The OpenStack Foundation, d/b/a Open Infrastructure Foundation is a Delaware non-stock, non-profit corporation under the jurisdiction of the FTC with its principal office in Austin, Texas. The goal of the Open Infrastructure Foundation is to serve developers, users, and other participants in the open infrastructure ecosystem by providing a set of shared resources to build community, facilitate collaboration, and support integration of open source technologies.
The Open Infrastructure Foundation is committed to the principles of the Privacy Shield through transparent disclosure of our activities related to privacy protection. We work at carefully balancing the Foundation’s interest in using your personal data to meet its goal against any potential impact to you arising from our use.
This Policy is divided into sections:
A. Personal data we collect
B. Personal data we receive from other organizations
goal refers to the goal of the Open Infrastructure Foundation stated above, and the Foundation’s purpose as stated in our Bylaws at https://www.openstack.org/legal/bylaws-of-the-openstack-foundation/.
visitor means a visitor to the Site, including visitors who use services on the site, such as the OpenStack Marketplace;
community member means an individual who: (i) is a member of the Open Infrastructure Foundation, (ii) contributes software, documentation, or other information to the OpenStack Project, (iii) attends an OpenInfra or OpenStack event, (iv) takes a certification exam, such as the Certified OpenStack Administrator exam, or (v) provides personal data to the Foundation in some other way as described below;
personal data or personal information means any information about an individual that identifies the individual, or that can be used to identify the individual, directly or indirectly.
we and our and us refers to the Open Infrastructure Foundation; and
you and your refers to visitors and community members.
Part I. Personal data that we collect from and about you
A. Personal Data We Collect. We collect different kinds of personal data from and about you as follows:
when you visit openstack.org or any other website where this policy is posted as a guest
- we may use third party web analytics tools such as Google Analytics or Google Website Optimizer, to capture information about the use of our site, such as mouse clicks and scrolling activity. The providers of these tools capture data about your activity on our site, via cookies and other techniques, and provide us with this information in aggregate, anonymous form. This information is not personally identifiable to any site user.
when you submit other information on our site:
- if you want to join the Open Infrastructure Foundation as an individual member, you will be asked to complete a web form with your name, contact information, employer name, physical location, field of activity, profession, and other information;
- if you sign up for a mailing list, we will ask for your name and contact information.
when you publish content on the site:
- if you participate in a forum, chat room, blog, or news group, your user name and the information you publish will be available to the Open Infrastructure Foundation (and the public);
- if you are a candidate for a seat on the Open Infrastructure Foundation Board of Directors: we will ask you to submit biographical information and a photograph of yourself to post on our site.
when you use our Summit mobile app:
- if you use our mobile app to plan your activity at the summit (which sessions to attend, etc.), we will have access to those plans as a necessary part of providing this feature. We do not view or use that information except in emergency circumstances – see “How we use your personal data” below. We also have access to your unique device identifier and other information useful for monitoring the availability of the app. We currently use Crashlytics to monitor the availability of the app.
- when you send us an email (including email to community group lists), or via our site to submit a question to openstack.org: we will collect your name and email address.
- when you participate in a survey: we periodically ask Project users to complete a survey to provide feedback on our events. If you choose to participate in such a survey, you will be asked to submit personal data such as your name, email address, and location.
- when you register for an OpenStackID in order to contribute source code or documentation via Launchpad or other repository: we require you to provide your name and email address to issue you with the required OpenStackID.
B. Personal Data We Receive from Other Organizations. We receive personal data from these organizations who collect personal data from and about you:
event contractors we hire to provide event registration and management services, such as Eventbrite:
- if you register to attend one of our bi-annual summits, you will register and pay through Eventbrite and will be asked to submit name, email address, company, work phone, title, and geographic location of your workplace. Eventbrite shares that data with us.
event technology providers such as vandePoel Productions and FNTECH:
- event sponsors who host a booth or other facility at an OpenInfra or OpenStack event may use a device provided by vandePoel Productions that enables them to scan your event badge. You do not have to permit an event sponsor to scan your event badge, but if you do, the event sponsor will be able to collect the personal data you provided to Eventbrite when you registered for the Summit.
source repository managers, such as Canonical:
- Canonical manages our Launchpad instance. As the account owner and administrator, OpenStack has access to the information that you provide to Canonical, such as your Launchpad id.
- the Open Infrastructure Foundation has a Facebook page, a Twitter account, LinkedIn Company Page, and YouTube Channel. Your user names on these platforms will be exposed to the Foundation if you follow our social media accounts. Any personal data you elect to share as part of a posting using those platforms is also available to us.
- if you register for and take an OpenStack certification exam, such as the Certified OpenStack Administrator exam, our exam administrator, which is currently Mirantis, will collect your name and other personal data. Mirantis provides us with exam results tied to the OpenStack ID you use to register for the exam.
advertisers who link to our Sites:
- if you arrive at our site by clicking on an advertisement or content published by a third party, that third party may provide information to us about your activity on their website. We may use Google AdWords or other third party advertisers.
