Privacy statement
Last updated: 8 May 2026
Joinalyse is an academic research platform. This statement explains what personal data we collect, why we collect it, who we share it with, and how long we keep it. Where this statement and a survey-specific consent form contradict each other, the survey-specific consent form prevails for that participation. The full list of sub-processors that receive your data is published below in the Sub-processor agreements section.
Who is responsible
Joinalyse is operated by SkyWise International B.V. (the data controller) under a service agreement with Prikr (the data processor). SkyWise is registered in the Netherlands and is the legal owner of the platform.
For privacy questions or to exercise your rights, contact [email protected].
What we collect
When you create an account we store your name, university email address, and the profile fields you fill in (study programme, language, research interests). When you participate in a survey we store your answers, the survey ID, and a timestamp. When you publish a survey we store the configuration you set (questions, eligibility rules, distribution settings). We do not collect IP addresses for analytics purposes; server logs (see retention table) are kept for security and incident response only.
Joinalyse uses technical mechanisms to safeguard the integrity of research data, including preventing duplicate participation. For unauthenticated participants this involves a one-way, irreversible hash derived from a few browser characteristics. No raw fingerprint and no profiling data is stored, only the hash itself, scoped to the specific survey link. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
As an additional anti-abuse signal we fold a salted, one-way hash of your IP address into that same dedup hash. The raw IP is never stored, never logged, and never shared. Only the resulting composite hash exists in our database, and it is meaningless without the rotating server-side secret. IPv6 addresses are truncated to the /64 prefix before hashing so the signal cannot single out individual devices on a household network. This is the minimum effective signal needed to prevent the same household from filling in a study repeatedly via different browsers, and it is the only purpose the IP-derived value is used for. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). The secret is rotated yearly or immediately on suspected compromise. After rotation, old hashes can no longer be linked back to any IP even with full database access.
Product analytics
When you accept analytics in the cookie banner, Joinalyse records a small set of product-usage events so we can understand how the platform is used and improve it. The analytics run on our own EU-hosted server, with no Google Analytics, no Plausible, and no third-party tracker. You can withdraw your choice at any time using the toggle in our cookie policy.
Lawful basis: Explicit consent (Art. 6(1)(a) GDPR), captured via the cookie banner. Until you opt in, no analytics event is recorded.
What we record per event
- Event name from a fixed list (e.g. pageview, survey.published, participation.submitted), with no free-text and no question or answer content.
- Server-assigned UTC timestamp.
- A random UUID generated in your browser and kept in localStorage. It rotates per browser tab origin, never crosses sites, and is not linked to your identity. It is not a cookie.
- If you are signed in, your Joinalyse user ID is added server-side so a researcher can see their own funnel; for guests this field stays empty.
- Pathname of the current page (no query string, no fragment).
- Hostname of the referring page (no path, no query).
- A short whitelist of per-event metadata (e.g. survey ID, question index). Strictly no PII: no email, no name, no answer content.
What we never record
- IP addresses (never stored, never logged for analytics; only used as a transient rate-limit bucket key).
- User-agent string.
- Device fingerprints or cross-site identifiers.
- Question or answer content, or any free-text input.
Event catalogue
The list below is the full set of events we may record. Adding a new event requires a privacy review and updates this list.
| Event | Purpose |
|---|---|
| pageview | Records that a page was viewed (path + referring host). |
| survey.published | Records that a researcher published a survey (survey ID + built-in vs external). |
| survey.share_link_opened | Records that a survey share link was opened (survey ID). |
| participation.consent_given | Records that a participant consented to take part in a survey (survey ID + guest flag). |
| participation.intake_started | Records that a participant started the intake screen (survey ID). |
| participation.question_answered | Records that a participant answered a question (survey ID + question index, optional duration). |
| participation.submitted | Records that a participant submitted a survey (survey ID + total duration + guest flag). |
| participation.dropped | Records that a participant abandoned a survey (survey ID + last question index reached). |
| learning_hub.article_read | Records that a learning-hub article was read (article slug + read time). |
| discover.filter_applied | Records that a filter was applied on the Discover page (filter type + value). |
Retention: Raw events are kept for 18 months and then deleted. Aggregated, fully anonymous totals (e.g. pageviews per day) may be kept for up to 5 years for trend analysis. See the retention table below for the canonical values.
Opt out at any time
If you previously accepted analytics and want to stop, use the toggle on the cookie policy page below. Switching the toggle off stops all new events immediately. Events recorded before you opted out remain in the database and roll off automatically once they reach the 18-month retention limit. You can also ask us to delete the events tied to your account earlier; see Your rights below.
