You should not collect or store private data or personally identifiable information, such as user names, passwords, or IP addresses (“Private Information”) from the individuals using your Labs Project (“End Users”)
This means that I can only store usernames for a maximum of 30 days:
Purge, anonymize, or aggregate any Private Information you store no more than 30 days after storing it;
It also says that if I collect "Private Information" then I have to show a big disclaimer:
If my tools collect Private Information...
If you collect any Private Information from End Users, you must display this disclaimer to the End Users before you collect the Private Information:
By using this project, you agree that any private information you give to this project may be made publicly available and not be treated as confidential.
There is ambiguity between different users, for example on IRC chasemp said:
<tom29739> If I collect a user's username using OAuth in a tool, then do I need to show this disclaimer: https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#If_my_tools_collect_Private_Information... before sending the user off to authenticate?
<chasemp> tom29739: is this in Tools or other?
<tom29739> In tools.
<chasemp> tom29739: it's a good question to which we can dig up a legally satisifying answer but my experience is 'no'
<tom29739> chasemp, I thought that, but here: https://meta.wikimedia.org/wiki/Steward_requests/Miscellaneous#Request_to_approve_OAuth_consumer_for_Citation_Hunt_v1.0 the question was asked
However here: https://meta.wikimedia.org/wiki/Steward_requests/Miscellaneous#Request_to_approve_OAuth_consumer_for_Citation_Hunt_v1.0
it is suggested by MarcoAurelio that collecting data from users is not compliant with the Labs ToU.
It would be good to get clarification on this, because if collecting usernames is against the ToU then many tools will have to be updated e.g. Quarry (https://quarry.wmflabs.org/)