Go
Back

Data Privacy Statement

This data privacy statement with version 1.0 has been published on 1.2.2024.

If you have any questions, contact us here.

Introduction, purpose and scope of this notice

This privacy policy for DECTRIS Cloud a service of DECTRIS Ltd., Taefernweg 1, 5405 Baden-Daettwil, Switzerland (“DECTRIS Cloud”, “we”, “us”, or “our”), describes how and why we might collect, store, use, and/or share ("process") your information when you use it, such as when you experience services delivered through https://www.dectris.cloud, and/or through any of its associated applications (“Service”).

We treat your privacy and personal data with great importance. As such, we are committed to protecting and respecting your privacy in compliance with European General Data Protection Regulation (GDPR) 2016/679, dated April 27, 2016.

We aim to treat every user as equal, such that we intent to apply the high standards of GDPR even for users that are subject to more permissive privacy regulations.
This privacy policy (hereinafter the "Policy") aims to provide you with simple, clear information on the Processing of Personal Data concerning you, in the context of your browsing and the operations carried out on our website.

Please note that if you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact our data controller here.

Summary of this notice

This summary provides key points from our privacy notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process?
When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.

Do we process any sensitive personal information?
We do not process sensitive personal information.

Do we receive any information from third parties?
We do not receive any information from third parties.

How do we process your information?
We process your information to secure, provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so.

In what situations and with which parties do we share personal information? 
We may share information in specific situations and with specific third parties.

How do we keep your information safe?
We have organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

What are your rights?
Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.

How do you exercise your rights?
The easiest way to exercise your rights is by visiting www.dectris.cloud/contactus, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

Service Description

The mission of DECTRIS Cloud is to accelerate scientific progress by facilitating collaborative discovery of experimental data. At the core, we provide a safe, secure and globally accessible repository for scientific data, particularly experimental data generated at research facilities around the world. Our service starts right after such experimental data is generated, e.g. when an image is collected by an X-Ray detector at a research facility and the corresponding file is made accessible to our uploading device (“Hub”). From this moment on, experimental data will be transferred, managed and made accessible for processing, sharing and analysis via the DECTRIS Cloud platform. It is hence our core interest to ensure uninterrupted availability of our web service such that experiments may at no point be interrupted by unintended or maliciously caused interruptions.

In order to deliver this data management service, and particularly to track legal ownership, ensure data authenticity and safeguard unsolicited access, we are required to collect, store, maintain and share personal information about the users interacting with experimental data within the DECTRIS Cloud platform.

Furthermore, in the notion of free and open science, experimental data will be made publicly accessible upon request of the legal owner. This means that some personal data of registered users will be made publicly accessible, searchable and findable by anonymous visitors of the DECTRIS Cloud Service.

What information do we collect?

In summary, we collect three different types of data:

  • Fundamental Data:
    This refers to anonymized technical logs necessary to maintain, operate and improve our Services.

  • Personal Data:
    This refers to data required for user-centered functionality as well as unambiguous tracking of legal ownership of scientific data.

  • Scientific Data:
    This refers to data generated during, through our based on scientific experiments.

Fundamental Data

When you access the Service, certain data has to be inevitably (automatically) acquired and processed to ensure faultless operation, such as site display, performance & responsivity, safety and security, fraud detection and technical requests. Such data is stored in technical logs and comprises:

  • Computer/device type and operating system

  • Browser type, language and country

  • IP addresses of accessing host (last 2 bytes masked - e.g. 192.168.xxx.xxx)

  • Referring entry and exit URLs

  • Click & Visit statistics (e.g. frequency, duration, page sequence, time spent, ...)

  • Media, Form and UI interactions, including session recordings & A/B testing 

Even though IP addresses are generally considered personal data, we cannot derive any direct conclusions about your identity from such data, as technical data will not be captured and stored together with a personal identifier. In short: your website behavior will not be linked to your personal identity.

Note that it is our core responsibility to ensure uninterrupted availability of our web application to ensure flawless experimental operation. We hence have a strong legitimate interest in using fundamental data as a foundation for being able to provide a functioning, reliable and accessible web service and resolve server-requests in an appropriate manner. 

