Privacy Policy

Thank you for your interest in OpenProject. Data protection and security are of central importance at our company. With that in mind, we take the task of protecting your personal data very seriously.

In general, it is possible to use our website without providing any personal data. However, if a data subject wishes to take advantage of our special services, it may be necessary to process personal data. This data is always processed in accordance with the General Data Protection Regulation and in accordance with applicable national data protection regulations.

We have implemented numerous technical and organisational measures to ensure that the personal data processed via this website is protected as fully as possible. Nevertheless, transmission via the Internet may have security gaps, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means.

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws and data protection regulations is:

OpenProject GmbH

Karl-Liebknecht-Str. 5
10178 Berlin
T: +49 30 288 777 07
E-Mail: info[at]openproject.com

The data protection officer for OpenProject GmbH is:

Mr Ingo Wolff
tacticx GmbH
Walbecker Straße 53
47608 Geldern
T: +49 2831 121910
E-mail: security[at]openproject.com

Any data subject may contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

1. General information about data processing

1.1 Processing personal data and its purpose

OpenProject GmbH (hereinafter “OpenProject” or “we”) processes personal user data only to the extent necessary to provide a functional website along with our content and services. The following data is processed when you visit our website:

  • The user’s IP address
  • The user’s browser (type, version, language)
  • The user’s operating system
  • The user’s Internet service provider
  • The date and time of access to our website
  • Files accessed on our website
  • The website from which the user reached our website
  • Websites that the user accesses via our website

The processing and temporary storage of the user’s IP address is necessary to enable the website to be delivered to the user’s computer. To this end, the user’s IP address must be stored for the duration of the session. The log files contain IP addresses or other data that allows for the identification of a user. Data is stored in log files to ensure the functionality of the website. In addition, this data helps to optimise our website and to ensure the security of our information technology systems.

Any use of personal data is confined to the purposes stated above, and is only undertaken to the extent necessary for these purposes. This data is not used for advertising, customer service or market research purposes.

1.2 Legal bases for processing personal data

As a rule, the processing of users’ personal data is undertaken with the respective user’s consent. An exception applies in such cases where prior consent cannot be obtained for circumstantial reasons and where we are permitted by law to process the data. Data and log files are stored on the basis of Art. 6(1)(f) GDPR.

1.3 Data erasure and retention period

The personal data of a data subject will be erased or blocked by us as soon as the purpose for which it was retained ceases to apply. In the case of data processing for the provision of the website, erasure takes place when the respective session has ended. If personal data is stored in log files, it will be erased after seven days at the latest. Further storage is possible if the IP addresses of the respective users are erased or modified, so that it is not possible to associate the IP address with the requesting client.

2. Cookies

We use cookies in several instances on our websites and for our Cloud Edition. A cookie may be stored on the user’s operating system if a user visits one of our web pages. A cookie contains a distinctive character string that enables unique identification of the browser when the website is accessed again. The following data is stored and transmitted in cookies:

  • Language settings (website)
  • Session cookie – required for registration
  • GA/GTM Cookies

Cookies are used to make our website user-friendly. The legal basis for processing personal data using cookies is Art. 6(1)(f) GDPR. Cookies are stored on the user’s computer and transmitted to our site from there. Users may deactivate or restrict the transmission of cookies by changing the settings on their web browser. Cookies that have already been saved can be deleted at any time. If cookies are deactivated for our website, it may no longer be possible to use all functions of our websites to their full extent.

3. Web analytics

Our website uses Google Analytics, a web analytics service provided by Google, Inc. No personal user profiles are created; only anonymous statistical values are collected. The purpose of web analysis is to improve the quality of our website and its content. Google Analytics also uses cookies (see above), which enables the analysis of the use of our website. Web analysis can be prevented by the user of the website by deactivating JavaScript and cookies in their web browser: Opt out from Google Analytics. Details regarding the settings required for this can be found in the product descriptions and instructions of the various browser providers. Data processing is performed in this context on the basis of Art. 6(1)(a) GDPR.

