SPI Privacy Policy

THE SPI VICE PRESIDENT RESOLVES THAT

Software in the Public Interest, Inc. ("SPI," "we," or "us") is committed to respecting and protecting the privacy of individuals who interact with us. This Privacy Policy ("Policy") describes how SPI collects, uses, retains, and discloses personal information provided by members, donors, affiliated projects, contractors, and board members.

This Policy applies to personal information collected and voluntarily provided to SPI through activities such as joining as a member, affiliating a project, participating in mailing lists or governance processes, or making a donation. Such information is processed on the basis of informed consent and used solely for purposes aligned with SPI's nonprofit mission. SPI retains personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, to comply with applicable legal obligations, or to protect SPI's legitimate operational interests.

SPI's member projects may also collect data and have their own privacy policies which specify what they do with the data they collect.

By engaging with SPI through any of these means, you acknowledge and accept the practices described in this Policy.

Types of Information We Collect

SPI does not collect or process personal information from visitors to its website (https://www.spi-inc.org/), other than the technical data strictly necessary to facilitate a secure and functional connection (such as IP addresses for basic server logs). SPI does not engage in user profiling, ad targeting, or behavioral tracking through its website.

Our data collection is limited to information voluntarily submitted by individuals who engage with us in the context of project sponsorship, membership registration, or financial contributions.

The categories of information collected may vary according to context and necessity, but generally include:

  1. Full name
  2. Email address
  3. Mailing address and country of residence
  4. Phone number
  5. Financial details related to donations or reimbursements
  6. Affiliation with sponsored projects

SPI usually does not collect sensitive data as defined by applicable laws (e.g., race, ethnicity, gender, political opinion). However, financial data is handled with heightened confidentiality and care to reduce risks of unauthorized access or disclosure.

All data is collected with the informed consent of the individual and used strictly within the scope of SPI's nonprofit mission.

How we collect information

Information may be collected in the following ways:

  1. Direct communication via e-mail with SPI staff, Board members, or administrative contacts;
  2. Mailing lists, when individuals subscribe or post messages using their personal email addresses;
  3. Project affiliation requests, which may include documentation and identification of project representatives;
  4. Donation processing, through platforms that require submission of payment and contact information;
  5. Administrative and operational tools used by SPI, including GitLab (for internal use and public repositories), RT, and IRC channels used for coordination and governance.

Use of Personal Information

Specifically, we may use your information to:

  1. Administer memberships and project affiliations;
  2. Process donations and issue related documentation, including receipts and acknowledgments;
  3. Maintain accurate records for financial, tax, and reporting purposes;
  4. Facilitate reimbursements, stipends, or other approved disbursements;
  5. Communicate with you regarding SPI's governance, policies, or sponsored activities;
  6. Respond to lawful requests from public authorities when legally required.

In institutional processes such as membership or project affiliation reviews, SPI may handle or receive additional biographical and administrative information voluntarily provided, but this does not constitute mandatory personal data collection, nor does SPI profile or retain such information beyond what is necessary for governance, transparency, and regulatory compliance.

Sharing and Disclosure of Information

SPI does not disclose personal data to third parties except in narrowly defined and purpose-specific circumstances that are consistent with its mission and the expectations of the data subject.

SPI may share personal data only as necessary in the following situations:

  1. With service providers acting as data processors, who perform limited functions on our behalf (e.g., payment processing, bookkeeping, secure communications infrastructure). Such processors are granted access only to the data strictly required for the execution of their contracted duties and are contractually obligated to implement appropriate data protection safeguards and to refrain from further processing;
  2. With designated representatives of affiliated projects, solely when the data subject has voluntarily provided the information in the context of project affiliation and where the disclosure is necessary to facilitate legitimate communication or operational needs related to the sponsored project;
  3. To attribute your contributions to mailing lists, source repositories, etc.
  4. With governmental or regulatory authorities, when SPI is required to comply with a legal obligation, subpoena, court order, tax audit, or other enforceable demand under applicable law or international cooperation treaties.