Manage your analytics choice →Cookies and similar technologies
We use a small number of strictly-necessary cookies and one consent-record key. We do not use advertising cookies, third-party analytics, or tracking-style fingerprinting (see "What we collect" above for the survey-integrity mechanism we do use). Our own product analytics (see "Product analytics" above) do not use cookies; the session identifier lives in localStorage and is not cross-site. The table below lists everything we set in your browser.
| Name | Category | Purpose | Retention |
|---|---|---|---|
| directus_session_token | Strictly necessary | Keeps you signed in during a session. | Session (cleared on logout) |
| directus_refresh_token | Strictly necessary | Refreshes your sign-in without asking you to sign in again. | 30 days |
| joinalyse:consent:v2 | Strictly necessary | Remembers your choice on this banner so we don't ask again. | 12 months |
| joinalyse:analytics:session_id:v1 | Analytics (opt-in) | Random UUID identifying your browser session for our own product analytics. Stored in localStorage (not a cookie), never sent to third parties, not linked to your identity. Only set after you accept analytics in the banner. | Until you clear browser storage or opt out |
You have not yet chosen your cookie preferences. The banner at the bottom of the page will let you decide.
Sub-processor agreements
The list below is the authoritative sub-processor register required under GDPR Article 28(2). Each entry shows the legal entity, the purpose for which we share data, the processing location, and the contractual basis (DPA plus, where data leaves the EEA, the EU Standard Contractual Clauses 2021/914).
| Sub-processor | Purpose | Location | DPA + SCCs |
|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting (VPS and Storage Box backups). | Germany (FSN1, Frankfurt). | EU DPA via the Hetzner Datenschutzhinweis. No transfer outside the EEA. |
| Resend Inc. | Transactional email delivery (verification, magic-link, account notifications). | United States, with EU DPA and SCCs. | Standard Contractual Clauses 2021/914 (modules 2 and 3) plus a signed Resend DPA. |
| Cloudflare Inc. | DNS, CDN, DDoS protection, Origin CA. | Global edge, US-controller. | EU DPA + SCCs 2021/914. Joinalyse does not store request bodies at Cloudflare. |
Notification of new or replacement sub-processors
We notify data subjects and our controller within 30 days of any new sub-processor or replacement. To object, write to [email protected]. We keep the prior arrangement in place during a reasonable objection window where it does not prevent us from delivering the service.
Object or ask questions: [email protected].
All processors and service providers
Expanded view of every processor and service provider, including infrastructure providers and self-hosted services. Fonts are self-hosted from the same VPS, so no third-party font CDN (such as Google Fonts) is contacted. The sub-processor register above covers the contractually scoped Article 28 entities; this table is the full operational view. Each contract includes a data-processing agreement (DPA) and the EU Standard Contractual Clauses where data leaves the EEA.
| Sub-processor | Role | Region | Data shared |
|---|---|---|---|
| Hetzner Online GmbH | Application & database hosting | EU (Germany) | All application data, served from a single VPS in Falkenstein, Germany. |
| Cloudflare, Inc. | DNS, CDN and DDoS protection | Global edge network | Request metadata (IP, user agent) needed to route traffic and block abuse. No content is stored at rest. |
| Resend (Plus Five Five Inc.) | Transactional email delivery | United States | Recipient email address, subject line and message body of system emails (sign-up verification, password reset, magic links, opt-in recommended-surveys digest). The digest is sent only to users who enabled it in Settings → Notifications. |
| GlitchTip (self-hosted) | Self-hosted error monitoring | EU (Germany) | Stack traces and request metadata of unhandled errors. Self-hosted on the same VPS, no third-party transfer. |
Fonts are self-hosted from this server; no data is sent to third-party font CDNs.
How long we keep your data
We delete personal data when it is no longer needed for the purpose it was collected for, or when you ask us to. The table below summarises the defaults; you can request earlier deletion at any time.
| Data type | Retention period | Why |
|---|---|---|
| Account profile | Until you delete your account, then 30 days of soft-delete before hard-delete | Required to sign you in and match you to surveys. After you delete via Settings → Account, your profile is hidden immediately and the row is permanently removed 30 days later. |
| Surveys you publish | Until you delete the survey | You stay in control of your own research output. |
| Survey responses | Until the survey owner deletes the survey or anonymises the dataset | Researchers need their dataset to draw conclusions. |
| Server access logs | 30 days | Security incident response and abuse handling. |
| Error reports (GlitchTip) | 90 days | Debug production issues; rolling window keeps the dataset small. |
| Analytics events (opt-in) | 18 months | Understand product usage and improve features. Aligned with GA4's 14-month default; deleted on schedule even if you do nothing. |
| Analytics aggregates (anonymous) | Up to 5 years | Pre-computed counts (e.g. pageviews per day) contain no personal data; kept for long-term trend analysis. |
| Recommended-surveys email digest | Sent at most once per day, only while you have the toggle enabled in Settings → Notifications. We store one timestamp per user (`last_recommended_digest_at`) to avoid sending the same survey twice; the email content itself is not retained on our side after delivery. | Helps you discover surveys that match your profile. Legal basis: opt-in (Art. 6(1)(a) GDPR), defaulted ON at sign-up and switchable off at any time without losing access. |
Data quality and duplicate-submission detection
To keep academic research data trustworthy we detect when the same device submits a survey more than once. This section explains exactly which technical characteristics we read from your browser, what we store, what we never see, and on which legal basis we do this.
