Privacy Policy

Version: 2020-09-08

Summary

Our systems and processes are designed around your privacy and the principle of data minimization. OpenProject GmbH meets all requirements of the EU General Data Protection Regulation.

Niels Lindenthal

Data protection and information security are of central importance in our company and are one of the main motives for the development of this open source software. We are very proud of the results so far, but we still need to reduce our “data privacy debt”. We intend to invest a lot of energy and time into this. Our goal is to bring OpenProject to perfection as a lighthouse project for “Data privacy made in Europe”. We have gone to great lengths to make this policy as clear and simple as possible. We want you to understand everything. You should not have to struggle through many pages of incomprehensible legal text. We would therefore be very pleased to receive your feedback and perhaps even an exchange of ideas on the topic of data privacy and security. In this sense, this privacy policy is also consistently subject to an open source license.

OpenProject – With Open Source and Open Mind.

Niels Lindenthal – Founder of OpenProject.org Berlin, November 2020

Preliminary comments

The purpose of the OpenProject application is to improve the results of a project team. It is about networking people so that they can work together effectively towards a common goal. The processing of personal data is a fundamental prerequisite for the use of the OpenProject application.

A considerable advantage of the OpenProject application as open source software is the great freedom that the open source license grants to users and developers. This gives every user the possibility to view the source code of this software, to modify it and to install and operate it within their own infrastructure.

Another major advantage is the portability of the OpenProject application and the data processed within it. This means that the owner of the data can decide what infrastructure to run the software on and whether to commission a data processor to operate and maintain it. This is a crucial difference to proprietary cloud applications, where the manufacturers do not grant this option.

The development of OpenProject as open source software is the most decisive and far-reaching technical and organizational measure to protect personal data. Each owner of an OpenProject database is therefore able to decide individually whether to transmit personal data to us.

If a visitor visits our website, contacts us, uses our SaaS platform or uses our software provision service, the processing of certain personal data is required.

This processing is always carried out in accordance with the General Data Protection Regulation and in compliance with German data privacy regulations.

We have implemented numerous technical and organizational measures to ensure the most complete protection of your processed personal data. Nevertheless, any technology may have security vulnerabilities, meaning that absolute protection cannot be guaranteed.

General information on data processing

Scope and area of application of this privacy policy

We process your data strictly confidentially and only for the purpose we informed you of when collecting the data. Our benchmark for processing your data is the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable data privacy regulations.

This privacy policy covers the processing of personal data by OpenProject GmbH in the following areas:

  1. Websites,
  2. Contact,
  3. Newsletter,
  4. OpenProject Enterprise Cloud (SaaS)
  5. OpenProject Enterprise On-Premises,
  6. OpenProject Community Platform,
  7. OpenProject Release API,
  8. Applications.

Controller

The Controller within the meaning of the GDPR is

OpenProject GmbH

Karl-Liebknecht-Str. 5

10178 Berlin

Telephone: +49 30 288 777 07

Email: privacy@openproject.com

GPG Key: BDCFE01EDE84EA199AE172CE7D669C6D47533958

The Data Protection Officer for OpenProject GmbH is:

Mr. David Heimburger

Friedensallee 114

22763 Hamburg

Email: dh@davidheimburger.de

GPG Key: BC5D D292 8DD3 3B95 B6F7 0272 FE3F 95A3 135C 46A1

The processing of your personal data generally takes place for the preparation or fulfilment of a corresponding contract regarding the use of our services, pursuant to Art. 6 para. 1 lit. b GDPR. Data processing based on our legitimate interest is governed by Art. 6 para. 1 lit. f GDPR. Processing based on a legitimate interest may be objected to with reference to reasons arising from your particular situation, pursuant to Art. 21 GDPR. In some cases, your consent is the legal basis, pursuant to Article 6 (1) (a) and Article 7 GDPR, which you may revoke at any time with with effect for the future by sending an email to privacy@openproject.com.

