WBSP Privacy Notice
Version: 1.0
Effective date: 13 July 2026
Operator / data controller: Tooltwist Pte Ltd ("Tooltwist", "we", "us", "our")
Platform: The World's Biggest Software Project ("WBSP"), including the website at wbsp.ai, the git service at git.wbsp.ai, the container registry at registry.wbsp.ai, and any related deployment, runtime, hosting, catalog, store, directory, and collaboration services.
This Privacy Notice is the "privacy notice" referred to in Section 14 of the WBSP Terms of Service. It explains what personal data we collect when you use WBSP, why, who we share it with, how long we keep it, and the choices and rights you have. Capitalised terms not defined here have the meanings given in the Terms of Service.
Note on this document. This notice is drafted to be comprehensive and to reflect how the Platform actually works, but it is not a substitute for advice from a qualified privacy lawyer. Tooltwist should have it reviewed by counsel — and reconciled with its actual data-processing practices and subprocessor list — before it is relied upon in production.
Part A — In plain English
This section is a friendly summary. If it ever seems to disagree with Part B, Part B governs.
- What we collect. The basics of your account (like your email and sign-in details), the profile and directory information you choose to publish, the content you put on the Platform (code, images, docs, listings, messages), and technical records of how you use it (including logs of who accessed or pushed to which repository, and from what IP address).
- Why we collect it. To run the Platform, sign you in, protect it, let you collaborate and be discovered, keep the audit trail that access control depends on, and comply with the law.
- A lot of it is meant to be public. Directory listings, public profiles, public projects, references, ratings, and similar content are visible to others by design. Don't put anything in those places that you don't want seen.
- Who we share it with. Other users (according to how you've configured sharing), the service providers who help us run the Platform (such as our cloud, git, and authentication providers), and anyone we're legally required to share with. We don't sell your personal data.
- Where it goes. We operate from Singapore and use infrastructure that may store or process data in other countries, so your data may be transferred across borders.
- How long we keep it. For as long as we need it to run the Platform and meet legal and security obligations — audit logs and backups may persist for a while after you delete something.
- We try to protect it, but nothing is perfectly secure. Keep your own backups and don't store secrets you can't afford to lose or leak.
- Your choices. You can access and correct much of your information, withdraw consent, or ask us about your data using the contact details below. Some rights depend on where you live.
- This is an AI-native platform. A lot of the content and tooling is AI-generated, and some processing (like ranking, matching, or moderation signals) is automated.
Part B — Formal Privacy Notice
1. Who we are and scope
1.1 Tooltwist Pte Ltd operates WBSP and is the controller responsible for the personal data described in this notice.
1.2 This notice applies to personal data we process about visitors, account holders, collaborators, organisation members, directory-listed people and organisations, and anyone else who interacts with the Platform. It does not apply to how other Users, organisations, or third parties process personal data you share with them — those parties are responsible for their own processing (see Sections 5 and 7).
2. The personal data we collect
We collect the following categories of personal data.
2.1 Account and identity data. Your email address; account status; account creation date; sign-in history (last login time and login count); your git/registry username; your linked platform identity identifier from our authentication provider; and preferences such as whether you have opted out of contributor credit.
2.2 Authentication and security data. One-time access codes and their status; access-token identifiers and revocation records; SSH public-key fingerprints used for git access; and related security metadata. We do not store your one-time-code or token secrets in a readable form, and we never receive or store your underlying cloud credentials.
2.3 Profile and directory data (largely public by design). Any information you choose to publish, such as display name, headline, biography, location, roles, skills, domains, availability, and links (for example a personal website or professional-network URL); directory listings you create (headline, pitch, regions served, languages); organisations you create or belong to and your membership details; and references or testimonials you write about, or that others write about, you or your organisation.
2.4 Content and activity data. The content you contribute — source code and git repositories (including commit metadata such as author name and email embedded in your commits), container images, documentation, project and variant metadata, descriptions, thumbnails, screenshots, and demo material — together with your votes, comments, reviews, ratings, favourites, follows, interests, test sign-ups and reports, contributions, and credits.
2.5 Communications data. Engagement requests and their messages; introductions; conversation threads and the messages within them; and any other communications you send through or to the Platform.
