1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Johannes JacobOhlsdorfer Straße 72
22297 Hamburg
Germany
hello@openpls.app
2. Access data and hosting
The marketing website (openpls.app) and the app (cloud.openpls.app) are hosted on Google Firebase Hosting (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). For every request, technical data is processed in the server log:
- IP address (truncated or stored only briefly for delivery)
- date and time of the request
- URL requested and HTTP status code
- user agent and referrer (where transmitted)
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in secure and functional website operation).
3. Cookies and similar technologies
The marketing site (openpls.app) does not use tracking cookies or third-party analytics. Only strictly necessary key-value pairs (such as a language preference) may be stored in the browser when required.
The app (cloud.openpls.app) uses technically necessary cookies and local-storage entries for sign-in (Firebase Authentication), session handling, and language preferences (Art. 6 (1) lit. b GDPR — contract performance).
4. Registration and use of the app
Using the OpenPLS cloud app requires a user account. The following data is processed:
- email address (for sign-in and communication)
- display name
- optional: affiliation (institution, country, ROR ID)
- hashed password
- timestamps of account creation and sign-ins
Legal basis: Art. 6 (1) lit. b GDPR (contract performance).
Project and model data
Model definitions, uploaded datasets, computation results, and comments are stored in Google Firestore and Google Cloud Storage (region: europe-west). This data is used solely to provide the contracted service. You retain full control and can delete your data at any time.
5. Service providers (processors)
We use the following service providers, with whom data processing agreements under Art. 28 GDPR are in place:
- Google Ireland Limited — Firebase Hosting, Firebase Authentication, Firestore, Cloud Storage, Cloud Functions, Cloud Run (bootstrap service). Data location: preferably europe-west.
- Resend (Resend, Inc.) — transactional email delivery (e.g. email verification, invitations, password reset).
- Sentry (Functional Software, Inc.) — error and performance monitoring of the app. Pseudonymous exception reports; no advertising use.
Transfers to third countries (e.g. the USA) are based on Standard Contractual Clauses pursuant to Art. 46 GDPR or under the EU-US Data Privacy Framework where the provider is certified.
6. Contact requests
If you contact us by email, we process the data you provide exclusively to handle your request (Art. 6 (1) lit. b or f GDPR). After completion of the request, data is deleted unless there is a statutory retention requirement.
7. Your rights
You always have the right to:
- access (Art. 15 GDPR) the data we hold about you
- rectification (Art. 16 GDPR) of inaccurate data
- erasure (Art. 17 GDPR, where no retention obligations apply)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- object to processing (Art. 21 GDPR)
- lodge a complaint with a supervisory authority (Art. 77 GDPR) — in our case: Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit
To exercise your rights, a simple message to hello@openpls.app is sufficient.
8. Retention
Personal data is stored for as long as necessary to fulfil the stated purposes or as required by statutory retention obligations. Account and project data are removed without undue delay after account deletion.
9. Changes to this privacy policy
This privacy policy will be updated as required by legal changes or product changes. The current version is always available at openpls.app/en/privacy.