---> DRAFT VERSION
This Privacy Policy clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as “Data”) within our online offering and the related websites, features and content, as well as our external online presence, e.g. our social media profiles (collectively referred to as “online offer”). With regard to the terminology used, e.g. “Processing” or “Responsible”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
This privacy policy applies to data processing by:
Responsible:
The Apache Software Foundation
V. P. Data Privacy
1000 N West Street, Suite 1200
Wilmington, DE 19801
U.S.A.
E-Mail: vp-privacy@apache.org
When you visit our websites (full list of websites) or one of our subdomains, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information will be collected without your intervention and stored until automated deletion:
The data mentioned are processed by us for the following purposes:
The retention time for this data is 90 days.
The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest follows from the data collection purposes listed above. In no case do we use the collected data for the purpose of drawing conclusions about you. In addition, we use cookies and analysis services when you visit our website. Further details can be found under no. 4 and 5 of this privacy policy.
If you have expressly consented pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, we use your e-mail address to regularly send you our newsletter or messages arriving at our mailing lists. To receive the newsletter or mailing list messages, providing an e-mail address is sufficient.
We inform our visitors at regular intervals through newsletters about news and offers from The Apache Software Foundation. Furthermore, we communicate with interested persons through our mailing lists.
The newsletter of our company can only be received if (1) the data subject has a valid e-mail address and (2) the person concerned registers for the newsletter. For legal reasons, a confirmation e-mail using the double opt-in procedure will be sent to the e-mail address that an affected person enters for the first time for the newsletter mailing. This confirmation e-mail is used to check whether the owner of the e-mail address, as the person concerned, authorized the receipt of the newsletter.
TODO: Confirm with infra, if we actually store the IP address - we should
When you subscribe to the newsletter, we also store the IP address, as assigned by the Internet Service Provider (ISP), of the computer system used by the person concerned at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to understand the (possible) misuse of an affected person's e-mail address at a later date and therefore serves as a legal safeguard for the controller.
The personal data collected in the context of registering for the newsletter will be used exclusively to send our newsletter. The personal data collected in the context of registering for a mailing list will be used exclusively to send messages arriving at our mailing list.
Subscribers may also be notified by e-mail if this is necessary for the operation of the newsletter/mailing list service or registration, as might be the case in the event of changes to the newsletter/mailing list or technical changes.
There will be no transfer of the personal data collected as part of the newsletter service to third parties.
Almost all of our mailing lists are of a public nature. This means your name and email address may be exposed to the public. Also, all information you send to a mailing list will be exposed to the public. Third parties may collect this information and process it separately. The sender of messages is responsible for exposing their data to the public.
All content sent to mailing lists is archived indefinitely.
Subscription to our newsletter and mailing lists may be terminated by the person concerned at any time. The consent to the storage of personal data that the data subject has given us for the newsletter/mailing list dispatch can be revoked at any time. For the purpose of revoking the consent, instructions are given at the end of any email.
A transfer of your personal data to third parties for purposes other than those listed below does not take place. We only share your personal information with third parties if:
The Apache Software Foundation uses the following external service providers who help to optimize the service. Insofar as these service providers process data on behalf of The Apache Software Foundation, agreements have been concluded with them which set the European data protection standards as binding and in particular prohibit the use of the data for other purposes. If we commission third parties to process data on the basis of a so-called “contract processing contract”, this is done on the basis of Art. 28 GDPR.
The Apache Software Foundation uses the Hetzner Data Centers (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany) for maintaining our servers. The servers are located in Finland and used for hosting databases and web content.
The Apache Software Foundation uses the Amazon Web Services (“AWS”) service of Amazon Web Services, Inc. (P.O. Box 81226, Seattle, WA 98108-1226, USA), for hosting DNS records. Due to the nature of DNS, the data is stored on several servers across the globe. AWS data centers are certified to ISO 27001, 27017 and 2018 as well as PCI DSS Level 1.
The Apache Software Foundation uses the LeaseWeb Data Centers (Leaseweb USA, Inc., 9301 Innovation Drive / Suite 100, Manassas, VA 20110) for maintaining our servers. The servers are located in the USA and used for hosting databases and web content. LeaseWeb fully supports the GDPR. Details and privacy statements can be found here.
On our website we use, on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR, social plug-ins from the social networks Facebook, Twitter and Instagram to make our company better known. The underlying commercial purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Their respective providers are responsible for ensuring operation that is compliant with data protection. We integrate these plug-ins by means of the so-called two-click method to protect visitors to our website in the best possible way.
On our website we have integrated components from YouTube. YouTube is an internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them free of charge. YouTube allows the publication of all types of videos, so that complete film and television broadcasts as well as music videos, trailers and user-made videos are available via the Internet portal.
YouTube's operating company is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Each visit to one of the pages of this site operated by the controller and incorporating a YouTube component (YouTube video) will automatically cause the Internet browser on the data subject's information technology system to download a representation of the corresponding YouTube component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/en/. As part of this technical process, YouTube and Google become aware of the specific sub-page of our site visited by the person concerned. If the data subject is logged in to YouTube at the same time, YouTube recognizes, when a sub-page containing a YouTube video is called up, which specific sub-page of our website the affected person visits. This information is collected by YouTube and Google and associated with the individual YouTube account.
YouTube and Google will always receive information through the YouTube component that the data subject has visited our website if the data subject is simultaneously logged into YouTube at the time of access to our website; this happens regardless of whether the person clicks on a YouTube video or not. If the data subject does not want this information to be transmitted to YouTube and Google, they can prevent the transmission by logging out of their YouTube account before accessing our website.
YouTube's privacy policy, available at https://www.google.com/intl/en/policies/privacy/, provides information about the collection, processing, and use of personally identifiable information by YouTube and Google.
You have the right:
If your personal data are processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to file an objection against the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct mail. In the latter case, you have a general right of objection, which is implemented by us without specifying any particular situation. If you would like to exercise your right of revocation or objection, please send an e-mail to vp-privacy@apache.org.
We use the popular SSL (Secure Sockets Layer) method during your visit to the site, in conjunction with the highest level of encryption supported by your browser. In general, this is 256-bit encryption. If your browser does not support 256-bit encryption, we'll use 128-bit v3 technology instead. Whether a single page of our website is encrypted is shown by the closed representation of the key or lock icon in the lower status bar of your browser.
We also take appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
This privacy policy is currently valid and is valid as of TODO: VALIDITY DATE.
As a result of the further development of our website and offers thereof or due to changed legal or official requirements, it may be necessary to change this privacy policy. The current privacy policy can be viewed and printed by you at any time on the website at https://privacy.apache.org/policies/privacy-policy-public.html.