Why we do this
Duplicate submissions distort study results. A single participant who fills the same survey twice (deliberately or by accident) doubles the weight of their answers and pollutes the researcher's aggregates. This is a sample-integrity problem, not a marketing problem: we are not building a tracking profile, we are protecting the validity of academic research.
Exactly what we measure
When you give consent to participate in a survey, your browser computes a short combination of technical characteristics. These signals are split across two tiers. The basic tier (~12 bits of entropy) is always computed; the extended tier (~50-60 bits of entropy) is computed after your consent click because some browser APIs (audio context) need a user gesture to run.
- A tiny test drawing on a hidden canvas (basic tier). The rendered bytes depend on your graphics driver and installed fonts but contain no image of you or your screen.
- Static audio-context properties such as sample rate and channel count (basic tier).
- Your browser's user-agent string, hashed (basic tier).
- Your viewport width and height plus device pixel ratio (basic tier).
- Your graphics card renderer and vendor name reported by WebGL (extended tier).
- A check of which fonts from a list of about 30 well-known families are installed, measured by text width (extended tier).
- A short, inaudible audio test that captures the frequency-domain output of your audio pipeline (extended tier). No microphone is accessed.
- Your reported number of logical CPU cores and approximate device memory (extended tier).
- Your browser's reported time zone (extended tier).
- Your browser's reported language preference list (extended tier).
- The list of installed browser plugins, if any (extended tier).
- Whether your device has a touch screen and the maximum touch-point count (extended tier).
What we never see
- Your name, email, IP address or any direct identifier. These signals do not contain any of those things.
- Whether you participated in any other survey on this platform. Each survey computes its own scoped hash, so the same browser participating in two different surveys produces two completely different stored values.
- A persistent identifier we could re-use later. The hash is bound to the specific survey link you arrived through; the moment that survey is closed the hash is meaningless to us.
- The raw signals themselves. The browser hashes them locally and only the resulting irreversible digest is sent to our server.
What gets stored
We store one SHA-256 hash per completed participation, scoped to the specific survey link. We also store a tier label so the researcher knows whether the hash carries basic or extended entropy. No raw signals, no IP address, no user-agent string and no browser fingerprint are persisted alongside the hash.
Legal basis
Article 6(1)(f) of the GDPR (legitimate interest), combined with the transparency duty in articles 13 and 14. Our balancing test: detecting duplicate submissions is essential to the service we provide (trustworthy academic research data), is limited to the scope of a single survey, never enables cross-survey tracking, never stores raw signals, and is documented here so participants can make an informed choice. We have documented the full Legitimate Interest Assessment internally as required by EDPB Guidelines 02/2020.
Your rights
You can ask for a copy of all participation data we hold about you (right of access) or have it erased (right of erasure). Because the hash is irreversible and not linked to your account, we cannot look it up from your identity alone; we can only erase it by erasing the entire participation row, which is what happens when you delete your account. Contact [email protected] for any rights request.
If you do not want this
Choose not to consent to the survey. Participation, including the duplicate-detection step, is voluntary and there is no partial-consent option because duplicate detection is essential to the data-quality contract of the platform.
Document verification for non-university email signups
Because you are using a non-university email address, you will be asked to upload a verification document after signing up so we can confirm your academic or institutional affiliation.
Accepted documents may include a student card, staff card, enrolment confirmation, institutional letter, or another official document showing your affiliation.
Verification documents are used solely for verification, platform security, fraud prevention, and compliance purposes. They are reviewed securely, are not shared with researchers or other users, and are retained only for as long as reasonably necessary in accordance with our Privacy Notice.
Please avoid uploading documents containing unnecessary sensitive information, such as passport numbers, financial details, or unrelated personal data.
Your rights under the GDPR
Under the EU General Data Protection Regulation you have the following rights with respect to your personal data:
- Request a copy of the data we hold about you (right of access).
- Correct inaccurate or incomplete data (right to rectification).
- Delete your account and personal data (right to erasure). You can trigger this yourself via Settings → Account; your profile is hidden immediately and permanently removed after a 30-day retention window. Research data you contributed is kept without any link to your identity.
- Limit how we use your data (right to restriction of processing).
- Receive your data in a portable format (right to data portability).
- Object to processing based on legitimate interest (right to object). We honor this right. Because academic research often depends on transparent distinctions such as gender, age, or study field, researchers must justify any attribute they use for matching in the survey description and consent flow. To exercise your right to object to a specific attribute being used for matching, email [email protected]. We plan to surface granular per-attribute toggles in Settings, Privacy after the MVP launch.
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you think we are mishandling your data.
Changes to this statement
When we update this statement materially (adding a new sub-processor, changing retention periods, or expanding the data we collect), we update the date at the top and bump the version of the consent record so the banner reappears. Minor wording changes do not trigger a new consent prompt.