This is a draft policy subject to approval

Privacy Policy for ASF Downloadable Applications

This Privacy Policy clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as “Data”) within our download products offering (collectively referred to as “application”). With regard to the terminology we use, e.g. “Processing” or “Responsible”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

1. Name and contact details of the controller and the company data protection officer

This privacy policy applies to data processing by:

Responsible:

The Apache Software Foundation
V. P. Data Privacy
1000 N West Street, Suite 1200
Wilmington, DE 19801
U.S.A.

E-Mail: vp-privacy@apache.org

2. Personal data collected before downloading the application

When you attend our websites and download the product, the following privacy policy applies: Privacy Policy for public services.

3. Applications offered by the ASF covered by this policy

The following applications are covered by this policy:

• Airflow

4. Collection and storage of personal data and the nature and purpose of their use

User behavior data

To enhance the quality and performance of our applications, the Apache Software Foundation uses Scarf Systems Inc. to collect minimal data about user behavior. The Apache Software Foundation is committed to protect the privacy of our users; Scarf Systems Inc. was carefully chosen as partner due to its minimal data collection practices and its commitment to protecting user privacy.

This data collection is limited to the following:

The following information is being collected without your intervention and stored until automated deletion:

• The IP address of the requesting computer
• The date and time of access
• General usage patterns (e.g., frequency of application use)

The collected data serves the following purposes:

• Ensuring a smooth connection setup and operation of the application
• Improving user experience and application performance
• Monitoring system stability and identifying potential issues
• Administrative purposes and analysis for application improvement

This data is processed based on our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.

Scarf Systems Inc. collects this data directly via the integrated application telemetry system. ASF ensures that only the necessary data is collected, and no personally identifiable data, such as names or email addresses, is included in the collection process.

4. External service providers

The Apache Software Foundation uses the following external service providers who help to optimize its services. Insofar as these service providers process data on behalf of The Apache Software Foundation, agreements have been concluded with them which set the European data protection standards as binding and, in particular, prohibit the use of the data for other purposes. If we commission third parties to process data on the basis of a so-called “contract processing contract”, this is done on the basis of Art. 28 GDPR.

Scarf Systems Inc.

ASF employs Scarf Systems Inc. to optimize the applications it provides to its users. Scarf is fully compliant with GDPR and collects only minimal data necessary for the outlined purposes. The collected data is processed securely, adhering to European data protection standards, and is not used for any other purposes.

Scarf Systems Inc. contact information:

Scarf Systems Inc.
548 Market St
PMB 17568
San Francisco, California 94104-5401 US

For further details on how Scarf handles data, you can review their privacy policy at https://about.scarf.sh/privacy-policy.

5. Affected rights

You have the right:

• in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information on the processing purposes, the category of personal data, the categories of recipients to whom your data has been disclosed, the planned retention period, the right to rectification, deletion, limitation of processing or opposition, the existence of a right to complain, the source of your data, if not collected from us, and the existence of automated decision-making including profiling and, where appropriate, meaningful information about your data.
• in accordance with Art. 16 GDPR, to demand the immediate correction of incorrect or complete personal data stored with us.
• in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is required for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest or for the assertion, exercise or defense of Legal claims.
• to demand the restriction of the processing of your personal data according to Art. 18 GDPR, as far as the accuracy of the data is disputed by you, the processing is unlawful, but you reject its deletion and we no longer need the data, but you assert this, in the exercise or defense of legal claims or you have objected to the processing in accordance with Art. 21 GDPR.
• in accordance with Art. 20 GDPR, to receive your personal data provided to us in a structured, standard and machine-readable format or to request transmission to another person.
• according to Art. 7 para. 3 GDPR, to revoke your once-given consent to us at any time. As a result, we are not allowed to continue processing of data based on this consent for the future.
• to complain to a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or work or our office.

6. Right to object

If our retention of your personal data is based on legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to file an objection against the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct mail. In the latter case, you have a general right of objection, which is implemented by us without specifying any particular situation. If you would like to exercise your right of revocation or objection, please send an e-mail to vp-privacy@apache.org.

7. Data security

We take appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

8. Updating and changing this privacy policy

This privacy policy is currently valid and is valid as of 2024-12-11.

As a result of the further development of our website and offers thereof, or due to changed legal or official requirements, it may be necessary to change this privacy policy. The current privacy policy can be viewed and printed by you at any time on the website at https://privacy.apache.org/policies/privacy-products-policy-high.html.