All of our pages are secured using SSL (Secure Socket Layer) technology, which encrypts data transmitted between our servers and your end devices, including authentication and communication with our on-premise “Hub” device. We also apply other suitable technical and organizational measures to protect your personal data whenever possible.

We do not track fundamental data using cookies.

Personal Data

In order to provide you with functionalities, we need to process certain data and/or information relating to you. What specific data is collected and/or shared depends on the context of your interactions with us and/or the Services.

However, we do not collect any sensitive personal information, such as ethnicity, origin, race, political opinions, health data, biometric data, genetic data, religion and philosophical beliefs or sexual orientation.

Account registration

If you choose to create a user account on our service, you will be required, during the registration process, to provide

  • your first and last name (identifier for other users within our service)

  • your academic institution (defining legal ownership of experimental data)

  • your personal email address (verification and authentication)

  • your password (security)

Once you have provided this information, you will receive a confirmation email. Your account will be confirmed after you have clicked on the respective link in the account activation email. During the period between registration and confirmation, you will be a “tentatively registered user”. If you do not activate your account, any personal data will you provided during registration will be deleted after 12 months. Once your account has been activated, you become a “registered user” of our service.

As a registered user on our service, you will only be identifiable with your first and last name together with your academic institution. Your email address will not be shared with other registered or non-registered users unless explicitly authorized by you in the account management.

Complimentary account data

During the registration process or when updating your profile, you can choose to provide other information that can be used to identify you, which includes:

  • your institutional email (verification purposes)

  • your ORCID identifier (for unambiguous identification)

  • your phone number (for Multi Factor Authentication)

Note that in order to ensure uncontestable assignment and tracking of legal ownership of experimental data, each registered user that wants to be owner of an experiment (“Principal investigator”) must be associated with a scientific institution. This association must be verified using an institutional email address.

Contact us - Feedback

When you contact us through our service, you may provide us with your name, contact details, and other personal data as part of your communication, as well as the content of your message itself. Similarly, when we communicate with you, we will process your personal information, such as your email address. For some of our emails, we also process information indicating whether you have opened the email. For technical feedback, we may also include basic information as described in Fundamental Data to ensure reproducibility of your observations.

Communications through the service

Various communications that you initiate through our Service (e.g. sending an email invitation to access experimental data to a potential new user outside of our service) will list your name and institution as part of the message. Other communications that you initiate within the Service (e.g. chatting, note taking, …) will show your name and institution to registered and non-registered users. Based on your personal activity within the service, we may generate other information about you that will help us provide an improved service offering (E.g. If you were to be the principal investigator of numerous experiments, we may assume that you are not a university student but a researcher with higher academic seniority).

Security

We process the number of page views to detect and prevent data harvesting. We also process your IP address to filter out suspicious requests. If you are a registered user, we store your full IP address in connection with your account registration request and your current last login. Otherwise, your login activities are only stored in connection with your truncated IP addresses. Also, we process information about your device, its operating system and the browser you are using for your current session.

Statistics

We use activity data, such as number of read publications, projects and number of citations, to generate statistics, which pertain to reading behavior or achievements. For example, we may use such activity data in order to calculate and display a read count on an individual publication page.

Personal data from Minors

We do not knowingly solicit personal data from children under 18 years of age. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us here.

Scientific Data

A comprehensive description of our Scientific Data Policy, which explains types of data, retention rules, user roles and rights, can be found here.

In the context of this privacy notice, we look at “Scientific Data” from the perspective of “Management Purpose”, as this clearly defines data ownership and your personal relation to the scientific data. In general, we consider the following organizational types of Scientific Data”:

  • Experiment Data
    • Scientific data that is generated through experimental activities under laboratory conditions or is derived during the course of processing and analysis or that is required to perform said processing and analysis tasks.

    • Experimental data must be linked to an “Experiment” with an unique experiment ID (“exID”).

    • Experimental data is owned by the home institution of the Principal Investigator (“PI”) of the experiment at the time at which the experiment was conducted. 

