The English version of this document is provided for your convenience only. The German version of this document will govern our relationship.
Data privacy and information security
Data privacy and information security have a central role in our company and are one of the main motives for the development of this open source software.
OpenProject GmbH meets all the requirements of the EU General Data Protection Regulation.
The purpose of the OpenProject application is to improve the results of a project team. It’s about networking people so they can work together effectively towards a common goal. The processing of personal data is a fundamental requirement for using the OpenProject application.
The great advantage of the OpenProject application as open source software is the great freedom that the open source license gives users and developers. This gives every user the opportunity to view the source code of this software, to change it and to install and operate it in their own infrastructure.
Another big advantage is the portability of the OpenProject application and the data processed in it. This allows the owner of the data to decide on which infrastructure he operates the software and whether to commission a processor with the operation and maintenance. This is a crucial difference from proprietary cloud applications, where this option is not granted by the manufacturer.
The development of OpenProject as open source software is the most crucial and far-reaching technical and organizational measure to protect your personal data. Thus, each OpenProject user can decide for himself whether he wants to transfer personal data to us.
If a visitor visits our website, contacts us, uses our SaaS platform or uses our software delivery service, we will need to process certain personal information.
This processing always takes place in accordance with the General Data Protection Regulation and in accordance with the national data protection provisions.
We have implemented numerous technical and organizational measures to ensure the most complete protection possible for your processed personal data. However, any technology can have security vulnerabilities, so absolute protection cannot be guaranteed.
- Visit our website and contact
- Using our SaaS platform
- Using our community platform
- Using our release API
1.2 Responsible body
The responsible body within the meaning of the General Data Protection Regulation (DS-GVO), other national data protection laws and other data protection provisions is the
Phone: +49 30 288 777 07
The Data Protection Officer of OpenProject GmbH is:
Mr. Ingo Wolff
Phone: +49 2831 121910
1.3 Legal basis for the processing of personal data
The processing of personal data of our users regularly takes place only after the consent of the user. An exception applies to cases in which prior consent is not possible for factual reasons or where the processing of the data is required by law. The storage of data and log files is based on Art. 6 para. 1 f DS-GVO.
1.4 Data deletion and storage period
The personal data of the data subjects are deleted or blocked by us as soon as the purpose of the storage no longer applies or legally prescribed storage periods have expired.
2. Access and Activity Logs
Each access to the platforms described in 1.1 automatically collects general log data, called server logs.
Without this data, it would not be technically possible to operate these platforms. In addition, the processing of this data is imperative for security reasons, in particular for access, input, transfer and storage control. In addition, the anonymous information may be used for statistical purposes as well as for the optimization of the offer and the technology. In addition, the log files can be subsequently inspected and evaluated in case of suspected illegal use of the website. The legal basis for this can be found in § 15 para. 1 Telemedia Act (TMG) and Art. 6 (1) f DS-GVO.
Data such as domain name of the website, web browser and web browser version, operating system, IP address and timestamp of access to the website are generally collected.
The storage duration of these access logs is up to 90 days. A right of objection does not exist.
3. Error logs
For the purpose of fault identification and rectification, so-called error logs are prepared. This is absolutely necessary in order to be able to react as promptly as possible to potential problems with the use and operation of the platforms (legitimate interest pursuant to § 15 (1) TMG and Art. 6 (1) f DS-GVO).
If an error message occurs, general data such as the domain name of the website, the web browser and web browser version, the operating system, the IP address and the time stamp are recorded when the corresponding error message / specification occurs.
The storage duration of these error logs is up to 90 days. A right of objection does not exist.
We use so-called cookies in the OpenProject platform. These are small text files stored on the device that you use to access this platform. A cookie contains a characteristic string that allows the browser to be uniquely identified when our web pages are opened again. The processing of personal data using cookies is based on Art. 6 para. 1 f DS-GVO.
In particular, cookies are used to ensure security when visiting a website or web application (“strictly necessary”) and to implement certain functionalities such as standard language settings (“functional”). In addition, cookies are also used for the purpose of web analysis (see section “Web Analysis”).
5. Using the Release API
The Release API allows users of a self-hosted OpenProject application to check if a new version of Community Edition or Enterprise Edition has been released. The purpose of this feature is to prevent erroneous and unsafe OpenProject applications.
For this purpose, an update banner is displayed to users with administrator rights on the start page of the OpenProject application as well as on the administration page. The banner is dynamically generated by a request to the Release API and derives the status and availability of a new version from anonymous data of the installation.
