Privacy Policy
Last updated: 2026-04-24
This Privacy Policy explains how ODON – Offene Daten für Offene Nutzung (“ODON”, “we”, “us”) collects and processes personal data when you visit our website, use our services, or otherwise interact with us. We follow the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
If you have any questions about this policy, please write to us at info@odon.at.
1. Who is responsible (Controller)
The controller for the personal data described in this policy is:
ODON – Offene Daten für Offene Nutzung
Austrian non-profit association (Verein), ZVR 1593372349
Gablenzgasse 26/01, 1160 Vienna, Austria
Email: info@odon.at
We have not appointed a Data Protection Officer because we are not legally required to do so under Art. 37 GDPR. For all data protection enquiries, please contact us at the email address above.
2. Scope of this policy
This policy applies to:
- our website at odon.at (including all language versions and subdomains);
- our APIs provided under api-eu-2.odon.at and similar endpoints;
- contact we have with you by email, through our forms, or via membership and service agreements.
It does not apply to websites we link to (for example the Open Knowledge Foundation, data.europa.eu, or other third-party sites referenced on our pages). Please consult those sites’ own privacy policies.
3. What data we process, for what purpose, and on what legal basis
We only process personal data where we have a clear purpose and a legal basis under Art. 6 GDPR. The following sections describe our main processing activities.
3.1 Visiting our website (server log files)
Our website is a static site hosted on GitHub Pages, a service of GitHub, Inc. (88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA). When you visit odon.at, GitHub Pages automatically records technical data required to deliver the website to you. This typically includes your IP address, the date and time of the request, the URL requested, the HTTP status code, the amount of data transferred, the referring page, and your browser’s user-agent string.
- Purpose: to deliver the website, ensure technical stability, and detect and defend against attacks.
- Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating a secure and functional website.
- Retention: log files on GitHub Pages infrastructure are retained under GitHub’s own retention schedule. We ourselves do not receive or store these logs.
- Recipient: GitHub, Inc., acting as a processor under Art. 28 GDPR. GitHub’s privacy practices are described in the GitHub Privacy Statement.
- Transfers outside the EU: GitHub, Inc. is based in the United States. Transfers are safeguarded by the EU–US Data Privacy Framework (GitHub is self-certified) and, as an additional safeguard, by the Standard Contractual Clauses contained in GitHub’s Data Protection Agreement.
3.2 Contacting us by email or contact form
When you send us an email or fill in our contact form, we process the data you provide (typically your name, email address, and the content of your message). Our contact form is implemented using Google Forms; submissions are stored in a Google Sheet on our Google Shared Drive, and a notification containing basic information about the submission is sent to our internal Google Chat. All of these services are provided to us by Google under our Google Workspace for Nonprofits agreement (see section 4).
- Purpose: to answer your enquiry and, where relevant, to follow up with you.
- Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps or contract performance) where your enquiry concerns a service, membership, or similar relationship; Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries) in all other cases.
- Retention: for as long as needed to handle your request, and afterwards for up to 3 years where retention is needed for accountability or to document the correspondence. You can ask us to delete your message earlier at any time.
3.3 Internship registration
When you register for an internship via the form at /en/internship-registration/, we process the data you provide in the form. This typically includes your name, email address, and information about your background, interests, and availability. Providing this data is necessary to evaluate your application; without it we cannot assess whether an internship is a fit.
The internship registration form is also implemented using Google Forms, with responses stored in a Google Sheet on our Google Shared Drive and a notification sent to our internal Google Chat (see section 4).
- Purpose: to evaluate your application, communicate with you about it, and, if an internship is agreed, to prepare and carry out that internship.
- Legal basis: Art. 6(1)(b) GDPR (steps taken at your request prior to entering into a contract) for the application itself; Art. 6(1)(a) GDPR (your consent) if you additionally agree that we may keep your application for future opportunities.
- Retention: if no internship comes about, we delete the application no later than 7 months after the end of the selection process, in line with the limitation period under the Austrian Equal Treatment Act (Gleichbehandlungsgesetz). If you consent to us keeping your application for future opportunities, we keep it for a maximum of 12 months; you can withdraw this consent at any time. If an internship is agreed, we keep the relevant documentation in line with statutory retention obligations.
