- When, as a Relying Party, you visit a web site secured with HTTPS that uses a certificate from Let’s Encrypt,
- When you are a Subscriber, i.e., when you request and use certificates from Let’s Encrypt,
- When you are a Visitor to the Let’s Encrypt web site, community discussion forum, other web pages under letsencrypt.org, and third-party social media sites on which Let’s Encrypt operates an account.
Let’s Encrypt is a service provided by Internet Security Research Group, a California (United States) Nonprofit Public Benefit Corporation.
When you use an HTTPS web site or other TLS service with a Let’s Encrypt certificate, your browser (or TLS client) may query Let’s Encrypt to check whether the certificate has been revoked (“OCSP request”). If your browser makes an OCSP request, our servers will automatically record your IP address, browser, and operating system in temporary server log files. We do not use data from OCSP requests to build profiles or identify individuals. Temporary server logs are used for operational purposes only and are normally deleted in less than seven days. We may retain a subset of server logs for longer periods in order to investigate software failures or abuse. If we do so, we will delete any stored logs when we are done investigating. We may also compute, retain and publish aggregate information from server logs, such as which certificates generate the largest volume of requests. We will always strive to ensure that such datasets do not contain information about the activities of identifiable users or devices.
If you are a Subscriber, you are requesting a trusted certificate from Let’s Encrypt intended to publicly vouch that you control a certain domain name or names that are reachable on the Internet. As part of the process of proving that control, Let’s Encrypt will collect various information related to certificate authentication and management. That information includes the IP addresses from which you access the Let’s Encrypt service; all resolved IP addresses for any domain names requested; server information related to any validation requests; full logs of all inbound HTTP / ACME requests, all outbound validation requests; and information sent by or inferred from your client software. We will store this information for a minimum of seven years per trusted root program requirements. This information will be stored for a maximum of ten years.
We need to be able to demonstrate to the public, including those who rely on the trustworthiness of our certificates, that our services perform as expected. As a result, we may be unable to delete information, including IP addresses. This information may be made public in a number of ways, including via public API, public repositories, and/or public discussions.
You may have the option to provide contact information, such as your email address, for account service and recovery purposes. Your contact information will not be made public, and it will only be shared per “Law Enforcement and Extenuating Circumstances,” below. By providing your email address, you are consenting to receive service-related emails from us. You may unsubscribe from service-related emails at any time by clicking the “unsubscribe” link at the bottom of our emails or by contacting us at email@example.com. We will not use your contact information for marketing or promotional purposes.
When you are a Visitor browsing the Let’s Encrypt web site, you have the option to make a donation. Donations are processed by our trusted payment partners including DonorBox, Stripe, Shopify, and PayPal, depending on the payment method selected. We collect your name and email address when you donate. We will not use your email address to contact you without your consent unless we feel it’s necessary to resolve an issue related to a particular donation. Your interactions with DonorBox, Stripe, and PayPal are governed by their respective privacy policies. We do not collect or retain any credit card or bank information related to donations. If we collect a physical address, we will only retain your physical address information for as long as is reasonably necessary to make the shipment that you requested.
Additionally, we use Google Analytics to gauge traffic and popular pages on our web site. As part of that service, we place Google Analytics cookies on our site. These cookies do not contain personal information but can uniquely identify your browser software over time on our site. We respect the Do Not Track header by strictly limiting the information our analytics services can collect and share for all Visitors.
We Do Not Sell Your Data or Information
We do not sell your data or information. This includes Relying Party, Subscriber, and Visitor data and information.
Law Enforcement Requests and Extenuating Circumstances
To the extent we possess it, we may disclose personally identifiable information about you to third parties in limited circumstances. Such circumstances include when we have your consent or when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order. We may also disclose account recovery information when we have a good faith belief it is necessary to prevent loss of life, personal injury, damage to property, or significant financial harm.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited, or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by whatever means is reasonably practical. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we reserve the right, solely at our discretion, to independently object to certain requests (for access to information about users of our products and technologies) that we believe to be improper.
What rights do European Economic Area relying parties, subscribers, and visitors have under GDPR, and how can I exercise them?
We process personal data as described in this policy. The purpose and lawful basis for information processing is as follows:
Purpose: Providing Certificate Status (OCSP) Information
Lawful Basis: Legitimate Interests
Additional Information: We collect and process information from Relying Parties in order to reliably provide certificate status information.
Purpose: Providing Certificate Issuance and Management Services
Lawful Basis: Contract, Legitimate Interests
Additional Information: We collect and process information from Subscribers in order to provide reliable and secure certificate issuance and management services, and to demonstrate to the public that our services perform as expected.
Purpose: Providing Information to Visitors
Lawful Basis: Consent, Legitimate Interests
Additional Information: We collect and process information from Visitors in order to provide information via the Web and email in a reliable and efficient manner.
Purpose: Processing Donations and Sponsorship Inquiries
Lawful Basis: Legitimate Interests
Additional Information: We collect and process information in order to process and support donations.
Purpose: Legal Obligations and Extenuating Circumstances
Lawful Basis: Legal Obligation, Legitimate Interests
Additional Information: We may collect and process information in order to comply with legal obligations and when we have a good faith belief it is necessary to prevent loss of life, personal injury, damage to property, or significant financial harm.
Please note that we may be unable to delete information, including IP addresses, as this information is necessary for others to rely on in determining the trustworthiness of our certificates. In some cases, we may process personal data pursuant to legal obligation or to protect your vital interests or those of another person.
Your personal data may be collected from or transferred to jurisdictions where we and our service providers store or process data, including the United States. These jurisdictions may not provide the same level of data protection as your jurisdiction, including the EEA. We have taken steps to ensure that our service providers provide an adequate level of protection for the personal data of EEA residents, including by entering into data processing agreements using the European Commission-approved Standard Contractual Clauses, or by using other safeguards approved by the European Commission. You have a right to obtain details of the mechanism under which your personal information is transferring outside the EU by emailing us at the contact information below.
Individuals located in the European Economic Area (EEA) have certain rights in respect to their personal information, including the right to access, correct, or delete personal data we process through your use of our sites and services. If you’re an individual who is a relying party, subscriber, or visitor based in the EEA, you can:
- Request a personal data report by emailing us at firstname.lastname@example.org. This report will include the personal data we have about you, provided to you in a structured, commonly used, and portable format. Please note that we may request additional information from you to verify your identity before we disclose any information.
- Request that your information be corrected or deleted by contacting us at email@example.com.
- Object to us processing your information. You can ask us to stop using your information, including when we use your information to send you service emails. You may withdraw your consent to receive service emails at any time by clicking the “unsubscribe” link found within Let’s Encrypt emails.
- Complain to a regulator. If you’re based in the EEA and think that we haven’t complied with data protection laws, you have a right to lodge a complaint with your local supervisory authority.
For more information, or to report a privacy issue, please contact: firstname.lastname@example.org