Cauldron Privacy Policy is provided by Bitergium SLL (“Bitergia” or “we/us”) and we are committed to protecting the privacy of the user of our services and our website (“You/r”). This Privacy Policy is part of the Terms of Use and explains our practices regarding the use of personal data collected and processed through our services and website. Defined terms set out herein shall have the same meaning as in Terms of Use of which it forms part.


The entity responsible for processing the data in the website or through our services is Bitergium SLL, located at Av.da Gregorio Peces Barba, 1 - 28918 Leganés, Madrid. All communications regarding the processing of your personal data shall be directed to

Data collected as Data Controller

You can use our website without revealing any personal identifiable information about yourself other than as indicated in our cookie policy. However, in certain cases we collect and process the following data:

  • Log-in data: You must necessarily access the platform through the GitHub, Gitlab, Meetup, StackExchange or Twitter portals of your choice by entering your credentials. When you access our services using third party credentials (GitLab, GitHub, Meetup, StackExchange and Twitter), we will import your information from any of these third parties to create an account on our service.

These data are mandatory and if they are not provided we cannot contact you and respond to your requests.

  • Newsletter. If you want to subscribe to receive our newsletter, your email address will be collected in our webform “Join the newsletter” in order to send you the latest news about our Service.
  • Give us feedback: if you would like to give us feedback about our services, you will need to sign in to your Gitlab account by entering your email and password or through any of the other providers listed (Google, Twitter, Github, Salesforce, or Bitbucket)

Cauldron automatically collects data regarding your browsing of the website, such as your IP address, the browser you are using, the site from which you came and the site to which you are going when you leave the site.

Data collected as Data Processor

The personal data which may be generated during the course of services provided by services will be processed by us as a Data Processor, as established in Annex I "Data Processing Addendum" below which regulates that data processing. Under no circumstances the personal data of third parties resulting from our analysis services will be disclosed.

Data quality

It is important that the personal data we hold about you is accurate and current. You are responsible for the accuracy of the information you provide to us and you are expected to update any information you provide us with.

Data use

We use your personal data to:

  • Contact you and manage the professional and commercial relationship with you.
  • Manage any request you are asking us and provide our services.
  • Send you newsletters, event announcements, product notices including those announcing changes to our terms or policies, promotional offers and surveys.
  • For sign-in users, provide our services.

Data collected automatically from website use will be maintained and used in aggregate form only and it will not contain personally identifiable information. We may use such aggregate information to analyse trends, administer the site/s, and gather broad demographic information for aggregate use.

Legal Basis

The legal basis of this processing is the performance of our services (registration and user management), and our legitimate interest to contact you and respond to your requests, and your express consent where indicated by you (newsletter). For clients, processing the personal data of your staff and contacts is necessary for entering into and performing our contract.

Commercial Communications

If you tick the corresponding box, you consent to receiving commercial communications from us regarding our services and products and any new features, offers or promotions offered by us. If later you do not wish to receive commercial Information about and our services, you can expressly opt out by sending a notification to or by clicking the unsubscribe link in our email communications.


We process your personal data with strict confidentiality in accordance with applicable law. However, we shall disclose any personal or other data you provide us in compliance with a legal obligation or in order to correctly deliver our Services or perform other obligations in accordance with our website terms or professional terms of engagement, or in the event of a corporate operation involving investment, merger or sale.

Except as indicated, we do not reveal any of your data unless it is necessary for the performance of our services, or to our professional suppliers who provide us their services (email, storage, etc.).

International. We inform you that we use the following international third-party services to provide our Services:

These companies are located in the United States, territory which does not generally provide adequate safeguards in relation to data processing, but they are part of the EU-US Privacy Shield and have entered into contracts with us providing the appropriate safeguards according to law.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.


We will retain the personal data submitted through our website and collected during the course of the services while we have commercial and professional relations with you. Once such personal data is no longer used for the purpose mentioned above, it will be deleted. We may retain personal data beyond the aforementioned periods for legal or administrative reasons, such as defending our responsibility and complying with mandatory legal obligations, subject to applicable law. For clients, we will retain your data during out engagement and 6 years thereafter (duly blocked) for tax and legal reasons. This period may be extended for the period of liability of Bitergia.

Note that we may retain the data collected from you in an anonymised and aggregated format.


We implement security measures and personal data protection schemes as required by law to maintain the confidentiality and integrity of your data and protection against unauthorised access, modification or destruction.


You have the following rights under data protection laws in relation to your personal data: Request access to your personal data (commonly known as a "data subject access request"), Request correction of the personal data that we hold about you, Request erasure of your personal data; Object to processing of your personal data where we are relying on a legitimate interest; Request restriction of processing of your personal data, Request the transfer to you or to a third party of personal data you have provided us (right to data portability), Withdraw consent at any time where we are relying on consent to process your personal data. Note that if you oppose or request erasure or restriction of processing, we may not be able to provide our services.

The aforementioned rights may be effective by contacting us at or at Bitergium SLL, Av.da Gregorio Peces Barba, 1 - 28918 Leganés, Madrid. We may require proof of identity, e.g. a digital copy of your identification document such as your ID card or passport.

You also have the right to make any complaint to the competent authority, in this case the Spanish Data Protection Agency (Agencia Española de Protección de Datos), C/. Jorge Juan, 6, 28001 Madrid, Spain.


We reserve the right to amend the terms of this Privacy Policy and will notify you by providing a clear notice of these changes by email or on our Website, and in this Privacy Policy. If you continue to use our Services after such update, you will be deemed to accept the new terms. If you do not accept the update, please notify us and we will terminate your Account and remove any of your personal data (except as required to be maintained for legal purposes), and you will not be able to continue to use our services.

Unless a specific local regulation sets forth to the contrary, the Privacy Policy is governed by the laws of Spain.


With the advent of the EU General Data Protection Regulation, it is all the more important to regulate the processing of this data in the context of the Agreement between Bitergia and its client (the “Parties”) in the use of the services.

The parties agree as follows:

  1. Definitions

    For the purpose of this Annex, the following terms shall take the meanings set out below:

    • Personal Data: all information about an identified or identifiable individual; An identifiable natural person shall mean any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more identity elements Physical, physiological, genetic, psychological, economic, cultural or social.
    • Data Processor: the natural or legal person, public authority or other organization processing Personal Data on behalf of the Data Controller.
    • Data Subject: is the individual that is identified or identifiable.
    • Data Controller: the natural or legal person, public authority, or other organization that, alone or jointly with others, defines the purposes and means of the processing.
    • Processing: Any operation or set of operations carried out on Personal Data or Personal Data sets, whether by automated processes or not, such as collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access, collation or interconnection, limitation, suppression or destruction.
    • Security breach of the Personal Data: any breach of security that results in the destruction, loss or accidental or unlawful alteration of Personal Data transmitted, preserved or otherwise processed, or unauthorized communication or access to such data.
    • Customer: User of Cauldron,io requesting the Services.
    • Services: software development analytics services of provided to its Users.
    • FOSS project: any open source development project that the Customer has asked us to analyse and provide its reports.

  2. Data Protection Laws Compliance

    Each Party shall use all reasonable efforts to comply with all applicable laws relating to privacy and data protection, including the EU General Data Protection Regulation (2016/679) on and from 25 May 2018, and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).

  3. Bitergia as Data Processor

    This section of the Addendum is entered into pursuant to Art. 28.3 of the GDPR and regulates the Processing of Personal Data by us in the course of providing our Services to the User. The duration of such processing shall be for the period during which the Parties perform their applicable obligations when using the website and service.

