Privacy

What we collect

On submission: your ORCID, name, email, manuscript (PDF or DOI), and submission metadata — title, abstract, keywords, license, conflict-of-interest declaration, author list, ORCID-verified identity.

On credential lookup (/verify): the credential ID you queried, your IP address (logged for rate limiting and abuse defense), and the timestamp.

On any page visit: standard web-server logs — IP, browser user agent, requested URL, timestamp. No third-party trackers. No advertising cookies. No analytics services.

Cookies: one cookie for your theme preference (light or dark). Cloudflare Turnstile (anti-bot) sets a short-lived verification cookie during form submission only.

On donation: when you give via Stripe, Manifund, or (in future) GitHub Sponsors, the processor collects your payment details directly on its own hosted infrastructure — your card or bank information never touches ICSAC servers. From Stripe we receive transaction records (donor name, email, billing country, amount, transaction ID) and, for recurring tiers, subscription status. From Manifund we receive the funder name (unless you donated anonymously) and the amount. From GitHub Sponsors, when active, we will receive the sponsor’s GitHub username and tier (unless your sponsorship is private).

Why

• Submission processing — to fetch your manuscript, route it through the curation system, send you decisions and the curation record.
• ORCID verification — to confirm you are who you say you are and prevent fabricated authorship.
• Fraud and abuse defense — to detect prompt injection, jailbreaking, duplicate submissions, and other system-integrity attacks.
• Rate limiting — to keep public endpoints reachable for everyone.

Who we share with

We do not sell, rent, trade, or share your data with third parties for marketing or any other purpose.

Operational disclosures:

• Zenodo (CERN-operated): if your submission uses the upload route and you grant deposit consent, we deposit your manuscript to the ICSAC Zenodo community for permanent archiving.
• Cloudflare: routes requests to icsacinstitute.org as a CDN and handles Turnstile bot-detection on form submission. Cloudflare logs request metadata under its own privacy policy.
• Stripe: processes one-time donations and recurring Supporter/Sponsor tiers via its own hosted checkout (donate.stripe.com) and billing portal. Card and bank data are collected by Stripe, not by ICSAC. Stripe’s handling of payment information is governed by the Stripe Privacy Policy.
• Manifund: hosts our project-based crowdfunding page. Funder data shared back to ICSAC depends on what you choose to disclose on Manifund (anonymous donations are supported). Governed by the Manifund Privacy Policy.
• GitHub Sponsors (planned): when activated, will process GitHub-based recurring sponsorships. Governed by the GitHub Privacy Statement.

How long we keep it

• Submission records and curation records: indefinite. The curation record is part of the public scholarly record; it does not get deleted on request unless required by law (see Your Rights below).
• Verification access logs: 90 days, then purged.
• Web server logs: 30 days, then purged.

Your rights

If you are in the EU/EEA (GDPR) or California (CCPA), you have the right to:

• Request a copy of the data we hold on you.
• Request correction of inaccurate personal data.
• Request deletion of personal data that is not part of the public curation record. (We will not delete published papers or their curation records on request — that would compromise the scientific record. Pre-publication withdrawal is a separate process — see Publication Ethics → Corrections, Updates, and Retractions.)
• Withdraw consent for non-essential processing.

Email [email protected] with the request and your ORCID. We respond within 30 days.

Children

The submission system is not intended for use by anyone under 16. We do not knowingly collect data from children.

Changes

This policy may be revised. Material changes will be announced on /publication-ethics or sent to active submitters via email.