Individual Privacy Policy (v1)


NOTICE: Terms Updated

These version one terms have been replaced by newer terms; effective immediately if you're a new user or organisation, or effective on 19th May 2021 otherwise.

Thank you for trusting Cloudsmith to be responsible for your packages and your personal information. Your private information is extremely important to us, and we want you to know that we’re handling it appropriately.

Short & Sweet Edition

We collect your information only with your consent; we only collect the minimum amount of personal information that is necessary to fulfil the purpose of your interaction with us; we don't sell it to third parties; and we only use it as this Privacy Policy describes.

What Information Is Collected?

Cloudsmith collects and analyzes traffic by keeping track of the IP addresses of our visitors and by collecting log file information. Your IP address is a number that is automatically assigned to the computer that you are using by your Internet service provider (ISP) or by another organization. An IP address, by itself, cannot identify you personally. However, when combined with other information, your IP address can be used to identify the computer you are using. In addition, Cloudsmith may use your IP address to estimate your geographic location.

If you register or make a purchase while on the Website, Cloudsmith may ask for Personally Identifiable Information such as your name, email address, or physical address.

The Website uses "cookies" and similar technologies, including HTML5 local storage on the Website and when providing the Services. A cookie is a file stored on your device that may be used to identify an individual as a unique user by storing certain personal preferences and user data. Cloudsmith uses cookies and other technologies to identify your device, identify authorized users of the Cloudsmith service, track affiliate referrals, complete online purchases through Cloudsmith's billing system, and similar Website monitoring activities.

Cloudsmith may also use web beacons, small graphic images or other web programming code (also known as "1x1 GIFs" or "clear GIFs"), which may be included in our web pages and email messages. Web beacons may be invisible to you, but any electronic image or other web programming code inserted into a web page or e-mail can act as a web beacon. Web beacons or similar technologies may be used for a number of purposes, including, without limitation, to count visitors to the Website, to monitor how users navigate the Website, to count how many e-mails that were sent were actually opened or to count how many particular articles or links were actually viewed.

Cloudsmith may also use embedded scripts on the Website and in connection with the provision of its Services. “Embedded scripts” are programming code designed to collect information about your interactions with a website, such as the links you click on, and may assist our customers in providing us with information used to provide the Services. The code is temporarily downloaded onto your device from our web server, our customer's web server, or a third party service provider, is active only while you are connected to the website containing the embedded script, and is deactivated or deleted thereafter.

Your web browser automatically sends information to every website you visit, including ours. For example, our server logs may receive and record information such as the pages you access on the Website, referring URLs, your browser type, your operating system, the date and time of your visit, and the duration of your visit to each page.

Log file information may also include a user agent string, a series of characters automatically sent with your Internet requests that provide information necessary for smooth Internet communications such as the operating system and browser you used. Similar to an IP address, a user agent string, by itself, does not identify you personally. However, when combined with other information, a user agent string might be used to identify the computer originating a message.

Cloudsmith may also request access to or otherwise receive information about your device location when you access the Website. Your location data may be based on your IP address. We use location data in connection with providing the Services and to help improve the Services.

Cloudsmith may assign your computer or mobile device a unique identification number ("Unique ID") based on log file information when you access the Website Cloudsmith may set a cookie on your device containing, amongst other things, the device's Unique ID. Cloudsmith uses information generated from the Unique ID for purposes of improving our Services, primarily our ability to detect fraud. Cloudsmith does not share the Unique ID or any associated data with unaffiliated third parties.
Cloudsmith may receive information about you from third parties. For example, our customers may provide us with certain e-commerce transaction information, which may include IP address, cardholder name, billing and shipping address, email, and phone number. We may combine the information we receive from third parties with information we collect through the Website. If we do so, Cloudsmith will apply this Privacy Policy to that combined information.

Cloudsmith may collect additional information from or about you in other ways, including responses to customer surveys or your communications with our customer service team. Cloudsmith may retain all information it collects for an indefinite period of time.

What Is Information Used For?

