who is responsible
the controller.
the openroar collective, verein für eine florierende zukunft mit ki. (in gründung, vienna, austria. the registered postal address will be added once the association is formed, see the imprint.)
you can reach us through the feedback button on our home page. every message is read by the team.
no data protection officer has been appointed. this is not required for an organisation of our size and the limited processing we do.
how we measure
aggregate-only. no profiles.
we run self-hosted umami on our own servers in europe. it records aggregate page views, referrers, device types, and click events (including interest in the alpha and donations) so we can see what is useful. it records nothing that could identify you or trace a journey across sessions. it honours do-not-track. no third-party scripts, no profiling, no per-user data, ever.
aggregate counts only. we will never know it was you.
to serve this site quickly and reliably we use a content delivery network (cloudflare). delivering a page means cloudflare processes connection metadata such as your ip address. it sets no cookies through us, runs no profiling, and we place no third-party scripts on the page. this is the one processor involved in simply loading the site.
your email
stored, protected. not used for anything else.
if you leave your email, it is stored in cloudflare's kv store, encrypted at rest, restricted to our project. sending you the confirmation and launch emails is handled by resend, an email-delivery service based in the united states. that means your email address is processed by resend, outside the eu, under the eu-us data privacy framework and standard contractual clauses, for the sole purpose of sending you that mail. it is not sold, not shared for advertising, and not used to target you.
legal basis. your consent (gdpr art.6(1)(a)), given when you submit your email. purpose. to notify you when openroar opens and about launch updates. nothing else.
recipients & transfers. three processors can touch your data. cloudflare hosts and stores your email in its kv store, encrypted at rest, under a data-processing agreement. cloudflare runs a global network, so we cannot promise that storage happens only inside the eu. resend sends the confirmation and launch emails from servers in the united states, covered by the eu-us data privacy framework and standard contractual clauses. if you type into the gate or the chat, that text goes to mistral, an eu-based ai provider, to generate a reply, and stays in the eu. no one else receives your data. we are not going to claim it never leaves the eu, because parts of it do. that is the honest shape of it.
how long we keep it. until you withdraw consent or until openroar launches, whichever comes first. at launch we will ask you to re-confirm, or we will erase it.
spam protection. invisible bot protection (cloudflare turnstile) keeps the signup form human, no puzzle, no click. to tell a human from a bot it processes limited technical signals such as your ip address and browser characteristics; it does not receive your email, set cookies through us, or track you across sites. see cloudflare's turnstile privacy addendum.
confirmation is live: the email you receive asks for one tap before your spot is added, so nobody's inbox ends up on this list without them. one-tap erase isn't built yet. until it is, use the feedback button on our home page, tell us the email to remove, and we will delete it promptly, and always within the one month gdpr requires. withdrawing consent is as easy as giving it.
gdpr+ means we hold ourselves to more than the regulation requires. the full standard is in our charter. when one-tap erase is live, this page will say so.
your rights
access, correct, erase, restrict, object. and withdraw.
under the gdpr you have the right to access the data we hold about you, to have it corrected or erased, to restrict or object to its processing, and to data portability.
you also have the right to withdraw your consent at any time, with no effect on processing done before you withdrew. to exercise any right, use the feedback button on our home page. we will act promptly, always within one month.
you have the right to lodge a complaint with your national supervisory authority. in austria that is the datenschutzbehörde (dsb.gv.at).
the short version
what we do, and do not, do.
- cookies: none. we set not one. the single banner you may see asks about analytics, remembered in your browser's local storage, not a cookie.
- no third-party trackers. no analytics SDKs, no ad pixels, no fonts phoning home. the fonts ship from our own servers.
- aggregate-only. self-hosted umami, counting page views and click events, and only once you say yes. never a per-user journey, never a profile.
- your email, protected. cloudflare stores it, encrypted at rest, restricted to our project. resend sends it, from the united states, under the eu-us data privacy framework and standard contractual clauses. never sold, never shared, never used to target you.
- the gate and the chat send text to mistral. what you type there is processed, in the eu, to generate the reply. that's the only reason it's sent.
- do-not-track is honoured. if your browser sends DNT, we count nothing for you.
- confirmation and erase are being built. until they are live, one message through the feedback button erases you. promptly, and always within the one month gdpr requires.
built in vienna, europe. owned by you.