OpenGPSR processes data based on legitimate interest (Art. 6(1)(f) GDPR), consisting in maintaining a publicly useful database of business contact details in the context of product safety and preventing abuse (spam, attacks, false reports).
We apply the principle of data minimization and assess the balance of interests: we publish only information necessary in the context of GPSR and strive to avoid personal data of individuals.
1. What data do we collect in the OpenGPSR database?
We collect data needed to identify the economic operator and their public contact points in the context of GPSR:
- Entity data: name, country, (optionally) address, website.
- Contact data (contact point): public email addresses and phone numbers indicated by the entity (e.g., compliance@company.com), or disclosed in public sources (e.g., "Contact", "Imprint").
- Source data and change history: link to source, source type, dates, record version information, and verification status (e.g., UNVERIFIED, PRIMARY_CONFIRMED, OUTDATED).
Important: OpenGPSR aims to process B2B data. If a contact appearing in a public source looks private (e.g., email containing a first and last name), we treat it as potentially sensitive and may restrict its publication. We prefer publishing functional addresses (e.g., safety@, support@, compliance@).
2. Technical data and logs (user and report data)
If you use the service (browse the site, use the API, or submit data), the system may record:
- IP address and technical details: server logs (e.g., IP, user-agent, request time) for security, diagnostics, and abuse prevention.
- Submission metadata: when data is reported via the form, information needed for audit may be saved (e.g., report ID, time, source, possibly account ID if login is implemented in the future).
Retention period: technical logs are stored for no longer than necessary for security and accountability purposes. By default, we strive for short retention periods (e.g., 30–90 days), unless an incident requiring longer analysis occurs.
3. No Marketing Tracking
The OpenGPSR project respects digital privacy:
- We do not use marketing analytics (e.g., Google Analytics, Facebook Pixel).
- We do not sell behavioral data to ad brokers.
- We do not profile users.
- We use only technical cookies necessary for service operation (if required).
4. Your Rights (Correction, Restriction, Objection)
If data concerns your company or you personally (e.g., private contact), you can submit a request for correction or publication restriction. OpenGPSR is not an official registry, but we react to credible reports and strive to minimize the risk of publishing personal data.
If data is incorrect, outdated, or contains a private contact:
1. Write to us via the Contact Form on the main page.
2. In the subject line put: [GDPR] Request for correction / publication restriction
3. Indicate the record URL and describe the scope of the request (correction / hiding contact / marking as OUTDATED).
4. If possible, attach a source confirming the change (e.g., current "Contact" page).
We try to react as quickly as possible. In cases requiring additional verification, we may ask for clarification.
Note: due to versioning and change audit, some information may be stored in the audit layer (e.g., as proof of report and its handling), while being hidden from public view.
5. Data Sharing
OpenGPSR publishes part of the data in open form (public view) and makes it available via an API intended primarily for reading. If you use public data, remember that the license (e.g., CC BY 4.0) does not waive obligations under GDPR.
Entities downloading data and processing it in their own systems may act as separate data controllers and are responsible for compliance with relevant regulations in their context (purpose, scope, retention, legal basis).