WSO2 Identity Server - Privacy Policy

About WSO2 Identity Server

WSO2 Identity Server (referred to as “WSO2 IS” within this policy) is an open source Identity Management and Entitlement Server that is based on open standards and specifications.

Privacy Policy

This policy describes how WSO2 IS captures your personal information, the purposes of collection, and information about the retention of your personal information.

Please note that this policy is for reference only, and is applicable for the software as a product. WSO2 Inc. and its developers have no access to the information held within WSO2 IS. Please see the Disclaimer section for more information.

Entities, organisations or individuals controlling the use and administration of WSO2 IS should create their own privacy policies setting out the manner in which data is controlled or processed by the respective entity, organisation or individual.

What is personal information?

WSO2 IS considers anything related to you, and by which you may be identified, as your personal information. This includes, but is not limited to:

  • Your user name (except in cases where the user name created by your employer is under contract)
  • Your date of birth/age
  • IP address used to log in
  • Your device ID if you use a device (e.g., phone or tablet) to log in

However, WSO2 IS also collects the following information, which is not considered personal information and is used only for statistical purposes. It is not considered personal information because it cannot be used to track you.

  • City/Country from which you originated the TCP/IP connection
  • Time of the day that you logged in (year, month, week, hour or minute)
  • Type of device that you used to log in (e.g., phone or tablet)
  • Operating system and generic browser information

Collection of personal information

WSO2 IS collects your information only to serve your access requirements. For example:

  • WSO2 IS uses your IP address to detect any suspicious login attempts to your account.
  • WSO2 IS uses attributes like your first name, last name, etc., to provide a rich and personalized user experience.
  • WSO2 IS uses your security questions and answers only to allow account recovery.

Tracking Technologies

WSO2 IS collects your information by:

  • Collecting information from the user profile page where you enter your personal data.
  • Tracking your IP address with HTTP requests, HTTP headers, and TCP/IP.
  • Tracking your geographic information with the IP address.
  • Tracking your login history with browser cookies. Please see our cookie policy for more information.

Use of personal information

WSO2 IS will only use your personal information for the purposes for which it was collected (or for a use identified as consistent with that purpose).

WSO2 IS uses your personal information only for the following purposes.

  • To provide you with a personalized user experience. WSO2 IS uses your name and uploaded profile pictures for this purpose.
  • To protect your account from unauthorized access or potential hacking attempts. WSO2 IS uses HTTP or TCP/IP Headers for this purpose.
    • This includes:
      • IP address
      • Browser fingerprinting
      • Cookies
  • To derive statistical data for analytical purposes on system performance improvements. WSO2 IS will not keep any personal information after statistical calculations. Therefore, the statistical report has no means of identifying an individual person.
    • WSO2 IS may use:
      • IP address to derive geographic information
      • Browser fingerprinting to determine the browser technology and/or version

Disclosure of personal information

WSO2 IS only discloses personal information to the relevant applications (also known as “Service Providers”) that are registered with WSO2 IS. These applications are registered by the identity administrator of your entity or organization. Personal information is disclosed only for the purposes for which it was collected (or for a use identified as consistent with that purpose), as controlled by such Service Providers, unless you have consented otherwise or where it is required by law.

Please note that the organisation, entity or individual running WSO2 IS may be compelled to disclose your personal information with or without your consent when it is required by law following due and lawful process.

Storage of personal information

Where your personal information is stored

WSO2 IS stores your personal information in secured databases. WSO2 IS exercises proper industry accepted security measures to protect the database where your personal information is held. WSO2 IS as a product does not transfer or share your data with any third parties or locations.

WSO2 IS may use encryption to keep your personal data with an added level of security.

How long your personal information is retained

WSO2 IS retains your personal data as long as you are an active user of our system. You can update your personal data at any time using the given self-care user portals.

WSO2 IS may keep hashed secrets to provide you with an added level of security. This includes:

  • Current password
  • Previously used passwords

How to request removal of your personal information

You can request the administrator to delete your account. The administrator is the administrator of the tenant you are registered under, or the super-administrator if you do not use the tenant feature.

Additionally, you can request to anonymize all traces of your activities that WSO2 IS may have retained in logs, databases or analytical storage.

More information

Changes to this policy

Upgraded versions of WSO2 IS may contain changes to this policy and revisions to this policy will be packaged within such upgrades. Such changes would only apply to users who choose to use upgraded versions.

The organization running WSO2 IS may revise the Privacy Policy from time to time. You can find the most recent governing policy with the respective link provided by the organization running WSO2 IS. The organization will notify you of any changes to the privacy policy over our official public channels.

Your choices

If you already have a user account within WSO2 IS, you have the right to deactivate your account if you find that this privacy policy is unacceptable to you.

If you do not have an account and you do not agree with our privacy policy, you can choose not to create one.

Contact us

Please contact WSO2 if you have any questions or concerns regarding this privacy policy.


Disclaimer

  1. WSO2, its employees, partners, and affiliates do not have access to and do not require, store, process or control any of the data, including personal data, contained in WSO2 IS. All data, including personal data, is controlled and processed by the entity or individual running WSO2 IS. WSO2, its employees, partners, and affiliates are not a data processor or a data controller within the meaning of any data privacy regulations. WSO2 does not provide any warranties or undertake any responsibility or liability in connection with the lawfulness or the manner and purposes for which WSO2 IS is used by such entities or persons.

  2. This privacy policy is for the informational purposes of the entity or persons running WSO2 IS and sets out the processes and functionality contained within WSO2 IS regarding personal data protection. It is the responsibility of entities and persons running WSO2 IS to create and administer their own rules and processes governing users’ personal data, and such rules and processes may change the use, storage and disclosure policies contained herein. Therefore, users should consult the entity or persons running WSO2 IS for their own privacy policy for details governing users’ personal data.