This policy is designed to be accessible, understandable, and easy to read without legal and other jargon. If you have any comments, questions, or concerns about this policy, please get in touch with us using our contact form.
This document will have slight changes made to it occasionally. Please refer back to it from time to time.
This policy governs the use and protection of personal data of people (‘users’, ‘you’, etc.) using our service.
Data protection refers to the responsible security of personal data and transparency in the way we handle and process such data. Personal data is information that - on its own or in conjunction with other data - can be used to identify an individual person. With respect to the UK General Data Protection Regulation (GDPR), we act as data controller for the data you provide through using our services.
If you would like to complain about this policy, or how we may have treated a request from you with respect to data protection, then please get in touch with us in the first case so that we can help rectify the problem. In other cases, you may also want to get in touch with the Information Commissioners Office (ICO), who may be able to provide you with more information and support. Their website is at https://ico.org.uk.
Sometimes you may wish to send an email to us or reply to an email we have sent you, or use our contact form. Any such messages received will be treated in confidence and kept securely. Strong passwords and multi-factor authentication is implemented on all email accounts that can receive such emails.
In these cases, we will process:
Our service may allow you to register for an account. This is the primary way by which we collect personal data from you, since such data is needed in order to identify you when you want to login and use these services. We may also use your email address to update you on platform updates and notifications, which you can control. When signing-up we collect an email address and password. Once registered, you can choose to fill in additional profile data. We ask for consent to this policy when creating an account, and the legal basis for processing this data is a legitimate interest in being able to provide services to you.
In these cases, we will process:
Staff operating the service can view accounts and account data. This is with the exception of passwords, which are fully encrypted.
In order to provide access to our services to users, we also sometimes need to pass pieces of your personal data to third-party services (known as 'data processors' or 'subprocessors' for the purposes of the GDPR). We only ever do this when this is directly related to providing the service to you, and we only send the minimum amount of information required. We ensure that the processors' own privacy policies follow suitable data protection practices. Our current data processors are:
Our service runs on Amazon Web Services.
We keep your account data (e.g. email address) and content produced by your account for as long as your account is active. You can fully and irreversibly delete your account (and its associated data) at any time.
Please note that data held in backup systems may be stored for up to an additional 30 days after content is deleted.
Data sent to us via email may be kept indefinitely until you ask us to delete it.
Our databases and servers are based in the UK, and so your data will primarily be stored and processed within the UK. We use Mailgun's EU servers for transmitting mail.
All data is encrypted during transmission (e.g. between your device and our servers, and between our servers), and when stored ("encrypted at rest"). Our servers are well-protected with industry standard security measures.
Cookies are small pieces of data that are stored on your computer when you visit a website. Some cookies are essential (i.e. functional) for the website to work, and some are non-essential (i.e. tracking) and are used for analytics and advertising purposes.
Our services only use functional cookies, which are necessary for the website to work and to enable you to login. We do not use tracking cookies.
Children under the age of 18 are not allowed to use our services or to provide us with personal data. As such, we do not knowingly store or process personal data relating to children.
If a user account or content is created and suspected to be originated from a child, it may be removed.
We take the handling of personal data very seriously, and we want to make sure that you are aware of your rights under this policy. If your wish to invoke your rights requires us to complete some action on your behalf (for example, to stop processing your data), then we will always deal with your request in total confidence, at no cost, and as soon as we can (within 30 days of receiving your request).
You have a right to know about how we handle and process your personal data. This Privacy Policy aims to fulfil this Right, but please contact us if you have further questions or concerns.
You have a right to know if we store or process your personal data and to obtain access to the personal data about you that we, or any data processors that process data on our behalf, have about you. To obtain this information, please get in touch with us.
You have a right to have personal data we keep or process about you rectified. If data we have about you is incorrect or incomplete, then please contact us with details of any corrections to be made. Alternatively, you can make use of account and profile settings to make your changes.
You have the right to have all of your personal data erased, which will prevent any further storage or processing any of your personal data on our behalf, and will sometimes result in a necessary deletion of any accounts you hold with us. In many cases, deleting any accounts you hold with us will erase your details. However, if you wish to make sure of this, then please contact us with details of your request.
You have the right to halt the processing of your personal data in the way that you choose. For example, you may wish to maintain an account with us but no longer want us to use one of our data processors to process your data. To restrict the processing of your personal data, please contact us with details of your request.
Please note that in some cases it may not be possible to restrict processing whilst still providing services to you.
You have the right to obtain personal data we have or process about you in a format that is useful to you for the purposes of portability. We can provide data to you in the following formats:
Please contact us with details of your request.
You have a right to object to the processing of your personal data in particular ways. If you would like to object to our processing of your data, then please contact us.
We do not use personal data for automated decision making, and do not use such data for profiling users. Additionally, any processing done for analytics and reporting is done on an entirely anonymous basis. For more information or if you have any concerns, please contact us.
© 2025 Cardiff University
