Privacy Policy

Updated June 28, 2024

The Internet Security Research Group (ISRG) Privacy Policy describes how we collect, use, and disclose your information in two different contexts:

ISRG Projects

Privacy policies for particular ISRG projects can be found via the following links:

Any ISRG project without its own privacy policy is subject to this general ISRG privacy policy.


When you are a Visitor browsing an ISRG web site, you have the option to make a donation. Donations are processed by our trusted payment partners including DonorBox, Stripe, Shopify, and PayPal, depending on the payment method selected, and stored in ISRG's Salesforce database and Sage Intacct as necessary. We collect your name and email address, and, if you provide it, your mailing address when you donate. Once you donate, we will use your information for our legitimate interest in processing and managing your contribution, including fundraising reminders and renewals. Your interactions with DonorBox, Stripe, PayPal, Shopify, Salesforce, Printful, Formstack, and Sage Intacct are governed by their respective privacy policies. We do not collect or retain any credit card or bank information related to donations.

You may provide your email address to receive communications related to ISRG projects through a signup on an ISRG web site and via other marketing materials. Any communication delivered via Salesforce and your interactions with Salesforce are governed by their privacy policies. We may occasionally use your email address to send personalized communications related to ISRG and its projects. You can request to have your email address removed by opting out via the footer of our emails or emailing us at

If you register to use an ISRG community support forum, the personal information you provide and your actions there are governed by the privacy policy of our hosting and software provider for the forum, Civilized Discourse Construction Kit. We do not collect or maintain personal information through our offering of this support forum.

We Do Not Sell Your Data or Information

We do not sell your data or information. This includes Relying Party, Subscriber, and Visitor data and information.

Use of Third-Party Analytics and Email Marketing Tools

To enhance our understanding of how our visitors engage with our websites and emails, and to improve our fundraising and marketing strategies, ISRG may from time to time deploy third-party web and email analytics tools, specifically Google Analytics for our websites and Salesforce Account Engagement for our marketing emails.

Law Enforcement Requests and Extenuating Circumstances

To the extent we possess it, we may disclose personally identifiable information about you to third parties in limited circumstances. Such circumstances include when we have your consent or when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order. We may also disclose account recovery information when we have a good faith belief it is necessary to prevent loss of life, personal injury, damage to property, or significant financial harm.

If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited, or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by whatever means is reasonably practical. If you do not challenge the disclosure request, we may be legally required to turn over your information.

In addition, we reserve the right, solely at our discretion, to independently object to certain requests (for access to information about users of our products and technologies) that we believe to be improper.

What rights do European Economic Area users, subscribers, and visitors have under GDPR, and how can I exercise them?

We process personal data as described in this policy. The purpose and lawful basis for information processing is as follows:

Purpose: Providing ISRG Services

Lawful Basis: Contract, Legitimate Interests

Additional Information: We collect and process information from service subscribers in order to provide reliable and secure services, and to demonstrate to the public that our services perform as expected.

Purpose: Providing Information to Visitors

Lawful Basis: Consent, Legitimate Interests

Additional Information: We collect and process information from Visitors in order to provide information via the Web and email in a reliable and efficient manner.

Purpose: Processing Donations and Sponsorship Inquiries

Lawful Basis: Legitimate Interests

Additional Information: We collect and process information in order to process and support donations.

Purpose: Legal Obligations and Extenuating Circumstances

Lawful Basis: Legal Obligation, Legitimate Interests

Additional Information: We may collect and process information in order to comply with legal obligations and when we have a good faith belief it is necessary to prevent loss of life, personal injury, damage to property, or significant financial harm.

Please note that we may be unable to delete information, including IP addresses, as this information is necessary for others to rely on in determining the trustworthiness of our certificates. In some cases, we may process personal data pursuant to legal obligation or to protect your vital interests or those of another person.

Your personal data may be collected from or transferred to jurisdictions where we and our service providers store or process data, including the United States. These jurisdictions may not provide the same level of data protection as your jurisdiction, including the EEA. We have taken steps to ensure that our service providers provide an adequate level of protection for the personal data of EEA residents, including by entering into data processing agreements using the European Commission-approved Standard Contractual Clauses, or by using other safeguards approved by the European Commission. You have a right to obtain details of the mechanism under which your personal information is transferring outside the EU by emailing us at the contact information below.

Individuals located in the European Economic Area (EEA) have certain rights in respect to their personal information, including the right to access, correct, or delete personal data we process through your use of our sites and services. If you're an individual who is a relying party, subscriber, or visitor based in the EEA, you can:

For more information, or to report a privacy issue, please contact: