# Privacy Q&A

This notice describes how OpenUPM (or openupm), collects and uses data about you.

# What's most important?

OpenUPM is a service that encourages the use and development of the open-source unity contents. We try to minimize the information we collected while providing value for you. If you feel uncomfortable about the privacy policy, please mail to hello@openupm.com to start a conversation.

# How does OpenUPM collect data about me?

openupm collects data about you:

# What data does OpenUPM collect about me, and why?

# OpenUPM collects data about how you use OpenUPM software and registries.

When you use the openupm command, the npm command, or other software to work with the OpenUPM public registry, OpenUPM logs data that might be identified to you:

  • a random, unique identifier for necessary registry actions
  • the names and versions of your project's dependencies, their dependencies, and so on, that come from the OpenUPM public registry
  • the versions of Node.js, the openupm command, and the operating system you are using
  • data about the software you're using to access the registry, such as the User-Agent string
  • network request data, such as the date and time, your IP address, and the URL

openupm uses this data to:

  • fulfill your requests, such as by sending the packages you ask for
  • keep registries working quickly and reliably
  • debug and develop the openupm command and other software
  • defend registries from abuse and technical attacks
  • compile statistics on package usage and popularity
  • prepare reports on trends in the developer community
  • improve search results on the website
  • recommend packages that may be relevant to your work

openupm usually deletes registry log entries with identifiable information within a few weeks but may preserve logs longer, as needed in specific cases, like investigations of specific incidents. OpenUPM stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.

# OpenUPM collects data about how you use the website.

When you visit openupm.com (opens new window), and other OpenUPM websites, OpenUPM uses cookies, server logs, and other methods to collect data about what pages you visit, and when. OpenUPM also collects technical information about the software and computer you use, such as:

  • your IP address
  • your preferred language
  • the web browser software you use
  • the kind of computer you use
  • the website that referred you

openupm uses data about how you use the website to:

  • optimize the website, so that it's quick and easy to use
  • diagnose and debug technical errors
  • defend the website from abuse and technical attacks
  • compile statistics on package popularity
  • compile statistics on the kinds of software and computers visitors use
  • compile statistics on visitor searches and needs, to guide the development of new website pages and functionality
  • decide who to contact about product announcements, service changes, and new features

openupm usually deletes website log entries with identifiable information within a few weeks but keeps entries for visitors with OpenUPM accounts, and visitors using paid services like Enterprise registries, longer. OpenUPM reviews log entries for those users twice a year and delete entries when they're no longer needed.

openupm may preserve log entries for all kinds of visitors longer, as needed in specific cases, like the investigation of specific incidents. OpenUPM stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.

# OpenUPM collects account data.

A few features of OpenUPM services requires a GitHub account. For example, you must have a GitHub account to submit packages to the OpenUPM public registry.

openupm publishes these account data for the whole world to see on the package detail page and contributor pages and so on.

If you preferred not to show your GitHub username, you can leave it empty when submitting packages.

openupm uses your GitHub account data to:

  • add metadata to packages that you submit
  • contact you in special circumstances related to your account or packages
  • contact you about support requests
  • contact you about legal requests, like DMCA takedown requests and privacy complaints

openupm stores that data as long as it stores the package.

# OpenUPM collects package data.

When you submit a new package to OpenUPM, OpenUPM collects the contents of the package, plus metadata (opens new window), including your account data. Other OpenUPM users may also publish packages that include data about you, such as the fact that you contributed code to a package.

openupm uses data in packages to provide those packages to you and others who request them, when you publish a package to the OpenUPM public registry, or change a package from private to public, OpenUPM makes the package and metadata available to everyone, online.

Making package data available to others allows them to download, build on, and depend on your work. In the vast majority of cases, OpenUPM stores data in and metadata about every version of every package indefinitely, unless it's unpublished.

In some cases, however, package owner can unpublish packages, erasing them from the public registry. Erased packages linger on for a short time in OpenUPM's public and private caches, but eventually disappear completely from OpenUPM's storage.

# OpenUPM collects data about correspondence.

openupm collects data about you when you send OpenUPM support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address and may include your company or other affiliation.

openupm uses contact data to:

  • respond to you
  • compile aggregated statistics about correspondence
  • train support staff and other OpenUPM personnel
  • review the performance of OpenUPM personnel who respond
  • defend OpenUPM from legal claims

openupm stores correspondence as long as it may be useful for these purposes.

# Where does OpenUPM keep data about me?

openupm stores account data, data about website use, data about registry use, and private packages on cloud servers.

openupm distributes package data published to the OpenUPM public registry and metadata about those packages worldwide, via content delivery networks (CDN).

# Does OpenUPM comply with the EU General Data Protection Regulation?

openupm respects privacy rights under Regulation (EU) 2016/679 (opens new window), the European Union's General Data Protection Regulation (GDPR). Information that GDPR requires OpenUPM to give can be found throughout these privacy questions and answers.

GDPR does not apply to everyone worldwide. But OpenUPM's policy is to do its best to offer all users the same privacy information, control, and protections, whether GDPR applies to them or not.

# How can I access data about me?

You can access package data by downloading the packages, as long as they're public or you have permission to access them.

You can see metadata about packages by running openupm view $package.

# Does OpenUPM make automated decisions based on data about me?

openupm may use data in packages and data about how you use OpenUPM software and the public registry to make decisions about whether the packages you submit are spam, promote scams, abuse others, or otherwise violate our terms of use.

# Does OpenUPM share data about me with others?

openupm shares account data with others as described in the Q&A.

openupm shares package data with others as described in the Q&A.

openupm publishes posts and other content you submit when necessary.

openupm does not sell information about you to others. However, OpenUPM uses services provided by other companies to provide OpenUPM services. Some of those services may collect data about you independently, for their purposes.

Some of these services may be used to collect information about your online activities across different websites.

# OpenUPM uses Google Analytics.

openupm's website uses Google Analytics to collect and analyze data about visitors to its websites. You can read the privacy policy for Google Analytics online (opens new window). You can opt-out of Google Analytics by installing a free browser extension (opens new window).

# OpenUPM uses Gravatar.

The website uses Gravatar (opens new window), a free online service from Automattic (opens new window) for hosting user avatar pictures. When you request a page on the OpenUPM website that shows an avatar, your computer also sends a request to Gravatar. You can read the privacy policy for Gravatar online (opens new window).

# OpenUPM uses content delivery networks.

openupm uses DigitalOcean Space (opens new window) to distribute copies of packages and other data worldwide so that others can download it quickly from a server near them. You can read the privacy policy for DigitalOcean (opens new window) online.

# OpenUPM uses cloud computing platforms.

openupm uses DigitalOcean (opens new window) servers and services, in-service regions all across the world, to power the OpenUPM public registry, the website, and other OpenUPM services. You can read the privacy policy for DigitalOcean (opens new window) online.

# OpenUPM uses GitHub.

openupm uses GitHub (opens new window) to manage package requests and issues. You can read the privacy policy for Github (opens new window) online.

# OpenUPM uses Azure Pipelines.

openupm uses Azure Pipelines (opens new window) to manage the build pipelines. You can read the privacy policy for Azure Pipelines (opens new window) online.

# OpenUPM uses email management services.

openupm uses MailChimp (opens new window) to send emails to users, such as newsletters. You can read the privacy policy for MailChimp online (opens new window).

# How can I find out about changes?

You can review the history of changes in the GitHub page (opens new window).