As stated above, Cloudsmith may use Personally Identifiable Information such as your name, address, telephone number, e-mail address, or other contact information we obtain from you, our customers, or our business partners, for the purposes of providing, enhancing, or improving our IP geolocation, fraud detection, demographic targeting, and other services and products.

Cloudsmith maintains one or more contact lists (with email addresses and other information) to allow Cloudsmith to communicate with individuals who do business with Cloudsmith or who have expressed an interest in the Services. We may contact you to confirm your purchases or respond to requests that you make, notify you of changes to your account or the Services, for marketing purposes, or to otherwise inform you of information related to our business or your account with us.

Cloudsmith may use the information we collect about you for a variety of website administration and customization purposes. For example, we use your information to process your registration request, provide you with services and communications that you have requested, send you email updates and other communications, customize features and advertising that appear on the Website, deliver the Website content to you, measure Website traffic, measure user interests and traffic patterns, and improve the Website and the services and features offered via the Website.

Non-identifying information includes information collected from or about you that does not personally identify you. Cloudsmith treats IP addresses, log file information, user agent strings, computer IDs, and related information as non-identifying information, except if applicable law suggest us to do otherwise. Cloudsmith may use non-identifying information for any purpose. We may also combine your non-identifying information with third party data sources (including data obtained from offline sources and data obtained from our customers using the Services) in our effort to improve our Services. Unless you opt-out, Cloudsmith may share such non-identifying information with customers, affiliates, and other third parties, for any purpose.

Certain jurisdictions, including the European Union, may deem IP addresses and/or Unique IDs, to be Personally Identifiable Information. Accordingly, for persons in such jurisdictions, our use of Non-Identifying Information as described in this Privacy Policy should be assumed to include IP address and Unique ID data.

What Information Is Not Collected?

We do not intentionally collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information. Although Cloudsmith does not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account, such as in a package repository. If you store any sensitive personal information on our servers, you are consenting to our storage of that information on our servers, which are in the United States and the European Union.

We do not intentionally collect information that is stored in your package repositories or other free-form content inputs. Information in your package repositories belongs to you, and you are responsible for it, as well as for making sure that your content complies with our Terms of Service.

Cloudsmith employees do not access private package repositories unless required to for security or maintenance, or for support reasons, with the consent of the package repository owner.
If your package repository is public, anyone (including us) may view its contents. If you have included private or sensitive information in your public package repository, such as email addresses, that information may be indexed by search engines or used by third parties. In addition, while we do not generally search for content in your package repositories, we may scan our servers for certain tokens or security signatures.

If you're a child under the age of 13, you may not have an account on Cloudsmith. Cloudsmith does not knowingly collect information from or direct any of our content specifically to children under 13. If we learn or have reason to suspect that you are a user who is under the age of 13, we will unfortunately have to close your account. Please see our Terms of Service for information about account termination.

What Information Is Shared?

We do not share, sell, rent, or trade Personally Identifiable Information with third parties for their commercial purposes.

We do not disclose Personally Identifiable Information outside Cloudsmith, except in the situations listed in this section or in the section below on Compelled Disclosure.

We do share certain aggregated, non-personally identifying information with others about how our users, collectively, use Cloudsmith, or how our users respond to our other offerings, such as our conferences or events. For example, we may compile statistics on the usage of particularly package formats on Cloudsmith. However, we do not sell this information to advertisers or marketers.
We do not host advertising on Cloudsmith. We may occasionally embed content from third party sites, such as YouTube, and that content may include ads. While we try to minimize the amount of ads our embedded content contains, we can't always control what third parties show.

We may share Personally Identifiable Information with your permission, so we can perform services you have requested.

We may share Personally Identifiable Information with a limited number of third-party vendors who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own Privacy Policy. Our vendors perform services such as payment processing, customer support ticketing, network data transmission, and other similar services. When we transfer your data to our vendors, we remain responsible for it.

