The OpenStack Foundation, d/b/a Open Infrastructure Foundation is a Delaware non-stock, non-profit corporation under the jurisdiction of the FTC with its principal office in Austin, Texas. The goal of the Open Infrastructure Foundation is to serve developers, users, and other participants in the open infrastructure ecosystem by providing a set of shared resources to build community, facilitate collaboration, and support integration of open source technologies.
This Privacy Policy describes how the Open Infrastructure Foundation collects personal data from and about website visitors and individual community members, how and why we use that data, and the circumstances under which we share that data with others. The Privacy Policy covers the following Open Infrastructure Foundation web properties: openstack.org, airshipit.org, starlingx.io, zuulci.org, katacontainers.io, opendev.org, and openinfralabs.org.
The Open Infrastructure Foundation is committed to the principles of the EU-U.S. Data Privacy Framework through transparent disclosure of our activities related to privacy protection. We work at carefully balancing the Foundation’s interest in using your personal data to meet its goal against any potential impact to you arising from our use.
If you have any questions or concerns about this Privacy Policy, or want further information on how we balance your right to personal data protection against our interest in serving our community, please contact us at [email protected], or PO Box 1903, Austin, Texas 78767.
This Policy is divided into sections:
I. Personal data that we collect from and about you
A. Personal data we collect
B. Personal data we receive from other organizations
II. Third parties who collect data on our website
III. How we use your personal data and the legal basis for such use
IV. Circumstances under which we may disclose your personal data
V. Cookies and other online data collection technologies
X. Requests to amend or erase your personal data, or restrict our use of your personal data
XII. EU-U.S. Data Privacy Framework
Please note that this Privacy Policy does not cover the privacy practices of separate organizations that are authorized to use the OpenStack name or logo. For example, this Privacy Policy does not cover personal data collected by user groups and supporters. Those organizations are responsible for posting their own privacy policies.
These words have specific meanings in this Privacy Policy:
goal refers to the goal of the Open Infrastructure Foundation stated above, and the Foundation’s purpose as stated in our Bylaws at https://www.openstack.org/legal/bylaws-of-the-openstack-foundation/.
site means the website at https://openinfra.dev and any other website on which this Privacy Policy is posted, including each of the following:
visitor means a visitor to the Site, including visitors who use services on the site, such as the OpenStack Marketplace;
community member means an individual who: (i) is a member of the Open Infrastructure Foundation, (ii) contributes software, documentation, or other information to the OpenStack Project, (iii) attends an OpenInfra or OpenStack event, (iv) takes a certification exam, such as the Certified OpenStack Administrator exam, or (v) provides personal data to the Foundation in some other way as described below;
personal data or personal information means any information about an individual that identifies the individual, or that can be used to identify the individual, directly or indirectly.
we and our and us refers to the Open Infrastructure Foundation; and
you and your refers to visitors and community members.
Part I. Personal data that we collect from and about you
A. Personal Data We Collect. We collect different kinds of personal data from and about you as follows:
-
when you visit openstack.org or any other website where this policy is posted as a guest
-
when you visit our sites our web server will capture your IP address, the time and duration of your visit, and the pages on the site that you visit. It may also collect information about your browser type and version (including any plug-ins), operating system and platform, device (including your mobile device), time zone setting and location and other information of the type collected by web servers generally. We use cookies, web beacons, pixel tags and other techniques to identify your browser and device to your guest activity on the site. Please see the section below captioned “Online Data Collection Technologies” for more information regarding our use of these techniques and your ability to restrict our collection of data in this manner.
-
we may use third party web analytics tools such as Google Analytics or Google Website Optimizer, to capture information about the use of our site, such as mouse clicks and scrolling activity. The providers of these tools capture data about your activity on our site, via cookies and other techniques, and provide us with this information in aggregate, anonymous form. This information is not personally identifiable to any site user.
-
-
when you submit other information on our site:
-
if you want to join the Open Infrastructure Foundation as an individual member, you will be asked to complete a web form with your name, contact information, employer name, physical location, field of activity, profession, and other information;
-
if you sign up for a mailing list, we will ask for your name and contact information.
-
-
when you publish content on the site:
- if you participate in a forum, chat room, blog, or news group, your user name and the information you publish will be available to the Open Infrastructure Foundation (and the public);
-
if you are a candidate for a seat on the Open Infrastructure Foundation Board of Directors: we will ask you to submit biographical information and a photograph of yourself to post on our site.
-
when you use our Summit mobile app:
- if you use our mobile app to plan your activity at the summit (which sessions to attend, etc.), we will have access to those plans as a necessary part of providing this feature. We do not view or use that information except in emergency circumstances – see “How we use your personal data” below. We also have access to your unique device identifier and other information useful for monitoring the availability of the app. We currently use Crashlytics to monitor the availability of the app.