4. Software-as-a-Service

You may use OpenProject as Software-as-a-Service in the cloud. You can create an OpenProject entity via our website. In order to create an account, we need your first and last name as well as your e-mail address. Alternatively, you can log in using your Google account. Google’s privacy policy may be found here.
This data is only used to create the user account and to send notification e-mails from the application. This also applies to creating an account on the community platform community.openproject.com.
A billing address will also be stored for the fee-based cloud service.
Invoicing is handled by BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt, Germany. The BS Payone privacy policy may be found here.

Our application and database servers are hosted by Amazon Web Services (AWS) in Ireland. AWS is certified under the US-EU data protection agreement “Privacy Shield” and is thus committed to complying with EU data protection regulations. Furthermore, we have concluded a “Data-Processing-Agreement” with AWS. This is a contract in which AWS undertakes to protect our users’ data, to process it on our behalf in accordance with its data protection policies, and, in particular, not to pass it on to third parties. The AWS privacy policy may be found here.

We offer our cloud customers a contract data processing agreement (DPA), which governs our data protection and security obligations in relation to our customers in accordance with Art. 28 GDPR. Please download the OpenProject Contract Data Processing Agreement (DPA) and send a signed copy to:
security@openproject.com

OpenProject GmbH
Security and Data Privacy
Karl-Liebknecht-Str. 5
10178 Berlin

5. Sending newsletters

Users can subscribe to a free newsletter on our website. To receive the newsletter, users need only provide their e-mail address. The provision of further, separately marked data is voluntary and is used to be able to address you personally. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by a data subject using the double-opt-in procedure before the newsletter is sent for the first time.

Users can unsubscribe at any time, for example via a link at the end of each newsletter. Alternatively, you are welcome to send your request to unsubscribe to info@openproject.com by e-mail at any time.

The newsletter is sent via “MailChimp”, a newsletter distribution platform from US-based provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The e-mail addresses of our newsletter recipients, as well as additional data they have entered voluntarily, are stored on MailChimp’s server in the United States. MailChimp uses this information to send and analyse the newsletter on our behalf. Furthermore, MailChimp can use this data along with its own information to optimise or improve its own services, e.g. to technically optimise the sending and presentation of the newsletter or for business purposes, in order to determine from what countries the recipients originate. However, MailChimp does not use the data of our newsletter recipients to contact recipients directly, nor does it pass the information on to third parties.
We trust in the reliability and IT/data security of MailChimp. MailChimp is certified under the US-EU data protection agreement “Privacy Shield” and is thus committed to complying with EU data protection regulations. Furthermore, we have concluded a “Data Processing Agreement” with MailChimp. This is a contract in which MailChimp undertakes to protect our users’ data, to process it on our behalf in accordance with its data protection policies, and, in particular, not to pass it on to third parties. The MailChimp privacy policy may be found here.

6. Contact form and contacting us by e-mail

Our website includes a contact form that may be used to contact us electronically. If a user makes use of this option, the data entered in the input screen will be transmitted to us and stored:

  • First name
  • Last name
  • E-mail address
  • Telephone number
  • Organisation
  • Number of employees (voluntary)
  • Text entered by the user in the text box (voluntary).

In addition, the following data is stored when the message is sent:

  • The user’s IP address
  • Date and time the message was sent.

In advance of data processing, we obtain the user’s consent as part of the sending process. Alternatively, you may contact us via the e-mail address provided for this purpose. In this case, we store the user’s personal data that is transmitted along with the e-mail. The legal basis for the processing of data is Art. 6(1)(a) GDPR if the user has given their consent. If personal data is transmitted in the context of sending an e-mail, Art. 6(1)(f) GDPR provides the legal basis. If the intent of the e-mail is to conclude a contract, then Art. 6(1)(b) GDPR provides an additional legal basis for processing the data. The data will only be used to process your contact enquiry and the subsequent communication. The data will not be disclosed to third parties in this context. Personal data entered into the contact form, and data sent by e-mail, will be erased when the respective communication with the user is terminated, i.e. as soon as it can be inferred from the circumstances that the matter at hand has been conclusively resolved. Additional personal data collected during the sending process will be erased after a period of seven days at the latest.

