** This privacy policy is currently being adopted and may not yet be fully implemented at all websites **
This Privacy Policy clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as “Data”) within our online offering and the related websites, features and content, as well as external online presence, e.g. our social media profiles on Twitter, Facebook, YouTube and similar sites (collectively referred to as “online presence”). With regard to the terminology we use, e.g. “Processing” or “Responsible”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
1. Name and contact details of the controller and the company data protection officer
This privacy policy applies to data processing by:
Responsible:
The Apache Software Foundation
V. P. Data Privacy
1000 N West Street, Suite 1200
Wilmington, DE 19801
U.S.A.
E-Mail: vp-privacy@apache.org
2. Collection and storage of personal data and the nature and purpose of their use
a) When visiting the website
Log files
When you visit our websites (full list of domains) or one of our subdomains, the browser on your device automatically sends information to the server of our website. This information is temporarily stored in a log file. The following information is being collected without your intervention and stored until automated deletion:
- The IP address of the requesting computer
- The date and time of access
- The name and URL of the retrieved file
- The website from which access is made (referrer URL)
- Geo information of the location from which access is made
- The browser used and, if applicable, the operating system of your computer and the name of your access provider
The data mentioned are processed by us for the following purposes:
- Ensuring connectivity of our website
- Ensuring a use of our website, of which we think is comfortable for you
- Evaluation of system security and stability
- Other administrative purposes
The retention time for this data is 90 days.
The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest follows from the data collection purposes listed above. In no case do we use the collected data for the purpose of drawing conclusions about you. In addition, we use cookies and analysis services when you visit our website. Further details can be found under no. 4 and 5 of this privacy policy.
Matomo
In addition to log files, some of our websites use Matomo to understand what parts of the website are important to our users, what features are most frequently accessed, where users get lost in the documentation, etc. This data allows us to better understand how users use the system, the website, and the docs and where to focus improvements next.
The collected information consists of the following:
- The IP address from which you access the website
- The type of browser and operating system you use to access our site
- The date and time you access our site
- The pages you visit
- If you click on any of the file download links on our website
- The addresses of pages from where you followed a link to our site
- The addresses of pages you go to from our site
- The search terms you use on the website
This information is gathered and stored using the open source software Matomo. We don’t use any cookies to collect this information. An IP address is anonymized by removing the last two octets from the IP address. That means that if your IP is 192.168.100.50, we store it as 192.168.0.0.
Matomo is self-hosted on a virtual machine provided by the Apache Software Foundation. It can only be accessed by members of the Apache Privacy committee. The data can be viewed by anyone by visiting https://analytics.apache.org/.
Matomo respects any Do Not Track setting in your browser. You can also opt-out from all Matomo tracking below.
b) When registering for our newsletter and mailing lists
If, pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, you have expressly consented, we use your e-mail address to periodically send you our newsletter. For the receipt of the newsletter the indication of an e-mail address is sufficient.
We inform our visitors at regular intervals through newsletters about news and offers from The Apache Software Foundation.
The newsletter of our Foundation can only be received if (1) the data subject has a valid e-mail address and (2) the person concerned registers for the newsletter. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by an affected person before the first time of sending the newsletter, using the double-opt-in procedure. This confirmation email is used to check whether the owner of the e-mail address is the person who authorized the receipt of the newsletter.
When you subscribe to the newsletter, we store the date and time of registration and the email address. The collection of this data is necessary for us to understand the (possible) misuse of an affected person’s e-mail address at a later date and therefore serves as legal safeguards for the controller.
The personal data collected in the context of registering for the newsletter is used exclusively to send our newsletter.
Subscribers may also be notified by e-mail if this is necessary for the operation of the newsletter service or registration, as might be the case in the event of changes to the newsletter/mailing list or technical changes.
There will be no transfer to third parties of the personal data collected as part of the newsletter service.
Subscription to our newsletter may be terminated by the person concerned at any time. Consent to the storage of personal data that the person has given us for the newsletter dispatch can be revoked at any time. For the purpose of revoking the consent, instructions are given by the end of each newsletter email.
c) When registering for our mailing lists
If, pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, you have expressly consented, we use your e-mail address to send you messages arriving at our mailing lists. For the receipt of the mailing list message the indication of an e-mail address is sufficient.
Visitors may communicate with us through our mailing lists.
