Types of Personal Information Collected |
- Project Committee member data: name, email address, employer, job title, address, phone number, t-shirt size
- Project mailing list subscriber data: name, email address, employer, job title, delivery mode, moderator status
- Project Meeting participant data: meetings joined, join time, leave time, frequency joined, name used in Zoom account, email address, employer, job title
|
3. Purposes and Legal Bases for Processing |
- Purposes: Enabling management of open collaboration project community activities, including maintenance of project committees, governance and technical mailing lists, including activities performed on behalf of their employer (such as committee participation).
- Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available).
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Atlassian: connection to support ticketing service and wiki
- Auth0: authentication and user access management
- Crowd.dev: enrichment data source for data subjects
- Datadog: log information management and website / login monitoring and user behavior such as page navigation
- FullStory: real user monitoring of user activity and user behavior such as page navigation
- GitHub: syncing data regarding repositories and organizations
- GitLab: syncing data regarding repositories and organizations
- Groups.io: syncing data regarding mailing lists
- Snowflake: engagement and activity data source for data subjects and organizations
- SurveyMonkey: create, send and analyze surveys
- Zoom: manage meetings and retrieve meeting statistics
|
5. Other Third Parties |
- Contractors: Contractors providing development and operational services to manage the LFX platform
- Community Managers: Project maintainers and administrators managing their project community
|
LFX Security
1. Category of Data Subjects |
- Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation.
|
2. Types of Personal Information Collected |
- Code secret and non-inclusive language committer data: name, email address, GitHub username, details about commit findings
|
3. Purposes and Legal Bases for Processing |
- Purposes: Enabling open collaboration project maintainers to receive information about security vulnerabilities, code secrets and non-inclusive language contributed to their projects, and to facilitate communications with contributors to address findings.
- Lawful bases: our legitimate business interests.
|
4. Service Providers |
- Amazon Web Services (AWS): cloud infrastructure and storage
- Auth0: authentication and user access management
- Datadog: log information management and website / login monitoring and user behavior such as page navigation
- GitHub, Snyk and Blubracket (HashiCorp) are used as third-party sources of data for the processing purposes described above.
|
5. Other Third Parties |
- Contractors: Contractors providing development and operational services to manage the LFX platform
- Project maintainers: Project maintainers managing contributions to their project
|
Additional details regarding LFX Platform Infrastructure
1. Category of Data Subjects |
- Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation.
- Recipients of LF Offerings: Individuals who have participated in or received Linux Foundation offerings, such as events, trainings or certification exams.
- Other community participants: Individuals who have publicly interacted with Linux Foundation projects, such as by posting about a project or reacting to messages on mailing lists or social media platforms.
- LF ID holders: Individuals who have created a Linux Foundation ID account.
|
2. Types of Personal Information Collected |
In addition to the specific data described herein, personal information in the following general categories may be collected:
- Essential Account data
- Optional Profile data
- Open Collaboration Project Participation data
- Project Ecosystem Involvement data
- Offering Fulfillment data
- Technical Operations data
- Diversity and Inclusion data
- Marketing and Communications data
- Business and Legal Operations data
|
3. Purposes and Legal Bases for Processing |
- Purposes:
- Essential Account data: Enabling an individual to operate their LF ID and LFX user account.
- Optional Profile data: Enabling an individual to fill in details about their LF ID and LFX user account profiles, including determining whether to make their LF ID and LFX user account profiles publicly visible.
- Open Collaboration Project Participation data: Enabling the relation of an individual to their activities and involvement in open collaboration projects hosted by the Linux Foundation, including their contributions and governance roles relating to projects and their related affiliation with employers and similar organizations.
- Project Ecosystem Involvement data: Enabling the Linux Foundation to correlate information about other community participants’ public postings, contributions to LF projects, and engagement with LF projects and offerings, to use such data to better understand LF project communities; to contact key participants in those communities; and to make certain of such information available publicly and/or to individuals’ employers.
- Offering Fulfillment data: Enabling the Linux Foundation to make available and provide its offerings to participants, such as events and conferences; training courses; certification exams; project corporate memberships; and project individual supporter enrollments; and making information about use of such offerings available to individuals’ employers.
- Technical Operations data: Providing the backend technical infrastructure that operates the LFX services, enabling user personalization and interaction with LFX, and preventing misuse.
- Diversity and Inclusion data: Compiling, analyzing and disclosing de-identified, aggregate statistics regarding diversity of participation in open source projects and communities, to help track progress towards meeting the Linux Foundation’s commitment to diversity initiatives.
- Marketing and Communications data: Enabling delivery of marketing and promotional information regarding projects, the Linux Foundation and its offerings, and enabling user control over subscriptions and communications.
- Business and Legal Operations data: Enabling the Linux Foundation to conduct its legitimate internal business operations and protect its legal interests.
- Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law; explicit consent (with regards to special categories of data where voluntarily disclosed for the diversity and inclusion purposes described above).
|
4. Service Providers |
In addition to the service providers listed above:
- Census
- Fivetran
- FontAwesome (Fonticons, Inc.)
- Stop Forum Spam
|
5. Other Third Parties |
- Contractors: Contractors providing development and operational services to manage the LFX platform
|