What Information Do We Have?
WordPress.com has certain information from users and commenters. The following is a summary of the information that we may collect and store.
1. Basic account information, such as:
- Email address
- Phone number
2. Transaction and/or billing information (if upgrades have been purchased).
We will generally retain the above information until changed or removed by the user (if it’s possible to do so). We also collect log data, which may include a user’s IP address, browser type, operating system. We keep this information for up to 30 days as a matter of course. You can read more about how we handle preservation requests under “Preservation Requests for WordPress.com Sites” below.
3. Site creation, posting, and revision history information, such as:
- The date and time (UTC) at which a site was created
- The IP address from which a site was created
- IP address and user-agent for a post or revision
We may retain the above information, even if a site or post is deleted.
Deleted posts remain in a user’s trash folder for 30 days, after which point our servers may retain a backup for an additional 60 days.
4. Information on commenters on WordPress.com sites.
We retain commenter information until the site owner of the site on which the comment appears deletes the comment.
5. Contact information associated with a domain registration (if a user has registered a custom domain).
If a user has registered a custom domain on WordPress.com (e.g., yourgroovydomain.com rather than yourgroovysite.wordpress.com), we may have the contact information they provided for the domain registration.
More Information on Data Release and Retention
Before revealing any of this information to a party that is not the owner of the account, we require a validly issued subpoena, warrant, or court order that specifically requests it unless we have a good faith belief that there is an emergency involving death or serious physical injury. We do not voluntarily provide governments with access to data about users (private or public) for law enforcement, intelligence gathering, or other surveillance purposes. More information on our requirements for releasing private user information can be found below.
If you wish to stop using WordPress.com, you may empty your site by following these steps or contacting us. If you have registered a custom domain with us, but it is no longer active, we can delete the physical address you provided upon your request.
To remove any other profile information you’ve chosen to provide, visit the following URLs:
- https://mysite.wordpress.com/wp-admin/users.php?page=grofiles-editor (replacing “mysite.wordpress.com” with your URL)
If you are concerned about maintaining your anonymity when using our services, you may want to consider logging in and interacting with WordPress.com through a VPN. You can find more information here.
Requesting Private Information of WordPress.com Users
Safeguarding our users’ private information is a vital aspect of the trust our users place in our service to keep them safe, and in some cases, anonymous.
Automattic receives requests for information from government agencies/law enforcement as well as individuals or corporations involved in civil lawsuits.
To request information for a site hosted on WordPress.com, the site’s .wordpress.com URL (such as example.wordpress.com) must be specifically included in the request. To obtain information for a specific post or comment, the URL of that post or comment must be included in the request. We are unable to process overly broad or vague requests.
WordPress.com accounts can contain various information. This information is unverified and is provided at the user’s discretion.
If your inquiry or request brings to our attention an ongoing violation of our policies or Terms of Service, we will address it per our usual procedure. This may or may not include contacting the user regarding their misconduct, removing content, or suspending the site entirely.
If we receive information indicating that someone is using our services to engage in crime where we are the victim, we will not inspect a user’s private content ourselves. Instead, we may report the matter to law enforcement.
Requests from Government Agencies/Law Enforcement
Except in emergencies (see more below), it is our policy to turn over private user information only upon receipt of a valid subpoena, search warrant, or US Court order that complies with the Federal Rules of Criminal Procedure, the Federal Rules of Civil Procedure, and/or California state law.
If these pieces of information are available, we can provide the first and last names, phone number, email address currently assigned to a site owner, the date/time stamped IP address from which a site was created, the physical address, and the PayPal transaction information to government agencies/law enforcement upon receipt of a valid subpoena.
Except in emergencies, we require a court order or a warrant before providing additional IP addresses or information relating to a specific post or a specific comment.
We require a warrant before disclosing content of user communications to government agencies/law enforcement. We also require a warrant before providing any non-public content information (such as private or draft post content, or pending comments).
Emergency Requests from Government Agencies/Law Enforcement
As permitted by US law, we may disclose user information to the government or law enforcement, without a subpoena or warrant if we have a good faith belief that an emergency (imminent danger of death or serious physical injury) requires disclosure of information related to the emergency without delay. If you have an emergency request, please submit your request by following these steps.
Requests in Civil Cases
It is our policy to turn over private user information only upon receipt of either (1) a valid order from a US court, or (2) a subpoena served as part of an existing lawsuit that complies with Rule 45 of the Federal Rules of Civil Procedure and/or the California Discovery Act. Litigants should ensure that any such requests comply with the US SPEECH Act, 28 U.S.C. 4101 et seq.
Requests must identify the specific information (as listed above) sought. If a request is overly broad or seeks information not applicable to Automattic, we will provide the email address that is currently assigned to a site owner, the IP address from which a site was created, and the date and time (UTC) at which a site was created.
Any request for specific post or comment information must include the specific URL of each post or comment. We will not provide any content information in response to civil orders or subpoenas, pursuant to the E.C.P.A.
Please note that we charge an administrative fee of USD $125/hour for compliance with validly issued and served civil subpoenas. We will bill for and collect this fee prior to furnishing information in response to a subpoena.
