The English version of this document is provided for your convenience only. The German version of this document will govern our relationship.
Data protection and information security play a key role at our organisation and represent a primary motivation for the development of this open source software.
OpenProject GmbH satisfies all of the requirements of the European General Data Protection Regulation.
The purpose of the OpenProject application is to improve the output of a project team. The objective is to network people so that they can collaborate effectively to achieve a shared goal. In this context, processing personal data is an essential requirement for using the OpenProject application.
The primary advantage of the OpenProject application as open source software is the great degree of freedom that an open source licence provides to users and developers. This enables every user to view and modify the software’s source code and install and operate it in their own infrastructure.
Another major advantage is the portability of the OpenProject application and the data processed within the application. In this way, the owner of the data can decide which infrastructure they will operate the software on and whether to assign operation and maintenance to a commissioned processor. The application therefore differs considerably from proprietary cloud applications where the vendor does not allow this choice.
The development of OpenProject as open source software is the most critical and most extensive technical and organisational measure for protecting your personal data. This means that every OpenProject user can decide for themselves whether they want to transmit personal data to us.
Certain personal data must be processed when a visitor visits our website, contacts us, uses our SaaS platform, or uses our software delivery service.
This data is always processed in accordance with the General Data Protection Regulation and in accordance with applicable national data protection regulations.
We have implemented numerous technical and organisational measures to ensure that your personal data subject to processing is protected as fully as possible. Nevertheless, all technologies have security gaps such that absolute protection cannot be guaranteed.
1. General information
- Visiting our website and contacting us
- Use of our SaaS platform
- Use of our community platform
- Use of our Release API
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws and data protection regulations is:
T: +49 30 288 777 07
The data protection officer for OpenProject GmbH is:
Mr Ingo Wolff
T: +49 2831 121910
1.3 Legal bases for processing personal data
As a rule, personal data from our users is processed on the basis of their consent. An exception applies in cases where prior consent cannot be obtained for reasons of circumstance or processing the data concerned is required by law. Data and log files are stored on the basis of Art. 6(1)(f) GDPR.
1.4 Data erasure and retention period
The personal data of a data subject will be erased or blocked by us as soon as the purpose for which it was retained ceases to apply or the statutory retention period has lapsed.
2. Access and activity logs
General log data, i.e. server logs, is collected automatically each time the platforms described in Section 1.1 are accessed.
Without this data, it would, to some extent, not be technically possible to operate the platforms. In addition, processing this data is absolutely necessary for security reasons, in particular for access, input, transfer and storage control. Furthermore, this anonymous information can be used for statistical purposes as well as for optimising our services and technology. The log files may also be subsequently checked and evaluated in the event illegal use of the website is suspected. In this context, the legal basis is found in section 15 (1) Telemedia Act and Art. 6(1)(f) GDPR.
General data is collected such as the domain name of the website, the web browser and web browser version, the operating system, the IP address and the time stamp for access to the website.
These access logs are retained for up to 90 days. There is no right to object.
3. Error logs
So-called error logs are created in order to identify and resolve errors. This is essential in order to be able to react as promptly as possible to potential problems with the use and operation of the platforms (legitimate interest in accordance with section 15 (1) Telemedia Act and Art. 6(1)(f) GDPR).
General data is collected in the event of an error message such as the domain name of the website, the web browser and web browser version, the operating system, the IP address and the time stamp for the occurrence of the relevant error message/specification.
These error logs are retained for up to 90 days. There is no right to object.
We use so-called cookies in connection with the OpenProject platform. These are small text files that are stored on the device you use to access the platform. A cookie contains a distinctive character string that enables unique identification of the browser when the website is accessed again. The legal basis for processing personal data using cookies is Art. 6(1)(f) GDPR.
Cookies are used in particular to ensure security when visiting a website or web application (‘essential’) and to implement certain functionalities such as standard language settings (‘functional’). In addition, cookies are also used for purposes of web analysis (see the ‘Web analytics’ section).
Using your browser settings, you can determine whether to allow cookies or to object to their use. Please note that disabling cookies may result in limitations to the functionality of this website or may prevent your use of the website entirely.