Rights of data subjects

If we process your personal data, you are a data subject within the meaning of Article 4(1) GDPR with the following rights that can be asserted against us:

  • Right of access (Article 15 GDPR),
  • Right of rectification (Article 16 GDPR),
  • Right of erasure (Article 17 GDPR),
  • Right to restriction of processing (Article 18 GDPR),
  • Right to notification (Article 19 GDPR),
  • Right to data portability (Article 20 GDPR),
  • Right of object (Article 21 GDPR),
  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR),
  • Right to withdraw your declaration of consent under data privacy law (Article 7(3) GDPR). You have the right to withdraw your consent to us at any time by sending an email to privacy@openproject.com. The withdrawal of consent will not affect the lawfulness of processing carried out based on the consent prior to withdrawal.

We would like to point out that in certain cases we may request additional information from you in order to establish your identity. For example, when exercising the right of access we can ensure that information is not released to unauthorized persons.

Right to object (Article 21 GDPR)

You have the right, for reasons of your own particular situation, to object at any time to the processing of your personal data that is performed on the basis of Article 6(1)(f) GDPR; this also applies to any profiling based on these provisions. An objection shall be send to privacy@openproject.com. We will then cease to process your personal data unless we can demonstrate compelling legitimate grounds for our processing that override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

Security

We implement technical and organizational security measures to protect your personal data from accidental or willful manipulation, loss, destruction or unauthorized access. We continuously improve our security measures in line with technological developments

Validity of the privacy policy

Due to the further development of our websites or the implementation of new technologies, it may become necessary to amend this privacy policy. We reserve the right to modify this privacy policy at any time with effect for the future. The version available at the time of your visit to the website or use of our products always applies.

Responsibility for external content

Our websites contain links to websites of external providers. We have no influence on and do not monitor whether other providers comply with the applicable data protection provisions. If you believe that linked external websites violate applicable law or contain other inappropriate content, please let us know. We will check your information and remove the external link if necessary. We are not responsible for the content and availability of linked external websites.

Access statistics (Matomo)

In the following applications we use Matomo for the compilation of access statistics:

  • Websites,
  • Community platform,
  • SaaS platform.

Matomo is an open source software started by its founder Matthieu Aubry. We use Matomo as a cloud service of the official Matomo company InnoCraft ltd, 150 Willis St, 6011 Wellington, New Zealand.

The purpose of web analysis is to improve the quality of our websites and their content. No cookies are used for this purpose.

Through the use of Matomo, no personal user profiles are created, but only statistical measurement values are collected. It is not possible to draw any conclusions about your person from the statistical data.

The personal reference in the source data is dissolved after a short time. The IP address from which the page was accessed is immediately anonymised by replacing the last digits of the address with zeros. The front digits are used for statistics on the regions from which our pages were accessed. The digital fingerprint of the device used to access our pages is deleted after 24 hours at the latest. If you visit our pages again, the new fingerprint cannot be linked to the previous one. The digital fingerprint of your device is created via JavaScript and is used by us to be able to track a user’s movements within our Internet offering.

Further information on the data protection of Matomo can be found at https://matomo.org/privacy-policy/ or for the cloud service used by us at https://matomo.org/matomo-cloud-privacy-policy/.

You can technically disable the web analysis by deactivating JavaScript in your web browser. Details on the settings required for this can be found in the product descriptions and/or instructions of the various browser providers.

You can prevent the collection of the aforementioned data and the processing thereof by installing a JavaScript blocker to prevent the collection of other website analysis data. You can object to the storage and evaluation of this data by Matomo at any time. At the bottom of this page you will find an opt-out dialog for this. In this case, a so-called opt-out cookie is permanently stored in your browser which instructs Matomo not to collect any data for storage and analysis.

Alternatively, most modern browsers have a so-called “Do Not Track” option, with which you tell websites not to track your user activities. Matomo respects this option.

The data processing is performed on the basis of Article 6(1)(f) GDPR.

Purpose of data processing

Matomo is used for the purpose of improving the quality of our website and its content. This enables us to learn how the website is used and thereby constantly optimize our offering.

Duration of the storage of your personal data

The personal data when using Matomo without cookies are stored for 24 hours.

Use of cookies

We only use cookies that are technically necessary for the use of the websites. We do not use cookies for range measurement or usage analysis. We do not use your user data collected through technically necessary cookies to create user profiles.

