The English version of this document is provided for your convenience only. The German version of this document will govern our relationship.

Data privacy and information security

Data privacy and information security have a central role in our company and are one of the main motives for the development of this open source software.

OpenProject GmbH meets all the requirements of the EU General Data Protection Regulation.

Preliminary remark

The purpose of the OpenProject application is to improve the results of a project team. It’s about networking people so they can work together effectively towards a common goal. The processing of personal data is a fundamental requirement for using the OpenProject application.

The great advantage of the OpenProject application as open source software is the great freedom that the open source license gives users and developers. This gives every user the opportunity to view the source code of this software, to change it and to install and operate in its own infrastructure.

Another big advantage is the portability of the OpenProject application and the data processed in it. This allows the owner of the data to decide on which infrastructure he operates the software and whether to commission a processor with the operation and maintenance. This is a crucial difference from proprietary cloud applications, where this option is not granted by the manufacturer.

The development of OpenProject as open source software is the most crucial and far-reaching technical and organizational measure to protect your personal data. Thus, each OpenProject user can decide for himself whether he wants to transfer personal data to us.

If a visitor visits our website, contacts us, uses our SaaS platform or uses our software delivery service, we will need to process certain personal information.

This processing always takes place in accordance with the General Data Protection Regulation and in accordance with the national data protection provisions.

We have implemented numerous technical and organizational measures to ensure the most complete protection possible for your processed personal data. However, any technology can have security vulnerabilities, so absolute protection can not be guaranteed.

1. General

1.1 Scope and Scope of this Privacy Policy

This Privacy Policy covers the processing of personal data of OpenProject GmbH in the following areas:

  1. Visit our website and contact
  2. Using our SaaS platform
  3. Using our community platform
  4. usUsing our release API

1.2 Responsible body

Responsible in terms of data protection -Grundverordnung (DS-GVO) and other national data protection laws and other data protection provisions is the

OpenProject GmbH
Karl-Liebknecht-Str. 5
10178 Berlin
Phone: +49 30 288 777 07
E-Mail: info@openproject.comOfficer

The Data Protection of OpenProject GmbH is:

Mr. Ingo Wolff
tacticx GmbH
47608 Geldern
Phone: +49 2831 121910

1.3 Legal basis for the processing of personal data

The processing of personal data of our users takes place regularly after the consent of the user. An exception applies to cases in which prior consent is not possible for reasons of fact or where the processing of the data is required by law. The storage of data and log files is based on Art. 6 para. 1 f DS-GVO.

1.4 Data deletion and storage perioddata subjects

The personal data of theare deleted or blocked by us as soon as the purpose of the storage is omitted or legally prescribed storage periods have expired.

2. Access and Activity

Logs Each access to the platforms described in 1.1 automatically collects general log data, called server logs.

Without this data, it would not be technically possible to operate these platforms. In addition, the processing of this data is imperative for security reasons, in particular for access, input, transfer and storage control. In addition, the anonymous information may be used for statistical purposes as well as for the optimization of the offer and the technology. In addition, the log files can be subsequently inspected and evaluated in case of suspected illegal use of the website. The legal basis for this can be found in § 15 para. 1 Telemedia Act (TMG) and Art. 6. (1) f DS-GVO.

Data such as domain name of the website, web browser and web browser version, operating system, IP address and timestamp of access to the website are generally collected.

The storage duration of these access logs is up to 90 days. A right of objection does not exist.

3. error logs

for the purpose of fault identification and rectification so-called error logs ( “Error logs”) are prepared. This is absolutely necessary in order to be able to react as promptly as possible to potential problems with the use and operation of the platforms (legitimate interest). pursuant to § 15 (1) TMG and Art. 6. (1) f DS-GV).

If an error message occurs, general data such as the domain name of the website, the web browser and web browser version, the operating system, the IP address and the time stamp are recorded when the corresponding error message / specification occurs.

The storage duration of these error logs is up to 90 days. A right of objection does not exist.

4. Use of Cookies

We use so-called cookies in the OpenProject platform. These are small text files stored on the device that you use to access this platform. A cookie contains a characteristic string that allows the browser to be uniquely identified when we reopen our web pages. The processing of personal data using cookies is based on Art. 6 para. 1 f DS-GVO.

