Thank you for your interest in OpenProject. Data protection and security are of central importance at our company. With that in mind, we take the task of protecting your personal data very seriously.
In general, it is possible to use our website without providing any personal data. However, if a data subject wishes to take advantage of our special services, it may be necessary to process personal data. This data is always processed in accordance with the General Data Protection Regulation and in accordance with applicable national data protection regulations.
We have implemented numerous technical and organisational measures to ensure that the personal data processed via this website is protected as fully as possible. Nevertheless, transmission via the Internet may have security gaps, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means.
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws and data protection regulations is:
T: +49 30 288 777 07
The data protection officer for OpenProject GmbH is:
Mr Ingo Wolff
Walbecker Straße 53
T: +49 2831 121910
Any data subject may contact our data protection officer directly at any time with any questions or suggestions regarding data protection.
1. General information about data processing
1.1 Processing personal data and its purpose
OpenProject GmbH (hereinafter “OpenProject” or “we”) processes personal user data only to the extent necessary to provide a functional website along with our content and services. The following data is processed when you visit our website:
- The user’s IP address
- The user’s browser (type, version, language)
- The user’s operating system
- The user’s Internet service provider
- The date and time of access to our website
- Files accessed on our website
- The website from which the user reached our website
- Websites that the user accesses via our website
The processing and temporary storage of the user’s IP address is necessary to enable the website to be delivered to the user’s computer. To this end, the user’s IP address must be stored for the duration of the session. The log files contain IP addresses or other data that allows for the identification of a user. Data is stored in log files to ensure the functionality of the website. In addition, this data helps to optimise our website and to ensure the security of our information technology systems.
Any use of personal data is confined to the purposes stated above, and is only undertaken to the extent necessary for these purposes. This data is not used for advertising, customer service or market research purposes.
1.2 Legal bases for processing personal data
As a rule, the processing of users’ personal data is undertaken with the respective user’s consent. An exception applies in such cases where prior consent cannot be obtained for circumstantial reasons and where we are permitted by law to process the data. Data and log files are stored on the basis of Art. 6(1)(f) GDPR.
1.3 Data erasure and retention period
The personal data of a data subject will be erased or blocked by us as soon as the purpose for which it was retained ceases to apply. In the case of data processing for the provision of the website, erasure takes place when the respective session has ended. If personal data is stored in log files, it will be erased after seven days at the latest. Further storage is possible if the IP addresses of the respective users are erased or modified, so that it is not possible to associate the IP address with the requesting client.
- Language settings (website)
- Session cookie – required for registration
- GA/GTM Cookies
Cookies are used to make our website user-friendly. The legal basis for processing personal data using cookies is Art. 6(1)(f) GDPR. Cookies are stored on the user’s computer and transmitted to our site from there. Users may deactivate or restrict the transmission of cookies by changing the settings on their web browser. Cookies that have already been saved can be deleted at any time. If cookies are deactivated for our website, it may no longer be possible to use all functions of our websites to their full extent.
3. Web analytics
This data is only used to create the user account and to send notification e-mails from the application. This also applies to creating an account on the community platform community.openproject.com.
A billing address will also be stored for the fee-based cloud service.
We offer our cloud customers a contract data processing agreement (DPA), which governs our data protection and security obligations in relation to our customers in accordance with Art. 28 GDPR. Please download the OpenProject Contract Data Processing Agreement (DPA) and send a signed copy to:
Security and Data Privacy
5. Sending newsletters
Users can subscribe to a free newsletter on our website. To receive the newsletter, users need only provide their e-mail address. The provision of further, separately marked data is voluntary and is used so that we can address you personally. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by a data subject using the double-opt-in procedure before the newsletter is sent for the first time.
Users can unsubscribe at any time, for example via a link at the end of each newsletter. Alternatively, you are welcome to send your request to unsubscribe to email@example.com by e-mail at any time.
