Privacy Bulletins

Our normal data collection practices are described in the FAQ. Whenever we need to temporarily change (increase) our data collection, we will describe here what we're doing and what the impact is.

2020-06-19: Privacy exception: Accidental user IP retention

What happened
We use AWS S3 to host websites, client applications, and remote server lists. We discovered that logging had been enabled for many of our S3 resources since June 2015. These logs include IP addresses of users who accessed those resources.
Impact
We have no indication that any logs were obtained by any external party, so this is not a user data breach. However, it is a violation of our Privacy Policy.
Resolution
Logging has been disabled for user-accessible S3 buckets and all logs have been deleted. We are working on a system to keep track of privacy exceptions and issues, and investigating AWS resource auditing.

2019-12-11: Temporary data retention extension

What we're doing
We are temporarily halting User Activity Data pruning, effectively extending the data retention period.
Why we're doing it
We need to keep granular activity data longer to give us time to analyze recent censorship events.
When we're doing it
This will be in effect starting 2019-12-12T00:00Z. It will be in effect for one month. We will update this bulletin if it needs to be extended beyond that.
ምስ ግዜ ዝኸይድ ሓበሬታ
User activity data retention was returned to normal by 2020-04-10.

2019-12-11: Privacy Policy update

What we're doing
We are updating our Privacy Policy. We are changing the retention period of User Activity Data from 60 days to 90 days. We also expanded the information about Privacy Bulletins. For the exact changes, see the GitHub commit.
Why we're doing it
To ensure the Privacy Policy accurately reflects our data practices.
When we're doing it
This will be in effect on 2019-12-12T00:00Z.

2015-06-01: Privacy Policy update

What we're doing
We are updating our Privacy Policy. This includes merging into it the answer to the FAQ question "What information does Psiphon collect?".
Why we're doing it
The Privacy Policy page is now the only place users need to check for Psiphon's privacy and data collection policies. It has been updated to reflect use of advertisements, analytics, and logging for some of our websites.
When we're doing it
This is in effect by at least 2015-06-01T00:00Z.

2014-04-17: Enable S3 bucket logging

What we're doing
We are enabling access logging for one website Amazon S3 "bucket" (i.e., storage container). (For technical reasons, we run dozens of copies of the website in different S3 buckets.)
Why we're doing it
We are doing this to determine how many accesses there are to the "remote server list" stored in the bucket. This will help to give us an idea of how many users are failing to connect.
When we're doing it
Logging will be enabled from 2014-04-17T15:00Z to 2014-04-18T15:00Z.
What user data will be collected
The logging will collect IP addresses, user agents, and timestamps of access to one website. When that data is processed, we will have a count of users divided by geographic region that have accessed the file in question.
How long the data will be retained
The data will be retained no more than one week. We will be keeping the count of users longer -- possibly indefinitely.
How many users are affected
We don't know for sure yet how many users will be affected (that's why we're doing this), but we suspect it will be fewer than 10,000 users.
Who besides Psiphon Inc. will see this data
The access logs are also stored in an Amazon S3 bucket, so Amazon will have access to the logs. (However, Amazon serves the files, so they can already access this information.)