-
when you send us an email (including email to community group lists), or via our site to submit a question to openstack.org: we will collect your name and email address.
-
when you participate in a survey: we periodically ask Project users to complete a survey to provide feedback on our events. If you choose to participate in such a survey, you will be asked to submit personal data such as your name, email address, and location.
-
when you register for an OpenStackID in order to contribute source code or documentation via Launchpad or other repository: we require you to provide your name and email address to issue you with the required OpenStackID.
B. Personal Data We Receive from Other Organizations. We receive personal data from these organizations who collect personal data from and about you:
-
event contractors we hire to provide event registration and management services, such as Eventbrite:
- if you register to attend on of our bi-annual summits, you will register and pay through Eventbrite and will be asked to submit name, email address, company, work phone, title, and geographic location of your workplace. Eventbrite shares that data with us.
-
event technology providers such as vandePoel Productions and FNTECH:
- event sponsors who host a booth or other facility at an OpenInfra or OpenStack event may use a device provided by vandePoel Productions that enables them to scan your event badge. You do not have to permit an event sponsor to scan your event badge, but if you do, the event sponsor will be able to collect the personal data you provided to Eventbrite when you registered for the Summit.
-
source repository managers, such as Canonical:
- Canonical manages our Launchpad instance. As the account owner and administrator, OpenStack has access to the information that you provide to Canonical, such as your Launchpad id.
-
social media:
- the Open Infrastructure Foundation has a Facebook page, a Twitter account, LinkedIn Company Page, and YouTube Channel. Your user names on these platforms will be exposed to the Foundation if you follow our social media accounts. Any personal data you elect to share as part of a posting using those platforms is also available to us.
-
exam administrators:
- if you register for and take an OpenStack certification exam, such as the Certified OpenStack Administrator exam, our exam administrator, which is currently Mirantis, will collect your name and other personal data. Mirantis provides us with exam results tied to the OpenStack ID you use to register for the exam.
-
advertisers who link to our Sites:
- if you arrive at our site by clicking on an advertisement or content published by a third party, that third party may provide information to us about your activity on their website. we may use Google AdWords or other third party advertisers.
-
community partners:
- local user groups and other community partners also provide us information about your attendance at their events, including your name and email address.
Generally we do not combine personal data we have about you from different sources for any purpose, with the exception that we will use information we collect about your interest in our events to send you email communications about those events.
Part II. Third Parties Who Collect Data
On Our Site
Third parties who display content or provide services on our websites may also collect personal data about you using cookies, tracking pixels, and other methods. They share some of that data with us as described above, but they may collect other data that they use for things un-related to OpenStack. For example,
-
YouTube https://www.youtube.com/t/terms
-
Google AdSense https://policies.google.com/privacy?hl=en
-
Google reCAPTCHA https://policies.google.com/privacy?hl=en
-
Akismet https://automattic.com/privacy/
-
Google Tag Manager https://policies.google.com/privacy?hl=en
-
CloudFlare https://www.cloudflare.com/privacypolicy/
You may block cookies using the cookiebot feature available on our site. If you elect to permit collection of data via cookies initially, but later change your mind, you can change your preferences.
Mobile App Availability Monitoring
We use Crashlytics to monitor the availability of the Open Infrastructure Summit mobile app. Crashlytics collects mobile device unique identifiers and other information. Their collection and user of personal data is described in their privacy policy, which can be found http://try.crashlytics.com/terms/privacy-policy.pdf. If you do not want your personal data shared with Crashlytics you should not use the mobile app.
Part III. How we use personal data and the legal basis for such use
We will use your personal data to provide information and services to you as a participant in the OpenInfra community and to manage the community consistent with the Foundation’s goals, at all times balancing the Foundation’s goal against your interest in protecting your personal data. We will strive to use your personal data only to the limited extent necessary to meet our legitimate interest as the manager of the OpenStack Project and community. Specific ways that we use your personal data in this way are as follows:
-
to provide you with information that you have requested or that is relevant to the OpenInfra community:
-
if you elect to be included in our Individual Member Directory, we will publish your member profile on our site;
-
we may use your email address to send you information about upcoming events, Foundation news, and governance matters;
-
Please see the section below captioned Email Policy for information on how to stop receiving email communications from us.
-
-
to improve our website:
- we use web visit information to measure interest in and develop our web pages and marketing plans, and administer our site.
-
to administer our website:
- we use web visitor IP addresses to help diagnose problems with our servers, and to administer our site.
