CrowdTLS/PRIVACY.md

# Privacy Policy
Last updated: June 6, 2023
Thank you for using CrowdTLS! This Privacy Policy explains how I collect, use, and disclose information when you use my addon and the official servers associated with it. I take your privacy seriously and I'm committed to protecting your personal information. By using our addon, you consent to the collection and use of your information as described in this Privacy Policy.
## Information I Collect
The addon collects the following information:
### SSL/TLS Certificate Data for Domains
I collect SSL/TLS certificate data associated with the fully qualified domain names (FQDNs) of the websites you visit. This data includes information exposed by security information APIs, such as `webRequest.getSecurityInfo()` for Mozilla Firefox. Please note that these APIs are managed by the browser developer (e.g., Mozilla, Microsoft, Apple, Opera) and are subject to their security and privacy practices. This explicitly does not include data associated with requests you've made to these services, such as URL paths, query parameters, authentication information, cookies, or anything unrelated to the certificate data the server sends you to verify that it owns the domain you are visiting.
If you are browsing sites which use internal, self-signed certificates, any information included in those certificates will be sent to CrowdTLS. The content of the certificates will not be accessible by CrowdTLS end users.
**TL;DR: I collect ONLY certificate data sent to you by the web domains you visit.**
### Metadata
I log metadata associated with the traffic necessary to share the domain names and SSL/TLS certificate data with our crowd service. This minimally includes the external IP address of your internet connection (or VPN) and potentially other uncontrollable HTTP headers or web socket connection information. I do not enrich this data with the addon, but simply write normal connection metadata to a log file for review.
**TL;DR: I technically collect metadata, such as your browser's external IP address and other standard internet connection metadata, which enables the sharing of SSL/TLS certificate data.**
That's all. I do not collect any other personal information.
**TL;DR: I only collect SSL/TLS certificate data and metadata necessary to maintain the crowd service.**
## How I Use Collected Information
I use the collected information for the following purposes:
### Crowd-Source Validation Service
I provide the crowd-sourced validation service by analyzing the SSL/TLS certificate information you send against others previously collected from the crowd and provide feedback to your browser addon.
### Storage and Analysis
I store the SSL/TLS certificate data you sent for analysis indefinitely to provide the same service to other users. This keeps the service running and helps me improve the accuracy and effectiveness of the validation service.
### Usage Trends
I may use the collected information to identify broad usage trends across the world, such as the number of certificates shared from each country. These insights will help me improve service availability and latency, and understand global patterns to justify continued maintenance and server costs.
### Log Storage
I store HTTP and web socket logs for up to 30 days specifically for troubleshooting issues and identifying malicious activity. After 30 days, the logs are permanently purged from our servers unless malicious activity is identified.
**TL;DR: I use the collected information to provide the validation service, store and analyze SSL/TLS certificate data, identify usage trends, and store standard connection log metadata for a limited period.**
## Changes to This Privacy Policy
I reserve the right to modify, update, or amend this Privacy Policy from time to time to reflect changes made to our addon. When I make material changes to this Policy, I'll inform you by updating the 'Effective date' notice. It is your responsibility to review this Privacy Policy periodically or "watch" the repository for changes to stay informed of any updates. Your continued use of the addon after any modifications to this Policy constitutes your acceptance of such changes.
**TL;DR: We may change this Privacy Policy but will notify you of any significant updates. It's your responsibility to review and accept the changes.**
If you have any questions about this Privacy Policy, submit an issue for clarification.