    • The PI acts as an ownership delegate of the assigned home institution.

    • The PI is responsible for privacy related aspects occurring in the context of a scientific collaboration on experimental data.

  • Team Data & Project Data
    • Scientific data stored, processed, or shared within a scientific team, e.g. a workgroup, laboratory, project team, etc.

    • All data assigned is owned by the home institution of the Principal Investigator (“PI”) of the team.

    • The PI acts as an ownership delegate of the assigned home institution.

    • The PI is responsible for privacy related aspects occurring in the context of a scientific collaboration on experimental data.

  • Personal Scientific Data
    • Scientific data stored or processed in your personal user repository.

    • You are the sole owner of your personal data.

    • You are responsible for privacy related aspects occurring in the context of a scientific collaboration on experimental data.

Privacy Aspects of Experiment Data

You can access Experiment Data by obtaining or inheriting a specific role in the related Experiment. Once you assume a role in an Experiment, your personal data (your name and institution) will be visible to all other registered users that are linked to the same Experiment. If the owner of the experiment (PI) decides to make the Experiment publicly available, your personal data (your name and institution) and your relation to the experiment will also become publicly visible. Furthermore, some activities you may undertake within an Experiment will be tracked and a log of scientific activities will be visible to all other participants of the same Experiment.

Privacy Aspects of Team Data or Project Data

Similar to Experimental Data, you can access Team or Project Data by obtaining or inheriting a specific role in the related Team or Project. Once you assume a role in a Team or Project, your personal data (your name and institution) will be visible to all other registered users that are linked to the same Team or Project. Furthermore, some activities you may undertake within a Team or Project will be tracked and a log of your scientific activities will be visible to all other participants of the same Team or Project.

Privacy Aspects of Personal Scientific Data

Your personal data (your name and institution) will only become visible to other users if you decide to share specific files and or folders with other users.

Activity Tracking for Scientific Transparency

For the purpose of scientific transparency, reproducibility and integrity of the scientific content, we will retain a record of any role assignment or change that occurs within the context of an Experiment, Project or Team. 

If you decide to delete your account, we will remove your active role within the experiment. 

However, even if your account has been deleted we will retain any role transaction and activity logs of past roles you held in any experiment, team or project. Our legitimate reason for this behavior is our responsibility towards the scientific community: if we receive claims of fraudulent, manipulated or otherwise wrongfully falsified scientific data, we are obligated to provide end-to-end transcripts of users capable of undertaking malicious actions.  

Note that descriptive metadata of experiments (e.g. author names, institution, etc..) is considered necessary for publication and is hence exempt from the right to be removed unless incorrect.

How do we use data we collected from you?

The following explanations will provide you with information about how we use the personal data that we collect about you, and our legal basis for doing so under the GDPR. Generally speaking, we may use your data based on our legitimate interests:

  • To facilitate account creation and authentication and otherwise manage user accounts
    We may process your information so you can create and log in to your account, as well as keep your account in working order.

  • To deliver and facilitate delivery of services
    We may process your information to provide you with the requested services, such as e.g. storing, archiving and sharing of your scientific data.

  • To send administrative information to you
    We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information. Note that any marketing related communication from us to you is optional and we respect your wish not to receive such information.

  • To enable user-to-user communications within the Service
    We may process your information if you choose to use any of our Services that allow for communication with another user.

  • To enable scientific collaboration within the Service
    We may process your information to allow other users to find your user account and hence share scientific data with you.

  • To request feedback
    We may process your information when necessary to request feedback and to contact you about your use of our Services.

  • To protect our Services
    We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention, cyber attacks or other security breaches.

  • To identify usage trends
    We may process information about how you use our Services to better understand how they are being used so we can improve them.

  • To enforce Terms of Use
    We may process your information when necessary to enforce the Terms of Use accepted by the user, e.g. investigate claims of discrimination, harassment or to prevent harm.

  • To investigate a claim of fraudulent behavior
    We may process your information when we investigate a claim that you may have been involved in activities leading to wrongful manipulation of scientific data.

  • To track legal ownership of scientific data
    We may process your data to track and maintain legal ownership and hence intellectual property rights of scientific data.

Also, we may use your data to comply with legal obligations, e.g. to observe retention periods required by trade or tax law or to comply with obligations to disclose data based on a legally binding court decision or official order.

How do we use data we collected from you?

We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with Services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

We generally act based on the legal standards defined by the European General Data Protection Regulation (GDPR) 2016/679, dated April 27, 2016. 

In legal terms, we are generally the "data controller" under European data protection laws of the personal information described in this privacy notice, since we determine the means and/or purposes of the data processing we perform.

When and with whom do we share personal information?

We will not sell your personal data to any third party entity.

However, there are situations in which we may need to share your personal data with other third-parties. Such situations include:

  • Usage Analytics
    We may share information with third-party services in order to capture, track and analyze user behavior. Note that we only track and share anonymized, fundamental data for usage analytics. More information on this topic is found here

  • Business Transfers
    We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

  • Affiliates
    We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.

  • Other Users
    When you share personal information (for example, by posting comments, contributions, or other content to the Services) or otherwise interact with public areas of the Services, such personal information may be viewed by all users and may be publicly made available outside the Services in perpetuity. Similarly, other users will be able to view descriptions of your activity, communicate with you within our Services, and view your profile.

How do we use third party services for usage analytics and activity tracking?

As noted, we may also capture, track and analyze usage statistics of your behavior in our Service to ensure safety, security, operational reliability and to further improve offerings of future functionalities. In order to protect your privacy, we do NOT link your personal information with any tracked usage behavior we may have recorded. 

We use Matomo as a third party component for activity tracking in our Services. Matomo is an open source web analytics platform that is fully GDPR compliant. A web analytics platform is used to measure, collect, analyze and report user data for purposes of understanding and optimizing their website. More information about Matomo and its privacy policy can be found at: https://matomo.org/matomo-cloud-privacy-policy/

Matomo is operated on servers in the European Union, with primary storage in Germany and data backups located in Ireland. All usage data recorded in our Services for usage analytics is 100% owned by us and is not shared with other third parties for marketing, advertising or other commercial purposes. Note that all usage data is stored separately from your personal data and there exist no identifiers to link both usage with personal data.

Matomo functions by setting a short-lived cookie on your IT system. With the setting of the cookie, an analysis of the use of our website is enabled. With each call-up to one of the individual pages of this website via the Matomo component, your browser is automatically prompted to submit data for the purpose of online analysis to a Matomo server.

You may prevent the setting of cookies through our website at any time by means of a corresponding adjustment of your browser and thus permanently deny the setting of cookies. Such an adjustment would also prevent Matomo from setting a cookie. In addition, cookies already in use by Matomo may be deleted at any time via a browser or other software programs.

How do we use cookies and related technologies?

We and service providers acting on our behalf may use technologies such as cookies to collect information relating to you and your use of the Service. 

Cookies are small text files that are placed on your computer by websites that you visit. Websites use cookies to help users navigate efficiently and perform certain functions. Cookies that are required for the website to operate properly are allowed to be set without your permission. All other cookies need to be approved before they can be set in the browser. 

We only use essential cookies in our Services. Essential cookies are necessary for the proper functioning of our website and services. These cookies enable core functionalities such as security, network management, and accessibility. Without these cookies, our website cannot perform properly, and certain features and services may not be available.

We do not use cookies for marketing, advertising, or any other non-essential purposes. Our focus is solely on providing a secure and efficient user experience. Your trust and privacy are of utmost importance to us, and we are committed to maintaining the highest standards of data protection and transparency.

Cookie Table

We currently do not use cookies for any purposes. If we start doing that, we will inform you.

Cookies

Expiry

Cookies Used

Privacy Information

__session,
__client_uat,
__clerk_db_jwt

1 year

First party

https://clerk.com/legal/privacy

How long do we store your data?