    During the provision of its services to Users through the website, we may access certain Personal Data for and on behalf of the User, in particular (but without limitation), the data set out below (“User Personal Data”) relating to the indicated persons (“Data Subjects”). This includes the Project Developer and Maintainer information, etc. Under applicable privacy regulations, the User is responsible for this data and is what is known under privacy regulation as the “data controller”. On requesting the data analytics services, the Cauldron User appoints Bitergia as a data processor of this Personal Data, to process the Personal Data on User’s behalf, for the purpose of providing the Service.

    1. Data accessed and processing, purposes

      For the provision of the Service, we access different systems used to support, or related to FOSS development, including (but not limited to): source code versioning systems, issue tracking systems, asynchronous and synchronous communication systems, testing systems, code review systems, and storage and distribution systems (collectively, “SDSS”).

      In carrying out the Services, the following personal data in the SDSS may be accessed and processed for Users:

      • FOSS projects developers name, surname, email address.
      • FOSS projects developers contributions, time of contribution.
      • Other data in the SDSS (comments, affiliation, IP address, User names, User accounts, etc.) relating to the above.

      Our processing of this data consists in:

      • Retrieving, compiling, recording, storing, organising, segmenting, combining, analysing the Personal Data, transmitting to User, erasing and eventually destroying.

      The purpose of this processing is to provide the Services, including carrying out an analysis of the attributes, health and sustainability of the FOSS projects, and:

      • Measuring Engineering Teams Performance on the FOSS Project
      • Understanding the FOSS Project’s Community Health
      • Revealing FOSS Project Transparency
      • Gaining Deeper Metrics Knowledge about the FOSS Project

    2. Attribution of responsibility

      User is made aware that for the purpose of providing the Service, we may access and process the aforementioned User Personal Data on behalf of User without the prior informed consent of the data subject. The Parties agree that the processing of the Personal Data on behalf of the User as part of the Services is legitimized as set out in the introductory note above and developed in more detail in the Annex.

      User understands that there is still a risk that Data Subjects may (a) object to the processing under this Engagement and (b) request cancellation or suppression of their data (as indicated below), or (c) request certain limitation or restriction to the processing or even (d) claim against either party for breach of his/her privacy rights under Applicable Privacy Laws. We respect developers’ privacy and will comply with the exercise of these rights on request from the developers/Data Subjects.

      In the event of any claim or procedure made against either of the Parties with respect to the processing of any User Personal Data hereunder, provided compliance at all times with the remainder of terms of this Annex, User will be responsible for dealing with such claim, with our support. In particular, both Parties undertake to come into compliance with applicable privacy law as soon as possible and minimise any harm to Data Subjects’ rights; and to cooperate in good faith to respond to such claims.

      Notwithstanding the foregoing, User agrees to indemnify and hold us harmless from all claims, losses and fines relating to the processing of personal data hereunder, provided we are in compliance with the terms of this Annex.

    3. Compliance with Art. 14 GDPR (Information)

      Pursuant to Art. 14 GDPR, Data Controller that has access to User Personal Data not directly from the Data Subject must inform the Data Subject that their data is being processed, providing the information set out in that Article. While it is User’s responsibility to provide this information, User and Bitergia will cooperate in good faith to determine the best method to achieve this, in each case, and at the request of User and on its behalf, we will use our best efforts to ensure that this information is provided to the Data Subjects (e.g. through the appropriate FOSS Project communication mechanisms). Given our experience in the matter, we can work with the User, and support them whenever possible, in this information effort.

    4. Rights and responsibilities of the User as Data Controller

      As established in the GDPR, User as Data Controller shall:

      1. Implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with applicable legislation.
      2. Adopt data protection policies with respect to User Personal Data.
      3. Ensure that its Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of User Personal Data.
      4. Adhere to a relevant code of conduct that can be approved by the Commission or other competent authority.
      5. Keep a record of processing activities in the case of processing Personal Data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
      6. Make available to the interested parties the essential aspects of this Engagement, at the request of the User Data Processor or Data Subject.
      7. Respond to the legal rights established by applicable law on the protection of User Personal Data and comply with the stipulations indicated in clause 5 even if these were originally addressed to the Data Processor.
      8. Inform the Data Subjects of the processing, in accordance with section 4.3 above.