We use a CRM by Pipedrive to process contact enquiries. Pipedrive’s privacy policy can be found here: Privacy Policy.

We use Calendly to schedule appointments online. This website offers an external platform for scheduling appointments. The appointment is integrated into the source code on our website via a script. By using appointment scheduling, you are automatically using services provided by Calendly.com. Data collected in this context includes: Name, IP address at the time the appointment is scheduled, agreed date and time. This data is not shared with third parties and is only used for the administration and organisation of appointments as well as for internal statistics. By scheduling appointments using this function, you agree to the foregoing use. The Calendly privacy policy may be found here (in English): https://calendly.com/pages/privacy.

To protect your enquiries via the contact form, we use the reCAPTCHA service provided by Google Inc. (Google). The prompt helps to discern whether the input is made by a person or via unauthorised automated machine processing. This service involves sending Google the IP address and any other data required by Google for the reCAPTCHA service. For this purpose, your input will be transmitted to Google and used there. However, if IP anonymisation is activated on this website, your IP address will first be shortened by Google within member states of the European Union or in other contracting parties of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and shortened there. Google will use this information to evaluate your use of this service on behalf of the operator of this website. The IP address transmitted by your browser as part of reCAPTCHA is not associated with other Google data. This data is subject to the Google Inc. privacy policy. For more information about Google’s privacy policy, please visit: https://www.google.com/intl/de/policies/privacy/.

The user can withdraw their consent to the processing of personal data at any time. A user who has contacted us by e-mail can object at any time to the retention of their personal data. In such cases, the contact enquiry will not be processed and it will not be possible to continue the respective conversation. All personal data retained when establishing contact with us will be erased in such cases.

7. Use of social media

We incorporate social media plug-ins from social networks Facebook, Google+, Twitter, YouTube, LinkedIn and Pinterest on our website. They establish a connection to the respective service provider. Data concerning the user’s browser behaviour is transmitted in this context. When users click on one of the plug-ins, personal data (user’s IP address and the web address (URL) of the page currently being viewed by the user, including time and location) is transferred to the respective service provider and processed there. Additional information on data processing can be found in the privacy policies of the respective service providers:

Users who are members of the social networks referred to above who do not wish user data to be collected by the respective social network via our website, must log out of their respective social media account before visiting our website.

We make YouTube videos available on our website. They are embedded in our website by integrating the URL with iframes in extended data protection mode. As a result, the domain will be replaced by the official YouTube nocookie domain. According to current information provided by YouTube, information about visitors to the website is only stored if they play the video, but not if they simply access a webpage in which a video is integrated. Additional information about YouTube’s collection and use of data, and rights for protecting user privacy, can be found in the relevant privacy policy https://policies.google.com/privacy.

8. Security

OpenProject employs technical and organisational security measures to protect users’ personal data against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures are continuously improved in line with technological developments.

9. Rights of data subjects

If OpenProject processes your personal data, you are a data subject pursuant to Art. 4(1) GDPR with the following rights in relation to OpenProject:

9.1 Right to information

In accordance with Art. 15 GDPR, you can ask us to confirm whether we process personal data concerning you. In the event we do process your personal data, you can request the following information from us:

  • The processing purposes;
  • The categories of personal data we process;
  • The recipients or categories of recipients to whom your personal data has been or will be disclosed;
  • Where possible, the envisaged period for which we will retain your personal data, or, if not possible, the criteria used to determine that period;
  • The existence of a right to rectification or erasure of your personal data, a right to restrict processing by the controller, or the right to object to such processing;
  • The existence of the right to lodge a complaint with a supervisory authority;
  • Any available information about the origin of the data, unless the personal data was collected from you;
  • The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the rationale involved, as well as the significance and envisaged consequences of such processing for you.

You also have the right to know whether your personal data has been transmitted to a third country or to an international organization. In this respect, you can request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.

9.2 Right to rectification

In accordance with Art. 16 GDPR, you have the right to request us to correct and/or complete any inaccurate personal data concerning you.

