diff --git a/README.md b/README.md
index 021b8d2..be59f04 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@
 you'll have to run this command:
 
 ```
-docker run --rm -p 4000:4000 -p 35729:35729 --mount type=bind,src=$PWD,dst=/root/build --mount type=volume,dst=/root/build/node_modules -it apache/privacy_apache_org serve --watch --incremental
+docker run --rm -p 4000:4000 --mount type=bind,src=$PWD,dst=/root/build --mount type=volume,dst=/root/build/node_modules -it apache/privacy_apache_org serve --watch --incremental
 ```
 
 Once it runs, you can reach your website at:
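Review bot: The remaining `-p 4000:4000` in the `docker run` line publishes the Jekyll dev server on every host interface, while the README only expects it at `http://localhost:4000/`. Since the port list is being edited anyway, consider `-p 127.0.0.1:4000:4000` here and in the `--entrypoint "/bin/bash"` variant further down, so the preview server is not reachable from the local network. Quoting the bind source (`src="$PWD"`) would also keep the command working from paths that contain spaces.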
@@ -31,12 +31,12 @@
 http://localhost:4000/
 ```
 
-Jekyll will regenerate content as you change it and you can see all changes with 
+Jekyll will regenerate content as you change it and you can see all changes with
 hitting refresh.
 
 If you find it necessary to connect to your Docker instance while working, you can run
 and connect to it with this command:
 
 ```
-docker run --rm -p 4000:4000 -p 35729:35729 --mount type=bind,src=$PWD,dst=/root/build --mount type=volume,dst=/root/build/node_modules -it  --entrypoint "/bin/bash" apache/privacy_apache_org
+docker run --rm -p 4000:4000 --mount type=bind,src=$PWD,dst=/root/build --mount type=volume,dst=/root/build/node_modules -it  --entrypoint "/bin/bash" apache/privacy_apache_org
 ```
diff --git a/_config.yml b/_config.yml
index ea8be2b..e08c1e1 100644
--- a/_config.yml
+++ b/_config.yml
@@ -17,7 +17,7 @@
 
 title: "Apache Software Foundation - Data Privacy"
 email: vp-privacy@apache.org
-description: >- 
+description: >-
   Write an awesome description for your new site here. You can edit this
   line in _config.yml. It will appear in your document head meta (for
   Google search results) and in your feed.xml site description.
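Review bot: The `description:` value is still the Jekyll starter text ("Write an awesome description for your new site here."), and this hunk only strips trailing whitespace from the key. As the text itself notes, it ends up in the document head meta and in feed.xml, so it should be replaced with a real one-line description of the privacy site before this is published.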
@@ -28,7 +28,7 @@
   - jekyll-feed
 
 sass:
-  sass_dir: _sass  
+  sass_dir: _sass
   style: compressed
 
 # Exclude from processing.
diff --git a/_includes/header.html b/_includes/header.html
index 74c8d63..cdcb403 100644
--- a/_includes/header.html
+++ b/_includes/header.html
@@ -8,10 +8,12 @@
 	<input type="checkbox" id="show-menu" role="button">
         <ul id="menu">
             <li><a href="/">Home</a></li>
+            <li><a href="/policies">Policies</a></li>
             <li>
                 <a href="#">FAQ &#9660;</a>
                 <ul class="hidden">
                     <li><a href="/faq/committers.html">Committers' FAQ</a></li>
+                    <li><a href="/faq/infrastructure.html">Infrastructure FAQ</a></li>
                 </ul>
             </li>
             <li><a href="http://www.apache.org/foundation/">About the ASF</a></li>
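Review bot: The new `<a href="/policies">` entry has no trailing slash, while the other menu entries point at concrete `.html` files and the mailing list policy in this patch cites `https://privacy.apache.org/policies/`. Linking to `/policies/` avoids depending on a server-side redirect to the directory index. Note also that this menu entry exposes pages that are all marked "DRAFT VERSION" in this same patch; it may be better to add the link once at least one policy is final.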
diff --git a/_sass/main.scss b/_sass/main.scss
index 0dd05b7..095b2d2 100644
--- a/_sass/main.scss
+++ b/_sass/main.scss
@@ -178,6 +178,7 @@
     padding: 0.5em;
     margin: 0 auto;
     max-width: 85%;
+    min-width: 85%;
     color: $color_text;
     background: $main_background_color;
     font-family: $font;
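Review bot: Adding `min-width: 85%;` directly under `max-width: 85%;` pins the element to exactly 85% of its container, so the pair no longer expresses a range. If a fixed width is the intent, `width: 85%;` states it in one declaration; if the goal is to stop the block from collapsing on short pages, a smaller `min-width` would keep narrow viewports usable.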
diff --git a/faq/committers.md b/faq/committers.md
index 02f114c..a46a02a 100644
--- a/faq/committers.md
+++ b/faq/committers.md
@@ -21,6 +21,30 @@
 
 # Committers' FAQ
 
+## General Privacy Questions
+
+### What, if we receive a data removal request?
+
+If you receive removal requests for mailing lists or of a generic kind,
+please forward this message to privacy@apache.org. If you feel the email
+is of a sensitive kind or did not arrive on a mailing list, 
+please forward this message to vp-privacy@apache.org.
+
+You can reply to the original message that you have forwarded this request,
+but don't reply with any further information (confirmation of deletions etc).
+
+In example:
+
+"Dear sender,
+
+we have forwarded your message to Apache Software Foundation privacy committee,
+which will handle your request. You can always reach out to VP Data Privacy (vp-privacy@apache.org)
+or to the comittee directly (privacy@apache.org) if you have further questions.
+
+Kind regards,"
+
+
+
 ## Project Websites
 
 ### Can I use Google Analytics?
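Review bot: The reply template under "In example:" will be pasted verbatim to external requesters, so its wording needs to be clean: "comittee" should be "committee", "to Apache Software Foundation privacy committee" is missing "the", and "In example" should be "For example". The guidance above it should also say what kind of list privacy@apache.org is (the mailing list policy in this patch calls it "private, but archived"), because the forwarded removal request itself contains the requester's personal data and committers need to know where it will be stored. The heading "What, if we receive a data removal request?" reads better as "What if we receive a data removal request?".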
@@ -31,10 +55,13 @@
 
  - the user's IP address would be anonymized before transmitting data
  - the user approved the use of Google Analytics before it was loaded
+ - you have a privacy policy clearly explaining what user data is collected on your web site
 
 Court decisions around Google Analytics have changed several times
 in the past years and made its use uncertain.
 
+For this reason, ASF projects shall not use Google Analytics at all.
+
 ### Can I use Google Fonts?
 
 You can use Google Fonts, but please host the fonts on ASF servers.
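Review bot: The two additions in this hunk contradict each other: the new bullet extends the list of conditions under which Google Analytics could be acceptable, and the new sentence "For this reason, ASF projects shall not use Google Analytics at all." prohibits it outright. If the prohibition is the policy, the answer should open with it and the condition list should be dropped or reframed as background on why the use was considered uncertain; otherwise readers will stop at the bullets and conclude that meeting them is enough.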
diff --git a/faq/infrastructure.md b/faq/infrastructure.md
new file mode 100644
index 0000000..769a4cb
--- /dev/null
+++ b/faq/infrastructure.md
@@ -0,0 +1,49 @@
+---
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+layout: default
+---
+
+# Infrastructure FAQ
+
+## When should I notify privacy@?
+
+All changes which may require an update in our terms or other privacy related
+documentation need to be reported to privacy@apache.org. In best case, with some 
+time between announcement and change.
+
+Examples for changes which may require privacy policy updates:
+
+ - adding a new service, like webhost server company
+ - removing a service, which may not be any longer in the terms
+ - changes to logfiles, in example when IP addresses are logged (which werent't before)
+ - moving data with PI to other services like a managed service
+ - a new domain was registered, transferred or removed
+
+Other notifications may be sent when:
+
+ - another office or committee requests user data from infra, which they may not access (like running analytics on diversification with a 3rd party)
+ - a security issue happened and user addresses and password have been stolen (data leaks in general)
+
+No notification is required when:
+
+ - new VMs are started or reorganized with companies which we already have an DPA for
+ - data is migrated from an outdated database version to a new version
+ - a CDN is setup with a company which we already have a DPA for and which is already mentioned in the terms
+ - a new project subdomain was created or removed
+ - a new user account was created or removed
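Review bot: The data leak case ("a security issue happened and user addresses and password have been stolen") sits under "Other notifications may be sent when:", which reads as optional. A breach involving personal data should be listed as a mandatory report to privacy@apache.org, with an expected time frame, separate from the third-party data request case. In the same file, "PI" is used without being defined, "a new domain was registered, transferred or removed" should point to the domain list in policies/asf-domains.md that has to be updated as a result, and there are small wording fixes to make: "werent't", "an DPA", "In best case", "in example".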
diff --git a/index.md b/index.md
index 3d3bbe8..5f97f6c 100644
--- a/index.md
+++ b/index.md
@@ -21,14 +21,14 @@
 
 # ASF - Data Privacy
 
-Welcome to the Data Privacy website. 
+Welcome to the Data Privacy website.
 
 The Apache Software Foundation is committed to protect the privacy
 of their Members, Committers and Users.
 
 ## Privacy related questions
 
-If you have questions related to privacy at 
+If you have questions related to privacy at
 The Apache Software Foundation which are not of confidential
 nature, feel free to ask at our (archived) mailing list:
 
diff --git a/policies/asf-domains.md b/policies/asf-domains.md
new file mode 100644
index 0000000..25d0e34
--- /dev/null
+++ b/policies/asf-domains.md
@@ -0,0 +1,69 @@
+---
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+layout: default
+---
+
+# Domains controlled by The Apache Software Foundation
+
+The following list represents all domains currently owned, maintained and
+controlled by The Apache Software Foundation:
+ 
+ - any23.com
+ - any23.org
+ - apache-extras.org
+ - apache.org
+ - apachecon.com
+ - apachecon.org
+ - apacheextras.org
+ - apachextras.org
+ - cloudstack.com
+ - cloudstack.org
+ - codehaus.org
+ - couchapp.com
+ - couchapp.org
+ - couchhack.org
+ - deltaspike.org
+ - feathercast.org
+ - freemarker.org
+ - gremlint.com
+ - groovy-lang.org
+ - ignite.run
+ - jclouds.com
+ - jclouds.net
+ - jclouds.org
+ - jspwiki.org
+ - libcloud.com
+ - libcloud.net
+ - libcloud.org
+ - modssl.com
+ - modssl.net
+ - myfaces.org
+ - netbeans.org
+ - ofbiz.org
+ - openoffice.org
+ - openwhisk.com
+ - openwhisk.net
+ - openwhisk.org
+ - projectgeode.org
+ - qi4j.org
+ - spamassassin.org
+ - subversion.com
+ - subversion.net
+ - subversion.org
+ - tinkerpop.com
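Review bot: The page claims to list "all domains currently owned, maintained and controlled" but carries no date or owner, so readers cannot tell how current the list is, and the public privacy policy in this patch links to it as the "full list of websites". Please add a "last updated" line and name who maintains it, and tie it to the infrastructure FAQ item that requires notifying privacy@ when a domain is registered, transferred or removed. The line after "controlled by The Apache Software Foundation:" also contains a stray trailing space.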
diff --git a/policies/index.md b/policies/index.md
new file mode 100644
index 0000000..e8736e3
--- /dev/null
+++ b/policies/index.md
@@ -0,0 +1,32 @@
+---
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+layout: default
+---
+
+# Available Policies
+
+## Privacy Policies 
+
+ - [Privacy Policy for public services](/policies/privacy-policy-public.html)
+ - Privacy Policy for committers
+
+## Internal Policies
+
+ - [Website Policy](/policies/website-policy.html)
+ - [Mailing List Policy](/policies/mailinglist-policy.html)
\ No newline at end of file
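Review bot: The "Internal Policies" list links to `/policies/website-policy.html`, but no `policies/website-policy.md` is added in this patch, so that link will be dead unless the file already exists elsewhere. "Privacy Policy for committers" is left unlinked although `policies/privacy-policy-committer.md` is added here; either link it or leave the entry out until section 2 of that file is written. The linked policies are all marked "DRAFT VERSION", which the index should state next to each entry. The file also lacks a final newline and "## Privacy Policies " has a trailing space.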
diff --git a/policies/mailinglist-policy.md b/policies/mailinglist-policy.md
new file mode 100644
index 0000000..e5fed01
--- /dev/null
+++ b/policies/mailinglist-policy.md
@@ -0,0 +1,82 @@
+---
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+layout: default
+---
+
+**---> DRAFT VERSION**
+
+This policy describes restrictions for mailing lists managed by the
+ASF or hosted on ASF servers.
+
+## 1) Subscription Information
+
+When a user subscribes to a new mailing list, the following text need to be included 
+when asking for subscription confirmation:
+
+"By subscribing to this mailing list you agree to the privacy policies of 
+The Apache Software Foundation. The privacy policies can be found at:
+https://privacy.apache.org/policies/
+
+The subscriber is fully aware that message may be posted in public and distributed by 3rd parties. The subscriber is also aware, that private message lists will also be read by multiple people with appropriate access rights, like - but not exclusively - Foundation Members, Board Members, Officers etc..
+
+The subscriber is also fully aware that messages may not be (fully) removed from our archives if there is no strong reason to do so; also, we may decide to only remove parts of a message."
+
+## 2) Email distribution
+
+Every email send from our mailing list servers have a footer message with the text:
+"You receive this message because you are subscribed to &lt;listname&gt;. You can unsubscribe any time by sending a blank message to: &lt;listname&gt;-unsubscribe@&lt;subdomain&gt;.apache.org
+
+## 3) Message/Data removal
+
+Messages are only edited in rare occassions and when necessary from a privacy perspective.
+
+Messages need to be edited or removed, when personal information according to the GDPR or CCPA is disclosed and need to be removed. 
+
+This includes all data which makes it possible to identify a person. In example:
+
+ - full name
+ - email address
+ - phone number
+ - address, city, country of origin
+ - ethnicity
+ - medical conditions
+ - etc
+
+Messages are not considered for removal when data is not related to a person:
+
+ - login names (if it is not a real name) 
+ - ssh passwords
+ - production IP addresses
+ - machine names 
+ - URLs 
+
+Please not that any edit to our archives does not automatically edit the archives of 3rd party services which mirror our archives. A requestors will need to contact mirror services themselves.
+
+## 4) Procedures for archive modifications
+
+A removal request need to be sent to privacy@apache.org (private, but archived list) or directly sent to vp-privacy@apache.org. Please note that you request will be documented for future reference.
+
+Please include the following:
+
+ - country of residence, to apply the right data privacy laws
+ - the list of messages to be removed or edited
+
+After submitting the request, VP Data Privacy will confirm it's receipt and discuss appropriate solutions with the Infrastructure team.
+
+Please note: The Apache Software Foundation is a volunteer organization; we do our best to handle each request as quickly as we can.
\ No newline at end of file
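Review bot: Section 3 lists "ssh passwords" and "production IP addresses" under messages "not considered for removal", which as written means a credential posted to a public list stays in the archive. That may be correct from a personal-data standpoint, but the policy should then point to the route for such cases (report to the security or infrastructure team, rotate the credential, and decide on redaction there) so readers do not take it as "nothing will be done". Further points in this file: the footer text in section 2 opens a quotation mark that is never closed, the document has no top-level heading, and there are several typos to fix before this leaves draft ("occassions", "Please not that", "A requestors", "you request", "it's receipt", "text need to be", "Every email send ... have").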
diff --git a/policies/privacy-policy-committer.md b/policies/privacy-policy-committer.md
new file mode 100644
index 0000000..fb82ce3
--- /dev/null
+++ b/policies/privacy-policy-committer.md
@@ -0,0 +1,43 @@
+---
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+layout: default
+---
+
+**---> DRAFT VERSION**
+
+
+This Privacy Policy clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as "Data") within our online offering and the related websites, features and content, as well as external online presence, e.g. our social media profiles on. (collectively referred to as "online offer"). With regard to the terminology used, e.g. "Processing" or "Responsible", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
+
+## 1.  Name and contact details of the controller and the company data protection officer
+
+This privacy policy applies to data processing by:
+
+Responsible:    
+
+The Apache Software Foundation  
+V. P. Data Privacy  
+1000 N West Street, Suite 1200  
+Wilmington, DE  19801  
+U.S.A.  
+
+E-Mail: vp-privacy@apache.org
+
+##  2. Collection and storage of personal data and the nature and purpose of their use
+
+TODO
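Review bot: Section 2 is a bare "TODO", so this file would publish a privacy policy that names the controller but says nothing about what committer data is collected or why. Consider holding the file back until that section exists, or excluding it from the site build. The introduction is copied from the public policy and carries over the broken fragment "e.g. our social media profiles on." and wording such as "online offering" that does not obviously apply to committer data.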
diff --git a/policies/privacy-policy-public.md b/policies/privacy-policy-public.md
new file mode 100644
index 0000000..dc2a40b
--- /dev/null
+++ b/policies/privacy-policy-public.md
@@ -0,0 +1,193 @@
+---
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+layout: default
+---
+
+**---> DRAFT VERSION**
+
+
+This Privacy Policy clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as "Data") within our online offering and the related websites, features and content, as well as external online presence, e.g. our social media profiles on. (collectively referred to as "online offer"). With regard to the terminology used, e.g. "Processing" or "Responsible", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
+
+## 1.  Name and contact details of the controller and the company data protection officer
+
+This privacy policy applies to data processing by:
+
+Responsible:    
+
+The Apache Software Foundation  
+V. P. Data Privacy  
+1000 N West Street, Suite 1200  
+Wilmington, DE  19801  
+U.S.A.  
+
+E-Mail: vp-privacy@apache.org
+
+##  2. Collection and storage of personal data and the nature and purpose of their use
+
+### a) When visiting the website
+
+When you visit our websites ([full list of websites](/policies/asf-domains.html)) or one of our subdomains, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information will be collected without your intervention and stored until automated deletion:
+
+ - IP address of the requesting computer,
+ - date and time of access,
+ - name and URL of the retrieved file,
+ - website from which access is made (referrer URL),
+ - the geo information from which access is made,
+ - The browser used and, if applicable, the operating system of your computer and the name of your access provider.
+
+The data mentioned are processed by us for the following purposes:
+
+ - ensuring a smooth connection of the website,
+ - ensuring comfortable use of our website,
+ - Evaluation of system security and stability as well
+ - for further administrative purposes.
+
+The retention time for this data is 90 days.
+
+The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest follows from the data collection purposes listed above. In no case we use the collected data for the purpose of drawing conclusions about you.
+In addition, we use cookies and analysis services when visiting our website. Further details can be found under no. 4 and 5 of this privacy policy.
+
+### b) When registering for our newsletter and mailing lists
+
+If, pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR have expressly consented, we use your e-mail address to regularly send you our newsletter. For the receipt of the newsletter the indication of an e-mail address is sufficient.
+
+We inform our visitors at regular intervals through newsletters about news and offers from The Apache Software Foundation.
+
+The newsletter of our company can only be received if (1) the data subject has a valid e-mail address and (2) the person concerned registers for the newsletter. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by an affected person for the first time for newsletter mailing using the double-opt-in procedure. This confirmation email is used to check whether the owner of the e-mail address as the person concerned authorized the receipt of the newsletter.
+
+When subscribing to the newsletter, we store the date and time of registration and the email address. The collection of this data is necessary in order to understand the (possible) misuse of an affected person's e-mail address at a later date and therefore serves as legal safeguards for the controller.
+
+The personal data collected in the context of registering for the newsletter will be used exclusively to send our newsletter. 
+
+Subscribers may also be notified by e-mail if this is necessary for the operation of the newsletter service or registration, as might be the case in the event of changes to the newsletter/mailing list or technical changes. 
+
+There will be no transfer of the personal data collected as part of the newsletter service to third parties.
+
+Subscription to our newsletter may be terminated by the person concerned at any time. The consent to the storage of personal data that the data subject has given us for the newsletter dispatch can be revoked at any time. For the purpose of revoking the consent, instructions are given by the end of any email. 
+
+### c) When registering for our mailing lists
+
+If, pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR have expressly consented, we use your e-mail address to send you messages arriving at our mailing lists. For the receipt of the mailing list message the indication of an e-mail address is sufficient.
+
+Visitors may communicate with us through our mailing lists.
+
+The mailing list messages of our organisation can only be received if (1) the data subject has a valid e-mail address and (2) the person concerned registers for the mailing list. For legal reasons, a confirmation e-mail will be sent to the e-mail address entered by an affected person for the first time using the double-opt-in procedure. This confirmation email is used to check whether the owner of the e-mail address as the person concerned authorized the receipt of the mailing list messages.
+
+When subscribing to the mailing list, we store the date and time of registration and the email address. The collection of this data is necessary in order to understand the (possible) misuse of an affected person's e-mail address at a later date and therefore serves as legal safeguards for the controller. When a mailing list is archived, the log file will be deleted.
+
+The personal data collected in the context of registering for the mailing list will be used exclusively to send messages arriving at the mailing list. The personal data collected in the context of registering for a mailing list will be used exclusively to send messages arriving at our mailing list. 
+
+Subscribers may also be notified by e-mail if this is necessary for the operation of the mailing list service or registration, as might be the case in the event of changes to the mailing list or technical changes. 
+
+We will not actively transfer any personal data as part of the mailing list service to third parties. However, almost all of our mailing lists are of public nature.
+
+This means, your name and email may be exposed to the public. Also, all information you send to a mailing list will be exposed to the public. Third parties may collect this information and process separately. The sender of messages is responsible for exposing their data to the public.
+
+All content sent to mailing lists are archived indefinitely. By using our mailing list service, you agree that any content is archived in that way.
+
+Subscription to our mailing lists may be terminated by the person concerned at any time. The consent to the storage of personal data that the data subject has given us for the mailing list dispatch can be revoked at any time. For the purpose of revoking the consent, instructions are given by the end of any email. 
+
+## 3. Disclosure of data
+
+A transfer of your personal data to third parties for purposes other than those listed below does not take place.
+We only share your personal information with third parties if:
+
+ - You your according to Art. 6 para. 1 p. 1 lit. a GDPR have given express consent to this
+ - disclosure pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is required to assert, exercise or defend legal claims and there is no reason to assume that you have a predominantly legitimate interest in not disclosing your data,
+ - in the event that disclosure pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR is a legal obligation, as well
+ - as permitted by law and according to Art. 6 para. 1 sentence 1 lit. b GDPR is required for the settlement of contractual relationships with you.
+
+## 4. External service providers
+
+The Apache Software Foundation uses the following external service providers who help to optimize the service. Insofar as these service providers process data on behalf of The Apache Software Foundation, agreements have been concluded with them which set the European data protection standards as binding and in particular prohibit the use of the data for other purposes. If we commission third parties to process data on the basis of a so-called "contract processing contract", this is done on the basis of Art. 28 GDPR.
+
+### (a) Hetzner: Hosting 
+
+The Apache Software Foundation uses the Hetzner Data Centers (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany) for maintaining our servers. The servers are located in Finland and used for hosting databases and webcontent. 
+
+### (b) Amazon Web Services: DNS
+The Apache Software Foundation uses the Amazon Web Services ("AWS") service of Amazon Web Services, Inc. (P.O. Box 81226, Seattle, WA 98108-1226, USA), for hosting DNS records. As by the nature of DNS, the data is stored in several server accross the globe. AWS data centers are certified to ISO 27001, 27017 and 2018 as well as PCI DSS Level 1.
+
+### (c) LeaseWeb: Hosting 
+
+The Apache Software Foundation uses the LeaseWeb Data Centers (Leaseweb USA, Inc., 9301 Innovation Drive / Suite 100, Manassas, VA 20110) for maintaining our servers. The servers are located in the USA and used for hosting databases and webcontent. LeaseWeb fully supports the GDPR. Details and privacy statements can be found [here](https://www.leaseweb.us/legal/personal-data-protection-acts).
+
+### (d) Microsoft Azure: Hosting 
+
+The Apache Software Foundation uses the Microsoft Azure Data Centers (Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052 USA) for maintaining our servers. The servers are located in the USA and used for hosting databases and webcontent. Microsoft fully supports the GDPR. Details and privacy statements can be found [here](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67).
+
+### (d) Online.net (Scaleway): Hosting 
+
+The Apache Software Foundation uses the Scaleway Data Centers (Scaleway S.A.S., 8 rue de la Ville l’Evêque, 75008 Paris) for maintaining our servers. The servers are located in Europe and used for hosting databases and webcontent. Scaleway fully supports the GDPR. Details and privacy statements can be found [here](https://images-www.scaleway.com/wp-content/uploads/2021/05/05103001/DPA_EN_2020.pdf).
+
+
+### (e) GitHub: Source Code Hosting 
+
+The Apache Software Foundation uses the GitHub Services (GitHub Inc., 88 Colin P. Kelly Jr. Street, San Francisco, California 94107 USA) for serving and maintaining source code. GitHub fully supports the GDPR. Details and privacy statements can be found [here](https://github.com/enterprise-legal/github-addendum-to-microsoft-dpa).
+
+### (f) Fastly: CDN
+
+The Apache Software Foundation uses the GitHub Services (Fastly Inc., PO Box 78266, San Francisco, California, 94107, United States of America) for serving our services. Fastly fully supports the GDPR. Details and privacy statements can be found [here](https://www.fastly.com/data-processing).
+
+
+## 5. Social Media Plug-ins
+
+We rely on our website on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR social plug-ins from the social networks Facebook, Twitter and Instagram to make our company better known. The underlying commercial purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Responsibility for the operation compliant with data protection is to be guaranteed by their respective providers. The integration of these plug-ins by us is done by means of the so-called two-click method to protect visitors to our website in the best possible way.
+
+### a) Youtube
+
+On our website we have integrated components from YouTube. YouTube is an internet video portal that allows video publishers to freely watch video clips and other users for free viewing, rating and commenting. YouTube allows the publication of all types of videos, so that both complete film and television broadcasts, but also music videos, trailers or user-made videos via the Internet portal are available.
+
+YouTube's operating company is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.
+
+Each visit to one of the pages of this site operated by the controller and incorporating a YouTube component (YouTube video) will automatically cause the Internet browser on the subject's information technology system to be represented by the respective YouTube component to download an illustration of the corresponding YouTube component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/en/. As part of this technical process, YouTube and Google are aware of the specific bottom of our site visited by the person concerned.
+If the data subject is logged in to YouTube at the same time, YouTube recognizes by calling a sub-page containing a YouTube video, which specific bottom of our website the affected person visits. This information is collected by YouTube and Google and associated with the individual YouTube account.
+
+YouTube and Google will always receive information through the YouTube component that the data subject has visited our website if the data subject is simultaneously logged into YouTube at the time of access to our website; this happens regardless of whether the person clicks on a YouTube video or not. If such transmission of this information to YouTube and Google is not wanted by the data subject, it can prevent the transmission by logging out of their YouTube account before calling our website.
+
+YouTube's privacy policy, available at https://www.google.com/intl/en/policies/privacy/, identifies the collection, processing, and use of personally identifiable information by YouTube and Google.
+
+## 7. Affected rights
+
+You have the right:
+
+ - in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can provide information on the processing purposes, the category of personal data, the categories of recipients to whom your data has been disclosed, the planned retention period, the right to rectification, deletion, limitation of processing or opposition, the existence of a The right to complain, the source of their data, if not collected from us, and the existence of automated decision-making including profiling and, where appropriate, meaningful information about their details;
+ - in accordance with Art. 16 GDPR, immediately demand the correction of incorrect or complete personal data stored with us;
+ - in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest or for the assertion, exercise or defense of Legal claims is required;
+ - to demand the restriction of the processing of your personal data according to Art. 18 GDPR, as far as the accuracy of the data is disputed by you, the processing is unlawful, but you reject its deletion and we no longer need the data, but you assert this, Exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR;
+ - in accordance with Art. 20 GDPR, to receive your personal data provided to us in a structured, standard and machine-readable format or to request transmission to another person responsible;
+ - according to Art. 7 para. 3 GDPR, to revoke your once given consent to us at any time. As a result, we are not allowed to continue the data processing based on this consent for the future and
+ - to complain to a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or work or our office.
+
+## 8. Right to object
+
+If your personal data are based on legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR are processed, you have the right to file an objection against the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct mail. In the latter case, you have a general right of objection, which is implemented by us without specifying any particular situation.
+If you would like to exercise your right of revocation or objection, please send an e-mail to vp-privacy@apache.org.
+
+## 9. Data security
+
+We use the popular SSL (Secure Socket Layer) method within the site visit, in conjunction with the highest level of encryption supported by your browser. In general, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we'll use 128-bit v3 technology instead. Whether a single page of our website is encrypted is shown by the closed representation of the key or lock icon in the lower status bar of your browser.
+
+We also take appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
+
+## 10. Updating and changing this privacy policy
+
+This privacy policy is currently valid and is valid as of **TODO: VALIDITY DATE**.
+
+As a result of the further development of our website and offers thereof or due to changed legal or official requirements, it may be necessary to change this privacy policy. The current privacy policy can be viewed and printed by you at any time on the website at https://privacy.apache.org/policies/privacy-policy-public.html.
\ No newline at end of file
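Review bot: Section 9 ("Data security") describes transport protection as "SSL (Secure Socket Layer)" with a fallback to "128-bit v3 technology", which reads as SSL 3.0. That protocol was deprecated by RFC 7568, so the paragraph should instead state that the site is served over TLS and should match what the ASF servers actually negotiate. The pointer to a key or lock icon "in the lower status bar" is browser-specific and should be dropped or generalised. Before merge, section 10 still carries `**TODO: VALIDITY DATE**`, the Art. 16 bullet in section 7 says "incorrect or complete" where "incomplete" is meant, "specific bottom of our site" in the YouTube paragraphs looks like a mistranslation of "sub-page", and the file ends without a trailing newline.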
diff --git a/policies/website-policy.md b/policies/website-policy.md
new file mode 100644
index 0000000..991bcfb
--- /dev/null
+++ b/policies/website-policy.md
@@ -0,0 +1,63 @@
+---
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+layout: default
+---
+
+**---> DRAFT VERSION**
+
+This policy describes restrictions for websites managed by the
+ASF or hosted on ASF servers.
+
+## 1) Analytics
+
+All analytics software embedded on a website needs to be confirmed by
+V.P. Data Privacy. Analytics software need to support the GDPR and a
+DPA need to be signed before it can be used. 
+
+Note: Google Analytics cannot be used on any ASF website because
+of Schrems-II.
+
+## 2) YouTube
+
+YouTube content can be embedded only when the user gave consent before loading
+any file from YouTube.
+
+## 3) Cookies
+
+No cookies are allowed, except the user gave consent before setting the cookie.
+
+If the cookie is not used for tracking, but used for managing a so called session, no user content is necessary.
+
+## 4) Using Assets from other Domains
+
+Assets (JS, Images, Fonts, CSS etc) from other domains cannot be loaded. Assets
+need to be hosted on ASF servers.
+
+## 5) (Google) Maps 
+
+(Google) can usually be used, when the user gave consent before loading.
+
+## 6) Social Media
+
+Social Media buttons (Facebook Like, showing Instagram embeds, Twitter pixel) can
+only be used when the user gave consent before loading.
+
+## 7) Facebook Pages
+
+ASF Projects cannot run Facebook pages due to Art. 5 §2 and Art. 26 of the GDPR.
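Review bot: In section 3 the session-cookie exception reads "no user content is necessary", which should be "no user consent is necessary"; as written, the one sentence that defines the exception does not say what it exempts. Section 4 forbids loading any asset from other domains, while sections 2, 5 and 6 allow YouTube, Maps and social media embeds once consent is given, so section 4 should say whether consented embeds are an exception. The body of section 5 says "(Google) can usually be used": "Maps" is missing and "usually" leaves the condition undefined. "Art. 5 §2" in section 7 should use the paragraph notation the sibling policy uses ("Art. 7 para. 3"). The lines "before it can be used. " and "## 5) (Google) Maps " end in trailing whitespace, which this same patch strips from README.md and _config.yml.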