Necessary cookies are technically required for the proper operation of our websites. They ensure the technical stability of our websites and enable security-relevant functionalities. The cookies used do not contain any IP addresses or other information allowing a tracing back to you personally.

The processing of personal data using necessary cookies is based on Article 6(1)(f) GDPR. By using technically necessary cookies, we aim to simplify the use of our websites for you. Some functions of our websites cannot be provided without the use of cookies. For these functions, it is necessary for the browser to be recognized even after a page change. Our legitimate interest also lies in these purposes.

It is not possible to use our websites without such processing of data, i.e. you have no option to object.

1. Websites

Scope of data processing

  • https://www.openproject.org
  • https://community.openproject.org/

When you visit our websites, the following data is stored in the log files of our web server:

  • IP address,
  • Date and time of the request (time-stamp),
  • Request details and destination address (protocol version, HTTP method, referrer, UserAgent string),
  • Name of the retrieved file and transferred data volume (requested URL incl. query string, size in bytes),
  • Message as to whether the request was successful (HTTP status code),
  • Web page from which the request came,
  • Browser type or app used,
  • Operating system and its interface,
  • Language and version of the browser software.

When processing this data, we do not draw any conclusions about your person. No personal evaluation nor evaluation of the data for marketing purposes or profiling takes place.

The legal basis for the processing of the data is Article 6(1)(f) GDPR. The processing of the data is mandatory for technical purposes in order to provide our websites. It is not possible to use our websites without such processing of data.

Your data will be deleted no later than 90 days. The purpose of retention is to enable us to reconstruct the origin of an attack on our infrastructure in the event of an attack. If an attack has occurred, the data will be stored until all investigations by forensic experts commissioned by us and the law enforcement authorities have been completed.

2. Contact

You can contact us in several ways:

  • Email,
  • Contact forms on our websites,
  • Post,
  • Phone.

In the event that do you contact us, we will store your personal data transmitted to us in connection with the contact.

Email: privacy@openproject.com

GPG Key: BDCFE01EDE84EA199AE172CE7D669C6D47533958

Scope of data processing

There are contact forms on our websites, which you can use to contact us. Your personal data transmitted with the form will be stored by us. The forms mark as mandatory only those fields that are absolutely necessary for the use of the respective offering. By contacting us, the following personal data may be processed by us:

  • Name,
  • Email address,
  • Address,
  • Telephone number,
  • Company/Organization,
  • Message content and other data that arises from the content.

3. Newsletter

Scope of data processing

On our websites there is the option to subscribe to our free newsletter. When you register for our newsletter, we process the following personal in each case:

  • Name,
  • Email address,
  • IP address of the accessing computer.
  • Date and time of transmission.

Your consent for the processing of data is obtained during the registration process. We secure the registration by means of a so-called double opt-in procedure. In this way, we ensure that the email address provided in connection with the newsletter subscription is actually assigned to you. After you have entered the required data (name, email address) in the respective input fields, you will receive an automated email with an activation link. With confirmation of the link you have subscribed to our newsletter.

The dispatch of our newsletter is carried out by Odoo, a Software of Odoo S.A., Chaussee de Namur, 40 Grand-Rosiere, 1367 Belgium. We have concluded an data processing agreement with Odoo. Further information on data processing by Odoo can be found at https://www.odoo.com/gdpr.

The legal basis for the processing of your personal data in the context of our newsletter is Article 6(1)(a) GDPR.

Right of withdrawal

You have the right to withdraw your consent at any time with effect for the future without giving reasons, for example by clicking on the link to terminate your subscription contained in each mail.

Purpose of data processing

Newsletter distribution

Duration of the storage of your personal data

We store your personal data for the duration of your respective subscription to our newsletter.

4. OpenProject Enterprise Cloud (SaaS)

Visitors to our websites can create their own OpenProject entity in our SaaS platform.

Scope of data processing

Registration of a user account

To use our SaaS platform, the registration of a user account is required. In this process, we collect and process the following personal data:

  • Name,
  • Email address,
  • IP address of the accessing computer.