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than twelve (12) months past the termination of the user's account.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

We only keep personal data for the time strictly necessary in order to enable the use of our Service and/or to fulfill the purposes identified above, and/or to comply with any legal or regulatory obligations. In all other cases, we delete your personal data with the exception of such data that we are required to retain for the purpose of contractual or statutory (e.g., taxation or commercial law) retention periods. In particular, we keep payment and invoice related information or support inquiries to the extent required by trade and tax law for the statutory retention periods (ten, respectively six years).

How and where do we keep your data safe?

Recipients

We do not sell any of your personal data.

The personal data we collect from you and that you provide to us is stored on servers in Ireland EU and processed in Switzerland. With Ireland being part of the European Union, all notions of the European General Data Protection Regulation (GDPR) apply to our Services.

Some of your personal data is visible to other Users and Visitors of our Services who may, for example, collaborate with you in an Experiment or access files of an Experiment that was made Open Accessible.

We may disclose personal data in response to a legal process or when the law requires it (for example, in response to a court order) or, to the extent permitted by applicable law, to protect the rights, property, or safety of DECTRIS CLOUD, the Service, Users of the Service (including you), and others.

We may use third party service providers, in particular for technical and business services, tax advisors and legal counsel. These service providers receive personal data solely for the performance of their services for us on our behalf. They are contractually obliged not to use personal data for other purposes.

Storage location & safeguards

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

If we transfer your personal data to countries outside of the European Economic Area which do not offer adequate and similar protection, we will ensure that we do this in accordance with applicable data protection regulations (e.g., by putting in place an appropriate data transfer instrument such as the European Standard Contractual Clauses).

We will do this with a view to ensuring that the level of protection applied to the processing of your personal data in these countries is similar to that applied within the European Economic Area.

How can you close your account?

For registered users, we generally store their personal data as long as their account is active.

If you have created an account, you can close it yourself in your ‘Account Settings’. If you request that we close your account for you, we might ask for proof of identity before doing so. We may also close inactive accounts or accounts that are used in violation of our Terms of Service or any applicable law. Closing of an account is irreversible.

We will retain personal data from closed or inactive accounts to the extent and as long as it is necessary and relevant for our operations and/or to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our Terms of Service, and/or take other actions otherwise permitted by law.

In general, personal data from closed or inactive accounts will be deleted or anonymized from our system backups one year after the account is closed or deactivated.

How can you review, update, or delete data we collect from you?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please contact us at  www.dectris.cloud/contactus.

What are your privacy rights?

First off, you can object to tracking of your Fundamental Data using the following link: opt-out. In addition to your right to object to tracking of fundamental data, you may be entitled to exercise some or all of the following rights:

  • Right of access by the data subject.

  • Right to correct inaccurate personal data or complete incomplete data.

  • Right to obtain deletion of your personal data stored with us subject to legal or contractual retention periods or other legal obligations or rights which must be observed. Note that descriptive metadata of experiments, unless incorrect, is exempt from this right.

  • Right to object to or restrict the processing of your personal in the event that: you contest the accuracy of the data; the processing is unlawful but you oppose it’s deletion; we no longer need the personal data for the purposes of the processing but you need it for your assertion; it may be relevant to the exercise or defense of legal claims; or you have lodged an objection to the processing.

  • Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights. We will not discriminate against you if you exercise your privacy rights.

  • Right to be informed of changes. In case we amend this privacy notice, we will actively inform you about major additions.

Additional rights may be granted by the Local Regulations to affected Persons.

In case you decide to make use of any of your privacy rights, contact us through one of our accepted channels. Note that in order to protect your personal information from wrongfully made requests and in order to comply with country/state specific privacy acts, we will have to ask for personal verification before sharing any user information.

How can you close your account?

We conduct regular reviews of this policy to ensure ongoing compliance with GDPR measures. We may hence update this privacy notice from time to time. The updated version will be indicated by an updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.

How can you close your account?

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO) using our contact form, directly via email at privacy@dectris.cloud or by post mail at:

DECTRIS Ltd.
DASKIO Data Officer
Taefernweg 1
5405 Baden-Daettwil, AG
SWITZERLAND