We may share Personally Identifiable Information if we are involved in a merger, sale, or acquisition. If any such change of ownership happens, we will ensure that it is under terms that preserve the confidentiality of Personally Identifiable Information, and we will notify you on our website or by email before any transfer of your Personally Identifiable Information. The organization receiving any Personally Identifiable Information will have to honor any promises we have made in our Privacy Policy or in our Terms of Service.

Publicly Available Information

Much of Cloudsmith is public-facing. If your content is public-facing, third parties may access and use it in compliance with our Terms of Service. We do not sell that content; it is yours. However, we do allow third parties, such as research organizations or archives, to compile public-facing Cloudsmith information.

Your Personal Information, associated with your content, may be gathered by third parties in these compilations of Cloudsmith data. If you do not want your Personal Information to appear in third parties’ compilations of Cloudsmith data, please do not make your Personal Information publicly available.

If you would like to compile Cloudsmith data, you may only use any public-facing Personal Information you gather for the purpose for which our user has authorized it. For example, where a Cloudsmith user has made an email address public-facing for the purpose of identification and attribution, do not use that email address for commercial advertising. We expect you to reasonably secure any Personal Information you have gathered from Cloudsmith, and to respond promptly to complaints, removal requests, and "do not contact" requests from Cloudsmith or Cloudsmith users.

Similarly, package repositories on Cloudsmith may include publicly available Personal Information collected as part of the collaborative process. In the event that a Cloudsmith project contains publicly available Personal Information that does not belong to Cloudsmith users, we will only use that Personal Information for the limited purpose for which it was collected, and we will secure that Personal Information as we would secure any Personally Identifiable Information. If you have a complaint about any Personal Information on Cloudsmith, please see our section on resolving complaints.

What Cookies / Tracking Code Are Used?


Cloudsmith uses cookies to make interactions with our service easy and meaningful. We use cookies (and similar technologies, like HTML5 local storage) to keep you logged in, remember your preferences, and provide information for future development of Cloudsmith.

A cookie is a small piece of text that our web server stores on your computer or mobile device, which your browser sends to us when you return to our site. Cookies do not necessarily identify you if you are merely visiting Cloudsmith; however, a cookie may store a unique identifier for each logged in user. The cookies Cloudsmith sets are essential for the operation of the website, or are used for performance or functionality. By using our website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept cookies, you will not be able to log in or use Cloudsmith’s services.

Google Analytics

We use Google Analytics as a third party tracking service, but we don’t use it to track you individually or collect your Personally Identifiable Information. We use Google Analytics to collect information about how our website performs and how our users, in general, navigate through and use Cloudsmith. This helps us evaluate our users' use of Cloudsmith; compile statistical reports on activity; and improve our content and website performance.

Google Analytics gathers certain simple, non-personally identifying information over time, such as your IP address, browser type, internet service provider, referring and exit pages, time stamp, and similar data about your use of Cloudsmith. We do not link this information to any of your personal information such as your user name.

Cloudsmith will not, nor will we allow any third party to, use the Google Analytics tool to track our users individually; collect any Personally Identifiable Information other than IP address; or correlate your IP address with your identity. Google provides further information about its own privacy practices and offers a browser add-on to opt out of Google Analytics tracking.

Certain pages on our site may set other third party cookies. For example, we may embed content, such as videos, from another site that sets a cookie. While we try to minimize these third party cookies, we can’t always control what cookies this third party content sets.


We use Intercom as a customer engagement platform, and each visitor and user is tracked in order to associate conversation history with your visit, your account (if logged in) and any Cloudsmith organizations you may belong to. Cloudsmith will not share any Personally Identifiable Information gathered and utilised via Intercom with third party services.


"Do Not Track" is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. We do not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site beyond our basic Google Analytics tracking, which you may opt out of. Because we do not share this kind of data with third party services or permit this kind of third party data collection on Cloudsmith for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser's Do Not Track setting.

If you are interested in turning on your browser’s privacy and Do Not Track settings, the Do Not Track website has browser-specific instructions.

Please see our section on email communication to learn about our use of pixel tags in marketing emails.

How Is My Information Secured?

Cloudsmith takes all measures reasonably necessary to protect Personally Identifiable Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of Personally Identifiable Information. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it.