Notification to WordPress.com Users and Transparency
We aim for total transparency with our users when requests or complaints affect their sites, accounts, or information. It is our policy to notify users and provide them with a copy of any civil or government legal process regarding their account or site (including formal requests for private information), unless we are prohibited by law or court order from doing so. In those cases, we will notify users and provide them with a copy of the legal process when the prohibition expires.
If a request for information is valid, we will preserve the necessary information before informing the user. In most cases, upon notification to the user, that user will be provided with either 7 days or the amount of time before the information is due, whichever is later, during which time the user may attempt to quash or legally challenge the request. If, prior to the deadline, we receive notice from user that he or she intends to challenge a request, no information will be delivered until that process concludes. We also review the information requests received and may lodge our own challenge to the scope or validity of legal process received, on behalf of a user, whether or not the user pursues his/her own legal challenge.
As mentioned above, we notify users and provide them with a copy of any legal process regarding their account or site unless we are prohibited by law or court order from doing so. In those cases, we will notify users and provide them with a copy of the legal process when the prohibition expires.
In light of the October 19, 2017 DOJ guidance on nondisclosure orders, we request that you include a specific end date for the nondisclosure in any proposed order associated with this request that is no later than one year after the order.
Preservation Requests for WordPress.com Sites
Requests for the preservation of information must originate from a law enforcement agency.
Our notification policy with regards to preservation requests is meant to protect user privacy and promote transparency, while also avoiding interference with legitimate investigations of criminal activity.
We notify users of preservation requests. When law enforcement requests that a preservation request remain confidential, we keep it confidential for 45 days, with the expectation that they will be serving a valid US subpoena or search warrant that includes the required certification (2705(b)) or court-ordered non-disclosure provision. If the certification or court order is obtained, we will keep the preservation request secret under the same conditions as the subpoena/warrant. If, after 45 days law enforcement has not served a subpoena or search warrant, has served one without the required certification or secrecy order, or has not withdrawn the request, we inform the user of the request.
Enforcing Protection Orders Against WordPress.com Users
WordPress.com is not responsible for enforcing protection orders that apply to users on our service. If you represent a client with an active protection order that may apply to a WordPress.com site, please contact the appropriate court or law enforcement agency for assistance.
Who Is Liable for Sites Hosted on WordPress.com?
WordPress.com will respond only in compliance with US law and in reply to valid legal process as stated in our policies.
WordPress.com, as a United States-based internet service provider, is protected by the safe harbor provisions of §230(c) of the United States Communications Decency Act, which states that internet service providers cannot be held liable for the contents (including allegedly harassing, defamatory, inaccurate, or offensive content) posted to our service by our users.
WordPress.com does not and will not exercise editorial oversight on the millions of sites hosted on our service, nor are we considered the author, editor, or publisher of that content in any way.
Requests for Takedown of Copyrighted Content
WordPress.com complies with properly formatted notices sent in accordance with the Digital Millennium Copyright Act. More information about our DMCA process can be found here.
Requests for Takedown of Other Content
WordPress.com strongly believes in freedom of speech. We have a vast audience spread across many cultures, countries, and backgrounds with varying values and our service is designed to let users freely express any ideas and opinions without us censoring or endorsing them. We review and investigate all complaints that we receive. If we determine that reported content violates our Terms of Service, we will take action as appropriate. Regardless of whether or not we take action, we may forward a copy of the complaint to the site owner.
If we receive a complaint and are not in a position to make a determination (for example whether something is defamatory or not), we defer to the judgment of a court.
Serving Process on WordPress.com and Making Inquiries
Any request for user information must include a valid email address for us to return the information or contact with questions. WordPress.com communicates only via email.
Legal process can be served by mail to:
60 29th Street #343
San Francisco, CA 94110
If you need to serve us personally, you can do so at:
C T Corporation System
818 West Seventh Street – Suite 930
Los Angeles, California 90017
Where permitted, we also accept service via email to email@example.com.
General inquiries regarding our policies can be sent via email to firstname.lastname@example.org.
WordPress.com vs. WordPress.org
If you’re inquiring about a site that has been built using WordPress or mentions that it’s “Powered by WordPress,” please note that this means that site is using the WordPress.org software, which can be downloaded and installed on any web host. If you’re seeking information about a site powered by WordPress (rather than one on WordPress.com), please contact the host of the site.
You can learn more about the difference between WordPress.com and WordPress.org here.
A Note on Back Doors, Encryption
We furnish user information to law enforcement agencies via the processes described in these legal guidelines. We do not provide access to user data through “back doors” in our systems.
Similarly, we support and promote encryption of user data. We encrypt all traffic (serve over SSL) for all WordPress.com sites, by default.
Some governments have recently sought to weaken encryption, in the name of law enforcement. We disagree with these suggestions and do not believe that it’s feasible to include any deliberate security weaknesses or other back doors in encryption technologies, even if “only” for the benefit of law enforcement. As a wise man said, “there is no such thing as a vulnerability in technology that can only be used by nice people doing the right thing in accord with the rule of law.” We agree wholeheartedly.