Privacy Policy

Updated July 31, 2018

The Internet Security Research Group (ISRG) Privacy Policy describes how we collect, use, and disclose your information in two different contexts:

  • When you interact with an ISRG project
  • When you are a Visitor to the ISRG web site (, community discussion forum, other web pages under, and third-party social media sites on which ISRG operates an account.

ISRG Projects

The privacy policies for particular ISRG projects can be found via the following links:


When you are a Visitor browsing the ISRG web site, you have the option to make a donation. Donations are processed by our trusted payment partners including DonorBox, Stripe, and PayPal, depending on the payment method selected. We collect your name and email address when you donate. We will not use your email address to contact you without your consent. Your interactions with DonorBox, Stripe, and PayPal are governed by their respective privacy policies. We do not collect or retain any credit card or bank information related to donations. If we collect a physical address, we will only retain your physical address information for as long as is reasonably necessary to make the shipment that you requested.

If you register to use the ISRG community support forum, the personal information you provide and your actions there are governed by the privacy policy of our hosting and software provider for the forum, Civilized Discourse Construction Kit. We do not collect or maintain personal information through our offering of this support forum.

Additionally, we use Google Analytics to gauge traffic and popular pages on our web site. As part of that service, we place Google Analytics cookies on our site. These cookies do not contain personal information but can uniquely identify your browser software over time on our site. We respect the Do Not Track header by strictly limiting the information our analytics services can collect and share for all Visitors.

Law Enforcement Requests and Extenuating Circumstances

To the extent we possess it, we may disclose personally identifiable information about you to third parties in limited circumstances. Such circumstances include when we have your consent or when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order. We may also disclose account recovery information when we have a good faith belief it is necessary to prevent loss of life, personal injury, damage to property, or significant financial harm.

If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited, or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by whatever means is reasonably practical. If you do not challenge the disclosure request, we may be legally required to turn over your information.

In addition, we reserve the right, solely at our discretion, to independently object to certain requests (for access to information about users of our products and technologies) that we believe to be improper.

What rights do European Economic Area users, subscribers, and visitors have under GDPR, and how can I exercise them?

We process personal data as described in this policy. We rely on your consent to send emails. When we collect IP addresses, we process that data based on the contractual necessity of being able to demonstrate that the service performs as expected. Please note that we may be unable to delete information, including IP addresses, as this information is necessary for others to rely on in determining the trustworthiness of our certificates. In some cases, we may process personal data pursuant to legal obligation or to protect your vital interests or those of another person.

Individuals located in the European Economic Area (EEA) have certain rights with respect to their personal information, including the right to access, correct, or delete personal data we process through your use of the site. If you’re a user based in the EEA, you can:

  • Request a personal data report by emailing us at This report will include the personal data we have about you, provided to you in a structured, commonly used, and portable format. Please note that we may request additional information from you to verify your identity before we disclose any information.
  • Request that your information be corrected or deleted by contacting us at
  • Object to us processing your information. You can ask us to stop using your information, including when we use your information to send you service emails. You may withdraw your consent to receive service emails at any time by clicking the “unsubscribe” link found within ISRG emails.
  • Complain to a regulator. If you’re based in the EEA and think that we haven’t complied with data protection laws, you have a right to lodge a complaint with your local supervisory authority.

For more information, or to report a privacy issue, please contact: