Open Ingredients
|

Privacy

1. Data controller

The data controller for this site is Open Elements GmbH, Gerhart-Hauptmann-Str. 49B, 51379 Leverkusen, Germany. The managing director is Hendrik Ebbers. The full imprint information, including the VAT ID and the responsible person under § 18 (2) MStV, is available on the Imprint page.

2. What we DO NOT collect

Open Ingredients is a read-only public mirror of technical security data. We do not collect personal data about visitors. In particular, this site:

  • does not require an account, login, or registration,
  • does not set tracking cookies and does not use browser fingerprinting,
  • does not store IP addresses, user identifiers, session identifiers, or any other personally identifiable information (PII) in its events,
  • does not share data with advertising or marketing networks,
  • does not profile visitors.

The only personal data ever processed is the email address you voluntarily submit if you sign up for the newsletter (see section 5).

3. Plausible analytics

Open Ingredients uses Plausible for aggregate, privacy-friendly traffic analytics. Plausible is operated by Plausible Insights OÜ and is hosted on EU infrastructure (Hetzner, Germany). Plausible:

  • does not set any cookies,
  • does not use browser fingerprinting,
  • does not store IP addresses persistently — it processes them only briefly to derive a non-identifying hash, in line with Plausible's published data policy,
  • does not process personal data for advertising or profiling.

The events the site fires are limited to the standard pageview event plus three explicit goal events: `newslettersignup` (when the newsletter form is successfully submitted), `contactclick` (when a visitor opens the Support & Care contact link), and `sbom_download` (when a visitor downloads a CycloneDX SBOM). All event payloads are limited to non-identifying technical attributes such as the URL path and the project slug. None of these events fire on the Imprint or Privacy pages — only the standard pageview is recorded there.

4. DependencyTrack as data origin

The security data displayed on Open Ingredients is mirrored from a DependencyTrack instance operated by Open Elements at `dependencytrack.open-elements.cloud`. Open Ingredients acts as a public mirror: the data is purely technical and consists of open-source project names, versions, components, licenses, and known vulnerabilities. The data does not contain any personal information about visitors or about the contributors of the upstream projects.

The visitor's browser never communicates with DependencyTrack directly. Every request is mediated by the Open Ingredients backend-for-frontend (BFF), which talks to DependencyTrack server-side over a separate, authenticated connection.

5. Embedded services

The following external services are loaded by the visitor's browser when using Open Ingredients:

  • Plausible analytics, loaded on every page from the Plausible script endpoint, as described in section 3.
  • The Open Elements newsletter endpoint, contacted only when a visitor submits the newsletter form, and only when the newsletter feature is enabled in the active build. The submitted email address is forwarded to the configured newsletter provider for the sole purpose of sending opt-in confirmation and subsequent newsletter content.

No other third-party services are embedded. In particular, Open Ingredients does not load fonts from third-party CDNs, does not embed Google Analytics or any comparable advertising-network tracker, does not embed social-media widgets, does not embed maps, and does not embed chat widgets.

6. Contact

For data protection inquiries, please contact us by email at hendrik.ebbers@open-elements.de. The link is a plain HTML anchor — there is no contact form on this site, and the address is not obfuscated by JavaScript.

7. Your rights

Under the General Data Protection Regulation (GDPR) you have the right to access, rectify, and request the erasure of personal data concerning you, the right to restrict or object to processing, the right to data portability where applicable, and the right to lodge a complaint with a supervisory authority.

Last updated: May 6th, 2026