To display the availability of new versions, the call to the Release API contains the following information:
- the type of installation used: installation packages, Docker, manual installation,
- the current version of the application,
- the database version, and
- whether the installation contains an active Enterprise Edition.
So that the calls are not counted twice, the call additionally contains a random, unique identification code of the installation.
The banner will not process any personally identifiable information under the Release API. However, for technical reasons, the call generates data such as the IP address and the type and version of the browser, which are stored as server logs for 90 days.
To deactivate the call of the Release API, remove the checkmark under “Administration > System Settings > General > Display Update Security” or set the configuration option “security_badge_displayed: false”.
6. Using the OpenProject SaaS Platform
Visitors to our websites can create their own OpenProject instance in our SaaS platform.
With the creation of an OpenProject instance, the client automatically concludes an additional agreement with OpenProject GmbH as the order processor pursuant to Art. 28 DS-GVO.
7. Use of the OpenProject Community Platform
For the networking of the Open Source Community and for the further development of the OpenProject application, OpenProject operates a publicly accessible OpenProject instance within the OpenProject SaaS platform. Registration and use of this instance is optional.
The legal basis for processing the data is Art. 6 para. 1 lit. f DS-GVO. We have a legitimate interest in protecting our websites from abusive automated spying and spamming.
8. Use of third-party tools and subcontractors
In order to provide and continuously improve our services, we use third-party providers that also process personal data. We have selected these subcontractors carefully and in accordance with the provisions of the DS-GVO. A list of subcontractors can be found here.
8.1 Newsletter distribution
You can subscribe to a free newsletter on our web platform. To receive the newsletter, you must enter an e-mail address and a name. The specification of additional, separately marked data is voluntary and will be used to address you personally. The deregistration is possible at any time, for example via a link at the end of each newsletter.
The legal basis for the processing of personal data in this context is Article 6 (1) lit. a DS-GVO. The personal data of the user is stored by us as long as the subscription to the newsletter is active. Consent can be revoked by clicking on the corresponding link in each newsletter. The personal data will be deleted immediately.
8.2 Contact form and e-mail contact
For electronic contact, users can use a contact form on our website. The provision of these forms and the processing of the registered information also takes place via the technical platform of the US provider HubSpot.
The legal basis for processing the data is Art. 6 para. 1 lit. f DS-GVO. The data will be used exclusively to process the contact and the subsequent communication. There is no disclosure of data to third parties in this context. If we use the data for other purposes, we obtain the consent of the user in advance.
Analysis OpenProject uses the following analysis tools to evaluate user access to the OpenProject platform:
9. Use of social media
On our websites we link the following social media networks:
- Facebook: https://www.facebook.com/policy
- YouTube: https://policies.google.com/privacy
- Twitter: https://twitter.com/privacy
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
Through the mere linking, these providers cannot technically set cookies or process personally identifiable information unless the links are used.
10. Technical and organizational security measures
OpenProject uses technical and organizational security measures to protect the personal data of users against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are constantly being improved in line with technical developments.
An overview of the technical and organizational measures can be found here.
11. Rights of the data subject
If OpenProject processes your personal data, you are regarded as the data subject pursuant to Art. 4 No. 1 DS-GVO with the following rights vis-à-vis OpenProject:
Right of
You may request confirmation from us in accordance with Art. 15 DS-GVO whether personal data concerning you is processed by us. If we process your personal data, you can ask us for information about the following:
- the purposes of the processing;
- the categories of your personal information we process;
- the recipients or categories of recipients to whom we have disclosed or will disclose your personal information;
- (if possible) the planned duration for which we store your personal data or, if this communication is not possible, the criteria for determining the retention period;
- the existence of a right to rectification or deletion of personal data concerning you, a right to restriction of our processing or a right of objection to such processing;
- the existence of a right of appeal to a supervisory authority;
- all available information about the origin of the data, if the personal data was not collected from you;
- the existence of automated decision-making including profiling (Article 22 (1) and (4) DS-GVO) and – at least in these cases – meaningful information about the logic involved and the implications and consequences of such processing for you.
You have the right to request information about whether the personal data relating to you are transferred to a third country or an international organization. In this regard, you can request the appropriate safeguards in accordance with Art. 46 DS-GVO in connection with the transfer.
13.2 Right to correction
According to Art. 16 DS-GVO, you have the right to demand the correction and / or completion of incorrect personal data concerning you.
