Privacy Policy

This Privacy Policy explains how the BPM project (“we”, “us”, “our”) collects, uses, and shares information when you use the BPM command-line interface (bpm), the BPM registry, our website, and related services (collectively, the “Services”).

Effective date: September 10, 2025

1) Scope & Principles

We collect only what we need to provide the Services safely and reliably.
We do not sell personal data.
Registry publishing is a public act: package metadata you choose to publish may be visible to others.

2) Information We Collect

About telemetry: The BPM CLI does not send usage telemetry by default. If we ever introduce optional diagnostics, it will be opt-in and documented in CLI help. You can always review and change such settings locally.

Account data (when you create one): name, username, email, authentication tokens, and settings.
Registry & package data you publish: package names, versions, manifests, integrity hashes, readme and other metadata, and your publisher ID.
Service logs: IP address, user agent, request path, timestamps, and status codes—used for security, abuse prevention, and reliability.
Website data: basic analytics about page views and referrers; cookie preferences (see Section 7).
Support communications you send to us (e.g., emails to support/security/legal).
Billing data (only if paid features are enabled in the future): transaction details from our payment provider, not full card numbers.

3) How We Use Information

Provide the Services: account management, package publishing and distribution, search, documentation.
Secure the Services: detect abuse and fraud, prevent spam/malware, investigate incidents.
Improve reliability and performance through aggregate analytics and quality metrics.
Communicate with you about changes, security notices, and important updates.
Comply with legal obligations and enforce our Terms & Conditions.

4) Legal Bases (where applicable)

Contract: to provide the Services you request.
Legitimate interests: to secure, maintain, and improve the Services.
Consent: for optional features (e.g., diagnostics) or marketing communications.
Legal obligations: to comply with applicable laws and valid requests.

5) How We Share Information

We do not sell personal data.

Public registry data: package names, versions, and metadata you publish are visible to others and may be indexed by search engines.
Service providers (processors): trusted vendors for hosting, email delivery, analytics, and payments (if applicable), bound by contracts to protect data.
Legal & safety: if required by law or to protect rights, security, and integrity of users and the Services.
Mergers/organizational changes: your information may be transferred if governance of the project changes; we will provide notice where feasible.

6) Data Retention

Account data: kept while your account is active; deleted or anonymized within a reasonable period after you delete your account (subject to legal/operational needs).
Service logs: typically retained for up to 90 days; security logs may be kept up to 12 months.
Published packages & metadata: retained to preserve registry integrity and historical records (including dependency graphs).
Backups: stored for a limited time and then rotated (usually 30–90 days).

7) Cookies & Similar Technologies

Essential cookies: required for login, CSRF protection, and security.
Preference cookies: remember settings like theme and language.
Analytics cookies: help us understand site usage in aggregate; you can opt out through your browser settings or “Do Not Track” preferences (honored where technically feasible).

8) Your Rights & Choices

If you are in a region with specific data rights (e.g., EEA/UK/California), you may have additional rights such as data portability, restriction, or objection. We will honor valid requests subject to verification of identity and applicable law.

Access, correct, or delete your account information, subject to registry integrity constraints.
Export or back up your project data locally; request a copy of your account data via email.
Opt out of non-essential emails and any optional diagnostics (if introduced later).
Revoke registry tokens and rotate credentials stored in your local config (e.g., ~/.bpmrc.json).

9) International Transfers

We may process data on servers or via providers located in different countries (for example, in Asia, the EU, or the US). Where required, we use appropriate safeguards (such as standard contractual clauses) to protect personal data transferred across borders.

10) Security

We implement technical and organizational measures to protect data (access controls, encryption in transit, least-privilege access, monitoring). No system is perfectly secure; we cannot guarantee absolute security. If you discover a vulnerability, please report it to [email protected].

11) Children’s Privacy

The Services are not intended for children under 13. If you believe a child provided us personal data, contact us and we will take appropriate steps to remove it.

12) Third-Party Links & Packages

Our website and registry may link to third-party sites or host packages published by independent authors. Their privacy practices are not governed by this Policy. Review third-party policies before using their services or code.

13) Changes to this Policy

We may update this Policy from time to time. If changes are material, we will provide reasonable notice (for example, on this page or within the Services). Your continued use of the Services after changes take effect constitutes acceptance.