5. Use of the Release API
The Release API allows users of a self-hosted OpenProject application to check whether a new version of the Community Edition or Enterprise Edition has been released. The purpose of this function is to prevent defective or insecure OpenProject applications.
An update banner is displayed on the start page of the OpenProject application and on the administrator page for users with administrator rights. This banner is generated dynamically via a request to the Release API and ascertains the status and availability of a new version using anonymous installation data.
Accessing the Release API includes the following information in order to be able to display the availability of new versions:
- The type of installation packets used: installation packets, docker, manual installation;
- The current version of the application;
- The database version;
- Whether the installation includes an active Enterprise Edition.
The access also contains a random, unique identification code for the installation in order to avoid counting accesses twice.
No personal data is processed as part of the Release API banner. However, data such as the IP address as well as the type and version of the browser are stored as server logs for a maximum of 90 days on technical grounds.
In order to disable Release API access, uncheck the box under ‘Administration > System settings > General > Display update security badge’ or set the configuration guideline ‘security_badge_displayed: false’.
6. Use of the OpenProject SaaS platform
Visitors to our website may create their own OpenProject instance on our SaaS platform.
In accordance with the requirements of Art. 28 of the German Data Protection Ordinance (DSGVO) OpenProject GmbH (the Processor) offers our customers (the controller) a Supplemental agreement for contract data processing pursuant to Article 28 GDPR. This contract data processing agreement governs the obligations of the contracting parties with regard to data protection arising under the service agreement, including product descriptions.
7. Use of the OpenProject community platform
OpenProject operates a publicly accessible OpenProject instance within the OpenProject SaaS platform in order to network the open source community and for purposes of making advancements to the OpenProject application. Registration and use of the instance are optional.
The legal basis for processing data in this context is Art. 6(1)(f) GDPR. We have a legitimate interest in protecting our websites from unauthorised automated spying and spamming.
8. Use of third-party tools and sub-contractors
We use third-party providers who also process personal data in order to provide and continuously improve our offerings. We have carefully selected these sub-contractors in accordance with the provisions of the GDPR. You may access a list of our sub-contractors here.
8.1 Newsletter distribution
You can subscribe to a free newsletter on our web platform. To receive the newsletter, you must provide your email address and a name. The provision of further, separately marked information is voluntary and is used to be able to address you personally. You can unsubscribe at any time, for example via the link provided at the end of each newsletter.
The legal basis for processing personal data in this regard is Art. 6(1)(a) GDPR. We will store the user’s personal data for as long as the subscription to the newsletter is active. Consent may be withdrawn at any time by clicking the relevant link included in every newsletter. In such cases, personal data will then be deleted immediately.
8.2 Contact form and email contact
Users may use a contact form on our website to contact us electronically. This form is likewise provided, and data is processed, via a technical platform from US-based provider HubSpot.
The legal basis for processing data in each case is Art. 6(1)(f) GDPR. The data will only be used to process your contact enquiry and the subsequent communication. This data will not be shared with any third parties in this context. If we use the data for other purposes, we will obtain the user’s consent in advance.
8.3 Web analytics
OpenProject uses the following analytical tools to evaluate user visits to the OpenProject platform:
9. Use of social media
Our website includes links to the following social media networks:
- Facebook: https://www.facebook.com/policy
- YouTube: https://policies.google.com/privacy
- Twitter: https://twitter.com/privacy
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
These providers cannot set any cookies or process personal data by virtue of the link itself without your use of the link concerned.
10. Technical and organisational security measures
OpenProject employs technical and organisational security measures to protect users’ personal data against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures are improved continuously in order to meet state-of-the-art requirements.
You may access an overview of these technical and organisational measures here.
