Privacy Questions and Answers
<p>This notice describes how npm, Inc., or <em>npm</em> for short, collects and uses data about you.</p>
<p>Skip to:</p>
<ul>
<li>What's most important?</li>
<li>How does npm collect data about me?</li>
<li>What data does npm collect about me, and why?</li>
<li>Does npm share data about me with others?</li>
<li>How can I make choices about data collection?</li>
<li>Where does npm keep data about me?</li>
<li>How does npm handle data under the EU General Data Protection Regulation?</li>
<li>How does npm handle data under the California Consumer Privacy Act?</li>
<li>How can I see what data is publicly available about me?</li>
<li>How can I change data about me?</li>
<li>What is npm's policy on unpublishing packages?</li>
<li>How does npm notify others about published data that's erased?</li>
<li>What happens if npm merges with or is bought by another company?</li>
<li>What are npm's information practices regarding information belonging to children?</li>
<li>Who can I contact about npm and my privacy?</li>
<li>How can I find out about changes?</li>
</ul>
What's most important?
<p>That depends on your personal situation, which is why you should read on
and decide for yourself.
But at a minimum, absolutely every npm user
should understand:</p>
<p>
<em>The npm public registry is for making software available to everyone
online.</em>
</p>
<p>But: <em>Software comes from people, and says something about us.</em>
</p>
<p>So: <em>Think carefully about what packages to publish, what data you put
in those packages, and what others might do with that data.</em>
</p>
<p>When you create an account, certain contact information is displayed
publicly in the npm platform.
And when you upload a package, your name
and contact information may become associated with that package.</p>
<p>If you find yourself in a jam, email privacy@npmjs.com.</p>
How does npm collect data about me?
<p>npm collects data about you:</p>
<ul>
<li>
<p>when you use the npm command, the npx command or another program to access the npm public registry, Enterprise registries that npm hosts, private packages, such as when you're publishing a software package, and APIs for functionality like account and permissions management</p>
</li>
<li>
<p>when you browse the npm website, npmjs.com</p>
</li>
<li>
<p>when you use either the npm command or the website to create an npm account, update your account, and sign up for npm services</p>
</li>
<li>
<p>when you send support, privacy, legal, and other requests to npm</p>
</li>
<li>
<p>when working with and researching current and potential customers</p>
</li>
</ul>
<p>When researching potential customers, npm staff sometimes search the
public World Wide Web or paid business databases.
Otherwise, npm
doesn't buy or receive data about you from data brokers or other
private services.</p>
<p>npm may inadvertently collect data about you if it is included in
software packages that you or others upload.</p>
What data does npm collect about me, and why?
npm collects data about how you use npm software and registries.
<p>When you use the <code>npm</code> command, the <code>npx</code> command, or other software to work
with the npm public registry, an Enterprise registry that npm hosts, or
private packages, npm logs data that might be identified to you:</p>
<ul>
<li>
<p>a random, unique identifier, called <code>npm-session</code>, for each time you
run commands like <code>npm install</code>
</p>
</li>
<li>
<p>the names and versions of your project's dependencies, their
dependencies, and so on, that come from the npm public registry,
but not of other dependencies, like Git
dependencies</p>
</li>
<li>
<p>the versions of Node.js, the npm command, and the operating system
you are using</p>
</li>
<li>
<p>an <code>npm-in-ci</code> header, showing whether the command was run on a
continuous integration server</p>
</li>
<li>
<p>the scope of the package for which you ran <code>npm install</code>, as an
<code>npm-scope</code> header</p>
</li>
<li>
<p>a <code>referrer</code> header that shows the command you ran, with any file or
directory paths redacted</p>
</li>
<li>
<p>data about the software you're using to access the registry, such
as the <code>User-Agent</code> string</p>
</li>
<li>
<p>network request data, such as the date and time, your IP address,
and the URL</p>
</li>
</ul>
<p>npm uses this data to:</p>
<ul>
<li>
<p>fulfill your requests, such as by sending the packages you ask for</p>
</li>
<li>
<p>send you alerts about security vulnerabilities that may affect the
software you're building, when you run <code>npm install</code> or <code>npm audit</code>
</p>
</li>
<li>
<p>keep registries working quickly and reliably</p>
</li>
<li>
<p>debug and develop the <code>npm</code> command and other software</p>
</li>
<li>
<p>defend registries from abuse and technical attacks</p>
</li>
<li>
<p>compile statistics on package usage and popularity</p>
</li>
<li>
<p>prepare reports on trends in the developer community</p>
</li>
<li>
<p>improve search results on the website</p>
</li>
<li>
<p>recommend packages that may be relevant to your work</p>
</li>
</ul>
npm collects data about how you use the website.
<p>When you visit www.npmjs.com,
docs.npmjs.com, and other npm
websites, npm uses cookies, server logs, and other methods to collect
data about what pages you visit, and when.
npm also collects technical
information about the software and computer you use, such as:</p>
<ul>
<li>
<p>your IP address</p>
</li>
<li>
<p>your preferred language</p>
</li>
<li>
<p>the web browser software you use</p>
</li>
<li>
<p>the kind of computer you use</p>
</li>
<li>
<p>the website that referred you</p>
</li>
</ul>
<p>npm uses data about how you use the website to:</p>
<ul>
<li>
<p>optimize the website, so that it's quick and easy to use</p>
</li>
<li>
<p>diagnose and debug technical errors</p>
</li>
<li>
<p>defend the website from abuse and technical attacks</p>
</li>
<li>
<p>compile statistics on package popularity</p>
</li>
<li>
<p>compile statistics on the kinds of software and computers visitors
use</p>
</li>
<li>
<p>compile statistics on visitor searches and needs, to guide
development of new website pages and functionality</p>
</li>
<li>
<p>decide who to contact about product announcements, service
changes, and new features</p>
</li>
</ul>
npm collects account data.
<p>Many features of npm services require an npm account.
For example, you
must have an npm account to publish packages to the npm public registry.</p>
<p>To create an npm account, npm requires a working email address and an
available user name.
npm uses this data to provide you access to
features and identify you across npm services, publicly and within npm.</p>
<p>You do not have to give your personal or legal name to create an npm
account.
You can use a pseudonym instead.
You can also open more than
one account.</p>
<p>If you sign up for an account, then npm will publish account data for
the whole world to see on user pages like this one.
npm also publishes account data through the npm public registry, which is available for everyone to see, and Enterprise registries that npm hosts for others to
find with commands like <code>npm owner ls tap</code>.</p>
<p>If you give npm a personal name or names on social media like
GitHub and
Twitter through the website, like
when you include this on your profile or user page, npm publishes that
data along with the email address and user name for the account.
You
don't have to give npm a personal name or any social media names, and
you can remove this data at any time by updating your user page.</p>
<p>npm uses your email to:</p>
<ul>
<li>
<p>notify you about packages published using your account</p>
</li>
<li>
<p>reset your password and help keep your account secure</p>
</li>
<li>
<p>add metadata to packages that you publish</p>
</li>
<li>
<p>contact you in special circumstances related to your account or packages</p>
</li>
<li>
<p>contact you about support requests</p>
</li>
<li>
<p>contact you about legal requests, like DMCA takedown requests and privacy complaints</p>
</li>
<li>
<p>announce new npm product offerings, service changes, and features</p>
</li>
<li>
<p>send you tips about how to better use free and paid services</p>
</li>
<li>
<p>send you messages about paid services you might want</p>
</li>
</ul>
npm collects package data.
<p>When you use npm publish or other software to publish packages to the
npm public registry, an Enterprise registry that npm hosts, or as a
private package, npm collects the contents of the package, plus
metadata,
including your account data.
Other npm users may also publish packages
that include data about you, such as the fact that you contributed code
to a package.</p>
<p>npm uses data in packages to provide those packages to you and others
who request them:</p>
<ul>
<li>
<p>When you publish a package to the npm public registry, or change a
package from private to public, npm makes the package and metadata
available to everyone, online.</p>
</li>
<li>
<p>When you publish a package to an Enterprise registry that npm hosts,
or as a private package, npm makes all of that data available to
other users according to how the registry or the private packages
account is configured.
You may be able to configure who can access
the package, or that may be up to others, such as the
administrator of your company's Enterprise registry.</p>
</li>
</ul>
<p>Making package data available to others allows them to download, build
on, and depend on your work.</p>
npm collects payment card data.
<p>To sign up for paid services, npm requires your payment card data.
npm itself does not collect or store enough information to charge your card.
Rather, Stripe collects
that data on npm's behalf, and gives npm security tokens that allow npm
to create charges and subscriptions.</p>
<p>npm uses your payment card data only to charge for npm services.</p>
<p>npm instructs Stripe to store your
payment card data only as long as you use paid npm services.</p>
npm collects data about current and potential customers.
<p>npm's sales and marketing teams collect information about npm users who
might like to try npm paid services, as individuals or through
organizations.
npm also collects data about customer personnel, such as
lists of people who need Enterprise registry accounts or access to
channels for technical support.
When npm's sales and marketing teams
send email to current and potential customers, they collect data about
whether those messages get read, and whether readers follow hyperlinks.</p>
<p>npm's sales team also uses public World Wide Web searches and paid
business databases to research who users work for, and their positions,
based on account data like name or email address.
The vast majority of
this data is publicly available.</p>
<p>npm uses data about current and potential customer personnel to:</p>
<ul>
<li>
<p>ensure npm meets its obligations to provide access, support, and
other services under contracts for paid services</p>
</li>
<li>
<p>decide which people to contact about product announcements, service
changes, and new features</p>
</li>
<li>
<p>ensure that people who opt out do not receive any more messages
about npm services and upgrades</p>
</li>
<li>
<p>keep track of how users express interest in npm products and
services over time</p>
</li>
<li>
<p>decide who should receive email about product announcements, service
changes, and new features</p>
</li>
</ul>
npm collects data about correspondence.
<p>npm collects data about you when you send npm support requests, legal
complaints, privacy inquiries, and business inquiries.
Those data
usually include your name and email address, and may include your
company or other affiliation.</p>
<p>npm uses contact data to:</p>
<ul>
<li>
<p>respond to you</p>
</li>
<li>
<p>compile aggregate statistics about correspondence</p>
</li>
<li>
<p>train support staff and other npm personnel</p>
</li>
<li>
<p>review the performance of npm personnel who respond</p>
</li>
<li>
<p>defend npm from legal claims</p>
</li>
</ul>
npm collects data about use of npm.community.
<p>npm collects data about visits, user accounts, and forum data on
npm.community, the discussion
forum for users of npm products and services.
npm uses data from
npm.community to collaborate with the development community, and to
inform development decisions about the command-line interface and other
software.</p>
Does npm share data about me with others?
<p>npm shares account data with others as mentioned in the section about
account data.</p>
<p>npm shares package data with others as mentioned in the section about
package data.</p>
<p>npm publishes posts and other content you submit to npm.community.</p>
<p>npm does not sell information about you to others.
However, npm uses
services provided by other companies to provide npm services.
The types
of service providers that npm uses include:</p>
<ul>
<li>
<p>Companies that enable us to offer features on our website, such as to display your avatar</p>
</li>
<li>
<p>Companies that facilitate the efficient distribution of content</p>
</li>
<li>
<p>Cloud computing platforms and services that host our discussion forums</p>
</li>
<li>
<p>Services that assist with the detection of spam, scams, abuse of
others, or other violations of our terms of service</p>
</li>
<li>
<p>Payment processors</p>
</li>
<li>
<p>Companies that assist us with marketing, such as to store data about
current and potential customers or to enable us to send email to users, such as newsletters</p>
</li>
<li>
<p>Platforms to help us receive, manage, and respond to support requests</p>
</li>
<li>
<p>Platforms for internal communication</p>
</li>
</ul>
npm uses cookies.
<p>npm's website uses Google Analytics to collect and analyze data about
visitors to its websites.
You can read the privacy policy for Google
Analytics online.
You can opt out of Google Analytics by installing a free browser
extension.</p>
<p>npm uses
HubSpot
to track which parts of npm websites you visit so we know which updates
and service email messages to send you.
We also use HubSpot to track
when you create accounts and Orgs, when you change Orgs from free to
paid, and when you add seats to Orgs, in order to share tips on how to
use Orgs, to send you marketing messages about the benefits of paid
services, and to notify our sales team that you might want paid
services.
Finally, HubSpot collects data from forms on our website that
you must fill out to access some marketing content.
You can read the
privacy policy for HubSpot
online.</p>
How can I make choices about data collection?
<p>You choose what data the <code>npm publish</code> command includes in package data.
You can use an <code>.npmignore</code> file in your package to keep specific files out of the package.
You can also use a <code>files</code> list in <code>package.json</code> to
instruct npm to include only specific files that you name, in addition
to standard files like <code>README</code> files, <code>LICENSE</code> files, and <code>package.json</code>.</p>
<p>To double-check the data that you will share in a package that you plan
to publish, run the <code>npm publish --dry-run</code> command.
If you are running an older version of the npm command, run the <code>npm pack</code> command to create a
tarball, then check its contents, such as with <code>tar tvzf $tarball</code>.</p>
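As an added example, not part of npm's policy or its tooling, the shell functions below take the tarball that <code>npm pack</code> produces, list it the same way <code>tar tzf</code> does, and flag entries that commonly carry secrets or local configuration before anything is published; the pattern list, the <code>find_sensitive</code> and <code>make_sample_tarball</code> names, and the sample files are all constructed assumptions for this demonstration.

```shell
#!/bin/sh
# Added example, not npm's own tooling: scan the listing of an npm-style
# tarball (what `npm pack` produces) for entries that should usually not be
# published. Assumes `tar` and `gzip` are available; the patterns and the
# sample files below are constructed for this demonstration.

# Path fragments that commonly carry secrets or local configuration. This
# list is an assumption to extend for your own projects, not an npm rule.
SENSITIVE_PATTERNS='(^|/)\.env($|\.)|(^|/)\.npmrc$|\.pem$|\.key$|(^|/)id_rsa|(^|/)\.git/'

# list_tarball TARBALL: print every entry; npm prefixes all paths with "package/".
list_tarball() {
    tar tzf "$1"
}

# find_sensitive TARBALL: print the matching entries and return 1 if any were
# found; return 0 and print nothing when the tarball looks clean.
find_sensitive() {
    matches=$(list_tarball "$1" | grep -E "$SENSITIVE_PATTERNS" || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# make_sample_tarball [clean]: build a constructed package in a temp dir, laid
# out like an npm tarball, and print the tarball path. Without "clean" it also
# contains a .env and an .npmrc that a real project would want to keep out.
make_sample_tarball() {
    dir=$(mktemp -d)
    mkdir -p "$dir/package/lib"
    printf '{"name":"sample","version":"1.0.0"}\n' > "$dir/package/package.json"
    printf 'module.exports = 1;\n' > "$dir/package/lib/index.js"
    if [ "${1:-}" != "clean" ]; then
        # Constructed placeholder values, not real credentials.
        printf 'API_TOKEN=constructed-placeholder\n' > "$dir/package/.env"
        printf '//registry.example/:_authToken=placeholder\n' > "$dir/package/.npmrc"
    fi
    tar czf "$dir/sample-1.0.0.tgz" -C "$dir" package
    printf '%s\n' "$dir/sample-1.0.0.tgz"
}

# Stand-alone run: build the leaky sample and report what would have shipped.
tgz=$(make_sample_tarball)
if find_sensitive "$tgz"; then
    echo "clean: $tgz"
else
    echo "refusing to publish $tgz: the entries above would be made public"
fi
```

Point <code>find_sensitive</code> at the real tarball from <code>npm pack</code> and run it as a pre-publish step; a non-zero exit means something in the listing needs an <code>.npmignore</code> entry or a tighter <code>files</code> list.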
<p>To publish a package to the npm public registry, npm's terms of service
require you to license npm to share it.
If a package is made public, it is available for everyone online to see.
However, your choice of public license for your package
may affect what others can do with data about you in your package.</p>
<p>npm does not respond to the Do Not Track HTTP header.</p>
Where does npm keep data about me?
<p>npm stores account data, data about website use, data about registry
use, and private packages on servers in the United States of America.
npm stores package data published to the npm public registry, plus
metadata about those packages, worldwide, via content delivery
networks.</p>
<p>npm stores package data published to Enterprise registries that npm
hosts, plus metadata about them, in cloud computing zones of customers' choosing.</p>
<p>By using the npm platform, you consent to the collection and storage of
your data as outlined in this section.</p>
How does npm handle data under the EU General Data Protection Regulation?
<p>npm respects privacy rights under Regulation (EU) 2016/679,
the European Union's General Data Protection Regulation (GDPR).
npm processes "Personal Data" on the following legal bases: (1) with your
consent; (2) as necessary to perform our agreement to provide our
services; and (3) as necessary for our legitimate interests in providing
our services, where those interests do not override your fundamental
rights and freedoms related to data privacy.
Information we collect may
be transferred to, and stored and processed in, the United States or any
other country in which we or our affiliates or subcontractors maintain
facilities, as described above.</p>
<p>If you reside in the EEA, Switzerland, or United Kingdom, you are
entitled to certain rights, like the right to:</p>
<ul>
<li>
<p>complain about our data collection or processing actions to the
supervisory authority concerned.
You can find a list of data
protection authorities here.</p>
</li>
<li>
<p>access information held about you.</p>
</li>
<li>
<p>ask us to correct or amend inaccurate or incomplete information we have about you.</p>
</li>
<li>
<p>ask us to erase data under certain circumstances, like (1) when
it is no longer necessary for the purpose for which it was
collected, (2) you withdraw consent and no other legal basis for
processing exists, or (3) you believe your fundamental rights to
data privacy and protection outweigh our legitimate interest in
continuing the processing.</p>
</li>
<li>
<p>request that we restrict our processing if we are processing your
data based on legitimate interests or the performance of a task in
the public interest as an exercise of official authority
(including profiling); using your data for direct marketing
(including profiling); or processing your data for purposes of
scientific or historical research and statistics.</p>
</li>
</ul>
<p>When you exercise your rights, npm may need to verify your identity, and
you may need to provide us with information, before we access records
containing your information.
If you want to exercise your rights, please email npm at
privacy@npmjs.com.
We
may have a reason under the law why we do not have to comply with your
request or may comply with it in a more limited way than you
anticipated.
If we do, we will explain that to you in our response.</p>
How does npm handle data under the California Consumer Privacy Act?
<p>npm respects the rights of California residents under the California
Consumer Privacy Act (CCPA).
Where we collect information that is subject to the
CCPA, that information we collect and your rights are described below.</p>
<p>Categories of personal information we collect:</p>
<ul>
<li>
<p>
<em>Personal Identifiers</em>:</p>
<ul>
<li>
<p>Name and email address when you create an account.
You will also
be asked to create a username and we will assign one or more
unique identifiers to your profile.
We use this information to
provide our services, respond to your requests, and send
information to you.</p>
</li>
<li>
<p>We also collect your social media handle and basic account
information if you provide it to us or interact with our
services, such as our help desk, through social media.</p>
</li>
<li>
<p>We collect your payment information through our service
provider, Stripe, as described above.</p>
</li>
</ul>
</li>
<li>
<p>
<em>Internet or Other Electronic Network Activity Information</em>: device
identifiers such as IP address and user agent; the assigned unique
IDs in cookies (as described below); and information about how you
arrived at and navigated through our Services.</p>
</li>
<li>
<p>
<em>Geolocation Data:</em> We do not collect your specific longitude and
latitude.
However, we do collect imprecise location (e.g., your IP address).</p>
</li>
<li>
<p>
<em>Professional or employment-related information:</em> If you apply for
employment with us, information about your employment history.</p>
</li>
<li>
<p>
<em>Education information:</em> If you apply for employment with us,
information about your educational history.</p>
</li>
</ul>
<p>We may collect any other information about you contained in software
packages uploaded to our site, as described above under the "npm
collects package data" section.
We also collect the contents of your
communications with us, e.g., when you submit a question to us through
a web form or comments to us on social media.</p>
<p>We may disclose any of the categories of personal information listed
above and use them for the above-listed purposes or for other business
or operational purposes compatible with the context in which the
personal information was collected.
Our disclosures of personal
information include disclosures to our "service providers," which are
companies that we engage for business purposes to conduct activities
on our behalf.
The categories of service providers with whom we share
information and the services they provide are described below.</p>
<p>Rights under CCPA:</p>
<ul>
<li>
<p>
<em>Access/Right to Know</em>: You have the right to request access to
personal information we collected about you and information
regarding the source of that personal information, the purposes
for which we collect it, and the third parties and service
providers with whom we share it.</p>
</li>
<li>
<p>
<em>Deletion</em>: You have the right to request that we erase data we have
collected from you.
Please note that we may have a reason to deny
your deletion request or delete data in a more limited way than
you anticipated, e.g., because of a legal obligation to retain it.</p>
</li>
</ul>
<p>To exercise your rights above, you can email us at
privacy@npmjs.com.
When we
process your request, we must verify your identity by asking you to
(1) provide personal identifiers that we can match against information
we may have collected from you previously; and (2) confirm your
request using the email stated in the request.</p>
<p>Opt-out of sale:</p>
<p>California residents have the right to request that we stop "selling"
their personal information.
A "sale" of personal information is
defined broadly: "selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise
communicating orally, in writing, or by electronic or other means, a
consumer's personal information by the business to another business or
a third party for monetary or other valuable consideration." We do not
sell your information as defined by the CCPA.</p>
<p>Please note that your right to opt out does not apply to our sharing
of personal information with service providers, who are parties we
engage to perform a function on our behalf and are contractually
obligated to use the Personal Information only for that function.</p>
<p>We may also disclose information to other entities who are not listed
here when required by law or to protect our Company or other persons,
as described in our Privacy Policy.</p>
How can I see what data is publicly available about me?
<p>You can access your account data at any time by visiting your account
page on www.npmjs.com.
Your
account page also lists all the packages published under your account or
other accounts.</p>
<p>You can access package data by downloading the packages, as long as
they're public or you have permission to access them.</p>
<p>You can see metadata about packages by running <code>npm info $package</code>, or by
accessing the appropriate registry's API.
Registry APIs provide metadata in standard JSON
format, and packages as tarballs.</p>
How can I change data about me?
<p>You can change your personal account data and payment card data at any
time by visiting your account settings page on
www.npmjs.com.
You can change
account and payment data for Enterprise by contacting support.</p>
<p>You can close your npm account at any time by contacting support.
Closing
your account removes the profile from the public registry but does not
automatically erase packages published under your account.
We may retain
some data about you internally even where you close your account.</p>
<p>npm's unpublish policy
determines when you can erase packages from the npm public registry.
The
unpublish policy strikes a difficult balance between the purpose of
publishing and hosting packages, others' reliance on what has been made
public, and individual rights and freedoms.</p>
<p>If another user improperly publishes personal data about you, in a
package or otherwise, email
privacy@npmjs.com.</p>
<p>Please note that while npm publishes notices about published data
that's been erased,
npm can't make everyone who has downloaded published package data or
account data erase that data on your behalf.
Choosing a public
license, such as an open source software license,
may encourage and allow storage, distribution, and use of package data
indefinitely.
Nearly all popular open source software licenses actually
require preserving personal data that attributes the software to you,
such as copyright notices, as a condition of permission for the
software.</p>
What is npm's policy on unpublishing packages?
<p>Please see our policy on "unpublishing" packages or
our terms of service for more
information on erasing packages.</p>
<p>If you accidentally publish a package that threatens your privacy, or
discover someone else has published a package that does, email
privacy@npmjs.com immediately.
npm can and will take down packages in specific, exceptional situations
to protect you, especially if others violate your privacy.
Using npm to
violate others' privacy is against our terms of
service.</p>
How does npm notify others about published data that's erased?
<p>npm takes a few steps to notify others who may be copying data from the
npm public registry that published data has been erased:</p>
<ul>
<li>
<p>npm publishes new placeholder versions of some erased packages, with
<code>README</code> files that mention the package has been erased, and why.</p>
</li>
<li>
<p>npm's registry APIs,
special software services that others use to copy data from the
npm public registry, send update messages about packages that have
been erased.</p>
</li>
</ul>
What happens if npm merges with or is bought by another company?
<p>We may transfer to another entity or its affiliates or service providers
some or all information about you in connection with, or during
negotiations of, any merger, acquisition, sale of assets or any line of
business, change in ownership control, or financing transaction.
We
cannot promise that an acquiring party or the merged entity will have
the same privacy practices or treat your information the same as
described in this Policy.</p>
What are npm's information practices regarding information belonging to children?
<p>npm's site and services are intended for users age sixteen and older.
npm does not knowingly collect information from children.
If we discover
that we have inadvertently collected information from anyone younger
than the age of 16, we will delete that information.</p>
Who can I contact about npm and my privacy?
<p>You may email us directly at privacy@npmjs.com
with the subject line "Privacy Concerns." You may also contact our Data
Protection Officer directly.</p>
<p>Our United States HQ:</p>
<p>GitHub Data Protection Officer<br>Attention: npm Data Protection<br>88 Colin P. Kelly Jr. St.<br>San Francisco, CA 94107<br>United States</p>
<p>or our EU Office:</p>
<p>GitHub BV<br>Vijzelstraat 68-72<br>1017 HL Amsterdam<br>The Netherlands</p>
How can I find out about changes?
<p>This version of npm's privacy questions and answers took effect June 3, 2020.</p>
<p>npm will announce the next version on the npm blog.
In the meantime, npm may update its contact information
by updating the page at
https://www.npmjs.com/policies/privacy,
without an announcement.
npm may change how it announces changes in
future privacy versions.</p>
<p>You can review the history of changes in the Git repository for npm's
public policies.</p>