The mailing list messages of our organisation can only be received if (1) the person concerned has a valid e-mail address and (2) the person concerned registers for the mailing list. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by an affected person for the first time using the double-opt-in procedure. This confirmation email is used to check whether the owner of the e-mail address authorized the receipt of the mailing list messages.
When you subscribe to a mailing list, we store the date and time of registration and the email address. The collection of this data is necessary for us to understand the (possible) misuse of an affected person’s e-mail address at a later date and therefore serves as legal safeguards for the controller. When a mailing list is archived, the log file will be deleted.
The personal data collected in the context of registering for a mailing list will be used exclusively to send messages arriving at that mailing list.
Subscribers may also be notified by e-mail if this is necessary for the operation of the mailing list service or registration, as might be the case in the event of changes to the mailing list or other technical changes.
We will not actively transfer to third parties any personal data as part of the mailing list service. However, almost all of our mailing lists are of a public nature.
This means, your name and email may be exposed to the public. Also, all information you send to a mailing list will be exposed to the public. Third parties may collect this information and process it separately. The sender of messages is responsible if they expose their personal data to the public.
All content sent to mailing lists is archived indefinitely. By using our mailing list service, you agree that any content is archived in that way.
Subscription to our mailing lists may be terminated by the person concerned at any time. The consent to the storage of personal data that a person has given us for the mailing list dispatch can be revoked at any time. For the purpose of revoking the consent, instructions are given by the end of every email.
3. Disclosure of data
Transfer of your personal data to third parties for purposes other than those listed below does not take place. We only share your personal information with third parties if:
- You, in accordance with Art. 6 para. 1 p. 1 lit. a GDPR, have given express consent to this.
- Disclosure pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is required to assert, exercise or defend legal claims and there is no reason to assume that you have a predominantly legitimate interest in not disclosing your data.
- Disclosure pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR is a legal obligation.
- As permitted by law and according to Art. 6 para. 1 sentence 1 lit. b GDPR, disclosure is required for the settlement of contractual relationships with you.
4. External service providers
The Apache Software Foundation uses the following external service providers who help to optimize its services. Insofar as these service providers process data on behalf of The Apache Software Foundation, agreements have been concluded with them which set the European data protection standards as binding and, in particular, prohibit the use of the data for other purposes. If we commission third parties to process data on the basis of a so-called “contract processing contract”, this is done on the basis of Art. 28 GDPR.
(a) Hetzner: Hosting
The Apache Software Foundation uses the Hetzner Data Centers (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany) to maintain our servers. The servers are located in Finland and used for hosting databases and web content.
(b) Amazon Web Services: DNS
The Apache Software Foundation uses the Amazon Web Services (“AWS”) service of Amazon Web Services, Inc. (P.O. Box 81226, Seattle, WA 98108-1226, USA), to host DNS records. By the nature of DNS, the data is stored in several servers around the globe. AWS data centers are certified to ISO 27001, 27017 and 2018 as well as PCI DSS Level 1.
(c) LeaseWeb: Hosting
The Apache Software Foundation uses the LeaseWeb Data Centers (Leaseweb USA, Inc., 9301 Innovation Drive / Suite 100, Manassas, VA 20110) to maintain our servers. The servers are located in the USA and used for hosting databases and web content. LeaseWeb fully supports the GDPR. Details and privacy statements can be found here.
(d) Microsoft Azure: Hosting
The Apache Software Foundation uses the Microsoft Azure Data Centers (Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052 USA) to maintain our servers. The servers are located in the USA and used for hosting databases and web content. Microsoft fully supports the GDPR. Details and privacy statements can be found here.
(d) Online.net (Scaleway): Hosting
The Apache Software Foundation uses the Scaleway Data Centers (Scaleway S.A.S., 8 rue de la Ville l’Evêque, 75008 Paris) to maintain our servers. The servers are located in Europe and used for hosting databases and web content. Scaleway fully supports the GDPR. Details and privacy statements can be found here.
(e) GitHub: Source Code Hosting
The Apache Software Foundation uses the GitHub Services (GitHub Inc., 88 Colin P. Kelly Jr. Street, San Francisco, California 94107 USA) to store, serve, and maintain source code. GitHub fully supports the GDPR. Details and privacy statements can be found here.
