Privacy Policy in accordance with GDPR
Last updated: April 14, 2026
Peter Hartwieg
Tölzer Str. 5a
81379 Munich
Germany
Email: privacy@openclienting.org
When you create an account (via Google OAuth or email magic link) we store your email address, display name (from your Google profile or derived from your email), a unique user ID, and the date of registration.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — necessary to provide you with an account and the ability to contribute content.
Content you submit (problem templates, requirements, pilot frameworks, solution approaches, success reports, comments, votes, and suggested edits) is stored along with your author ID and timestamps.
If you choose the anonymous option when submitting, your identity is hidden from other users on the published page. However, your author ID is always stored server-side for moderation purposes.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
When you visit our website your browser transmits certain data automatically (IP address, browser type, operating system, referring URL, date and time of access). This data is processed by our hosting provider (Vercel) and our authentication provider (Supabase) for security and operational purposes.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — ensuring security and availability of the service.
We store or read the following information on your device. The governing rule is § 25 TDDDG (the German implementation of the ePrivacy Directive).
Strictly necessary (no consent required under § 25(2) TDDDG)
These items are necessary for the service to function or to provide a feature you explicitly requested. They are set without consent but are disclosed here for transparency.
oc_cookie_consent — stores your choice in the cookie banner so it doesn't reappear on every page view. Storage: localStorage. Lifetime: 6 months, after which you are asked again.
NEXT_LOCALE — remembers your language preference (German / English) so you don't have to choose on every visit. Storage: cookie. Lifetime: 1 year.
oc_persona — remembers whether you selected the homepage view for established companies or for start-ups. Storage: cookie. Lifetime: 1 year.
theme (next-themes) — remembers your light/dark mode preference. Storage: localStorage. Lifetime: until you clear it.
Consent-based (only after opt-in via the cookie banner)
_ga, _gid, _gcl_*. Set only if you consent to analytics. If you decline or withdraw consent, these cookies are removed. See Section 5 for details.
To change your choice or withdraw your consent, click “Cookie Settings” in the footer. The cookie banner will reappear and you can either choose Decline or, under Settings, untick the analytics option and save. At that moment existing analytics cookies are deleted and a Google Consent Mode withdrawal signal is sent. If the Tag Manager was already loaded in your current tab, the page is also reloaded automatically so that no further analytics data is processed in this session either.
If you sign in with Google, we receive your name and email address from Google. We do not access your contacts, calendar, or any other Google data. Google's own privacy policy applies to data Google collects during the OAuth flow.
Legal basis: Performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR) — signing in with Google is one of several sign-in options and is part of providing the service.
When you create an organization as a signed-in user, we store its name, a URL slug derived from it, optionally a website, description and employee count, a verification status (e.g. unverified, pending, verified), and your user ID as the creator. This data is publicly visible (with the exception of internal status fields).
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). Recipients: Supabase (database hosting). Retention: until the organization is deleted. If you delete your account, the creator reference is anonymised.
When you request membership in a verified organization, we store your user ID, the organization ID, your role (member or admin), the membership status (pending, active, rejected, revoked), and timestamps. Administrators of the organization can see your request and accept or reject it.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). Retention: for as long as the membership exists; rejected or revoked records are retained to prevent repeated requests.
We generate in-app notifications when relevant events occur on your contributions (e.g. status changes, comments, suggested edits). They are stored with your user ID, the event type, and a timestamp. You can mark notifications as read individually or all at once; they are retained until your account is deleted.
You can additionally enable or disable email notifications for individual categories (status changes, suggested edits, replies to your comments, verification outcomes, success report decisions, reverted revisions). Your preferences are stored against your user ID.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for service-related notifications, switchable by you at any time. Retention: until your account is deleted. (There is currently no separate delete function for individual notifications.)
Organization administrators can upload a logo. Logos are stored in the public Supabase Storage bucket org-logos and served via a CDN; they are therefore visible to all visitors. Uploads are limited to image files up to 512 KB.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and legitimate interest in a recognisable representation of organizations (Art. 6(1)(f) GDPR). Retention: until removed by an administrator or until the organization is deleted.
We share personal data with the following processors:
Some of our processors (Vercel, Google, Cloudflare) are based in the United States. These transfers are safeguarded by the EU–US Data Privacy Framework (where the processor is certified) and/or Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure that all processors provide adequate data protection guarantees.
We use Google Tag Manager (GTM) to load Google Analytics 4 (GA4) on our website. GTM itself does not collect analytics data, but when it is loaded it makes a request to Google's servers, which logs the IP address and user agent of your browser.
Google Analytics 4 is configured as a tag inside our GTM container to understand how visitors use our website (pages visited, time on site, device type, country). GA4 anonymises IP addresses by default for traffic from the EU.
Both GTM and the cookies set by tags loaded through it (_ga, _gid, _gcl_*) are only loaded after you give explicit consent via our cookie banner. If you decline, GTM is never loaded, no analytics data is collected, and no analytics cookies are placed on your device.
You can withdraw your consent at any time: click “Cookie Settings” in the website footer to bring the banner back, then either choose Decline or open Settings and save without analytics. Existing analytics cookies are removed at that moment and a Consent Mode withdrawal signal is sent to Google. If the Tag Manager was already loaded in your current tab, the page is reloaded automatically so it cannot process further data in this session. The Tag Manager will not be loaded on subsequent visits.
Legal basis: Consent (Art. 6(1)(a) GDPR).
We use IBM Plex Sans and IBM Plex Mono. These fonts are downloaded at build time via next/font and then self-hosted from our own servers. When you visit our pages, no data is transmitted to Google for font delivery.
You have the right to:
To exercise any of these rights, contact us at privacy@openclienting.org. We will respond within 30 days.
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR).
The competent supervisory authority for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
We may update this privacy policy from time to time. The “last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.