← Back to home

Privacy

This privacy notice explains how Open Data Inside processes personal data, which legal bases are used, and what rights you have as a data subject.

Last updated: May 31, 2026

We process personal data only to the extent needed for badge submissions, contact requests, newsletter operations, public directory publication, and the secured admin area.

This notice is adapted to the current Open Data Inside platform and follows the current Dobriy AI legal baseline where relevant.

1. Who is the data controller and how can you contact us?

The data controller for this website is Dobriy AI GmbH.

Registered office: Stephansplatz 8/20, 1010 Vienna, Austria.

Commercial register number: FN 670995h, Handelsgericht Wien.

Privacy contact: office@dobriy.ai, phone: +43 720 880775.

2. Does this notice apply only to this website?

This privacy notice applies to opendatainside.org, opendatainside.net, and the public pages, forms, ambassador directory, and administrative sign-in area available on this website.

Services or identity infrastructure on other domains, especially auth.dobriy.ai for admin login, may provide additional notices of their own.

3. What categories of data do we process?

  • Technical usage and connection data such as IP address, date/time, request metadata, browser/device information, and security logs.
  • Badge submission data such as organization name, website, short description, uploaded logo, contact person name, email address, and moderation status.
  • Contact form data such as name, email address, and message.
  • Newsletter data such as email address, consent status, sign-up source, and confirmation/unsubscribe data used in the double opt-in flow.
  • Admin authentication data such as email address, roles, groups, and session/identity claims where you use the administrative area.

4. For what purposes and on what legal basis do we process data?

  • To provide, operate, secure, and protect the website against misuse on the basis of our legitimate interests under Art. 6(1)(f) GDPR.
  • To process badge submissions, communicate about a submission, and carry out editorial moderation on the basis of your request, the requested service, and our legitimate interests under Art. 6(1)(b) and Art. 6(1)(f) GDPR.
  • To publish approved ambassador profiles in the public directory on the basis of your submission/publication request and our legitimate interest in operating the directory under Art. 6(1)(b) and Art. 6(1)(f) GDPR.
  • To handle contact requests on the basis of our legitimate interests in communication and support and, where relevant, pre-contractual steps under Art. 6(1)(f) and Art. 6(1)(b) GDPR.
  • To send the newsletter, including double opt-in confirmation, on the basis of your consent under Art. 6(1)(a) GDPR.
  • To authenticate and control access to the admin area on the basis of our legitimate interest in secure editorial administration under Art. 6(1)(f) GDPR.
  • To comply with legal obligations where retention, evidence, or security measures are required by law under Art. 6(1)(c) GDPR.

5. What becomes public when an ambassador profile is published?

Draft submissions are not public. A directory entry becomes public only after approval.

Once published, organization name, external website, logo, join date, and editorial profile text may become publicly accessible and indexable by search engines.

If you submit data on behalf of an organization, you must ensure that you are authorized to submit and, where applicable, publish that material.

6. What categories of recipients receive data?

  • Hosting, database, and infrastructure providers used to operate this website.
  • Local server storage or configured S3-compatible object storage used for uploaded logos and media files.
  • auth.dobriy.ai / Keycloak for admin sign-in and related authentication/session handling.
  • Brevo for transactional emails, newsletter double opt-in, confirmations, and unsubscribe flows.
  • Internal or expressly authorized administrators and maintainers where required for moderation, support, or maintenance.

7. Do we transfer data to third countries?

We aim to operate this website and its core systems within the EU/EEA.

If any provider processes data outside the EU/EEA, this happens only under appropriate legal safeguards, such as standard contractual clauses or equivalent protections.

8. How long do we retain data?

  • Technical logs and security data only as long as needed for operational security, troubleshooting, and abuse prevention.
  • Draft badge submissions until review and thereafter only as long as needed for traceability, communication, or legitimate operational purposes.
  • Published ambassador profiles generally until removal, withdrawal of publication, or retirement of the platform.
  • Contact requests until they are fully handled and thereafter only as long as needed for follow-up or legal evidence.
  • Newsletter data until you unsubscribe, withdraw consent, or the data is no longer needed for newsletter operations.
  • Unconfirmed newsletter sign-ups only as long as needed to complete or expire the double opt-in process.
  • Admin authentication and session data only for the lifetime of the relevant session or as otherwise needed for security purposes.

9. Where do we obtain the data from?

  • Directly from you when you complete a form, upload a logo, send a message, or subscribe to the newsletter.
  • Automatically from technical connection metadata when you visit the website.
  • From the configured identity provider where you use admin login and authentication data is returned to this website.

10. Cookies, sessions, and similar technologies

The public website currently does not use advertising or profiling cookies.

In the current setup, no optional analytics or marketing trackers are loaded on the public pages.

If you use the admin login, technically necessary cookies and session information may be set by this website and by auth.dobriy.ai for authentication and session continuity.

11. What rights do you have?

Under the GDPR, you have rights including access, rectification, erasure, restriction of processing, data portability, and objection.

Where processing is based on consent, you may withdraw that consent at any time for the future.

You may also lodge a complaint with the Austrian data protection authority: https://www.dsb.gv.at/.

To exercise your rights, contact us at office@dobriy.ai.

12. Do we make automated decisions under Art. 22 GDPR?

No. This website does not currently use automated individual decision-making that produces legal or similarly significant effects.

13. Security

We use technical and organizational measures to protect data appropriately, including encrypted transport, access restrictions, secure authentication flows, and operational security controls.

14. Changes to this privacy notice

Current version: May 31, 2026.

If our processing activities or legal requirements materially change, we will update this notice accordingly.