(f) Fastly: CDN
The Apache Software Foundation uses Fastly (Fastly Inc., PO Box 78266, San Francisco, California, 94107, United States of America) to support our services. Fastly fully supports the GDPR. Details and privacy statements can be found here.
(g) Scarf: Download analytics.
The Apache Software Foundation uses Scarf (Scarf Systems Inc., 548 Market St, PMB 17568, San Francisco, CA 94104 USA) to understand how our software is downloaded, adopted and used. Scarf fully supports the GDPR. Details and privacy statements can be found here.
(h) DinoSource ApS: PonyMail
The Apache Software Foundation uses Pony Mail (DinoSource ApS, Vangedevej 223A, DK-2870 Dyssegard, Denmark) to display mailing list content to the web. DinoSource ApS fully supports the GDPR and DPA is on file.
5. Social Media Plug-ins
We rely on our website on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR social plug-ins from the social networks Facebook, Twitter and Instagram to make our company better known. The underlying commercial purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Responsibility for operation compliant with data protection is to be guaranteed by the respective providers. The integration of these plug-ins by us is done by means of the so-called two-click method to protect visitors to our website in the best possible way.
a) YouTube
On our website we have integrated components from YouTube. YouTube is an internet video portal that allows video publishers to freely watch video clips provided by other users for free viewing, rating and commenting. YouTube allows the publication of all types of videos, so that both complete film and television broadcasts, music videos, trailers and user-made videos uploaded via the YouTube internet portal are available.
YouTube’s operating company is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.
Each visit to one of the pages of this site operated by the controller and incorporating a YouTube component (YouTube video) will automatically cause the Internet browser on the subject’s information technology system to download an illustration of the corresponding YouTube component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/en/. As part of this technical process, YouTube and Google are aware of the specific location of our site visited by the person concerned. If the person visiting our site is logged in to YouTube at the same time, YouTube calls a sub-page containing a YouTube video for the person visiting our site. This information is collected by YouTube and Google and associated with the individual YouTube account.
YouTube and Google will always receive information through the YouTube component that a person has visited our website if the person is logged into YouTube at the time of access to our website; this happens regardless of whether the person clicks on a YouTube video or not. If such transmission of this information to YouTube and Google is not wanted by the person visiting our site, they can prevent the transmission by logging out of their YouTube account before visiting our website.
YouTube’s privacy policy, available at https://www.google.com/intl/en/policies/privacy/, identifies the collection, processing, and use of personally identifiable information by YouTube and Google.
7. Affected rights
You have the right:
- in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information on the processing purposes, the category of personal data, the categories of recipients to whom your data has been disclosed, the planned retention period, the right to rectification, deletion, limitation of processing or opposition, the existence of a right to complain, the source of your data, if not collected from us, and the existence of automated decision-making including profiling and, where appropriate, meaningful information about your data.
- in accordance with Art. 16 GDPR, to demand the immediate correction of incorrect or complete personal data stored with us.
- in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is required for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest or for the assertion, exercise or defense of Legal claims.
- to demand the restriction of the processing of your personal data according to Art. 18 GDPR, as far as the accuracy of the data is disputed by you, the processing is unlawful, but you reject its deletion and we no longer need the data, but you assert this, in the exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR.
- in accordance with Art. 20 GDPR, to receive your personal data provided to us in a structured, standard and machine-readable format or to request transmission to another person.
- according to Art. 7 para. 3 GDPR, to revoke your once-given consent to us at any time. As a result, we are not allowed to continue processing of data based on this consent for the future.
- to complain to a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or work or our office.
8. Right to object
If our retention of your personal data is based on legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to file an objection against the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct mail. In the latter case, you have a general right of objection, which is implemented by us without specifying any particular situation. If you would like to exercise your right of revocation or objection, please send an e-mail to vp-privacy@apache.org.
9. Data security
We use the popular SSL (Secure Socket Layer) method during your site visit, in conjunction with the highest level of encryption supported by your browser. In general, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. Whether a single page of our website is encrypted is shown by the closed representation of the key or lock icon in the lower status bar of your browser.
We also take appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
10. Updating and changing this privacy policy
This privacy policy is currently valid and is valid as of 2022-04-21.
As a result of the further development of our website and offers thereof, or due to changed legal or official requirements, it may be necessary to change this privacy policy. The current privacy policy can be viewed and printed by you at any time on the website at https://privacy.apache.org/policies/privacy-policy-public.html.