# Privacy Q&A
This notice describes how OpenUPM (or openupm) collects and uses data about you.
- What's most important?
- How does OpenUPM collect data about me?
- What data does OpenUPM collect about me, and why?
- Where does OpenUPM keep data about me?
- Does OpenUPM comply with the EU General Data Protection Regulation?
- How can I access data about me?
- Does OpenUPM make automated decisions based on data about me?
- Does OpenUPM share data about me with others?
- How can I find out about changes?
# What's most important?
# How does OpenUPM collect data about me?
openupm collects data about you:
- when you use `npm` or another program to access the openupm public registry
- when you browse the OpenUPM website, openupm.com
- when you send support, privacy, legal, and other requests to OpenUPM server
# What data does OpenUPM collect about me, and why?
# OpenUPM collects data about how you use OpenUPM software and registries.
When you use the `openupm` command, the `npm` command, or other software to work with the OpenUPM public registry, OpenUPM logs data that might be identified to you:
- a random, unique identifier for necessary registry actions
- the names and versions of your project's dependencies, their dependencies, and so on, that come from the OpenUPM public registry
- the versions of Node.js, the `openupm` command, and the operating system you are using
- data about the software you're using to access the registry, such as the
- network request data, such as the date and time, your IP address, and the URL
openupm uses this data to:
- fulfill your requests, such as by sending the packages you ask for
- keep registries working quickly and reliably
- debug and develop the `openupm` command and other software
- defend registries from abuse and technical attacks
- compile statistics on package usage and popularity
- prepare reports on trends in the developer community
- improve search results on the website
- recommend packages that may be relevant to your work
openupm usually deletes registry log entries with identifiable information within a few weeks but may preserve logs longer, as needed in specific cases, like investigations of specific incidents. OpenUPM stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.
# OpenUPM collects data about how you use the website.
- your IP address
- your preferred language
- the web browser software you use
- the kind of computer you use
- the website that referred you
openupm uses data about how you use the website to:
- optimize the website, so that it's quick and easy to use
- diagnose and debug technical errors
- defend the website from abuse and technical attacks
- compile statistics on package popularity
- compile statistics on the kinds of software and computers visitors use
- compile statistics on visitor searches and needs, to guide the development of new website pages and functionality
- decide who to contact about product announcements, service changes, and new features
openupm usually deletes website log entries with identifiable information within a few weeks but keeps entries for visitors with OpenUPM accounts, and visitors using paid services like Enterprise registries, longer. OpenUPM reviews log entries for those users twice a year and deletes entries when they're no longer needed.
openupm may preserve log entries for all kinds of visitors longer, as needed in specific cases, like the investigation of specific incidents. OpenUPM stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.
# OpenUPM collects account data.
A few features of OpenUPM services require a GitHub account. For example, you must have a GitHub account to submit packages to the OpenUPM public registry.
openupm publishes these account data for the whole world to see on the package detail page and contributor pages and so on.
If you prefer not to show your GitHub username, you can leave it empty when submitting packages.
openupm uses your GitHub account data to:
- add metadata to packages that you submit
- contact you in special circumstances related to your account or packages
- contact you about support requests
- contact you about legal requests, like DMCA takedown requests and privacy complaints
openupm stores that data as long as it stores the package.
# OpenUPM collects package data.
When you submit a new package to OpenUPM, OpenUPM collects the contents of the package, plus metadata, including your account data. Other OpenUPM users may also publish packages that include data about you, such as the fact that you contributed code to a package.
openupm uses data in packages to provide those packages to you and others who request them. When you publish a package to the OpenUPM public registry, or change a package from private to public, OpenUPM makes the package and metadata available to everyone, online.
Making package data available to others allows them to download, build on, and depend on your work. In the vast majority of cases, OpenUPM stores data in and metadata about every version of every package indefinitely, unless it's unpublished.
In some cases, however, package owners can unpublish packages, erasing them from the public registry. Erased packages linger on for a short time in OpenUPM's public and private caches, but eventually disappear completely from OpenUPM's storage.
# OpenUPM collects data about correspondence.
openupm collects data about you when you send OpenUPM support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address and may include your company or other affiliation.
openupm uses contact data to:
- respond to you
- compile aggregated statistics about correspondence
- train support staff and other OpenUPM personnel
- review the performance of OpenUPM personnel who respond
- defend OpenUPM from legal claims
openupm stores correspondence as long as it may be useful for these purposes.
# Where does OpenUPM keep data about me?
openupm stores account data, data about website use, data about registry use, and private packages on cloud servers.
openupm distributes package data published to the OpenUPM public registry and metadata about those packages worldwide, via content delivery networks (CDN).
# Does OpenUPM comply with the EU General Data Protection Regulation?
openupm respects privacy rights under Regulation (EU) 2016/679, the European Union's General Data Protection Regulation (GDPR). Information that GDPR requires OpenUPM to give can be found throughout these privacy questions and answers.
GDPR does not apply to everyone worldwide. But OpenUPM's policy is to do its best to offer all users the same privacy information, control, and protections, whether GDPR applies to them or not.
# How can I access data about me?
You can access package data by downloading the packages, as long as they're public or you have permission to access them.
You can see metadata about packages by running `openupm view $package`.
# Does OpenUPM make automated decisions based on data about me?
# Does OpenUPM share data about me with others?
openupm shares account data with others as described in the Q&A.
openupm shares package data with others as described in the Q&A.
openupm publishes posts and other content you submit when necessary.
openupm does not sell information about you to others. However, OpenUPM uses services provided by other companies to provide OpenUPM services. Some of those services may collect data about you independently, for their purposes.
Some of these services may be used to collect information about your online activities across different websites.
# OpenUPM uses Google Analytics.
# OpenUPM uses HubSpot.
# OpenUPM uses Gravatar.
# OpenUPM uses content delivery networks.
# OpenUPM uses cloud computing platforms.
# OpenUPM uses GitHub.
# OpenUPM uses Azure Pipelines.
# OpenUPM uses email management services.
# How can I find out about changes?
You can review the history of changes on the GitHub page.