2.6 Usage, device, and audit data. Technical records generated as you use the Platform, including IP address; git and container-registry access records (who requested what operation on which repository, the decision and reason, the transport used, the token or key-fingerprint attributed, and the time); access-control audit events; webhook and system events; and general log, device, and diagnostic data. These audit records are integral to how access control and security on the Platform work.
2.7 Payment data. Where fees apply, limited billing information necessary to process a payment. Payment-card processing is typically handled by a third-party payment provider; we do not store full card numbers.
2.8 Data you provide in support or correspondence. Anything you send us when you contact us, report content, or make a request.
We do not intend to collect special-category (sensitive) personal data, and you should not submit it through the Platform except where strictly necessary and lawful.
3. How we collect personal data
3.1 Directly from you — when you sign up, sign in, create a profile or directory listing, contribute content, communicate, or contact us.
3.2 Automatically — through your use of the Platform, including logs, audit records, and cookies or similar technologies (Section 6).
3.3 From third parties — from our authentication provider when you sign in, from other Users (for example, a reference someone writes about you, or an engagement request sent to you), and from service providers who help operate the Platform.
4. How and why we use personal data, and our legal bases
We use personal data to:
(a) provide and operate the Platform — create and manage your account, sign you in, host and serve your content, enable collaboration, directories, the store, and messaging, and process fees;
(b) secure and protect the Platform — authenticate requests, enforce access control and permissions, maintain the audit trail, detect and prevent fraud, abuse, and security incidents, and moderate content;
(c) enable discovery and collaboration — publish directory listings, profiles, trust signals, references, and rankings, and broker contact between Users;
(d) communicate with you — send service, security, and administrative messages, and respond to your requests;
(e) improve the Platform — understand usage, diagnose problems, and develop features; and
(f) comply with law — meet legal, regulatory, tax, and law-enforcement obligations, and establish, exercise, or defend legal claims.
Legal bases / consent. Under Singapore's Personal Data Protection Act 2012 (PDPA), we collect, use, and disclose personal data with your consent (including deemed consent where you voluntarily provide data for an evident purpose), and in reliance on the legitimate-interests and other exceptions the PDPA permits, such as operating and securing the Platform. Where the EU/UK GDPR or a similar law applies to you, our legal bases are: performance of our contract with you (the Terms of Service); our legitimate interests in operating, securing, and improving the Platform and enabling collaboration; your consent (for example, for certain cookies or optional communications); and compliance with legal obligations.
5. Public and shared information
5.1 Public by design. Much of the Platform is intended to be shared. Directory listings, public profiles, public projects and variants, references and testimonials, ratings, reviews, comments, and contributor credits are visible to other Users or to the public according to their nature and your configuration. Information you place there — and personal data embedded in content you publish (for example, an author name and email in a git commit) — may be seen, copied, cached, indexed, or retained by others, including outside the Platform, beyond our control.
5.2 Sharing you configure. When you make content public or share it with specific Collaborators or an Organisation, you are directing us to make it available accordingly, and you are responsible for that choice.
5.3 Attribution and trust signals. Certain records exist to attribute activity to a person (for example, who pushed to a repository, or who authored a reference). These support accountability and are not fully private.
5.4 Other Users are independent. When another User or Organisation receives your personal data through the Platform (for example, via an engagement request or a shared repository), they process it independently and are responsible for their own handling of it. See also Section 6 of the Terms of Service (Tooltwist is an intermediary, not a party to your dealings).
6. Cookies and similar technologies
6.1 We use cookies and similar technologies for essential purposes such as keeping you signed in and keeping the Platform secure, and may use them to remember preferences and to understand usage. Essential cookies are necessary for the Platform to function.
6.2 You can control non-essential cookies through your browser settings or any cookie controls we provide. Blocking essential cookies may prevent parts of the Platform from working.
(If Tooltwist uses analytics or third-party cookies, list them here with their purposes before publication.)
7. When we disclose personal data
We disclose personal data only as described below. We do not sell your personal data.
7.1 To other Users and the public — as described in Section 5, according to the nature of the content and your configuration.
7.2 To service providers (processors / subprocessors) — third parties who process personal data on our behalf to help us run the Platform, under contractual confidentiality and data-protection obligations. These include, for example, our cloud-infrastructure and container-storage provider, our git-hosting software/infrastructure, our authentication provider, and any payment, email, logging, or analytics providers we use. (Maintain and, where required, publish a current subprocessor list.)