In particular, cookies are used to ensure the security when visiting a website or web application (“strictly necessary”) to implement certain functionalities such as standard language settings (“functional”). In addition, cookies are also used for the purpose of web analysis (see section “Web Analysis”).

You can decide yourself via your browser settings whether you want to allow cookies or object to the use of cookies. Please note that disabling cookies may result in restricted or completely disabled website functionality.

5. Using the Release API

The Release API allows users of a self-hosted OpenProject application to check if a new version of Community Edition or Enterprise Edition has been released. The purpose of this feature is to prevent erroneous and unsafe OpenProject applications.

This is for users with administrator rights on the start page of the OpenProject application as well on the administrators page an update banner is displayed, which is dynamically generated by a request to the release API and derives the status and availability of a new version from anonymous data of the installation.

To display the availability of new versions, the call to the Release API contains the following information:

  1. the type of installation packages used: installation packages, docker,manual installation,
  2. the current version of the application,
  3. the database version, and
  4. the installation contains an active enterprise edition .

So that the calls are not counted twice, the call still contains a random, unique identification code of the installation.

The banner will not process any personally identifiable information under the Release API. However, falling for technical reasons by calling data such as the IP address and the type and  of the versionbrowser,which are stored as server logs for 90 days.

To deactivate the call of the Release-API, remove the checkmark under “Administration> System Settings> General> Display Update Security” or set the configuration policy “Security_badge_displayed: false“.

6. Using the OpenProject SaaS Platform

Visitors to our websites can create their own OpenProject instance in our SaaS platform.

For the account creation we need first and last name as well as your e-mail address. Alternatively, you can sign in with an existing Google Account. This application will redirect you to Google’s servers, which is why Google collected your IP address and other personal information if applicable. For this, the privacy policy of Google. Use of this login service is optional.

With the creation of an OpenProject instance, the client automatically concludes anwith OpenProject GmbH as the order processor additional agreementpursuant to Art. 28 DS-GVO off.

7. Use of the OpenProject Community Platform

OpenProject operates a publicly accessiblefor the networking of the Open Source Community and for the further development of the OpenProject application OpenProject instance within the OpenProject SaaS platform. Registration and use of this instance is optional.

To protect against spam, we use a captcha when registering and signing up for the first time reCAPTCHA from Google Inc. This captcha is used to check if the login to this community is done by natural persons. This check sends requests to Google’s servers, which means that your IP address and any other data needed by Google for the reCAPTCHA service will be sent to Google. For this, the privacy policy of Google.

The legal basis for processing the data is Art. 6 para. 1 lit. f DS-GMO. We have a legitimate interest in protecting our websites from abusive automated spying and spamming.

8. Use of third-party tools and subcontractorsuse third-party

In order to provide and continuously improve our services, weproviders that also process personal data. We have selected these subcontractors carefully and in accordance with the provisions of the DS-GVO. A list of subcontractors can be found here .

8.1 Newsletter distribution

You canon our web platform subscribe to a free newsletter. To receive the newsletter, you must enter an e-mail address and a name. The specification of additional, separately marked data is voluntary and will be used to address you personally. The deregistration is possible at any time, for example via a link at the end of each newsletter.

The newsletter is sent via the technical platform of the US provider HubSpot. The e-mail addresses of our newsletter recipients as well as their optionally optional data are stored on the servers of HubSpot in the USA. HubSpot uses this information to send and evaluate the newsletters on our behalf. In addition, HubSpot may, according to its own information, use this data for the purpose of optimizing or improving its own services, eg for the technical optimization of shipping and the presentation of newsletters or for economic purposes in order to determine from which countries the recipients come. However, HubSpot does not use the data of our newsletter recipients to write them down or to pass them on to third parties.The privacy policy of HubSpot can be found here see.

The legal basis for the processing of personal data in this context is Article 6 (1) lit. a DS-GMO. The personal data of the user is stored by us as long as the subscription to the newsletter is active. Consent can be revoked by clicking on the corresponding link in each newsletter. The personal data will be deleted immediately.

8.2 Contact form and e-mail contact

For electronic contact, users can use a contact form on our website. The provision of these forms and the processing of the registered information also takes place via the technical platform of the US provider HubSpot.