The newsletter is sent via “MailChimp”, a newsletter distribution platform from US-based provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The e-mail addresses of our newsletter recipients, as well as additional data they have entered voluntarily, are stored on MailChimp’s server in the United States. MailChimp uses this information to send and analyse the newsletter on our behalf. Furthermore, MailChimp can use this data along with its own information to optimise or improve its own services, e.g. to technically optimise the sending and presentation of the newsletter or for business purposes, in order to determine from what countries the recipients originate. However, MailChimp does not use the data of our newsletter recipients to contact recipients directly, nor does it pass the information on to third parties.
6. Contact form and contacting us by e-mail
Our website includes a contact form that may be used to contact us electronically. If a user makes use of this option, the data entered in the input screen will be transmitted to us and stored:
- First name
- Last name
- E-mail address
- Telephone number
- Number of employees (voluntary)
- Text entered by the user in the text box (voluntary).
In addition, the following data is stored when the message is sent:
- The user’s IP address
- Date and time the message was sent.
In advance of data processing, we obtain the user’s consent as part of the sending process. Alternatively, you may contact us via the e-mail address provided for this purpose. In this case, we store the user’s personal data that is transmitted along with the e-mail. The legal basis for the processing of data is Art. 6(1)(a) GDPR if the user has given their consent. If personal data is transmitted in the context of sending an e-mail, Art. 6(1)(f) GDPR provides the legal basis. If the intent of the e-mail is to conclude a contract, then Art. 6(1)(b) GDPR provides an additional legal basis for processing the data. The data will only be used to process your contact enquiry and the subsequent communication. The data will not be disclosed to third parties in this context. Personal data entered into the contact form, and data sent by e-mail, will be erased when the respective communication with the user is terminated, i.e. as soon as it can be inferred from the circumstances that the matter at hand has been conclusively resolved. Additional personal data collected during the sending process will be erased after a period of seven days at the latest.
The user can withdraw their consent to the processing of personal data at any time. A user who has contacted us by e-mail can object at any time to the retention of their personal data. In such cases, the contact enquiry will not be processed and it will not be possible to continue the respective conversation. All personal data retained when establishing contact with us will be erased in such cases.
7. Use of social media
We incorporate social media plug-ins from social networks Facebook, Google+, Twitter, YouTube, LinkedIn and Pinterest on our website. They establish a connection to the respective service provider. Data concerning the user’s browser behaviour is transmitted in this context. When users click on one of the plug-ins, personal data (user’s IP address and the web address (URL) of the page currently being viewed by the user, including time and location) is transferred to the respective service provider and processed there. Additional information on data processing can be found in the privacy policies of the respective service providers:
- Facebook: https://de-de.facebook.com/policy.php
- Google+: https://policies.google.com/privacy?hl=de&gl=de
- Twitter: https://twitter.com/de/privacy#update
- Pinterest: https://policy.pinterest.com/de/privacy-policy
- LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=de_DE
Users who are members of the social networks referred to above who do not wish user data to be collected by the respective social network via our website, must log out of their respective social media account before visiting our website.
OpenProject employs technical and organisational security measures to protect users’ personal data against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures are continuously improved in line with technological developments.
9. Rights of data subjects
If OpenProject processes your personal data, you are a data subject pursuant to Art. 4(1) GDPR with the following rights in relation to OpenProject:
9.1 Right to information
In accordance with Art. 15 GDPR, you can ask us to confirm whether we process personal data concerning you. In the event we do process your personal data, you can request the following information from us:
- The processing purposes;
- The categories of personal data we process;
- The recipients or categories of recipients to whom your personal data has been or will be disclosed;
- Where possible, the envisaged period for which we will retain your personal data, or, if not possible, the criteria used to determine that period;
- The existence of a right to rectification or erasure of your personal data, a right to restrict processing by the controller, or the right to object to such processing;
- The existence of the right to lodge a complaint with a supervisory authority;
- Any available information about the origin of the data, unless the personal data was collected from you;
- The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the rationale involved, as well as the significance and envisaged consequences of such processing for you.
