Frontier Model Forum Privacy Notice

Your privacy is important to us. This privacy notice explains how Frontier Model Forum (“FMF”, “we”, “us”) collects, uses, and discloses personal data. For the purposes of this notice, “personal data” means any information relating to an identified or identifiable natural person. This privacy notice applies to personal data processed in connection with:

1. our website at www.frontiermodelforum.org/ (“Website”), and
2. our information-sharing activities that support frontier AI safety and security (“Information-Sharing Activities”).

Personal Data We Collect

The personal data we collect depends on how you interact with us.

Information you provide directly. We collect personal data you provide to us. For example, if you choose to send us an email inquiry or submit a request via a “Contact Us” form, we will collect contact information, such as your name and email address, as well as the content of your communications.

Information we collect automatically. When you visit the Website, we collect some information automatically. For example:

• Identifiers and device information. When you visit the Website, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software, including type, version, language, settings, and configuration. As further described in the Cookies and Similar Technologies section below, our Website stores and retrieves cookie identifiers and other data.
• Approximate location data. Depending on your device settings, we collect approximate location data when you use the Website.
• Usage data. We automatically log your activity on the Website, including the URL of the Website from which you came to our site, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our Website.

When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services, those features may not be available. For example, if you don’t provide an email address, we will be unable to respond to any inquiries you may have.

Information we collect from member firms. FMF supports AI safety, security, and threat management by facilitating the structured sharing of threat-related information among its member firms. FMF’s information-sharing framework is designed to focus on technical, operational, and threat-related artifacts, such as security vulnerabilities, safety classifiers, and threat intelligence information. Most information shared through this mechanism is technical and does not relate to individuals. However, in limited circumstances, information shared for AI safety and security purposes may include personal data. Such data may include online identifiers, information about the user prompts and model output, and limited usage information relevant to AI safety and security, such as timestamps and technical context associated with suspected misuse. Moreover, this data may occasionally include limited professional contact details, identifiers, demographic information, and role-based information of designated personnel at member firms involved in AI safety and security coordination.

Cookies and similar technologies

We use cookies, web beacons, and similar technologies to operate the Website and to help collect data, including usage data, identifiers, and device information.

What are cookies and similar technologies?

Cookies are small text files placed by a Website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. The text in a cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognize your browser over time, each time it connects to that web server.

Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own cookies. In the same way, third-party content on our websites (such as embedded videos, plug-ins, or ads) results in your browser connecting to the third-party web server that hosts that content.

How do we and our partners use cookies and similar technologies?

We, and our analytics partners, use these technologies in our Website to collect personal data (such as the pages you visit, the links you click on, and similar usage information, identifiers, and device information) when you use our services. This information is used to analyze how our Website performs, track your interaction with the site, and fulfill other legitimate purposes. Please see the Sharing section below for details on the third-party analytics providers we use on the Website.

What controls are available?

• Browser cookie controls. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or services of our Website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.
• Do Not Track. Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the Websites you visit indicating you do not wish to be tracked. Because there is not a common understanding of how to interpret the DNT signal, our websites do not currently respond to browser DNT signals. Instead, you can use the range of other tools to control data collection and use, including the cookie controls and advertising controls described above.

Our use of personal data

We use each of the categories or personal data we collect for purposes described in this privacy notice or otherwise disclosed to you. For example, we use personal data for the following purposes:

• Website delivery. To provide, operate, and maintain the Website, including troubleshooting, securing, and improving the Website.
• Website security. To ensure the safety and security of our service, preventing abuse, and detecting and responding to security incidents.
• AI safety, security, and threat-management purposes (Information-Sharing Activities). FMF processes personal data for AI safety, security, and threat-management purposes by engaging in Information-Sharing Activities. For this purpose, FMF facilitates the structured sharing of threat-related information among its member firms.
• Communications and support. To respond to your questions and enquiries and provide user support.
• Promotional emails. To send you updates and promotional emails.
• Legal compliance. To meet our legal obligations and establish, exercise, or defend legal claims.

Legal bases for processing personal data

Where data protection laws of the European Economic Area, Switzerland or the United Kingdom (jointly “Europe”) apply, we only process your Personal Data where we have a legal basis to do so. The legal bases we rely on include: 

• Necessary for compliance with a legal obligation to which we are subject. We may process your personal data where we are required to do so to comply with our legal obligations, for example to comply with a search warrant or court order.
• Necessary for a legitimate interest that we pursue. Where we or a third party have a legitimate interest in processing your personal data, we may do so provided that our interest is not overridden by your rights and interests. We may rely on this legal basis, for example, for the purpose of enabling the structured sharing of threat-related information among participating organizations to support their effort of developing safe and secure AI models.
• Consent. We may also process your Personal Data on the basis of consent in some circumstances. You may withdraw your consent at any time by contacting us.