-
to improve our events and our management of the Open Infrastructure Foundation and the community in general:
- we use personal data you choose to provide in response to our survey, as well as your comments on our site content.
-
to provide you with access to secure areas of our site or third party services, such as the code repository service or a certification exam; and
-
to respond to complaints regarding a violation of our Code of Conduct.
- We will not use your personal data in any other way unless:
- (i) you have given your express consent for that use, or (ii) to the limited extent necessary to comply with a legal obligation that we are subject to.
Part IV. Circumstances under which we may disclose your personal data
We will not disclose your personal data to third parties except as follows:
-
to third parties that provide services to us:
-
for example, we currently use the following third party services:
-
Mailchimp, Emma, and Sendgrid for outgoing email;
-
Salesforce for community relationship information management;
-
Discus for the comments features on our blog and other Web publications;
-
Zendesk to manage incoming email and other requests, such email to [email protected] and [email protected];
-
Survey Monkey to administer surveys and analyze the results;
-
Adobe Echosign e-signing service; and
-
Formstack to administer webforms.
-
-
we may use other service providers to provide similar services to those described above or to otherwise help us manage contact information and communications, analyze data, provide marketing services, or other services that help us manage the Open Infrastructure Foundation. These providers are not authorized to further disclose your personal data or to use your personal data for any purpose other than providing services to us.
-
our site is hosted and monitored by third parties and we use third party infrastructure monitoring services. These third parties may have inadvertent or incidental access to your personal data. These providers are not authorized to further disclose your personal data or to use your personal data for any purpose other than providing services to us.
-
we may disclose your personal data when we believe release is appropriate to comply with the law, or to protect the rights and safety of others. This may include exchanging information with government regulatory or law enforcement agencies, or with other companies and organizations for fraud protection and legal compliance. We have, in the rare occasion of an emergency, used information that a mobile app user entered regarding their planned activities to find the user.
-
in the event we merge the Foundation with another non-profit organization, we will disclose your personal information to the successor entity, and the successor entity will use and disclose your personal data in the same manner as set out in this Privacy Policy.
We do not directly disclose event registration data to event sponsors. However, event sponsors may receive your personal data under the following circumstances:
-
event sponsors who host a booth or other facility at an OpenInfra event may use a device provided by vandePoel Productions that enables them to scan your event badge. You do not have to permit an event sponsor to scan your event badge, but if you do, the event sponsor will be able to collect the personal data you provided to Eventbrite when you registered for the Summit.
-
if you register for parties, visit a sponsored lounge, or participate in other sponsored events or facilities, you may be asked to provide personal data to the sponsor as part of the registration or when you sign in.
-
personal data collected by event sponsors is subject to each sponsor’s Privacy Policy.
A note about Elections Administrators: we currently use BigPulse to administer our annual election of individual members to the Open Infrastructure Board of Directors. BigPulse enables the Open Infrastructure Foundation to issue each eligible voter a unique link to the voting platform. To vote in this election you are required to use this unique link. BigPulse shares the aggregate election results with the Open Infrastructure Foundation and the community, but does not share individual voting records.
Part V. Online Data Collection Technologies
A cookie is a unique alphanumeric identifier that is used to identify unique visitors to a website, whether or not those visitors are repeat visitors, and the source of the visits. Cookies cannot be executed as code or used to deliver a virus. Cookies are used to help site administrators recognize visitors as unique visitors (just a number) when they return. For example, if there are 1,000 visits to a website on a certain day, the site operator can use cookies to discover how many of those visits were made via the same browser (same visitor) and to track whether a certain visitor has visited the site more than once, and the source for each visit.
A tracking pixel, also known as a web bug or web beacon, is a small graphic (usually 1 pixel x 1 pixel) invisible to the eye, that is embedded in web content or email. When you view content that has an embedded web beacon, your web browser will request content from a web server, which in turn will set a cookie in your web browser containing a unique identifier. This unique identifier can be linked to log information that is used to track your movements on the operator’s website.
You may block cookies using the cookiebot feature available on our site. Your current cookie status and the link to change it appears in Section II above captioned “Third Parties Who Collect Data On Our Site.”
Part VI. Communications Policy
If you do not wish to receive our email or other communications, please send your request to [email protected] or write us at Compliance Officer, Open Infrastructure Foundation, P.O. Box 1903, Austin, TX 78767. Please note that it may take up to ten days to remove your contact information from our marketing communications lists, so you may receive correspondence from us for a short time after you make your request.