Creation of an OpenProject entity

For the creation of your own OpenProject entity we collect and process the following data:

  • Name of the organization,
  • URL of the OpenProject entity.

Two-factor authentication

We recommend securing access to your OpenProject entity using two-factor authentication. In this case, we collect and process the following additional security-specific settings:

  • Telephone number for sending one-time passwords via SMS,
  • OATH secret code (e.g. for the 2FA app FreeOTP).

Use of the OpenProject application

When you use your OpenProject entity, we collect and process the personal data you enter:

  • Work packages,
  • Comments,
  • Wiki pages,
  • Time booking,
  • Agendas and minutes,
  • Schedules,
  • Project news,
  • Project status information,
  • Project attributes,
  • Source text,
  • Documents and other attachments,
  • Invited users (name and email address),
  • Other user-generated content.

Product booking and billing

In your OpenProject entity you can optionally conclude a service agreement for operation, maintenance and support of your OpenProject entity. In the context of booking and contract billing, the following personal data are collected and processed:

  • Contract holder,
  • Contract data,
  • Billing data,
  • Billing address,
  • Email address for sending the invoice,
  • VAT ID,
  • Payment method.

Data processing agreement according to Article 28 GDPR

In connection with our OpenProject Enterprise Cloud (SaaS), we, as data processors, offer our customers a supplementary agreement on data processing pursuant to Article 28 GDPR. This agreement on data processing regulates the obligations of the contracting parties regarding data privacy, which arise from the service agreement together with product descriptions.

Optional authentication via external authentication providers (Google)

For authentication vis-à-vis OpenProject, you can alternatively use your existing Google account. However, we recommend that you refrain from using Google services to protect your personal data.

When registering via Google, your data will be forwarded to servers of Google Cloud EMEA Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. During this process, your IP address and other personal data will be collected by Google. You cannot therefore rule out the fact that data will also be transferred to the USA. For more information about Google’s privacy policy, please visit https://policies.google.com/privacy.

Data processing in connection with the registration of a user account, product booking and billing is based on Article 6(1)(a) GDPR.

Purpose of data processing

Data processing is carried out for the purpose of operating the SaaS platform in the context of data processing within the meaning of Article 28 GDPR.

We use the collected data to manage your user account and for product booking and billing. In this context, we pass on your data to the extent permitted by law to our sub-processors, who support us in the proper fulfillment of the contract. These companies are in turn obliged to comply with the applicable data privacy provisions. In particular, these companies may process the data exclusively for the fulfillment of their tasks on our behalf and only in accordance with our instructions.

Duration of the storage of your personal data

We process your data for the duration of our contractual relationship. This also includes the initiation of a contract (pre-contractual legal relationship). Your OpenProject entity will be automatically deleted six months after your contract expires. This includes the content entered by you. A further deletion of your data takes place after the expiration of the retention periods pursuant to tax and commercial law. These are, according to Section 147 of the German Fiscal Code (AO), a full ten years for accounting documents and according to Section 257 of the German Commercial Code (HGB), a full six years for business documents.

5. OpenProject Enterprise On-Premises

Scope of data processing

On our websites, we offer you the opportunity to place orders in our booking system or to receive a free offer in advance. In order to process the order, we process the personal data you provide during the ordering process or the offer process (including name, billing address, email address, payment data). We use the data for order processing and, if necessary, for communication with you. We pass on your data within the scope of what is legally permissible to our service providers, who support us with the billing modalities. These companies, in turn, are obligated to comply with the applicable data privacy provisions; in particular, these companies may process the data exclusively for the purpose of fulfilling their tasks on our behalf and only in accordance with our instructions.

Data processing in connection with the ordering process is based on Article 6(1)(b) GDPR.

Purpose of data processing

The purpose of data processing is the processing of contracts concluded via our booking tool as well as the implementation of customer service and customer advisory services. In addition, we also use your personal data to assert rights arising from the contracts concluded or initiated with you.

Duration of the storage of your personal data

We process your data for the duration of our contractual relationship. This also includes the initiation of a contract (pre-contractual legal relationship). Your data will be deleted after expiry of the retention periods pursuant to tax and commercial law. These are, according to Section 147 of the German Fiscal Code (AO), a full ten years for accounting documents and according to Section 257 of the German Commercial Code (HGB), a full six years for business documents.