11. Rights of data subjects
If OpenProject processes your personal data, you are a data subject pursuant to Art. 4(1) GDPR with the following rights in relation to OpenProject:
11.1 Right of access
In accordance with Art. 15 GDPR, you can ask us to confirm whether we process personal data concerning you. In the event we do process your personal data, you can request the following information from us:
- The purposes of the processing;
- The categories of personal data we process;
- The recipients or categories of recipients to whom your personal data has been or will be disclosed;
- Where possible, the envisaged period for which we will retain your personal data, or, if not possible, the criteria used to determine that period;
- The existence of the right to the rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- The existence of a right to lodge a complaint with a supervisory authority;
- Any available information about the origin of the data, unless the personal data was collected from you;
- The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the rationale involved, as well as the significance and envisaged consequences of such processing for you.
You also have the right to know whether your personal data has been transmitted to a third country or to an international organisation. In this respect, you can request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.
13.2 Right to rectification
In accordance with Art. 16 GDPR, you have the right to request us to correct and/or complete any inaccurate personal data concerning you.
13.3 Right to erasure
In accordance with Art. 17 GDPR, you may request that we erase your personal data without undue delay. We are obliged to erase this data immediately if one of the following applies:
- Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- You withdraw your consent upon which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and no other legal basis for the relevant processing applies.
- You object to processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to processing pursuant to Article 21(2) GDPR.
- Your personal data has been unlawfully processed.
- The erasure of your personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject.
- Your personal data was collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
If we have made your personal data public and we are obliged to erase it in accordance with Art. 17(1) GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, such personal data.
There is no right to erasure if the processing is necessary
- To exercise the right of freedom of expression and information;
- To perform a legal obligation which requires such processing under the applicable laws of the Union or of the Member States or to perform a task in the public interest or in the exercise of official authority vested in us;
- For reasons of public interest in the area of public health (Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR);
- For archiving purposes in the interest of public, scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, to the extent that the law referred to above is likely to render impossible or seriously prejudice the attainment of the objectives of such processing; or
- For the establishment, exercise or defence of legal claims.
13.4 Right to restriction of processing
Under the following conditions, you may request that the processing of your personal data be restricted pursuant to Art. 18 GDPR:
- If you dispute the accuracy of your personal data for a period of time that enables us to verify the accuracy of the personal data;
- If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- If we no longer need your personal data for the purpose of data processing, but you require it to establish, exercise or defend legal claims; or
- If you have objected to the processing in accordance with Art. 21(1) GDPR and it has yet to be determined whether we have compelling legitimate grounds that override your interests.
If the processing of your personal data has been restricted, such data – apart from being stored – may be processed only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction has been lifted.
13.5 Right to notification
If you have exercised your right to have your data rectified or erased, or have asked for its processing to be restricted, pursuant to Art. 19 GDPR, we are obliged to provide notice of the same to all recipients to whom your data has been disclosed, unless this proves impossible or would involve a disproportionate effort. It is your right to have us inform you regarding such recipients.
13.6 Right to data portability
Pursuant to Art. 20 GDPR, you have the right to obtain personal data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without any hindrance by us, provided that:
- Processing is based on consent (Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR) or is based on a contract pursuant to Art. 6(1)(b) GDPR and
- The processing is carried out by automated means.
In exercising this right, you also have the right to request that personal data concerning you is transferred directly by us to another controller, where technically feasible. This must not adversely affect the rights and freedoms of others. The right to data portability does not apply to the processing of personal data that is required for a task that is performed in the public interest or the exercise of official authority vested in us.
13.7 Right to object
Pursuant to Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. We will then no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
13.8 Right to withdraw consent
You have the right to withdraw any consent you have provided us under data protection law at any time. Withdrawing consent has no bearing on the lawfulness of any processing performed up to the point of such withdrawal.
13.9 Automated individual decision-making, including profiling
Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- Is necessary for entering into, or the performance of, a contract between you and us;
- Is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- Is made with your explicit consent.
13.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of your personal data infringes the GDPR.
12. Responsibility for content and information
Our web pages contain links to online content provided by third parties. When creating the respective link, we checked the online content provided by third parties to determine whether it violated applicable civil law or criminal laws. However, it cannot be ruled out that such content may be subsequently changed by the respective providers. If you believe that third-party sites for which links have been provided violate applicable law or have other inappropriate content, please let us know. We will follow up on your information and remove the third-party link if necessary. OpenProject is not responsible for the content and availability of third-party websites to which links have been provided.