No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security. For more information, see our Security Policy.

How Is Information Collected Globally?

Information that we collect will be stored and processed in the United States and the European Union in accordance with this Privacy Policy. However, we understand that we have users from different countries and regions with different privacy expectations, and we try to meet those needs.

We provide the same standard of privacy protection to all our users around the world, regardless of their country of origin or location, and we are proud of the levels of notice, choice, accountability, security, data integrity, access, and recourse we provide. We work hard to comply with the applicable data privacy laws wherever we do business. Additionally, we require that if our vendors or affiliates have access to Personally Identifiable Information, they must comply with our privacy policies and with applicable data privacy laws, including signing data transfer agreements such as Standard Contractual Clause agreements.

In particular:

  • Cloudsmith provides clear methods of unambiguous, informed consent at the time of data collection, when we do collect your personal data and if applicable. Where consent is not the applicable ground for processing, Cloudsmith will ensure that it has an appropriate ground for processing any personal data (including but not limited to contractual obligation or legitimate interest).
  • We collect only the minimum amount of personal data necessary, unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing.
  • We offer you simple methods of accessing, correcting, or deleting the data we have collected.
  • We provide our users notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our users a method of recourse and enforcement.

How Do I Raise A Privacy Complaint?

If you have concerns about the way Cloudsmith is handling your Personally Identifiable Information, please let us know immediately. We want to help and there are several ways available that you can contact us. You may also email us directly at [email protected] with the subject line "Privacy Concerns." We will respond within 45 days at the latest.

How Are Privacy Disputes Handled?

In the unlikely event that a dispute arises between you and Cloudsmith regarding our handling of your Personally Identifiable Information, we will do our best to resolve it. If we cannot, we offer an independent dispute resolution provider at no cost to you.

What If I Need Independent Arbitration?

If we are unable to resolve your concerns after a good faith effort to address them, lease let us know and we will be happy to discuss independent arbitration services with you.

We are subject to the jurisdiction of the Federal Trade Commission.

How Does Cloudsmith Respond To Compelled Disclosure?

Cloudsmith may disclose personally-identifying information or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar governmental order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large.

In complying with court orders and similar legal processes, Cloudsmith strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.

How Can I Access My Own Personal Information?

If you're already a Cloudsmith user, you may access, update, alter, or delete your basic user profile information by editing your user profile or contact us.

Data Retention and Deletion

Cloudsmith will retain Personally Identifiable Information on your behalf whilst either a) valid grounds for processing exist; or b) a maximum of seven (7) years following termination of your account.

If you would like to cancel your account and initiate deletion of your Personally Identifiable Information, you may do so in your user profile. As above, we will retain and use your information as necessary to comply with our legal obligations, resolve disputes, maintain security, and enforce our agreements, but barring legal requirements, the timeframe above will be observed for deletion.

How Do You Communicate With Users?

We will use your email address to communicate with you, if you've said that's okay, and only for the reasons you’ve said that’s okay. Emails by default are not disclosed with other users, even if you belong to the same organization. This will not change how we contact you, as we always utilise your primary email address.

Depending on your email settings, Cloudsmith may occasionally send notification emails about changes in a package repository you’re watching, new features, requests for feedback, important policy changes, or offer customer support. We also send marketing emails, but only with your consent. There's an unsubscribe link located at the bottom of each of the emails we send you.

Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.

Do You Notify Change Your Privacy Policy?

Although most changes are likely to be minor, Cloudsmith may change our Privacy Policy from time to time. We will occasionally update this Privacy Policy in response to changing business circumstances and legal developments. If there are material changes to this Privacy Policy or in how we use your Personally Identifiable Information, we will prominently post such changes prior to implementing the change. We encourage you to periodically review this Privacy Policy to be informed of how we are collecting and using your information.

How Can I Contact Cloudsmith?

Questions regarding Cloudsmith's Privacy Policy or information practices should be directed to us one via one of the contact methods that we provide.

This Privacy Policy forms part of the Terms and Conditions.

Did this page help you?