In addition, users can send us an e-mail. To do this, OpenProject uses the Google G Suite email infrastructure. Youprivacy policy of Google canhere view the. Users have the option totheir emails to us via PGP encrypt.

The legal basis for processing the data is Art. 6 para. 1 lit. f DS-GMO. The data will be used exclusively to process the contact and the subsequent communication. There is no disclosure of data to third parties in this context. If we use the data for other purposes, we obtain the consent of the user in advance.

8.3 Web

Analysis OpenProject uses the following analysis tools to evaluate user access to the OpenProject platform:

Web analytics aims to improve the quality of the OpenProject platform and its content. Our partners use cookiesthat allow an analysis of the use of the OpenProject platform. The web analysis can be technically prevented by the user of the web pages by deactivating JavaScript and cookies in his web browser. Details on the necessary settings can be found in the product descriptions and instructions of the various browser providers. Data processing in this context is based on Art. 6 para. 1 a DS-GVO.

9. Use of social media

On our websites we link the following social media networks:

Through the mere linking, these providers can not set cookies technically or process personally identifiable information without using the links.

We also include YouTube videos on our websites. These are embedded via the integration of the URL with iframes in the extended data protection mode on our web pages. Here, the domain is replaced by the respective official YouTube Nocookie domain. According to the current information from YouTube, using this variant only information about visitors to the web pages are saved when they play the video, but not in a simple call the einbindenden websites. For more information about the collection and use of data by YouTube and the rights to protect the privacy of users can be found in the privacy policy of Google.

10. Technical and organizational security measures

OpenProject uses technical and organizational security measures to protect the personal data of users against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are constantly being improved in line with technical developments.

An overview of the technical and organizational measures can be found here members.

11. Rights of the

data subject If OpenProject processes your personal data, you are regarded as the person concerned pursuant to Art. 4 No. 1 DS-GVO with the following rights to OpenProject:Right of


You may request confirmation from us in accordance with Art. 15 DS-GVO whether personal data concerning you is processed by us. If we process your personal data, you can ask us for information about the following information:purposes

  • the processing;
  • the categories of your personal information we process;
  • the recipients or categories of recipients to whom we have disclosed or will disclose your personal information;
  • (if possible) the planned duration for which we store your personal data or, if this communication is not possible, the criteria for determining the retention period;
  • the existence of a right to rectification or deletion of personal data concerning you, a right to restriction of our processing or a right of objection to such processing;
  • the existence of a right of appeal to a supervisory authority;
  • all available information about the origin of the data, if the personal data was not collected from you;
  • the existence of automated decision-making including profiling (Article 22 (1) and (4) of the DSBER Regulation) and – at least in these cases – meaningful information about the logic involved and the implications and consequences of such processing for you.

You have the right to request information about whether the personal data relating to you are transferred to a third country or an international organization. In this regard, you can request the appropriate warranties in accordance with. Art. 46 DS-BER in connection with the transfer.

13.2 Right to correction

According to Art. 16 DS-BER, you have the right to demand the correction and / or completion of incorrect personal data concerning you.

13.3 Right to delete

According to Art. 17 DS-GVO, you may request that your personal data be deleted immediately. We are required to delete your information immediately if one of the following is true:

  • Your personal information is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You revoke your consent, on which we base the processing according to Art. 6 (1) a DS-GVO or Art. 9 (2) a DS-GVO, and there is no other legal basis for the processing.
  • In accordance with Art. 21 para. 1 DS-GVO, they object to the processing, and there are no legitimate reasons for the processing, or they object to the processing in accordance with Art. 21 (2) DS-GVO.
  • Your personal data has been processed unlawfully.
  • The deletion of your personal data is required to fulfill a legal obligation under Union or national law to which we are subject.
  • Your personal data were collected in relation to information society services offered pursuant to Art. 8 para. 1 DS-BER.

If we have made your personal data public and we are obliged to delete them in accordance with Article 17 paragraph 1 DS-BER, we shall take appropriate measures, includingand the implementation costs technical ones, to the data controllers, the data controllersprocess the personal data, informing you as the data subject that you have requested the deletion of all links to your personal data or of copies or replications of your personal data.

