Privacy Policy

Last updated: April 14, 2026

Summary: We don't collect personal data. No cookies. No cross-site tracking. No PII.

1. What We Collect

1.1 BotConduct.org Website Visitors

When you visit botconduct.org, we collect standard web server logs (IP address, User-Agent, requested URL, timestamp). These logs are used for security monitoring and bot behavior analysis. Logs are retained for 14 days.

1.2 Bot Test Environment

When a bot operator submits their bot for testing, we collect:

Bot name and operator name (provided voluntarily)
Contact URL, declaration URL, report URL (if provided)
Bot's HTTP requests during the test (User-Agent, headers, paths visited, timing)

This data is used to calculate the BCS score and generate the certification report. Test data is stored for the duration of the certificate (90 days).

1.3 Tracker Script (tracker.js)

The BCS tracker script, installed by website owners on their own sites, collects the following non-personally-identifiable signals from visitors:

User-Agent string
Screen dimensions and color depth
Browser language and timezone
WebDriver flag (bot detection signal)
Plugin count
WebGL and Canvas support (boolean only, no fingerprint hash)
Touch capability
Connection type
Cookie and Do-Not-Track settings
Page URL and referrer

The tracker does NOT collect:

Names, email addresses, or any personal information
IP addresses (not forwarded from the client script)
Cookies or persistent identifiers
Cross-site tracking data
Keystroke or form input data
Canvas or WebGL fingerprint hashes

Data collected by the tracker is used solely to classify whether a visitor is a bot or human and to identify known bot signatures. Website owners can view this data in their BCS dashboard.

1.4 Waitlist and Contact Forms

If you voluntarily provide your email address (waitlist, contact), we store it to send relevant updates. You can request removal at any time by emailing hello@botconduct.org.

2. How We Use Data

Calculate bot conduct scores
Maintain the public bot registry
Help website owners understand their bot traffic
Improve the BCS standard and scoring methodology
Security monitoring of our own infrastructure

3. Data Sharing

We do not sell data. We do not share individual visitor data with third parties.

The public bot registry contains bot names, operators, scores, and certification status. This is public by design — it is the purpose of the standard.

4. Data Retention

Server logs: 14 days
Test session data: 90 days (certificate validity period)
Tracker data: 30 days of recent visits per site
Registry data: as long as the bot has a valid or historical certificate
Waitlist emails: until you request removal

5. Your Rights

If you are a bot operator and want to:

Update your registry listing — run a new test or contact us
Remove your listing — email hello@botconduct.org
Access your test data — email hello@botconduct.org

If you are a website visitor and want to:

Opt out of tracker classification — the tracker respects Do-Not-Track headers
Remove your email from the waitlist — email hello@botconduct.org

6. Security

Data is stored on secured servers with firewall protection, encrypted connections (TLS), and access controls. We follow security best practices including regular updates, fail2ban, and rate limiting.

7. Changes

We may update this policy. Material changes will be noted on this page with an updated date.

8. Contact

Data questions: hello@botconduct.org