7.3 For legal and safety reasons — where we believe disclosure is required by law, regulation, legal process, or a governmental request, or is necessary to enforce our Terms, protect the rights, property, or safety of Tooltwist, our Users, or others, or to detect, prevent, or address fraud, security, or technical issues.
7.4 In a business transfer — in connection with a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be transferred as part of that transaction, subject to this notice or a successor notice.
7.5 With your consent — for any other disclosure you direct or agree to.
8. International transfers
Tooltwist operates from Singapore, and the Platform relies on infrastructure and service providers that may store or process personal data in countries other than the one you are in. Where we transfer personal data across borders, we take steps required by applicable law to ensure it is protected to a comparable standard — for example, by contractual safeguards with recipients (such as standard contractual clauses where the GDPR applies), consistent with the PDPA's transfer-limitation requirements.
9. How long we keep personal data
9.1 We keep personal data for as long as necessary to provide the Platform, operate your account, and fulfil the purposes in Section 4, and then for as long as needed to meet legal, tax, accounting, security, and dispute-resolution obligations.
9.2 Some data is retained after you delete content or close your account. In particular, audit and security logs, and routine backups, may persist for a period after deletion, and content you have made public or shared may remain with others outside our control (Section 5). We will delete or de-identify personal data when it is no longer required, in accordance with our retention practices and applicable law.
10. How we protect personal data
10.1 We implement reasonable technical and organisational measures designed to protect personal data, including authenticated, permission-checked access to repositories and images, audit logging, and encryption in transit.
10.2 However, consistent with Section 9 of the Terms of Service, no platform is perfectly secure, and we do not guarantee the security of the Platform or of any data. You are responsible for maintaining your own backups, protecting your credentials and tokens, and not storing on the Platform anything whose loss or disclosure you cannot tolerate. If we become aware of a personal-data breach that requires notification, we will comply with our obligations under applicable law.
11. Your rights and choices
11.1 Under the PDPA, you may request access to the personal data we hold about you and information about how it has been used or disclosed, and you may request correction of inaccurate or incomplete personal data. You may withdraw consent to our collection, use, or disclosure of your personal data (on reasonable notice), though doing so may prevent us from providing parts of the Platform.
11.2 If the GDPR or a similar law applies to you, you may also have rights to erasure, restriction, portability, and objection, and the right to lodge a complaint with your local supervisory authority. Where we rely on legitimate interests, you may object to that processing.
11.3 Self-service. You can view and edit much of your account, profile, and directory information directly on the Platform, and you can control certain content visibility and sharing yourself.
11.4 How to exercise your rights. Contact us using the details in Section 16. We may need to verify your identity, and we will respond within the time required by applicable law. Some requests are subject to legal limits and exceptions (for example, where deletion would conflict with our legal obligations, security needs, or the rights of others).
12. Children
The Platform is not directed to children, and you must meet the minimum-age requirement in Section 2 of the Terms of Service. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will take appropriate steps.
13. AI and automated processing
Consistent with the nature of WBSP, much of the content and tooling on the Platform is generated by artificial intelligence, and some Platform functions use automated processing — for example, ranking and featuring, search and matching, trust-signal computation, and abuse or security detection. These functions support the Platform's operation; where any automated processing would produce a legal or similarly significant effect on you and a law grants you rights in respect of it, we will honour those rights. Nothing here changes the disclaimers in the Terms of Service about the accuracy or reliability of AI-generated content.
14. Third-party links and user content
The Platform may contain links to, or content from, third parties (including other Users' content and external sites). We are not responsible for the privacy practices of third parties. Review their privacy notices before providing them personal data.
15. Changes to this notice
We may update this notice from time to time. The updated notice takes effect when posted or on any later date stated, and is identified by version number and effective date (this is Version 1.0). Where a change is material, we will take reasonable steps to notify you. Your continued use of the Platform after the update takes effect indicates your acknowledgement of it.
16. How to contact us
For privacy questions, to exercise your rights, or to reach our data-protection contact, contact Tooltwist Pte Ltd via the contact channel published on wbsp.ai. (Insert the Data Protection Officer's name/title and email, Tooltwist's registered address, and company registration number before publication.)
End of WBSP Privacy Notice, Version 1.0.