You also have the right to know whether your personal data has been transmitted to a third country or to an international organization. In this respect, you can request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.
9.2 Right to rectification
In accordance with Art. 16 GDPR, you have the right to request us to correct and/or complete any inaccurate personal data concerning you.
9.3 Right to erasure
In accordance with Art. 17 GDPR, you may request that we erase your personal data without undue delay. We are obliged to erase this data immediately if one of the following applies:
- Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- You withdraw your consent upon which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and no other legal ground for the processing applies.
- You object to processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to processing pursuant to Article 21(2) GDPR.
- Your personal data has been unlawfully processed.
- The erasure of your personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject.
- Your personal data was collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
If we have made your personal data public and we are obliged to erase it in accordance with Art. 17(1) GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the erasure of all links to this personal data or of copies or replications of this personal data.
The right to erasure does not apply insofar as processing is necessary:
- To exercise the right of freedom of expression and information;
- To perform a legal obligation which requires such processing under the applicable laws of the Union or of the Member States or to perform a task in the public interest or in the exercise of official authority vested in us;
- For reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
- For archiving purposes in the interest of public, scientific, or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, to the extent that the law referred to above is likely to render impossible or seriously prejudice the attainment of the objectives of such processing; or
- To establish, exercise, or defend legal claims.
9.4 Right to restriction of processing
Under the following conditions, you may request that the processing of your personal data be restricted pursuant to Art. 18 GDPR:
- If you dispute the accuracy of your personal data for a period of time that enables us to verify the accuracy of the personal data;
- If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- If we no longer need your personal data for the purpose of data processing, but you require it to establish, exercise, or defend legal claims; or
- If you have objected to the processing in accordance with Art. 21(1) GDPR and it has not yet been verified whether our legitimate reasons override yours.
Where processing of personal data that concerns you has been restricted, such data – apart from being retained – may be processed only with your consent or for the purpose of establishing, exercising, or defending legal claims or protecting the rights of another natural or legal person or on the grounds of an important public interest of the Union or of a Member State. If the restriction of processing has been implemented in accordance with the above conditions, you will be informed by us before the restriction is lifted.
9.5 Right to notification
If you have exercised your right to have your data rectified or erased, or have asked for its processing to be restricted, pursuant to Art. 19 GDPR we are obliged to provide notice of the same to all recipients to whom your data has been disclosed, unless this proves impossible or involves a disproportionate effort. It is your right to have us inform you regarding such recipients.
9.6 Right to data portability
Pursuant to Art. 20 GDPR, you have the right to obtain personal data you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another data controller without any interference from us, provided that
- Processing is based on consent (Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR) or based on a contract pursuant to Art. 6(1)(b) GDPR and
- Processing is carried out by automated means.
In exercising this right, you also have the right to request that personal data concerning you be transferred directly by us to another controller, insofar as this is technically feasible. The exercise of this right may not adversely affect the rights and freedoms of others. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
9.7 Right to object
Pursuant to Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. We will then no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
9.8 Right to withdraw consent
You have the right to withdraw any consent you have provided us under data protection law at any time. Such a withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9.9 Automated decision in individual cases, including profiling
Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- Is necessary for entering into, or performance of, a contract between you and us;
- Is authorised by Union or Member State law to which we are subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- Is made based on your explicit consent.
9.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of your personal data infringes the GDPR.
10. Responsibility for content and information
Our website contains links to online content provided by third parties. When creating the respective link, we checked the online content provided by third parties to determine whether it violated applicable civil or criminal law. However, it cannot be ruled out that such content may be subsequently changed by the respective providers. If you are of the opinion that external sites for which links have been provided violate applicable law or have other inappropriate content, please let us know. We will follow up on your information and remove the external link if necessary. OpenProject is not responsible for the content and availability of external websites to which links have been provided.
Last updated: May 2018
For more information regarding GDPR compliance, please also visit our Security and data privacy statement.