Oracle Java SE Privacy Policy

Last updated: November 15, 2024 · Effective date: December 1, 2024

1. Introduction

Oracle Corporation and its affiliates ("Oracle," "we," "us," or "our") are committed to protecting the privacy of individuals who use Oracle Java SE products, including the Java Runtime Environment (JRE), Java Development Kit (JDK), and associated tools and services (collectively, "Java SE Products").

This Privacy Policy describes the types of information we may collect from you or that you may provide when you download, install, or use Java SE Products, and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies specifically to data collected through Java SE Products and supplements the general Oracle Privacy Policy. In the event of a conflict, this policy governs with respect to Java SE Products.

2. Information We Collect

We collect several types of information from and about users of Java SE Products:

2.1 Information You Provide

• Oracle Account credentials when downloading Java SE from oracle.com
• Contact information provided during license registration
• Support requests and correspondence
• Survey responses and feedback

2.2 Information Collected Automatically

• Java Runtime version and build number
• Operating system type, version, and architecture
• JVM configuration parameters (heap size, garbage collector type)
• System locale and timezone settings
• IP address (collected during update checks and telemetry transmission)
• Java Auto-Update check frequency and results

2.3 Information from Java Usage Tracker

When the Java Usage Tracker is enabled (see Section 3), additional runtime data may be collected as described in the Telemetry documentation.

3. Java Usage Tracker Data

The Java Usage Tracker is a feature available in Java SE 8 Update 77 and later that enables recording of JRE usage information. The Usage Tracker may collect the following categories of data:

• JVM Identity: Java version, VM name, vendor string, runtime version
• System Environment: Operating system, architecture, available processors, total physical memory
• Runtime Metrics: Heap usage, class loading counts, thread counts, GC statistics
• Application Context: Main class name (if available), classpath length, module usage
• Network Context: TLS protocol versions, proxy configuration (hashed)

The Usage Tracker does not collect: user names, file contents, application data, keystrokes, screenshots, browsing history, or the content of network communications.

Enterprise administrators can control Usage Tracker behavior through the Java Control Panel or via enterprise group policy. See the Telemetry page for details.

4. How We Use Your Information

We use information collected through Java SE Products for the following purposes:

• Product Improvement: Analyzing usage patterns to prioritize feature development, performance optimization, and platform support decisions
• Security: Identifying vulnerable Java installations, measuring patch adoption rates, and informing security advisory targeting
• Compatibility: Understanding which OS versions, hardware configurations, and JVM settings are most common to ensure broad compatibility
• License Compliance: Verifying appropriate use of Java SE under applicable license terms
• Support: Diagnosing issues reported through Oracle Support channels
• Communications: Sending critical security notifications about Java SE vulnerabilities

5. Data Sharing and Disclosure

Oracle does not sell Java telemetry data to third parties. We may share information collected through Java SE Products in the following circumstances:

• Oracle Affiliates: With Oracle subsidiaries and affiliates for the purposes described in this policy
• Service Providers: With third-party vendors who process data on our behalf (e.g., cloud hosting, analytics), subject to contractual data protection obligations
• Legal Requirements: When required by law, regulation, subpoena, or court order
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• Aggregated Data: We may share aggregated, de-identified statistics about Java usage publicly (e.g., in blog posts about Java adoption trends)

6. Data Retention

We retain information collected through Java SE Products as follows:

• Usage Tracker Data: Retained for a maximum of 36 months from the date of collection, after which it is automatically purged or irreversibly anonymized
• Update Check Logs: IP addresses and associated metadata from auto-update checks are retained for 12 months
• Account Information: Retained for the duration of your Oracle Account, plus 12 months following deletion
• Support Data: Retained for 5 years following case closure, or as required by applicable regulations

7. Data Security

Oracle implements appropriate technical and organizational measures to protect Java telemetry data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit using TLS 1.2 or higher for all telemetry transmissions
• Encryption at rest using AES-256 for stored telemetry data
• Access controls limiting data access to authorized Oracle personnel with a business need
• Regular security assessments and penetration testing of telemetry infrastructure
• Incident response procedures for potential data breaches

8. International Data Transfers

Java telemetry data may be transferred to, stored, and processed in the United States and other countries where Oracle or its service providers maintain facilities. Oracle relies on Standard Contractual Clauses (SCCs) approved by the European Commission, the EU-U.S. Data Privacy Framework, and other legally recognized transfer mechanisms to lawfully transfer personal data from the European Economic Area, the United Kingdom, and Switzerland to other countries.

9. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal data:

• Opt-Out of Telemetry: You can disable the Java Usage Tracker through the Java Control Panel or by contacting your system administrator. See Telemetry for details.
• Access: Request a copy of the personal data Oracle holds about you related to Java SE Products
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data, subject to legal retention requirements
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to processing of your personal data for certain purposes

To exercise these rights, contact the Oracle Privacy Office using the information in Section 12.

10. Children's Privacy

Java SE Products are not directed at children under the age of 16. Oracle does not knowingly collect personal information from children under 16 through Java SE Products. If you believe we have inadvertently collected such information, please contact us so we can promptly delete it.

11. Changes to This Policy

Oracle may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated "Last updated" date. Material changes will be communicated through the Java Auto-Update mechanism or via the Oracle Technology Network. Your continued use of Java SE Products after the effective date of changes constitutes acceptance of the revised policy.

12. Contact Information

If you have questions or concerns about this Privacy Policy or Oracle's data practices related to Java SE Products, please contact:

Oracle Corporation
Global Privacy Office
500 Oracle Parkway
Redwood Shores, CA 94065
United States

Email: privacy-inquiries_ww@oracle.com
Web: https://www.oracle.com/legal/privacy/privacy-choices.html

For EU/EEA residents, Oracle's Data Protection Officer can be reached at the address above or via dpo-inquiries_ww@oracle.com.