13.3 Right to delete
According to Art. 17 DS-GVO, you may request that your personal data be deleted immediately. We are required to delete your information immediately if one of the following is true:
- Your personal information is no longer necessary for the purposes for which it was collected or otherwise processed.
- You revoke your consent, on which we base the processing according to Art. 6 (1) a DS-GVO or Art. 9 (2) a DS-GVO, and there is no other legal basis for the processing.
- In accordance with Art. 21 para. 1 DS-GVO, you object to the processing, and there are no legitimate reasons for the processing, or you object to the processing in accordance with Art. 21 (2) DS-GVO.
- Your personal data has been processed unlawfully.
- The deletion of your personal data is required to fulfill a legal obligation under Union or national law to which we are subject.
- Your personal data were collected in relation to information society services offered pursuant to Art. 8 para. 1 DS-GVO.
If we have made your personal data public and we are obliged to delete them in accordance with Article 17 paragraph 1 DS-GVO, we shall take appropriate measures, including technical ones, taking into account the implementation costs, to inform the data controllers who process the personal data that you as the data subject have requested the deletion of all links to your personal data or of copies or replications of your personal data.
The right to erasure does not exist insofar as the processing is necessary
- to exercise the right to freedom of expression and information;
- to fulfill a legal obligation to which we are subject or to perform a task of public interest or in the exercise of official authority which has been assigned to us;
- for reasons of public interest in the field of public health (Article 9 (2) and (i) and Article 9 (3) of the GDPR);
- for archival purposes of public interest, scientific or historical research purposes or for statistical purposes according to Article 89 (1) of the GDPR, insofar as the right to erasure is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
- to assert, pursue or defend rights.
13.4 Right to restriction of processing
Under the following conditions, you may demand, pursuant to Art. 18 DS-GVO, the limitation of the processing of your personal data:
- if you deny the accuracy of your personal data, for a period that allows us to verify the accuracy of the personal data;
- if the processing is unlawful and you refuse the deletion of the personal data and instead demand the restriction of the use of personal data;
- If we no longer need your personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
- if you have objected to the processing under Art. 21 (1) GDPR and it has not yet been determined whether our legitimate reasons outweigh your reasons.
If the processing of your personal data has been restricted, these data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.
13.5 Right to information
If you have asserted the right to rectification, deletion or restriction of processing against us, we are obliged under Art. 19 GDPR to inform all recipients to whom your personal data have been disclosed by us of that fact, unless this proves to be impossible or would involve a disproportionate effort. You have the right to be informed about these recipients.
13.6 Data transferability
You have the right, in accordance with Art. 20 DS-GVO, to receive your personal data provided to us in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another person responsible, without hindrance by us, if
- the processing is based on a consent (Article 6 paragraph 1 a DS-GVO or Article 9 paragraph 2 a DS-GVO) or on a contract pursuant to Art. 6 para. 1 b DS-GVO, and
- the processing takes place with the help of automated procedures.
In exercising this right, you also have the right to obtain that your personal data be transmitted directly by us to another person responsible, as far as technically feasible. Freedoms and rights of other persons may not be affected. The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority that has been delegated to us.
Right to object
According to Art. 21 DS-GVO, you have the right at any time, for reasons arising from your particular situation, to object to the processing of your personal data on the basis of Art. 6 (1) e or f DS-GVO; this also applies to profiling based on these provisions. We will no longer process your personal data unless we can demonstrate compelling legitimate reasons for our processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of asserting, exercising or defending legal claims.
13.8 Right to revoke the data protection consent declaration
You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
13.9 Automated decision on a case-by-case basis, including profiling
In accordance with Art. 22 DS-GVO, you have the right not to be subject to a decision based exclusively on automated processing – including profiling – which will have a legal effect on you or significantly affect you in a similar manner. This does not apply if the decision
- is required to conclude or to fulfill a contract between you and us,
- is permitted by law of the Union or of the Member States to which we are subject, and that legislation is adequate to safeguard your rights and freedoms and your legitimate interests, or
- is made with your express consent.
11.1 Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of alleged infringement, if you consider that the processing of your personal data by us violates the DS-GVO.
12. Responsibility for content and information
Our websites contain links to internet offers of external providers. When setting the links, we checked the contents of the Internet offers of external providers for violations of applicable civil or criminal law. However, it cannot be ruled out that these contents are subsequently changed by the respective providers. If you believe that linked external sites infringe applicable law or have any other inappropriate content, please let us know. We will review your notice and remove the external link if necessary. OpenProject is not responsible for the content and availability of the linked external websites.