Our sharing of personal data

We share personal data with your consent or as necessary to operate the Website, respond to your inquiries, or support our Information-Sharing Activities. We share each of the categories of personal data described above, with the types of third parties described below, for the following purposes:

• Information-Sharing Activities. We may disclose your personal data to our member firms as part of our Information-Sharing Activities. Where shared information includes personal data, it is subject to safeguards, restrictions, and confidentiality obligations designed to ensure it is used only for AI safety and security purposes. You can find the current list of our member firms here.
• Service providers. We share personal data with vendors or agents working on our behalf for the purposes described in this notice. For example, companies we’ve hired to host the Website, process incoming email, or assist in protecting and securing the Website and our systems may need access to personal data to provide those functions.  We also use website analytics services, as described in the Cookies section of this notice (currently Google Analytics). You can learn more about Google’s practices by visiting https://www.google.com/policies/privacy/partners/.
• Legal and law enforcement. We will access, disclose, and preserve personal data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
• Security, safety, and protecting rights. We will disclose personal data if we believe it is necessary to:
  • protect our users and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
  • operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
  • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Finally, we may share de-identified information in accordance with applicable law.

Choice and control of personal data

Access, correction, and deletion. If you wish to access, correct, or delete personal data about you that we hold, you may contact us as described at the bottom of this privacy notice. However, to the extent permitted by applicable law, we reserve the right to decline requests that are unreasonable or excessive, where providing the data would be prohibited by law or could adversely affect the privacy or other rights of another person, where deleting data would interfere with a legal or business obligation that requires retention of the data, or where we are unable to authenticate you as the person to whom the data relates.

Promotional emails. You can unsubscribe from our promotional emails via the link provided in the emails. Even if you opt out of receiving promotional email messages from us, you will continue to receive administrative messages from us.

Choices for Cookies and Similar Technologies. See the Cookies section for choices about cookies and similar controls.

European data protection rights

Where data protection laws of Europe apply, you have certain rights with respect to your personal data:

• You can request access to, and rectification or erasure of, personal data;
• If any automated processing of personal data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the personal data in a usable and portable format;
• If the processing of personal data is based on your consent, you can withdraw consent at any time for future processing;
• You can object to, or obtain a restriction of, the processing of personal data under certain circumstances;

To make such requests, please use the contact information at the bottom of this notice.  You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.

California privacy rights

Under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided personal information to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes. Please be aware that we do not disclose personal information to any third parties for their direct marketing purposes as defined by this law. California Customers may request further information about our compliance with this law by e-mailing at the address at the bottom of this notice. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated e-mail address.

Retention of personal data

We retain personal data for as long as necessary to provide the Website,  support our Information-Sharing Activities, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary. When determining the specific retention period, we take into account various criteria, such as the type of data, the nature of our relationship with you, and mandatory retention periods provided by law and the relevant statute of limitations.

We take measures to delete your Personal Data or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it.

International transfers

FMF is based in the United States. The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers maintain facilities. Currently, we primarily use data centers in the United States. We take steps designed to ensure that the data we collect under this notice is processed and protected according to the provisions of this notice and applicable law wherever the data is located.

If we transfer personal data from the European Economic Area (EEA), UK, and Switzerland to countries that have not been determined by the European Commission, or the UK or Swiss government to have an adequate level of data protection, we will use legal mechanisms, including contracts, to help ensure your rights and protections. In particular, we use approved transfer mechanisms, such as the Standard Contractual Clauses. You may request additional information about these mechanisms by contacting us at info@frontiermodelforum.org.

Security of personal data

We take reasonable and appropriate steps to help protect personal data from unauthorized access, use, disclosure, alteration, and destruction. These measures include appropriate access controls and security practices tailored to the nature of our processing.

Changes to this privacy notice

We will update this privacy notice when necessary to reflect changes in our services, how we use personal data, or the applicable law. When we post changes to the notice, we will revise the “Last Updated” date at the top of the notice. If we make material changes to the notice, we will provide notice or obtain consent regarding such changes as may be required by law.

How to contact us

If you have a privacy concern, complaint, or a question for us, please contact us at info@frontiermodelforum.org.