Skip to content

Privacy Policy

Last updated: 11 May 2026

1. Controller

The controller responsible for the processing of personal data on this website (opening.science and all associated subdomains) within the meaning of the Swiss Federal Act on Data Protection (FADP / nDSG) and, where applicable, of Regulation (EU) 2016/679 (GDPR) is:

Open Science Stiftung (Open Science Foundation)
Obere Bönigstrasse 100
3800 Matten bei Interlaken
Switzerland

Contact for data-protection matters: office@opening.science

The Foundation has not appointed a Data Protection Officer (DPO), as the statutory criteria for mandatory appointment under Article 37 GDPR and Article 10 FADP are not met. The above contact address handles all data-protection inquiries.

EU representative under Article 27 GDPR

The Foundation is established in Switzerland and processes personal data of data subjects in the European Union only on an occasional basis, without large-scale processing of special categories of data and without systematic monitoring. On this basis, the exception of Article 27(2)(a) GDPR applies and no EU representative has been appointed. Should circumstances change, this section will be updated accordingly.

2. Scope of this Policy

This Privacy Policy explains which personal data we collect when you visit our website, on what legal basis we process it, how long we retain it, with whom we share it, and what rights you have. It applies to all users of opening.science, regardless of location.

3. Principles of processing

We process personal data in accordance with the principles of lawfulness, good faith, proportionality, purpose limitation, data minimisation, accuracy, integrity, confidentiality, and transparency. We do not sell personal data, and we use it only for the purposes described in this Policy.

4. Categories of data, purposes, and legal bases

4.1 Server log files

When you access this website, our hosting provider automatically processes the following technical data:

  • IP address (in some cases shortened/anonymised)
  • Date and time of the request
  • Content of the request (specific page accessed)
  • Access status / HTTP status code
  • Volume of data transmitted
  • Referrer URL
  • Browser type, browser version, and operating system

Purpose: ensuring the technical operation, security, and stability of the website; detecting and preventing abuse and attacks; troubleshooting.

Legal basis: FADP Art. 6 and 31(2)(c) — overriding legitimate interest in the secure operation of the website; GDPR Art. 6(1)(f) — legitimate interest in providing a functional and secure online presence.

Retention: server log files are typically retained for a maximum of 30 days, unless retention for a longer period is necessary for the investigation of a security incident.

4.2 Contact via email

When you contact us at any published address, we process the personal data you voluntarily provide (typically name, email address, and the content of your message).

Purpose: answering your inquiry, conducting any resulting correspondence, and where applicable preparing or performing a contract.

Legal basis: FADP Art. 6 and 31(2)(a) and (c); GDPR Art. 6(1)(b) (where the inquiry concerns a contractual or pre-contractual matter), Art. 6(1)(a) (consent), and/or Art. 6(1)(f) (legitimate interest in responding to inquiries).

Retention: as long as necessary to handle the inquiry and any follow-up, and thereafter for the duration of applicable statutory retention obligations (typically up to ten years under Swiss law for business correspondence).

4.3 Newsletter and mailing lists

If and when the Foundation operates a newsletter or mailing list, subscription is voluntary and operated on a double opt-in basis. The data you provide (typically email address and, optionally, name) is processed solely for the purpose of sending the newsletter. You may unsubscribe at any time using the link contained in each newsletter or by writing to office@opening.science.

Legal basis: FADP Art. 6(6) and (7) — express consent; GDPR Art. 6(1)(a) — consent.

Retention: until withdrawal of consent. Documentation of consent is retained as evidence for as long as necessary to demonstrate compliance.

4.4 Analytics and tracking

This website uses Matomo (https://matomo.org), a self-hosted open-source analytics software.

Purpose: To improve the user experience and for statistical analysis.

Data categories: IP address (anonymized after 24 hours), page views, device information, referrer URL.

Retention period: 13 months (in accordance with the GDPR).

Legal basis:

  • Switzerland: Art. 6 para. 6 FADP (legitimate interest).
  • EU: Art. 6 para. 1 lit. f GDPR (legitimate interest).

Right to object: You may object to the collection of your data by Matomo at any time via the opt-out link in the footer of this website: [Insert link].

Hosting: Matomo is hosted on our own servers in Switzerland (no data export to third countries).

4.5 Embedded third-party content

This website may link to third-party content such as videos, fonts, or code repositories. Where third-party content is technically embedded rather than only linked, the provider may receive your IP address and other technical metadata when the content loads. Specific embedded services in use will be listed here once the production website is finalised.

