Privacy Policy Changes for

We’ll be making some changes to the privacy policy this month. This post outlines the changes we’ll be making, including information on data retention and erasure in what I hope is easy-to-understand language. Read on for details and if you have any feedback, questions, or suggestions, please comment on this post! 🙂

What data we collect and who can access it

The majority of what’s collected and stored on is WordCamp attendee data, through our registration plugin called CampTix. Currently we require the following information: name, email address, agreement to follow the code of conduct, whether the attendee has a life-threatening allergy, and whether the attendee needs special accommodations to participate in the WordCamp.

Local WordCamp organizing teams can (and do) collect more information than that, when they set up registration. This data can vary widely, but the reason questions are added is to help our volunteers organize an event that’s better for attendees, and to assist the growth of the WordPress community and, by extension, the WordPress open source project.

All attendee-provided data can be viewed and changed by the attendee via the Access Token URL that is emailed to confirm a successful ticket purchase.

Other than the attendee, the only people who can view attendee information are WordCamp volunteers with access to the WordCamp site’s dashboard. WordCamp volunteers are expected to access attendee data only to serve the interests of the WordCamp, not for the benefit of certain businesses or individuals. We’ll be adding a line to the speaker/sponsor/organizer/volunteer agreement to make this expectation more explicit.

Currently, WordCamp attendees are listed by default on the WordCamp attendee page, but can request to be removed by emailing the organizing team. We plan to make the Attendees page listing opt-in by the end of this month (with another one of those annoying required registration questions).

When WordCamp volunteers request reimbursement for (budgeted) out-of-pocket expenses they may have incurred while organizing WordCamp, we may also collect banking-related financial information from them so that we can reimburse them. A volunteer’s banking details and address are only visible to the user who submitted the request and the financial administrators who process the request.

How long data is retained

We’d like to keep data for as little time as possible, while still maintaining accurate business records and not limiting our ability respond to reports related to attendee safety. We don’t have a time limit on code of conduct complaints right now. If we were to delete attendee data 12 months after the event, for example, that could make it harder for the community team to respond to a code of conduct report that might come in 5 15 months after the event. So my proposal is that we hold *all* attendee data for at least three years after the WordCamp is complete. Once non-essential WordCamp attendee data is over three years old, we’ll automatically delete the answers to all but the mandatory registration questions; some examples of to-be-automatically-deleted data here include t-shirt size, meal preference, etc. We plan to retain attendee names indefinitely (unless erasure is requested), as historical records of the participants in WordPress community events.

Banking/financial data collected as part of a reimbursement request is deleted from 7 days after the request is marked paid. The reason for the 7-day retention period is to prevent organizers having to re-enter their banking details if a wire fails or if a payment was marked Paid in error.

We keep invoices and receipts related to WordCamp expenses for 7 years after the close of the calendar year’s audit, by instruction of our financial consultants (auditors & bookkeepers).

Records showing who organized, spoke at, sponsored, or volunteered at WordCamp is considered a matter of public record for the WordPress open source project, and important information to keep for historical/archival purposes. This data will be kept indefinitely, and will not be subject to erasure requests. We’ll add a line to the speaker/sponsor/organizer/volunteer agreement to make this expectation more explicit as well.

What data is subject to erasure requests

If a WordCamp attendee had no official role in the event (meaning: they were not an organizer, speaker, sponsor, or volunteer), then we will remove their data from public display after the 3 year retention period, if asked to do so. For business record-keeping purposes, the plan is to retain essential registration records indefinitely, with some data visible only to data administrators.

As mentioned above, data indicating who organized, spoke at, sponsored, or volunteered at WordCamp is considered a matter of public record for the WordPress open source project, and not subject to erasure requests. If a person whose user ID is linked to a WordCamp custom post type requests that their account be deleted, their user account will be removed from all WordCamp sites, and the authorship of any posts/pages they published will change to a text version of their display name. The text fields in the WordCamp custom post types won’t change.

Code of conduct reports will not be subject to erasure, so that we can more effectively preserve attendee safety. Emails sent to and from email addresses are not subject to erasure.

Next steps

In cooperation with the Meta team, we’re working on making all the relevant data on exportable and, where relevant, erasable. Because uses the same user tables and privacy policy as, we’ll also share a Subject Access Request form and deletion process. Our shared privacy policy will be updated by the end of this week.

I plan to publish a separate post this week, addressing communities using third-party tools like newsletter services to contact community members, so stay tuned for that. 🙂

Questions? Feedback? Concerns? Kittens? Leave a comment with any and all (except kittens), below!