9.3 Right to erasure

In accordance with Art. 17 GDPR, you may request that we erase your personal data without undue delay. We are obliged to erase this data immediately if one of the following applies:

  • Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • You withdraw your consent upon which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and no other legal ground for the processing applies.
  • You object to processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to processing pursuant to Article 21(2) GDPR.
  • Your personal data has been unlawfully processed.
  • The erasure of your personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject.
  • Your personal data was collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

If we have made your personal data public and we are obliged to erase it in accordance with Art. 17(1) GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the erasure of all links to this personal data or of copies or replications of this personal data.

The right to erasure does not apply insofar as processing is necessary

  • To exercise the right of freedom of expression and information;
  • To perform a legal obligation which requires such processing under the applicable laws of the Union or of the Member States or to perform a task in the public interest or in the exercise of official authority vested in us;
  • For reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
  • For archiving purposes in the interest of public, scientific, or historical research purposes or for statistical purposes pursuant to Art. 89(1) GDPR, to the extent that the law referred to above is likely to render impossible or seriously prejudice the attainment of the objectives of such processing; or
  • To establish, exercise, or defend legal claims.

9.4 Right to restriction of processing

Under the following conditions, you may request that the processing of your personal data be restricted pursuant to Art. 18 GDPR:

  • If you dispute the accuracy of your personal data for a period of time that enables us to verify the accuracy of the personal data;
  • If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
  • If we no longer need your personal data for the purpose of data processing, but you require it to establish, exercise, or defend legal claims; or
  • If you have objected to the processing in accordance with Art. 21(1) GDPR and it has not yet been verified whether our legitimate reasons override yours.

Where processing of personal data that concerns you has been restricted, such data – apart from being retained – may be processed only with your consent or for the purpose of establishing, exercising, or defending legal claims or protecting the rights of another natural or legal person or on the grounds of an important public interest of the Union or of a Member State. If the restriction of processing has been implemented in accordance with the above conditions, you will be informed by us before the restriction has been lifted.

9.5 Right to notification

If you have exercised your right to have your data rectified or erased, or have asked for its processing to be restricted, pursuant to Art. 19 GDPR we are obliged to provide notice of the same to all recipients to whom your data has been disclosed, unless this proves impossible or involves a disproportionate effort. It is your right to have us inform you regarding such recipients.

9.6 Right to data portability

Pursuant to Art. 20 GDPR, you have the right to obtain personal data you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another data controller without any interference from us, provided that

  • Processing is based on consent (Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR) or based on a contract pursuant to Art. 6(1)(b) GDPR and
  • Processing is carried out by automated means.

In exercising this right, you also have the right to request that personal data concerning you be transferred directly by us to another controller, insofar as this is technically feasible. The exercise of this right may not adversely affect the rights and freedoms of others. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

9.7 Right to object

Pursuant to Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. We will then no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

9.8 Right to withdraw consent

You have the right to withdraw any consent you have provided us under data protection law at any time. Such a withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9.9 Automated decision in individual cases, including profiling

Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

  • Is necessary for entering into, or performance of, a contract between you and us;
  • Is authorised by Union or Member State law to which we are subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • Is made based on your explicit consent.

9.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of your personal data infringes the GDPR.

10. Responsibility for content and information

Our website contains links to online content provided by third parties. When creating the respective link, we checked the online content provided by third parties to determine whether it violated applicable civil law or criminal laws. However, it cannot be ruled out that such content may be subsequently changed by the respective providers. If you are of the opinion that external sites for which links have been provided violate applicable law or have other inappropriate content, please let us know. We will follow up on your information and remove the external link if necessary. OpenProject is not responsible for the content and availability of external websites to which links have been provided.

11. Integration and validity of the Privacy Policy

By using our website, you agree to the data processing described above. This Privacy Policy applies only to the content provided by OpenProject. Different data protection and data security policies apply to external content to which links have been provided. Please consult the relevant legal notices for information about who is responsible for such content.

It may become necessary to change our Privacy Policy in light of enhancements made to our website or the implementation of new technologies. We therefore reserve the right to amend our Privacy Policy at any time with future effect. The version available at the time of your visit to our website applies in all cases.

Last updated: May 2018

For more information regarding GDPR compliance, please also visit our Security and data privacy statement.