- Recipients: members of ODON’s board and, where applicable, the mentor responsible for the internship. Technical processors as described in section 4.
3.4 API token registration
When you register for an API token at /en/api-registration/, we process the data you submit during registration (typically your name, email address, organisation if provided, and a description of your intended use), together with technical logs of your API calls (including the token identifier, timestamps, endpoints accessed, and IP address).
- Purpose: to provide you with API access, prevent abuse, ensure fair use within the association’s means, and maintain the stability and security of the API.
- Legal basis: Art. 6(1)(b) GDPR (to provide the API service you requested) for the registration data; Art. 6(1)(f) GDPR (legitimate interest in securing and operating the API) for technical logs.
- Retention: registration data for as long as your token is active, plus 12 months after revocation or inactivity. Technical logs for a maximum of 30 days.
- Recipients: our API infrastructure provider Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) acts as a processor under Art. 28 GDPR. Our API is hosted in Hetzner data centres within the European Union, so the processing takes place inside the EU/EEA.
3.5 Membership
When you become a full member, associate member, or honorary member of the association, we process the data required to administer membership under the Austrian Vereinsgesetz 2002 and our statutes. This includes your name, postal address, email address, date of membership, membership type, and payment information.
- Purpose: to administer membership, organise general assemblies and votes, collect membership fees, and comply with our statutory obligations as a Verein.
- Legal basis: Art. 6(1)(b) GDPR (the membership contract), Art. 6(1)(c) GDPR (compliance with Vereinsgesetz 2002 and tax law obligations), and Art. 6(1)(f) GDPR (legitimate interest in running the association).
- Retention: for the duration of your membership and for a maximum of 7 years after it ends, in line with the retention requirement of § 132 BAO (Austrian Federal Fiscal Code). Certain data may be kept longer where required by law.
- Recipients: members of the board who are responsible for administration, our bank (see below), and, where required, tax authorities.
Membership fees are paid by bank transfer to an account we hold with Wise Europe SA (an electronic money institution registered in Belgium and licensed by the National Bank of Belgium; Rue du Trône 100, 3rd floor, 1050 Brussels). Wise processes your payment data (sender name, IBAN, amount, reference) as an independent controller under EU financial-services and anti-money-laundering law, not as our processor. Details of Wise’s own processing are available in its privacy policy.
3.6 Donations
If you make a donation, we process your name, contact details, donation amount, and payment reference. Donations are made by bank transfer to our account with Wise Europe SA; see section 3.5 for the role of Wise.
- Purpose: to process the donation, issue receipts where requested, and comply with our bookkeeping obligations.
- Legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR.
- Retention: up to 7 years under § 132 BAO.
3.7 Social media presence (LinkedIn, GitHub)
We maintain profiles on LinkedIn and GitHub. If you interact with these profiles, the respective platform processes personal data under its own privacy policy:
- LinkedIn: LinkedIn Ireland Unlimited Company
- GitHub: GitHub, Inc.
Where LinkedIn and we jointly determine the purposes and means of processing page insights (for example on a LinkedIn Page), LinkedIn and ODON are joint controllers under Art. 26 GDPR. The primary responsibility for compliance and for providing information to data subjects lies with LinkedIn. To exercise your rights regarding data processed on the platform, please contact LinkedIn directly; we will forward any request we receive.
We link to these profiles from our website but do not embed their widgets or scripts. Note, however, that our website is hosted on GitHub Pages (see section 3.1) and uses embedded Google Forms for contact and registration (see sections 3.2 and 3.3), which do cause technical data to be shared with GitHub and Google respectively when those pages or forms are loaded.