6. OpenProject Community Platform

For the networking of the open source community and for the further development of the OpenProject application, OpenProject operates a publicly accessible OpenProject entity within the OpenProject SaaS platform, i.e. users can view the public content of other users without logging in (e.g. forum posts, bug reports, requirements). Prior registration of a user account is required to create a contribution.

Scope of data processing

Registration of a user account

Creating a post on our SaaS platform requires the registration of a user account. In this process, we collect and process the following personal data:

  • Name,
  • Email address,
  • User name,
  • IP address of the accessing computer.

Optional authentication via external authentication providers (Google)

For authentication vis-à-vis OpenProject, you can alternatively use your existing Google account. However, we recommend that you refrain from using Google services to protect your personal data.

When you register, you will be redirected to servers of Google Cloud EMEA Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. During this process, your IP address and other personal data will be collected by Google. It cannot be ruled out that data will also be transferred to the USA. For more information about Google’s privacy policy, please visit https://policies.google.com/privacy.

Creating a user contribution

In the project environment, you can exchange information with other users on various topics. In this process, we collect and process the following personal data:

  • User-generated contribution,
  • Date,
  • Reference to the user’s account.

Bot control using hCaptcha

We use the hCaptcha anti-bot service (hereinafter “hCaptcha”) on our website. This service is provided by Intuition Machines, Inc., a Delaware US Corporation (“IMI”). hCaptcha is used to check whether the data entered on our website (such as on a login page or contact form) has been entered by a human or by an automated program. To do this, hCaptcha analyzes the behavior of the website or mobile app visitor based on various characteristics. This analysis starts automatically as soon as the website or mobile app visitor enters a part of the website or app with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or app, or mouse movements made by the user).

The data collected during the analysis will be forwarded to IMI. hCaptcha analysis in the “invisible mode” may take place completely in the background. Website or app visitors are not advised that such an analysis is taking place if the user is not shown a challenge. IMI acts as a “data processor” acting on behalf of its customers as defined under the GDPR. For more information about hCaptcha and IMI’s privacy policy and terms of use, please visit the following links: https://hcaptcha.com/privacy/ and https://hcaptcha.com/terms.

Data processing is based on Art. 6(1)(f) GDPR: the website or mobile app operator has a legitimate interest in protecting its site from abusive automated crawling and spam. Data transfer to the USA is secured by EU standard data protection clauses.

The legal basis for processing your data in connection with the OpenProject Community Platform is fulfilment of a contract pursuant to Article 6(1)(b) GDPR.

Purpose of data processing

Provision of the community platform.

Duration of the storage of your personal data

The user can delete his user account independently. The following personal data will be deleted:

  • Name,
  • User name,
  • Email address,
  • Telephone number for sending one-time passwords via SMS,
  • OATH secret code (e.g. for the 2FA app FreeOTP).

The comments and the associated data (e.g. IP address) are stored and remain on this environment until the commented content has been completely deleted or the comments have to be deleted for legal reasons (e.g. offensive comments). Provided you have deleted your user account, all posts created will be assigned to an anonymous collective user. Statutory retention periods remain unaffected.

7. OpenProject Release API

The Release API allows users of a self-hosted OpenProject application to check if a new software version has been released.

The collection is for statistical purposes only. The calling IP addresses are anonymized so that no conclusions can be drawn about individual OpenProject installations. Also, no data is passed on to third parties at any time, in particular no personal data.

Scope of data processing

To check for the availability of new software versions, users with administrator rights will see an update banner on the start page of the OpenProject application as well as on the administrator page. This banner is used to dynamically send a request to the Release API. The availability of a new version is derived anonymously from the transmitted data.

The Release API call includes only the following information:

  • IP address of the calling computer (is not stored),
  • The type of installation packages used: Installation packages, Docker, manual installation (anonymized storage),
  • The current version of the application (anonymized storage and evaluation),
  • The database version (anonymized storage and evaluation),
  • Activation status of the Enterprise Edition (anonymized storage and statistical analysis),
  • Browser type (will not be stored),
  • Device and connection data (anonymized storage and statistical evaluation),
  • Location information (anonymized storage and statistical evaluation at the level of a country).

