Legal:Data retention guidelines

Introduction

Data is important. It is one of the ways we can learn and grow as an organization and a movement, and how we can help make the projects better for those who use them to create, learn, and share. At the same time, we are committed to keeping your private data "for the shortest possible time that is consistent with the maintenance, understanding, and improvement of the Wikimedia Sites, and our obligations under applicable U.S. law" (quote from the Wikimedia Foundation Privacy Policy).

This document helps explain how we fulfill this commitment, by describing our guidelines for data retention, system design, and ongoing auditing and maintenance. These guidelines are meant to be a living document — they will be updated over time to reflect current retention practices.

To what data do these guidelines apply?

These guidelines apply to all non-public data we collect from Wikimedia Sites covered by the Privacy Policy.

How long do we retain non-public data?

Unless otherwise indicated, we retain the following types of data for no more than the following periods of time:

Data type		Examples	Maximum Retention Period
Personal information	Collected from user	IP addresses of site visitors (operational data) IP addresses of A/B test subjects (analytical data)	After at most 90 days, it will be deleted, aggregated, or anonymized
Personal information	Provided by a user	Email address in account settings	Indefinitely
Non-personal information associated with a user account*	Collected from user	Data collected by MediaWiki about a user account's activity (e.g. first time a user goes to an edit page, date and time that a user verifies their email address) Data collected by EventLogging and associated with their user ID (e.g. whether an account was created on mobile, A/B test data for Getting Started)	Indefinitely
Non-personal information associated with a user account*	Provided by a user	Logs of terms entered into the site's search box	After at most 90 days, it will be deleted, aggregated, or anonymized
Non-personal information not associated with a user account*	Collected from user	Counts of how many times certain events have occurred (e.g. successful HTTPS requests)	Indefinitely

*For the purposes of this table, “user account” means username, user ID, or IP address.

Definitions

For the purposes of these guidelines, "personal information" means information you provide us or information we collect from you that could be used to personally identify you. To be clear, while we do not necessarily collect all of the following types of information, we consider the following to be "personal information" if it is otherwise nonpublic:

(a) your real name, address, phone number, email address, password, identification number on government-issued ID, IP address, credit card number;

(b) when associated with one of the items in subsection (a), any sensitive data such as date of birth, gender, sexual orientation, racial or ethnic origins, marital or familial status, medical conditions or disabilities, political affiliation, and religion; and

(c) any of the items in subsections (a) or (b) when associated with your user account.

Some examples of information considered to be “public” under these guidelines include: (a) your IP address, if you edit without logging in; (b) your gender, if it is disclosed under your user profile; (c) any personal information you disclose publicly on the Wikimedia Sites, such as your real name or age. Some examples of types of information that are considered to be “nonpublic” include: (a) your IP address, if you edit while logged in; (b) your email address, if you provided one to us (but didn’t post it publicly); and (c) your location information. The types of information that are considered “nonpublic” as opposed to “public” are more fully explained in our Privacy Policy.

Terms that are not defined in this document have the same meaning given to them in the Privacy Policy.

Exceptions to these guidelines

If we make exceptions to these guidelines, we will notify the community by describing the exception on this page.

Data may be retained in system backups for longer periods of time.

Audits for existing systems

These guidelines are based on practices that the Foundation has generally followed for many years, particularly the 90-day rule for IP addresses and similar personal information in our server logs. However, our older systems may not always comply with these new guidelines, particularly for personal information other than IP addresses. As a result, once these guidelines are adopted, WMF’s technology teams plan to audit our existing systems and bring them into compliance. Because of the size and scope of these systems, this audit will necessarily occur in a gradual fashion.

Design of new systems

In order to support these data retention periods and our overall privacy policy, new tools and systems implemented by the Foundation will be designed with privacy in mind. This will include:

inclusion of these data retention guidelines as requirements during the design process
legal consultation during the design and development process
inclusion of privacy considerations in the code review process

Ongoing handling of new information

Despite our best efforts in designing and deploying new systems, we may occasionally record personal information in a way that does not comply with these guidelines. When we discover such an oversight, we will promptly comply with the guidelines by deleting, aggregating, or anonymizing the information as appropriate.

Contact us

If you think that these guidelines have potentially been breached, or if you have questions or comments about compliance with the guidelines, please contact us at privacy@wikimedia.org.