Privacy Policy

Last updated: May 2026 · info@scienceecosystem.org

        Short version: ScienceEcosystem uses a single strictly necessary cookie to keep you signed in. We do not track you, sell your data, or show advertising. You can delete your account and all your data at any time.
      

Contents

Who we are
Cookies — what we use and why no banner
What data we store
Third-party services
How long we keep data
Your rights
Security
Contact

1. Who we are

ScienceEcosystem is an independent open-science infrastructure project operated by Olivier V. Raven (olivier.raven@scienceecosystem.org). We are a public-interest project, not a commercial company. We do not advertise, sell data, or operate a subscription business.

2. Cookies — what we use and why there is no banner

We set exactly two cookies. Both are strictly necessary to operate the service. Under GDPR Article 5(3) and ePrivacy Directive Recital 25, strictly necessary cookies are exempt from the consent requirement. This is why you do not see a cookie consent popup on ScienceEcosystem — the same reason Wikipedia, your bank, and most government websites do not show one.

Name	Purpose	Duration	Type
`sid`	Keeps you signed in. Contains a random ID that references your session on our server. No personal data is stored in the cookie itself.	90 days (renewed automatically when you use the site)	Strictly necessary
`orcid_oauth`	Temporary security token used during the ORCID sign-in process to prevent CSRF attacks. Deleted immediately after login completes.	Seconds to minutes (one login flow)	Strictly necessary

We do not use analytics cookies, advertising cookies, or any tracking pixels. We do not use Google Analytics, Facebook Pixel, or any equivalent service.

3. What data we store

If you are not signed in

We store nothing. We do not log IP addresses, user agents, or page views. Your searches and browsing on ScienceEcosystem leave no record on our servers.

If you sign in with ORCID

When you authenticate via ORCID, we store the following in our database:

ORCID iD — your permanent researcher identifier (e.g., 0000-0002-1234-5678). This is the primary key for your account.
Name and affiliation — pulled from ORCID at login; you can edit or delete these at any time.
Profile data you add — bio, keywords, languages, external profile links.
Library items — papers you save, including title, DOI, and any notes or tags you add.
PDF annotations — highlights and notes you make in the PDF reader.
Followed researchers — the list of researchers you follow.
Session record — a random session ID with an expiry timestamp. No browsing history is stored.

We do not store your ORCID password — authentication happens entirely on ORCID's servers. We receive only a confirmation that you successfully authenticated, plus the basic profile data you have made public on ORCID.

What we never store

Browsing history or page view logs
IP addresses (beyond what your hosting provider's infrastructure logs at network level)
Device fingerprints or user agent strings
Payment information (we are free; there is nothing to pay)
Behavioural profiles or inferred interests

4. Third-party services

ScienceEcosystem connects to external services to enrich paper data. None of these receive your personal data unless noted:

OpenAlex (openalex.org) — open bibliographic database. Queries contain only paper IDs and search terms, never your identity.
Semantic Scholar (semanticscholar.org) — citation data. Same as above.
CrossRef (crossref.org) — DOI and retraction data. No personal data sent.
ORCID (orcid.org) — authentication and public profile data. Governed by ORCID's privacy policy.
Altmetric (altmetric.com) — citation attention scores shown on paper pages. Their embed script loads from their CDN when you view a paper page. Altmetric may set their own cookies; see Altmetric's privacy policy.
Google Fonts — typography loaded from Google's servers. Your browser sends a request to Google when loading the font. We are working to self-host fonts to eliminate this. Google's handling is governed by Google's privacy policy.
CORE, Europe PMC, BASE, Zenodo — used to find open-access PDFs. Queries contain only paper identifiers.

5. How long we keep data

Sessions — 90 days from last activity, then automatically deleted.
Account data — kept until you delete your account.
Library, annotations, follows — deleted immediately when you delete your account.

We do not keep backups of deleted accounts beyond our standard database backup window (typically 7 days).

6. Your rights

Under GDPR you have the right to access, correct, export, and erase your data. Because we store very little, these are straightforward:

Access and correct — view and edit everything in Profile settings.
Export — download your library from the Library page (CSV / BibTeX export).
Erase — delete your account and all associated data permanently from Profile settings → Delete account. This is immediate and irreversible.
Object or restrict — contact us at info@scienceecosystem.org.

7. Security

Session cookies are HttpOnly (inaccessible to JavaScript), Secure (HTTPS only), cryptographically signed, and use SameSite=Lax to prevent cross-site request forgery. Sessions are stored server-side in our database — the cookie contains only a random ID, nothing else. All data is transmitted over HTTPS.

Sharing a link with another person shares only the URL — your session cannot be transferred through a link.

8. Contact and complaints

For any privacy question or data request: info@scienceecosystem.org

If you believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority. In the Netherlands: Autoriteit Persoonsgegevens.