- local user groups and other community partners also provide us information about your attendance at their events, including your name and email address.
Generally we do not combine personal data we have about you from different sources for any purpose, with the exception that we will use information we collect about your interest in our events to send you email communications about those events.
Part II. Third Parties Who Collect Data
On Our Site
Third parties who display content or provide services on our websites may also collect personal data about you using cookies, tracking pixels, and other methods. They share some of that data with us as described above, but they may collect other data that they use for things unrelated to OpenStack. For example,
- YouTube https://www.youtube.com/t/terms
- Google AdSense https://policies.google.com/privacy?hl=en
- Shopify https://www.shopify.com/legal/privacy#Main
- Google reCAPTCHA https://policies.google.com/privacy?hl=en
- Akismet https://automattic.com/privacy/
- Google Tag Manager https://policies.google.com/privacy?hl=en
- CloudFlare https://www.cloudflare.com/privacypolicy/
You may block cookies using the cookiebot feature available on our site. If you elect to permit collection of data via cookies initially, but later change your mind, you can change your preferences.
Mobile App Availability Monitoring
Part III. How we use personal data and the legal basis for such use
We will use your personal data to provide information and services to you as a participant in the OpenInfra community and to manage the community consistent with the Foundation’s goals, at all times balancing the Foundation’s goal against your interest in protecting your personal data. We will strive to use your personal data only to the limited extent necessary to meet our legitimate interest as the manager of the OpenStack Project and community. Specific ways that we use your personal data in this way are as follows:
to provide you with information that you have requested or that is relevant to the OpenInfra community:
- if you elect to be included in our Individual Member Directory, we will publish your member profile on our site;
- we may use your email address to send you information about upcoming events, Foundation news, and governance matters;
- Please see the section below captioned Email Policy for information on how to stop receiving email communications from us.
to improve our website:
- we use web visit information to measure interest in and develop our web pages and marketing plans, and administer our site.
to administer our website:
- we use web visitor IP addresses to help diagnose problems with our servers, and to administer our site.
to improve our events and our management of the Open Infrastructure Foundation and the community in general:
- we use personal data you choose to provide in response to our survey, as well as your comments on our site content.
- to provide you with access to secure areas of our site or third party services, such as the code repository service or a certification exam; and
to respond to complaints regarding a violation of our Code of Conduct.
- We will not use your personal data in any other way unless:
- (i) you have given your express consent for that use, or (ii) to the limited extent necessary to comply with a legal obligation that we are subject to.
Part IV. Circumstances under which we may disclose your personal data
We will not disclose your personal data to third parties except as follows:
to third parties that provide services to us:
- for example, we currently use the following third party services:
- Mailchimp, Emma, and Sendgrid for outgoing email;
- Salesforce for community relationship information management;
- Disqus for the comments features on our blog and other Web publications;
- Zendesk to manage incoming email and other requests, such as email to [email protected] and [email protected];
- Survey Monkey to administer surveys and analyze the results;
- Adobe Echosign e-signing service; and
- Formstack to administer webforms.
- we may use other service providers to provide similar services to those described above or to otherwise help us manage contact information and communications, analyze data, provide marketing services, or other services that help us manage the Open Infrastructure Foundation. These providers are not authorized to further disclose your personal data or to use your personal data for any purpose other than providing services to us.
- our site is hosted and monitored by third parties and we use third party infrastructure monitoring services. These third parties may have inadvertent or incidental access to your personal data. These providers are not authorized to further disclose your personal data or to use your personal data for any purpose other than providing services to us.
- we may disclose your personal data when we believe release is appropriate to comply with the law, or to protect the rights and safety of others. This may include exchanging information with government regulatory or law enforcement agencies, or with other companies and organizations for fraud protection and legal compliance. We have, on the rare occasion of an emergency, used information that a mobile app user entered regarding their planned activities to find the user.
We do not directly disclose event registration data to event sponsors. However, event sponsors may receive your personal data under the following circumstances:
- event sponsors who host a booth or other facility at an OpenInfra event may use a device provided by vandePoel Productions that enables them to scan your event badge. You do not have to permit an event sponsor to scan your event badge, but if you do, the event sponsor will be able to collect the personal data you provided to Eventbrite when you registered for the Summit.
- if you register for parties, visit a sponsored lounge, or participate in other sponsored events or facilities, you may be asked to provide personal data to the sponsor as part of the registration or when you sign in.
A note about Elections Administrators: we currently use BigPulse to administer our annual election of individual members to the Open Infrastructure Board of Directors. BigPulse enables the Open Infrastructure Foundation to issue each eligible voter a unique link to the voting platform. To vote in this election you are required to use this unique link. BigPulse shares the aggregate election results with the Open Infrastructure Foundation and the community, but does not share individual voting records.