Individuals may request that their data be handled with enhanced confidentiality. While SPI does not currently execute formal data processing agreements with affiliated projects, we commit to honoring confidentiality requests where operationally and legally feasible and to limiting access to such data on a strict need-to-know basis.

Data Retention and Storage

SPI retains personal information only as long as necessary to achieve the purposes for which it was collected, or to meet legal and financial obligations. While SPI does not currently have a formal retention policy, it follows a reasonableness principle guided by transparency and risk minimization.

Retention timeframes for member data, including removal from active systems or backups, must be defined by the SPI Board and are not operationally enforced until formally determined.

Data is stored in secure platforms used by SPI, including institutional email systems, GitLab, RT, and encrypted cloud storage services.

Data Security

SPI applies reasonable technical and organizational measures to protect the integrity, availability, and confidentiality of all personal data under its control. While no system can guarantee absolute security, SPI strives to mitigate risks through access control, secure communication tools, and limitation of data sharing.

Our website uses Secure Socket Layer (SSL) technology, which encrypts your personal data when you send your personal information on our website.

Donations

When you make a donation to SPI -- whether directed to the organization generally or earmarked for a specific affiliated project -- your personal information is processed exclusively for the purpose of administering the donation, complying with tax and regulatory obligations, and, where applicable, issuing acknowledgments or receipts.

SPI does not sell, lease, or exchange donor information under any circumstances. Donor data is shared only with SPI's Treasurer, Board of Directors, and relevant members or project teams when necessary for internal administration or financial reporting.

Donors who wish to remain anonymous may request this at the time of donation, and SPI will make reasonable efforts to respect such requests. Donations processed through third-party platforms such as PayPal or Click & Pledge are subject to the privacy policies of those providers; SPI only receives the information those services transmit. Donation records are retained for as long as required by applicable law, including for tax and audit purposes. Donors may contact SPI at privacy@spi-inc.org to request access to, correction of, or limitations on the use of their personal data.

For more information about SPI's donation policies and procedures, please visit: https://www.spi-inc.org/donations

Membership Registration

SPI offers a membership program for individuals who wish to formally associate with the organization and participate in its governance. Membership registration is managed through a dedicated portal at https://members.spi-inc.org, which requires users to create a personal profile including their name, email address, a secure password and other informations.

Applicants initially register as non-contributing members. Once their email address has been verified and the application is accepted, members may access their account to update personal details, monitor application status, and, if eligible, submit a request to become a contributing member with voting rights.

Personal data collected during the membership process is used solely for administrative purposes, including application management, eligibility verification, and maintenance of membership records.

If a user no longer wishes to maintain an account, they may request deletion by contacting privacy@spi-inc.org.

International Data Transfers

SPI is a United States - based organization, headquartered in New York. In the course of its nonprofit activities, SPI interacts with individuals, projects, and collaborators located in various jurisdictions, including the European Union and countries with differing data protection standards. As such, personal data may be transferred to, accessed from, or stored in countries outside the jurisdiction where the data subject resides.

When SPI transfers personal data internationally, such transfers occur in connection with the administration of donations, project sponsorships, community engagement, or compliance with applicable legal obligations. While SPI strives to handle data in accordance with recognized privacy principles, it is possible that certain overseas recipients or systems involved in processing data may not be subject to the same level of statutory protection as those required under the laws of your country of residence. In some cases, those recipients may be subject to local laws requiring disclosure to foreign authorities. Where transfers involve personal data originating from the European Economic Area, SPI will adopt reasonable contractual, technical, or organizational safeguards to ensure that such data remains protected in line with applicable legal standards.

SPI commits to cooperating in good faith with lawful and proportionate inquiries from foreign authorities and to applying appropriate data protection safeguards consistent with its nonprofit mission and operational capacity.