4. Third parties who process data on our behalf
We use a small number of carefully selected service providers (“processors”) to operate our website and services. We have concluded a data processing agreement with each of them under Art. 28 GDPR. As of the date of this policy, they are:
| Processor | Purpose | Location |
|---|---|---|
| GitHub, Inc. (GitHub Pages) | Hosting of the static odon.at website | United States |
| Google Ireland Limited / Google LLC (Google Workspace for Nonprofits) | Email (Gmail), form handling (Google Forms), document and response storage (Google Sheets, Google Drive), internal notifications (Google Chat) | Ireland / United States |
| Hetzner Online GmbH | Hosting of the ODON API (api-eu-2.odon.at) | Germany (EU) |
We do not currently use a dedicated payment service provider. Membership fees and donations are received by bank transfer to our account with Wise Europe SA (an electronic money institution registered in Belgium and licensed by the National Bank of Belgium). Wise is an independent controller, not our processor, and is therefore not listed in the table above.
Transfers outside the EU/EEA
Some of our processors are based in the United States or process data there. The transfers are safeguarded as follows:
- Google Workspace for Nonprofits. Our plan does not offer data-region selection, so personal data processed through Google services may be processed in the United States or other countries where Google operates. Transfers are safeguarded by the EU–US Data Privacy Framework (Google LLC is self-certified) and, where the Framework does not apply, by the Standard Contractual Clauses included in Google’s Cloud Data Processing Addendum. Google encrypts Workspace data in transit and at rest and states that it does not use Workspace customer data for advertising or sell it to third parties.
- GitHub Pages. Transfers to GitHub, Inc. in the United States are safeguarded by the EU–US Data Privacy Framework (GitHub is self-certified) and by the Standard Contractual Clauses contained in GitHub’s Data Protection Agreement.
You can request further information about these safeguards at info@odon.at.
5. Cookies and similar technologies
Our website does not set any cookies of its own, and the hosting infrastructure (GitHub Pages) does not set cookies either. The only cookies you may encounter on odon.at come from embedded Google Forms on the contact and internship registration pages: when you load one of those pages, your browser fetches resources from Google’s servers, which may set cookies and process technical data under Google’s own privacy policy. This processing is carried out by Google as an independent controller for its own purposes in addition to the processing described in sections 3.2 and 3.3.
We do not use web analytics (such as Google Analytics, Matomo, or Plausible), advertising cookies, or social-media tracking pixels. If this changes in the future, we will update this policy and, where required, ask for your prior consent through a cookie banner.
If you previously chose to load a Google Form and want to be asked again on your next visit, you can reset that preference here.
6. Is providing data mandatory?
Providing personal data is generally voluntary. However:
- If you do not provide the data marked as required in a form, we may not be able to handle your request (for example, we cannot evaluate an internship application without an email address).
- For membership, providing the statutory minimum of data is a contractual requirement under our statutes; without it we cannot admit you as a member.
We do not use automated decision-making or profiling under Art. 22 GDPR.
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — to obtain confirmation of whether we process data about you and, if so, a copy of that data.
- Right to rectification (Art. 16) — to have inaccurate data corrected and incomplete data completed.
- Right to erasure (Art. 17) — to have your data deleted where one of the grounds in Art. 17 applies.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive data you have provided in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — in particular against processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)) — at any time, with effect for the future, where our processing is based on consent.
To exercise any of these rights, please write to info@odon.at. We will respond within one month under Art. 12(3) GDPR (extendable by two further months for complex requests, with notice to you).
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for Austria is:
Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna, Austria
Web: dsb.gv.at
8. Security
We take appropriate technical and organisational measures under Art. 32 GDPR to protect your data against loss, misuse, and unauthorised access. These include TLS encryption for data in transit (including for our static site served via GitHub Pages and for all Google Workspace services), encryption at rest for data held in Google Workspace, restricted access to administrative systems and to our Google Shared Drive, and regular review of our security measures. No method of transmission over the internet is entirely secure; we cannot guarantee absolute security but we work continuously to improve our safeguards.
9. Children
Our services are not directed at children. We do not knowingly process the personal data of persons under 16 years of age without the consent of a parent or legal guardian, as required by Art. 8 GDPR in conjunction with § 4(4) DSG. If you believe we have collected data from a child without the required consent, please contact us and we will delete it without undue delay.
10. Changes to this policy
We may update this policy when our processing activities, the services we offer, or the legal requirements change. The current version is always available at this URL, with the date of the last update at the top. We encourage you to review it from time to time. Material changes will be announced on our website.