The right to erasure does not exist insofar as the processing is necessary

  • to exercise the right to freedom of expression and information;
  • to fulfill a legal obligation to which we are subject or to perform a task of public interest or in the exercise of official authority which has been assigned to us;
  • for reasons of public interest in the field of public health (Article 9 (2) and (i) and Article 9 (3) of the GDPR);
  • for archival purposes of public interest, scientific or historical research purposes or for statistical purposes acc. Article 89 (1) of the GDPR, in so far as that law is likely to render impossible or seriously affect the achievement of the objectives of that processing or
  • to assert, pursue or defend rights.

13.4 Right to restriction of processing

Under the following conditions, you may demand, pursuant to Art. 18 DS-GVO, the limitation of the processing of your personal data:datadata

  • if you deny the accuracy of your personalfor a period that allows us to verify the accuracy of the personalCheck data;
  • if the processing is unlawful and you refuse the deletion of the personal data and instead demand the restriction of the use of personal data;
  • If we no longer need your personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
  • if you have objected to the processing under Art. 21 (1) GDPR and has not yet determined whether our legitimate reasons outweigh your reasons.

If the processing of your personal data has been restricted, these data may only be used with the consent of or for the purpose of exercising, exercising or defending legal claims or protecting the rights of another natural or legal person or for important public interest of the Union or a Member State. If processing has beenaccordance with the above conditions restricted in, you will be informed by us before the restriction is lifted.

13.5 Right to information

If you have the right to rectify, delete or limit the processing against us, according to Art. 19 GDPR we are obliged to inform all recipients to whom your personal data have been disclosed by us that fact because, this proves to be impossible or would involve a disproportionate effort. You have the right to be informed about these recipients.

13.6 Data transferability

You have the right, in accordance with Art. 20 DS-BER, to receive your personal data provided to us in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another person responsible, without hindrance by us, if

  • the processing is based on a consent (Article 6 paragraph a DS-GVO or Article 9 paragraph 2 a DS-GVO) or on a contract gem. Art. 6 para. 1 b DS-GVO and
  • the processing takes place with the help of automated procedures.

In exercising this right, you also have the right to obtain that your personal data be transmitted directly by us to another person responsible, as far as technically feasible. Freedoms and rights of other persons may not be affected. The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority that has been delegated to us.


Right toAccording to Art. 21 DS-GVO, you have the right at any time, for reasons arising from your particular situation, against the processing of your personal data on the basis of Art. 6 (1) e or f DS-GVO To file an objection; this also applies to profiling based on these provisions. We will not process your personal information subsequently unless we can demonstrate compelling legitimate reasons for our processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of asserting, exercising or defending legal claims.

13.8 Right to revoke the data protection consent declaration

You have the right to revoke your data protection consent declaration at any time to us. The revocation of consentthe legality of thethe does not affectprocessing carried out onbasis of the consent until the revocation.

13.9 Automated decision on a case-by-case basis, including profiling In

accordance with Art. 22 DS-BER, you have the right not to be subject to a decision based exclusively on automated processing – including profiling – which will have a legal effect on you or significantly affect you in a similar manner. This does not apply if the decision

  • to conclude or to fulfill a contract between you and us is required
  • by law of the Union or of the Member States to which we are subject, and that legislation is adequate to safeguard your rights and freedoms, and yours legitimate interests or
  • with your express consent.

11.1 Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of alleged infringement, if you consider that the processing of your personal data by us against the DS-GVO violates.

12. Responsibility for content and information

Our websites contain links to internet offers of external providers. The contents of the Internet offers of external providers were checked when setting the link by us, whether they violate civil law or criminal law against applicable laws. However, it can not be ruled out that these contents are subsequently changed by the respective providers. If you believe that linked external sites infringe applicable law or have any other inappropriate content, please let us know. We will review your notice and remove the external link if necessary. OpenProject is not responsible for the content and availability of the linked external websites.

13. Inclusion and validity of the privacy policy

By using our web pages, you consent to the data processing described above. This Privacy Policy applies only to the content of OpenProject. The linked external content is governed by other privacy and data security regulations. If you are responsible for these offers, you will find out in the respective imprint.

Due to the further development of our web pages or the implementation of new technologies, it may be necessary to change this privacy policy. We therefore reserve the right to change the privacy policy at any time with future effect. Valid is always at the time of your website visit retrievable version.