    5. Rights and responsibilities of Bitergia as Data Processor

      As established in the GDPR, Bitergia as Data Processor shall:

      1. Process Personal Data only on the basis of documented instructions from the Data Controller (being the engagement of its services under the Service Engagement), including transfers of Personal Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law; In such case, the Data Processor will inform the Data Controller of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
      2. Ensure that the persons authorised to process Personal Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
      3. Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
      4. Respect the conditions for having recourse to another Data Processor, as established in the current legislation on protection of User Personal Data.
      5. Assist the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects.
      6. Assist the Data Controller in ensuring that they comply with their obligations, taking into account the nature of the processing and the information that is available to the Data Processor.
      7. At the choice of the Data Controller, either destroy or return all Personal Data once the processing services have been completed and destroy any existing copies unless the retention of Personal Data is required under Union or applicable Member State law.
      8. Make available to the relevant Data Controller all information necessary to demonstrate compliance with the obligations established in herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Data Controller.
      9. Process the Personal Data placed at the disposal of the Data Processor in a way that ensures that the personnel in charge follow the instructions of the Data Controller.
      10. Ensure that its Data Protection Officer or, in his / her absence, the Privacy Manager is involved in an adequate and timely manner in all matters relating to the protection of User Personal Data.
      11. Adhere to a relevant Code of Conduct that is approved by the Commission or other competent authority.
      12. Keep a record of processing activities in the case of processing Personal Data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
      13. Respond to the legal rights established by the GDPR and comply with the stipulations indicated in clause 5 even if these were originally addressed to the Data Processor.

  4. Data subjects’ exercise of their rights

    If the Data Subjects addresses a request or exercises any of the rights established in the General Data Protection Regulation, the Controller and / or the Processor must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.

    Similarly, but in the event that the Data Controller and / or the Processor do/es not proceed with the request of the Data Subject, he/she shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the Data Subject with the reasons why he/she/they has/ve not acted and inform the Data Subject of his right to file a complaint before a competent authority and to file a judicial appeal. The response to the Data Subject’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.

  5. Subcontracting

    As Data Processor, we may provide access to a subcontractor processor to User Personal Data if it reasonably considers such access and processing necessary to the performance of the Services. In the event of such access and before the access takes place, we shall ensure that an Engagement with the third party is in place which is sufficient to require it to treat personal data in accordance with the applicable provisions of this Engagement and applicable. Sub-contractors indicated at the end of this document are approved by User, and further subcontractors may be engaged upon prior notice to User (including with international transfers, provided section 7 is respected).

  6. International transfer of data

    International transfers of Personal Data may only be performed if the requirements of Data Protection Law and regulations that regulate them, are met. If a party carries out an international transfer of data without the other party’s consent, the latter shall be exempted from any liability that may arise as a result of or in connection with such transfer. As stated above, we may transfer User Personal Data outside the EEA to its subprocessors indicated in section 6 above, who have entered into contract with us with appropriate contractual safeguards. Sub-processors in other countries, including the USA, indicated in the table below are approved by the User.

  7. Security breach of the User Personal Data

    Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the Personal Data, the Data Controller and/or Data Processor shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than 48 hours after it happened.

  8. Termination, resolution and expiration

    In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between the Data Controller and the Data Processor, the latter shall not keep the Personal Data unless otherwise legally required to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, the Data Processor shall destroy or return to the Data Controller all Personal Data and any copies of it, as well as any support or other document containing any Personal Data.

Current Subcontractors and International Transfers with access to User Personal Data for the provision of their services to us

Entity Processing URL and security / privacy policy
Digital Ocean Inc. (USA) Hosting and
Gigas Hosting S.A. (Spain) Hosting and

Last updated: 2020-01-24