Part VII. Children
None of our websites, mobile applications or services are intended for children. Do not attempt to register as a services user unless you are at least 18 years old. Do not submit information about yourself using our websites or applications if you are under 13. If you are the parent or guardian of a child under 13 who may have submitted information to us please contact us at [email protected].
Part VIII. Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost or accessed in an unauthorized manner, including being altered or disclosed.
We have put in place procedures to handle security incidents, including a process for making notifications to you or a data breach as required by law.
We require our service providers to comply with appropriate security measures and to give us notice of security events as necessary for us to meet our security obligations to you.
Part IX. Data Retention
We will retain your personal data only for as long as reasonably necessary to fulfil the purpose for which it was collected, and to comply with our legal obligations. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Please contact us at [email protected] if you would like more information about our data retention policies
Part X. Requests to amend or erase your personal data, or restrict our use of your personal data
Our policies for complying with your requests to amend, erase, restrict or take other action with respect to your personal data are stated below. We will comply with the applicable legal requirements for these types of requests. You should communicate your request to [email protected].
-
Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
-
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
-
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
-
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
-
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
-
If you want us to establish the data's accuracy;
-
Where our use of the data is unlawful but you do not want us to erase it;
-
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims; or
-
You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
-
-
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
-
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If your request under this section is clearly unfounded, repetitive or excessive, we may charge you a fee to comply, or we may refuse to comply with your request, to the extent permitted by applicable law. We may need to request additional information from you to confirm your identity and help us comply with your request. We will try to respond to all legitimate requests within one month. If your request is particularly complex or you have made a number of requests, it may take us longer than a month. In this case, we will notify you and keep you updated. There may be circumstances in which we believe our interest as the community manager requires us to retain your personal data despite your request, but we will disclose this to you at the time of the request. Those circumstances include the following:
-
If you ask to have your individual member data removed, we may retain your name, email and OpenStackID in a separate “deleted members” database. We will use this record only to track our compliance with your deletion request and to respond to any subsequent communications you may have with us;
-
If you contribute code or documentation to the OpenStack Project we believe our legitimate interest as the manager of the OpenStack Project requires us to retain and publish your name in connection with that contribution indefinitely, even if you ask to you have your name removed.
Part XI. De-identified data
In some circumstances we may use or disclose de-identified data about our community members to third parties, including aggregate data, such as the size of our community, the demographic make-up of the community, the proportionate number of users vs. developers, and like information. Provided that we have de-identified this data in a way that it cannot be re-identified to any individual, we do not consider this type of information to be “personal data” subject to this policy.
Part XII. EU-U.S. Data Privacy Framework
The Open Infrastructure Foundation complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. The Open Infrastructure Foundation has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov.
Please note that the Open Infrastructure Foundation has elected to continue its participation in the EU-U.S. Data Privacy Framework even though EU-U.S. Data Privacy Framework is no longer recognized by the EU as a permitted transfer mechanism. If you have relied on our EU-U.S. Data Privacy Framework certification as a transfer mechanism please let us know and we will work with you to sign Standard Contractual Clauses.
In compliance with the EU-U.S. Data Privacy Framework (DPF), the Open Infrastructure Foundation commits to respect and adhere to the following principles regarding the handling of personal data transferred from the European Union to the United States:
- Notice: We inform individuals about the purposes for which we collect and use their personal data.
- Choice: We offer individuals the opportunity to choose whether their personal data is disclosed to third parties or used for a purpose other than the one for which it was originally collected.
- Accountability for Onward Transfer: We ensure that any transfer of personal data to third parties is covered by a contract that provides the same level of protection.
- Liability for Onward Transfer: For any personal data that we transfer to a third party, we may be liable if that third party processes the personal data in a way that is inconsistent with DPF principles.
- Security: We take reasonable and appropriate measures to protect personal data from loss, misuse, and unauthorized access.
- Data Integrity and Purpose Limitation: We ensure that personal data is accurate, complete, and current, and that it is used only for the purposes for which it was collected.
- Access: We provide individuals with access to their personal data and allow them to correct, amend, or delete inaccurate information.
- Recourse, Enforcement, and Liability: We provide individuals with recourse mechanisms to lodge complaints and seek remedies for non-compliance with the above principles.
For further information or to lodge a complaint, please contact us at [email protected].
This policy reflects our commitment to protecting personal data and our dedication to upholding the highest standards of privacy and security.
Dispute Resolution
If a privacy complaint or dispute relating to Personal Data received by the Open Infrastructure Foundation in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
Binding Arbitration
If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.
Part XIII. Changes to Policy
We may revise our Privacy Policy at any time by posting a revision on our website. However, the version of the Privacy Policy posted on our site at the time of the collection of your personal data will continue to apply to the personal data collected while that version was published.