The text below is taken from https://www.eff.org/code/privacy/policy.
Unless otherwise specified, this policy does not apply to projects run by individuals or organizations outside of EFF, such as Tor, OTR, or GnuPG, even if we promote the use of those projects or happen to contribute to them.
Bug Reports and Research Datasets: EFF software and technology projects may give you the option to submit bug reports to us, either manually or (if you opt-in) automatically, such as when an error occurs. For example, if you disable HTTPS Everywhere on a particular site, that may be indicative of bugs in the ruleset for that site. If you choose to submit reports, the content of those reports will be available to the project developers, which may include third parties. The software user interface will describe the contents of the report and the retention policies in further detail. We may maintain this information for as long as we believe it is relevant to improving the software or technology project, and we may disclose it to people as necessary to improve the software or technology project.
Sometimes our software and technology projects may collect other types of information to help with technology research, which generally will not include personally identifiable information. For instance, the SSL Observatory collects SSL/TLS certificates and associated metadata. When our software collects such information, its user interfaces will explain what it does, and let you enable or disable submissions. This information may be included in datasets, which are discussed below.
Generally, we do not store personally identifiable information (PII), including the IP addresses of users, when collecting bug reports or research data. However, on occasion, we may store IP addresses for limited debugging purposes. (You may also choose to submit these reports and data via Tor in order to prevent us from being able to observe your IP address.)
Use of Information: In general, EFF uses the information provided by you to further its mission, including to strengthen Internet security and privacy, defend freedom and innovation, and to protect your rights in the digital world. To help you better understand how this information further these goals, we may include further explanations of the use of data within the project’s user interface.
Disclosure of Your Information: While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by whatever means is reasonably practical. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we will independently object to requests for access to information about users of our products and technologies that we believe to be improper and we have done so.
Sharing of datasets: From time to time, we may share datasets derived from our technology projects with research partners working on topics related to Internet security, censorship resistance, privacy or other public policy objectives. We may also publish datasets in an effort to further these objectives. The datasets we may share or publish will not intentionally contain PII and we will evaluate whether further sanitization or aggregation of data is necessary to reduce the likelihood that inferences about identifiable individuals' activities might be made from the published dataset. Because anonymization is an algorithmically complex problem, we cannot promise that it will be flawless or attack-proof. When we believe that a dataset may contain information that is especially sensitive or vulnerable to de-anonymition, we will not publish it, and if we share share such data with research partners, we will place them under a contractual obligation to keep the dataset confidential and avoid de-anonymization.
Security: Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security. Information collected by EFF will be maintained for a length of time appropriate to our needs.