WSO2 Identity Server (referred to as “WSO2 IS” within this policy) is an open source Identity Management and Entitlement Server that is based on open standards and specifications.
This policy describes how WSO2 IS captures your personal information, the purposes of collection, and information about the retention of your personal information.
Please note that this policy is for reference only, and is applicable for the software as a product. WSO2 Inc. and its developers have no access to the information held within WSO2 IS. Please see the Disclaimer section for more information
Entities, organisations or individuals controlling the use and administration of WSO2 IS should create their own privacy policies setting out the manner in which data is controlled or processed by the respective entity, organisation or individual.
What is personal information?
WSO2 IS considers anything related to you, and by which you may be identified, as your personal information. This includes, but is not limited to:
- Your user name (except in cases where the user name created by your employer is under contract)
- Your date of birth/age
- IP address used to log in
- Your device ID if you use a device (e.g., phone or tablet) to log in
However, WSO2 IS also collects the following information that is not considered personal information, but is used only for statistical purposes. The reason for this is that this information can not be used to track you.
- City/Country from which you originated the TCP/IP connection
- Time of the day that you logged in (year, month, week, hour or minute)
- Type of device that you used to log in (e.g., phone or tablet)
- Operating system and generic browser information
Collection of personal information
WSO2 IS collects your information only to serve your access requirements. For example:
- WSO2 IS uses your IP address to detect any suspicious login attempts to your account.
- WSO2 IS uses attributes like your first name, last name, etc., to provide a rich and personalized user experience.
- WSO2 IS uses your security questions and answers only to allow account recovery.
WSO2 IS collects your information by:
- Collecting information from the user profile page where you enter your personal data.
- Tracking your IP address with HTTP request, HTTP headers, and TCP/IP.
- Tracking your geographic information with the IP address.
Use of personal information
WSO2 IS will only use your personal information for the purposes for which it was collected (or for a use identified as consistent with that purpose).
WSO2 IS uses your personal information only for the following purposes.
- To provide you with a personalized user experience. WSO2 IS uses your name and uploaded profile pictures for this purpose.
- To protect your account from unauthorized access or potential hacking attempts. WSO2 IS uses HTTP or TCP/IP Headers for this purpose.
- This includes:
- IP address
- Browser fingerprinting
- Derive statistical data for analytical purposes on system performance improvements. WSO2 IS will not keep any personal information after statistical calculations. Therefore, the statistical report has no means of identifying an individual person.
- WSO2 IS may use:
- IP Address to derive geographic information
- Browser fingerprinting to determine the browser technology or/and version
Disclosure of personal information
WSO2 IS only discloses personal information to the relevant applications (also known as âService Providersâ) that are registered with WSO2 IS. These applications are registered by the identity administrator of your entity or organization. Personal information is disclosed only for the purposes for which it was collected (or for a use identified as consistent with that purpose), as controlled by such Service Providers, unless you have consented otherwise or where it is required by law.
Please note that the organisation, entity or individual running WSO2 IS may be compelled to disclose your personal information with or without your consent when it is required by law following due and lawful process.
Storage of personal information
Where your personal information is stored
WSO2 IS stores your personal information in secured databases. WSO2 IS exercises proper industry accepted security measures to protect the database where your personal information is held. WSO2 IS as a product does not transfer or share your data with any third parties or locations.
WSO2 IS may use encryption to keep your personal data with an added level of security.
How long your personal information is retained
WSO2 IS retains your personal data as long as you are an active user of our system. You can update your personal data at any time using the given self-care user portals.
WSO2 IS may keep hashed secrets to provide you with an added level of security. This includes:
- Current password
- Previously used passwords
How to request removal of your personal information
You can request the administrator to delete your account. The administrator is the administrator of the tenant you are registered under, or the super-administrator if you do not use the tenant feature.
Additionally, you can request to anonymize all traces of your activities that WSO2 IS may have retained in logs, databases or analytical storage.
Changes to this policy
Upgraded versions of WSO2 IS may contain changes to this policy and revisions to this policy will be packaged within such upgrades. Such changes would only apply to users who choose to use upgraded versions.
- WSO2, its employees, partners, and affiliates do not have access to and do not require, store, process or control any of the data, including personal data contained in WSO2 IS. All data, including personal data is controlled and processed by the entity or individual running WSO2 IS. WSO2, its employees partners and affiliates are not a data processor or a data controller within the meaning of any data privacy regulations. WSO2 does not provide any warranties or undertake any responsibility or liability in connection with the lawfulness or the manner and purposes for which WSO2 IS is used by such entities or persons.