External Links and Third-Party Services

SPI's website and communications may contain links to third-party websites, services, or tools that are not operated or controlled by SPI. Please be aware that SPI is not responsible for the privacy practices or content of those third parties. If you have questions about the data collection procedures of linked sites, please contact those sites directly.

Public Records and Community Forums

SPI maintains several platforms that facilitate public collaboration and community transparency, including mailing list archives, Git repositories, IRC logs, and public meeting notes. These spaces are integral to our open governance and software freedom mission, and contributions made within them are typically retained as public records.

Please be aware that any personal information voluntarily disclosed in these forums becomes part of the public domain and may be accessible indefinitely. Users should exercise discretion and carefully consider the level of personal detail shared in these contexts. SPI does not remove or anonymize public contributions retroactively, except where required by law.

SPI reserves the right to moderate public forums to preserve their integrity and purpose. This includes, but is not limited to, the removal of content that is unlawful, abusive, or inconsistent with SPI's community values. These actions are taken in pursuit of SPI's legitimate interest in fostering constructive dialogue, ensuring historical consistency, and supporting scientific and organizational accountability.

Managing Your Personal Information

Individuals who have submitted personal information to SPI -- such as members, project representatives, or donors -- may request to access, correct, or update their data at any time by contacting us at privacy@spi-inc.org. We will take reasonable steps to verify your identity and process your request promptly, subject to applicable legal or operational constraints. SPI does not operate user accounts through its public website.

Please note that publicly archived contributions (such as mailing list posts, commit logs, or meeting minutes) are considered part of the public record and generally cannot be altered or removed retroactively, except where legally required. We encourage users to carefully consider what personal information they disclose in public or semi-public forums affiliated with SPI.

Cookies and Technical Information

SPI may also use cookies -- small data files stored on your device -- to support core functionalities, such as session authentication and access to personalized or restricted content. These cookies do not track user behavior across services, nor are they used for marketing, profiling, or analytics.

SPI's online infrastructure, may automatically collect certain technical information from your browser or device in order to maintain operational security and system functionality. This may include IP addresses, browser type, access timestamps, and referring URLs, which are used strictly for diagnostic purposes, server maintenance, and to ensure a secure connection.

SPI website access logs are rotated and deleted every 2 weeks. SPI does not retain these logs beyond rotation for institutional purposes, and there is currently no statutory obligation under United States law to retain them for longer periods.

By using SPI's online services that require authentication or interactive participation (e.g., community account login or member area access), you consent to the placement of essential cookies necessary for those features to function. If you prefer not to accept cookies, most browsers offer settings to block, notify, or delete them. Please note, however, that disabling cookies may impair your ability to use certain SPI services as intended.

Commitment to Children's Online Privacy

SPI does not knowingly collect, store, or solicit personal information from children under the age of 13. Our services and platforms are intended for use by individuals who are at least 13 years of age. We do not support registration, donation, or community account access by minors.

If we become aware that personal data from a child under 13 has been inadvertently collected, we will take reasonable steps to delete such data promptly. Parents or legal guardians who believe that SPI may have collected information from a minor may contact us at privacy@spi-inc.org to request its removal.

In accordance with international data protection standards, including the GDPR, SPI also does not accept data submissions from individuals under the age of 16 residing in the European Union.

How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way SPI handles your personal information, please contact us at: privacy@spi-inc.org

We are will make reasonable efforts to respond promptly to inquiries or concerns regarding our privacy practices..

Changes to this Privacy Policy

SPI reserves the right to update or modify this Privacy Policy at any time, in order to reflect changes in legal requirements, organizational practices, or the scope of our activities. Any material changes will be clearly posted on our official website at https://www.spi-inc.org.

The data controller of your personal information is:

Software in the Public Interest, Inc.
1632 1st Ave #20327
New York, NY 10028
United States

If you have any questions or concerns about this privacy policy, please contact us via email at privacy@spi-inc.org.