Part V. Online Data Collection Technologies
A tracking pixel, also known as a web bug or web beacon, is a small graphic (usually 1 pixel x 1 pixel) invisible to the eye, that is embedded in web content or email. When you view content that has an embedded web beacon, your web browser will request content from a web server, which in turn will set a cookie in your web browser containing a unique identifier. This unique identifier can be linked to log information that is used to track your movements on the operator’s website.
You may block cookies using the cookiebot feature available on our site. Your current cookie status and the link to change it appear in Section II above captioned “Third Parties Who Collect Data On Our Site.”
Part VI. Communications Policy
If you do not wish to receive our email or other communications, please send your request to [email protected] or write us at Compliance Officer, Open Infrastructure Foundation, P.O. Box 1903, Austin, TX 78767. Please note that it may take up to ten days to remove your contact information from our marketing communications lists, so you may receive correspondence from us for a short time after you make your request.
Part VII. Children
None of our websites, mobile applications or services are intended for children. Do not attempt to register as a services user unless you are at least 18 years old. Do not submit information about yourself using our websites or applications if you are under 13. If you are the parent or guardian of a child under 13 who may have submitted information to us please contact us at [email protected]ra.dev.
Part VIII. Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost or accessed in an unauthorized manner, including being altered or disclosed.
We have put in place procedures to handle security incidents, including a process for making notifications to you of a data breach as required by law.
We require our service providers to comply with appropriate security measures and to give us notice of security events as necessary for us to meet our security obligations to you.
Part IX. Data Retention
We will retain your personal data only for as long as reasonably necessary to fulfil the purpose for which it was collected, and to comply with our legal obligations. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Please contact us at [email protected] if you would like more information about our data retention policies.
Part X. Requests to amend or erase your personal data, or restrict our use of your personal data
Our policies for complying with your requests to amend, erase, restrict or take other action with respect to your personal data are stated below. We will comply with the applicable legal requirements for these types of requests. You should communicate your request to [email protected].
- Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy;
- Where our use of the data is unlawful but you do not want us to erase it;
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims; or
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If your request under this section is clearly unfounded, repetitive or excessive, we may charge you a fee to comply, or we may refuse to comply with your request, to the extent permitted by applicable law. We may need to request additional information from you to confirm your identity and help us comply with your request. We will try to respond to all legitimate requests within one month. If your request is particularly complex or you have made a number of requests, it may take us longer than a month. In this case, we will notify you and keep you updated. There may be circumstances in which we believe our interest as the community manager requires us to retain your personal data despite your request, but we will disclose this to you at the time of the request. Those circumstances include the following:
- If you ask to have your individual member data removed, we may retain your name, email and OpenStackID in a separate “deleted members” database. We will use this record only to track our compliance with your deletion request and to respond to any subsequent communications you may have with us;
- If you contribute code or documentation to the OpenStack Project, we believe our legitimate interest as the manager of the OpenStack Project requires us to retain and publish your name in connection with that contribution indefinitely, even if you ask to have your name removed.
Part XI. De-identified data
In some circumstances we may use or disclose de-identified data about our community members to third parties, including aggregate data, such as the size of our community, the demographic make-up of the community, the proportionate number of users vs. developers, and like information. Provided that we have de-identified this data in a way that it cannot be re-identified to any individual, we do not consider this type of information to be “personal data” subject to this policy.
Part XII. EU-US and Swiss Privacy Shield
The Open Infrastructure Foundation participates in the EU-US and Swiss Privacy Shield frameworks regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. We have certified with the Department of Commerce that we adhere to the Privacy Shield Principles. To learn more about the Privacy Shield Principles, visit here. Our certification appears here.
Please note that the Open Infrastructure Foundation has elected to continue its participation in the EU-US and Swiss Privacy Shield frameworks even though Privacy Shield is no longer recognized by the EU as a permitted transfer mechanism. If you have relied on our Privacy Shield certification as a transfer mechanism please let us know and we will work with you to sign Standard Contractual Clauses.
In compliance with the Privacy Shield Principles, The Open Infrastructure Foundation commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact The Open Infrastructure Foundation at [email protected] and give us the opportunity to resolve your complaint. We will respond to your complaint promptly.
The Open Infrastructure Foundation has further committed to refer unresolved Privacy Shield complaints to Privacy Trust, an alternate dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.privacytrust.com/drs/openstack for more information or to raise a Privacy Shield complaint with PrivacyTrust. The services of Privacy Trust are provided at no cost to you.
In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, OpenStack remains liable.
Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
Please see the additional information provided by the U.S. Department of Commerce here on resolving complaints.
Part XIII. Changes to Policy