For anonymization of the call, the call contains a randomly generated identification code. This ensures that an environment is not statistically recorded twice.

You can disable the call of the Release API in your OpenProject entity by unchecking “Administration > System Settings > General > Show Update Security badge” or by setting the security_badge_displayed: false configuration policy. For more information, please refer to the documentation.

In case of deactivation of the automatic check, it is up to you to check the availability of new versions manually.

The legal basis for processing in connection with the OpenProject Release API is Article 6(1)(b) GDPR.

Purpose of data processing

The purpose of this feature is to avoid buggy and insecure OpenProject applications and to focus the development teams on the operating systems and installation options used.

Duration of the storage of your personal data

Server logs are stored for a maximum of 90 days.

8. Applications

Scope of data processing

Application via online tool

On our websites, we offer you the opportunity to apply to advertised vacancies by providing personal data. The personal data you provide in connection with your application will be stored by us. Which data are processed can be seen from the respective input forms. The forms mark as mandatory only those fields that are absolutely necessary for the use of the respective offering.

For processing your application, we use the online application tool of SmartRecruiters Inc. 225 Bush Street, Suite #300, San Francisco CA 94 104, USA. We have concluded an data processing agreement with this service provider. This company, in turn, is obligated to comply with the applicable data protection regulations; in particular, the company may only process the data to fulfill its tasks on our behalf and only according to our instructions. Further information on data privacy can be found at: https://www.smartrecruiters.com/legal/candidate-privacy-policy/august-13-2020/.

For your participation in the application process, you will need to provide personal data derived from the documents you provide to us, such as cover letter, résumé, application photo, certificates or other evidence of professional qualifications. This data may include, among other things, personal master data such as name, address, date of birth, contact data such as telephone number or email address, as well as data relating to your educational and/or professional career, such as school and work references, data on training, internships or previous employers.

Application by encrypted email

In addition to applying via the online tool, you can also send us your application documents in encrypted form by email:

The processing of personal data in connection with your application is based on Article 88(1) GDPR in conjunction with Section 26 BDSG.

Purpose of data processing

The personal data provided in your application will be processed by us solely for the purpose of selecting applicants. For the processing of applications, we limit ourselves to the information provided directly by you. This may also include information that you have provided in professional online networks or job market places. If as part of the application process we ask for your gender in the form of the desired form of address, this is solely due to the fact that we would like to write or speak to you in the correct manner.

Duration of the storage of your personal data

In the event that the application results in an employment relationship, your personal data will be transferred to the personnel file.

In the event that an application is rejected, the data will be deleted by us six months after the rejection of an application, unless you have consented to the inclusion of your personal data in our applicant pool. The legal basis for the processing in this case is Article 6(1)(a) GDPR.

9. Credit card payments

You have the option to pay for the booked services by credit card. The provider of this payment service is Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland, a subsidiary of Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.

Scope of data processing

When paying by credit card, the following personal data entered by you and required for payment processing will be transmitted to Stripe:

  • Name,
  • Billing address,
  • Contract data,
  • Email address,
  • IP address of the accessing computer,
  • Telephone number,
  • Mobile phone number,
  • VAT ID.

The data transmitted to Stripe may be transmitted by Stripe to credit agencies. This transmission serves to check identity and creditworthiness. Information on Stripe’s data protection is available here: https://stripe.com/de/privacy

The legal basis for the disclosure of the data disclosed within the context of the mandate is Article 6(1)(b) GDPR.

Purpose of data processing

Your data will only be passed on for the purpose of payment processing with the payment service provider Stripe Payments Europe Ltd. and only to the extent necessary for this purpose.

Duration of the storage of your personal data

Your data will be deleted after expiry of the retention periods pursuant to tax and commercial law. These are, according to Section 147 of the German Fiscal Code (AO), a full ten years for accounting documents and according to Section 257 of the German Commercial Code (HGB), a full six years for business documents.

Matomo Opt-Out