5. Cookies and similar technologies

We distinguish between:

  • Strictly necessary cookies — required for basic functioning of the website (e.g. session, security, load balancing). These are set on the basis of GDPR Art. 6(1)(f) / FADP Art. 31(2)(c) and do not require consent.
  • Optional cookies (e.g. analytics, marketing, embedded media) — set only on the basis of your explicit and revocable consent (GDPR Art. 6(1)(a) / FADP Art. 6(6)).

You can manage your consent at any time via the cookie banner on the website and configure your browser to block or delete cookies. Disabling strictly necessary cookies may impair functionality. A detailed list of cookies in use will be maintained at opening.science/cookies.

6. Data recipients and transfers abroad

6.1 Categories of recipients

We share personal data only with carefully selected recipients and only to the extent necessary for the purposes described:

  • Hosting and content-delivery provider — technical access data necessarily passes through their infrastructure; a data-processing agreement (DPA) within the meaning of FADP Art. 9 and GDPR Art. 28 is in place.
  • IT service providers assisting with website maintenance, email, and security, each under appropriate contractual safeguards.
  • Auditor, legal counsel, and tax advisors, where required to comply with statutory obligations.
  • Public authorities and courts, where legally obliged to disclose data.

A current list of sub-processors can be requested at office@opening.science.

6.2 Transfers to third countries

Some recipients may be located in countries outside Switzerland or the EU/EEA. Where personal data is transferred to such countries:

  • Transfers occur only on the basis of an adequacy decision (e.g. the FDPIC's list of countries with adequate data protection; the EU adequacy decisions; the Swiss–US Data Privacy Framework, in force since 15 September 2024; the EU–US Data Privacy Framework, in force since 10 July 2023, where the recipient is certified), or
  • on the basis of appropriate safeguards within the meaning of Article 16 FADP and Articles 46 et seq. GDPR (in particular EU Standard Contractual Clauses with the FDPIC's Swiss addendum), or
  • on the basis of an applicable derogation (Article 17 FADP, Article 49 GDPR).

Information on the safeguards in place can be obtained at office@opening.science.

7. Data security

We take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in line with FADP Art. 8 and GDPR Art. 32. These measures include encrypted transport (TLS/HTTPS), access controls, logging, regular review of safeguards, and contractual obligations imposed on processors.

8. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Retention periods relevant to specific processing operations are set out in section 4. Once the relevant period expires, data is deleted or irreversibly anonymised, save where retention is required by overriding legal obligations (e.g. accounting and bookkeeping records under Articles 957–958f of the Swiss Code of Obligations).

9. Your rights

Subject to the conditions and limitations set out in applicable law, you have the following rights with respect to your personal data:

  • Right to information / access (Article 25 FADP, Article 15 GDPR)
  • Right to rectification (Article 32 (1) FADP, Article 16 GDPR)
  • Right to erasure / "right to be forgotten" (Article 32 (2) FADP, Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 28 FADP, Article 20 GDPR)
  • Right to object to processing based on legitimate interests (Article 30 FADP, Article 21 GDPR)
  • Right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal (Article 6 (6) FADP, Article 7 (3) GDPR)
  • Right not to be subject to solely automated decisions producing legal or similarly significant effects (Article 21 FADP, Article 22 GDPR). The Foundation does not currently engage in such automated decision-making.

To exercise any of these rights, please write to office@opening.science. We may need to verify your identity before responding. We will reply within the timeframes set by applicable law (typically within 30 days under FADP and within one month under GDPR, extendable where justified).

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a competent data-protection supervisory authority. In particular:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, 3003 Bern — www.edoeb.admin.ch
  • European Union / EEA: the supervisory authority of your habitual residence, place of work, or place of the alleged infringement

10. Children

This website is not directed at children. We do not knowingly collect personal data from persons under the age of 16 (under FADP and most EU laws). If you believe we have inadvertently collected such data, please contact office@opening.science so we can delete it.

11. Automated decision-making and profiling

The Foundation does not use automated decision-making (including profiling within the meaning of Article 22 GDPR) that produces legal or similarly significant effects on data subjects on this website.

12. Changes to this Policy

We may amend this Privacy Policy from time to time to reflect changes in our processing activities or in the legal framework. The current version is always accessible at this URL with its effective date.

13. Contact

For any question regarding this Policy or the processing of your personal data, please contact:

Open Science Stiftung — Data Protection Obere Bönigstrasse 100, 3800 Matten bei Interlaken, Switzerland Email: office@opening.science