Privacy Policy (Datenschutzerklärung)

We take the protection of your personal data very seriously. This privacy policy informs you about how we collect, process, and use your personal data when you visit our website openconstructionerp.com and use our services.

This policy complies with the EU General Data Protection Regulation (GDPR / DSGVO), the German Federal Data Protection Act (BDSG), the German Telemedia Act (TMG), and the Swiss Federal Act on Data Protection (DSG).

1. Controller

The controller responsible for data processing on this website is:

If you have any questions about data protection, please contact us at contact@openconstructionerp.com.

2. Overview of Data Processing

2.1 Types of Data Processed

• Usage data (e.g., pages visited, access times, referrer URLs)
• Communication data (e.g., email address, name, message content)
• Technical data (e.g., IP address, browser type, operating system, device information)
• Account data (e.g., username, email address, password hash) if you create an account
• Payment data (e.g., billing address, payment method) if you purchase a commercial license

2.2 Purposes of Processing

• Providing and improving our website and services
• Responding to inquiries and providing support
• Processing commercial license purchases
• Sending newsletters (only with your explicit consent)
• Ensuring the security and stability of our website
• Compliance with legal obligations
• Web analytics (in anonymized or pseudonymized form)

2.3 Legal Bases

We process personal data based on the following legal grounds under GDPR:

• Art. 6(1)(a) GDPR – Consent (e.g., newsletter subscription, non-essential cookies)
• Art. 6(1)(b) GDPR – Performance of a contract (e.g., license purchase, account creation)
• Art. 6(1)(c) GDPR – Legal obligation (e.g., tax and accounting requirements)
• Art. 6(1)(f) GDPR – Legitimate interest (e.g., website security, analytics, fraud prevention)

3. Data Collection on Our Website

3.1 Server Log Files

When you visit our website, our hosting provider automatically collects and stores information in server log files that your browser transmits to us. This includes:

• Browser type and version
• Operating system
• Referrer URL (the previously visited page)
• Hostname of the accessing computer
• IP address (anonymized where possible)
• Date and time of the server request

This data is not combined with other data sources. The processing is based on Art. 6(1)(f) GDPR, as we have a legitimate interest in ensuring the technical operation and security of our website.

3.2 Contact Forms and Email

If you contact us via email or a contact form, the data you provide (e.g., name, email address, message content) will be stored and processed for the purpose of handling your inquiry and any follow-up questions. We will not share this data without your consent.

The processing is based on Art. 6(1)(b) GDPR if your request relates to the performance of a contract, or Art. 6(1)(f) GDPR based on our legitimate interest in effectively processing inquiries.

3.3 User Accounts

If you create an account on our platform, we store your email address, username, and a securely hashed password. Additional profile information you provide is voluntary. Account data is processed based on Art. 6(1)(b) GDPR for the performance of the user agreement.

3.4 Commercial License Purchases

When you purchase a commercial license, we collect billing information (name, address, email, payment details) as required to process the transaction and comply with legal obligations (Art. 6(1)(b) and Art. 6(1)(c) GDPR). Payment processing is handled by third-party payment providers (see Section 6).

4. Cookies

4.1 What Are Cookies

Cookies are small text files stored on your device by your web browser. They enable the website to recognize your device and remember certain information about your visit.

4.2 Types of Cookies We Use

Strictly Necessary Cookies

These cookies are essential for the website to function properly. They enable basic features such as page navigation, secure areas access, and session management. The website cannot function properly without these cookies. These are processed based on Art. 6(1)(f) GDPR (legitimate interest).

Preference Cookies

These cookies allow the website to remember choices you have made (such as your preferred language or region) and provide enhanced, personalized features. These are only set with your consent per Art. 6(1)(a) GDPR.

Analytics Cookies

These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. We use this information to improve our website. These are only set with your consent per Art. 6(1)(a) GDPR.

Marketing Cookies

These cookies are used to track visitors across websites to allow publishers to display relevant advertisements. These are only set with your consent per Art. 6(1)(a) GDPR.

4.3 Cookie Consent

When you first visit our website, you will be shown a cookie consent banner. Only strictly necessary cookies are set without your consent. All other cookies require your explicit opt-in. You can change or withdraw your consent at any time through the cookie settings link in the website footer.

4.4 Managing Cookies

You can configure your browser to refuse all cookies, or to alert you when a cookie is being sent. Please note that some features of the website may not function properly if you disable cookies entirely.

5. Newsletter

If you subscribe to our newsletter, we collect your email address and, optionally, your name. We use a double opt-in procedure: after you sign up, you will receive a confirmation email asking you to verify your subscription. We will not send you newsletters until you confirm.

