Automattic

Automattic and the General Data Protection Regulation (GDPR)

Europe’s General Data Protection Regulation (aka GDPR) is a new and far-reaching privacy regulation. We are committed to operating in accordance with the GDPR, and to giving you tools and resources to help you better understand and comply with the law on your own site.

We value the privacy and security of our users’ data. We’ve always had privacy protection in place to help you control your content, keep it secure, or even move your site to another WordPress host. We’ve put a lot of time, thought, and effort into building tools and documentation to help our products comply with the new law. Please visit privacy.blog for more information about the new features and tools we are launching, with your privacy in mind.  

The below FAQ provides more specific detail about the law and how we are implementing the GDPR’s principles.


General Questions

>> What is the GDPR?

The GDPR, among other things, requires companies and site owners to be transparent about how they collect, use and share personal data. It also gives individuals more access and more choice when it comes to how their own personal data is collected, used, and shared.

You can read the full text of the law here. We also found these resources helpful in understanding the principles and specific requirements of the law:

>> When does the GDPR take effect?

The law took effect on May 25, 2018.

>> Who does the GDPR apply to?

The GDPR is a European law that grants personal data rights to individuals in the European Union. However, its requirements apply to all sites and online businesses who collect, store, and process personal data about individuals in the EU.

>> How can I get in touch with you with a GDPR related request?

You can contact us through any of the following channels:


Questions About Your Rights As A User of our Services

>> What rights does the GDPR give me?

The GDPR gives EU individuals rights to their personal data. There are some exceptions/exemptions to the rights granted by the GDPR, but in general it includes rights to:

  • request access to the data we store about you
  • request updates/changes to your personal data
  • request the deletion of your personal data
  • take your personal data to a new service
  • request we limit our collection and use of your personal data (e.g., opt out of being tracked by our first party analytics tool)

Although GDPR is a law that only applies within the European Union, we are offering tools to manage your personal data to all of our users.

Additionally, you can expect that we as a company will work to protect the privacy of your personal data, will only collect the data when we have a reason to do so, and will delete your personal data once we no longer have a need for it.

>> How do I request access to my personal data? How do I request changes to it?

If you’d like to know what personal data we have stored about you, please contact us with your request. If upon reviewing that data you need to request changes to it, please let us know and we will work with you to make the necessary corrections.

>> How do I take my data to a new service?

Your site is yours and your content belongs to you. We hope you find our services and products useful, but if you are currently hosted with us and have decided to move elsewhere, we provide you with the tools you need to easily move your site without any extra charges from us. If your site is self-hosted, you can work with your hosting company to move your site.

>> How do I delete my personal data?

Although we’d be very sad to see you go, you can close your WordPress.com account by following the instructions on this page. This will also close your account on any of our services that use your WordPress.com account for your login, including WooCommerce.com, Gravatar, PollDaddy, Jetpack, and Akismet.

>> How do I opt out of being tracked when I use Automattic’s services?

We offer an opt-out from our first party analytics tool for WordPress.com users in your user Privacy Settings.

>> How else are you protecting my privacy and my personal data?

User privacy is critically important to us at Automattic. Our privacy principles align with many of the GDPR principles, and we built our products and services with those principles in mind.

  • Control of Your Content. We aim to give you as much control as possible over who can see your content. For example, the WordPress.com Privacy Settings give you choices to make your site public, private, or hidden from search engines, and Page Visibility gives you options about who can see specific pages on your site.
  • Strict Guidelines on Providing User Information to Governments. We understand that safeguarding our users’ private information is a vital aspect of the trust our users place in our services to keep them safe, and in some cases, anonymous. Our Legal Guidelines describe when we will disclose user information in response to requests from law enforcement or from complainants in civil litigation. (And we have a reputation for challenging overbroad requestsーfor example, we successfully argued to lift non-disclosure orders on National Security Letters from the U.S. government that prohibited us from revealing information about those requests to our users).
  • Your Security is Our Priority. While no online service can ever be 100% secure, we work very hard to protect your information from unauthorized access. We support and promote encryption of user data and we encrypt all traffic (serve over SSL) for all WordPress.com sites, by default. You can read more about our WordPress.com security features and Jetpack Security Features. We also offer and *highly encourage* you to use our advanced security settings, like Two Step Authentication for your WordPress.com account, to help protect your account and your data.

Questions About Your Responsibilities as a Site Owner

>> What Tools Do You Offer to Help Me Comply with GDPR?

We have written guides, and developed tools, to help you with your efforts to implement the GDPR principles on your site. You can find those guides and tools at:

Plus, several of our other products now have self-service options to let you manage access and deletion requests.

>> What is a Data Processing Agreement (or amendment) and do I need one?

DPAs are contractual tools for web sites and companies to make commitments to their customers, vendors, and partners that their data handling complies with the law. It is not relevant or needed for the typical free site owner or hobbyists.

We are able to provide data processing amendments to users of our paid plans/products on WordPress.com, Jetpack, WooCommerce.com, Akismet, or PollDaddy. If your site has an active upgrade on one of these services, please contact us to let us know what you need.

Having a DPA does not change any of our practices regarding your site or your visitors. Everyone using our service gets the same high standards of privacy and security.

 


Data Collection Questions

>> What data do your various services collect about me?

We have always tried to collect the minimal amount of data that’s necessary. For example, when you sign up for WordPress.com, we ask only for limited information needed to set up your WordPress.com account. We require an email address and a username, nothing more. If you purchase a paid plan, we’ll need additional information to process your payment. You are welcome to add other information to your public profile and account settings, but we don’t require you to give us any other personal information to get your account up and running. The same principle applies to all our products and services.

For a more detailed description of the data we collect, please refer to our respective policy pages at https://automattic.com/privacy/, https://jetpack.com/support/privacy/, and https://docs.woocommerce.com/documentation/get-help/woocommerce-com/privacy/.

>> Does Automattic sell or give away my personal data? What about the personal data of my site’s visitors?

We do not sell private personal information.

We will share information about you, or your site’s visitors, in limited circumstances, and with appropriate privacy safeguards. You can read more details of when we share your information, and what we share, in our privacy policies. You can find similar information about the data we collect on your site’s visitors in our privacy notice.

>> How long do you keep logs? Where are your servers located?

Automattic’s servers are all over the world, but at present all personal and site data is stored exclusively on US based servers. Our system logs, which record information about visitors to Automattic’s websites, are kept for 30 days.