The processing is based on Art. 6(1)(a) GDPR (your consent). You can unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by contacting us at contact@openconstructionerp.com.

We may use third-party email service providers to send newsletters. Your email address will be shared with this provider solely for the purpose of sending the newsletter. See Section 6 for details on third-party processors.

6. Third-Party Services and Processors

We may use the following third-party services that process personal data on our behalf:

6.1 Hosting

Our website is hosted by a professional hosting provider. The hosting provider processes all data transmitted when you visit our website. This is based on Art. 6(1)(f) GDPR (legitimate interest in reliable and secure hosting). We have entered into a data processing agreement (DPA) with our hosting provider in accordance with Art. 28 GDPR.

6.2 Web Analytics

We may use privacy-friendly analytics tools (such as Plausible Analytics, Umami, or similar) to understand how visitors use our website. These tools are configured to anonymize or not collect IP addresses and do not use cookies where possible. Where analytics cookies are used, they require your consent per Art. 6(1)(a) GDPR.

6.3 Payment Processing

For commercial license purchases, we use third-party payment processors (e.g., Stripe, PayPal). These providers process your payment data directly. We do not store your full credit card or bank details on our servers. The processing is based on Art. 6(1)(b) GDPR (contract performance). These providers have their own privacy policies which we encourage you to review.

6.4 Email Service Provider

We may use third-party email service providers (e.g., Mailchimp, Brevo/Sendinblue) to send newsletters and transactional emails. Your email address and name are shared with these providers for this purpose. We have ensured appropriate data protection agreements are in place. Where data is transferred to the United States, it is done under the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).

6.5 GitHub

Our open-source code is hosted on GitHub (Microsoft). If you interact with our GitHub repositories (e.g., filing issues, submitting pull requests), your GitHub profile information and contributions are processed by GitHub. Please refer to GitHub's Privacy Statement.

6.6 Content Delivery Network (CDN)

We may use a CDN to deliver website assets quickly and securely. The CDN provider may process your IP address and request data. This is based on Art. 6(1)(f) GDPR (legitimate interest in fast and secure content delivery).

7. Data Transfer to Third Countries

Some of our third-party service providers may be based outside the European Economic Area (EEA). Where personal data is transferred to countries outside the EEA, we ensure that appropriate safeguards are in place, such as:

• The EU-US Data Privacy Framework (for US-based providers that are certified)
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Server log files: Automatically deleted after 30 days.
• Contact inquiries: Deleted after the inquiry is fully resolved, unless retention is required for contractual or legal reasons.
• Account data: Retained for the duration of the account. Deleted upon account deletion request, subject to legal retention obligations.
• Purchase and billing data: Retained for 10 years in accordance with German tax and commercial law (Section 147 AO, Section 257 HGB).
• Newsletter data: Deleted promptly upon unsubscription.
• Cookie data: Cookies expire according to their individual settings. Session cookies are deleted when you close your browser.

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

9.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with supplementary information.

9.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

9.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data under certain conditions, such as when the data is no longer necessary for the purpose it was collected.

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing your personal data under certain conditions.

9.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

9.6 Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data based on Art. 6(1)(e) or Art. 6(1)(f) GDPR at any time, on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

If personal data is processed for direct marketing purposes, you have the right to object at any time. If you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

9.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you have the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for us is:

10. Data Security

We use industry-standard security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• SSL/TLS encryption for all data transmitted between your browser and our servers
• Secure password hashing for user accounts
• Regular security updates and vulnerability assessments
• Access controls limiting data access to authorized personnel
• Data processing agreements with all third-party service providers

11. Open-Source Software and Data Processing

OpenConstructionERP is open-source software licensed under AGPL-3.0. When you download and self-host our software, the software itself does not transmit any personal data to us. Data processed by a self-hosted instance of OpenConstructionERP is entirely under the control of the entity operating that instance.

This privacy policy applies only to data collected through our website at openconstructionerp.com and any services we operate directly. If you use a self-hosted instance operated by a third party, that third party is the data controller and is responsible for their own privacy policy.

12. Social Media

We maintain profiles on social media platforms (e.g., LinkedIn, Twitter/X, GitHub, YouTube). When you visit these profiles, the respective platform operator is the data controller or joint controller. We may receive aggregated, anonymized statistics about visitor activity. Please refer to the privacy policies of the respective platforms for details on their data processing practices.

13. Minors

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have inadvertently collected such data, we will delete it promptly.

14. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our data processing practices, legal requirements, or services. The updated version will be published on this page with a revised "Last updated" date. We encourage you to review this page periodically.

If we make material changes, we will notify you by placing a prominent notice on our website or, where applicable, by email.

15. Contact

For any questions, concerns, or requests regarding this privacy policy or the processing of your personal data, please contact us: