Last updated: May 23, 2026

Privacy Notice

This notice summarizes how Evidentia Review handles personal data while providing the platform, collaboration features, and system reports.

What data we process

  • Account and profile data such as username, email, language, institution, location, URL, and optional public profile picture.
  • Collaboration data such as invites, review roles, external share access records, and audit trails tied to methodological decisions.
  • Technical and security data such as authenticated session state, CSRF token, language preference, cookie consent state, and operational events needed to keep the service secure.
  • User-configured integration credentials such as OpenAlex and Zotero API keys, stored in encrypted form.

Why we use this data

  • To operate accounts, authentication, account recovery, and core product preferences.
  • To enable review collaboration with access control, audit trails, and reproducible reporting.
  • To protect the platform against abuse, keep sessions secure, and investigate operational incidents.
  • To execute bibliographic integrations initiated by the user.

Legal bases and operational context

Processing may occur to provide the requested service, pursue legitimate interests in platform security and operation, and preserve methodological traceability in collaborative reviews. Some reports and trails may need to be preserved for scientific integrity and auditability of the review process.

Sharing and third parties

  • External reports are only exposed when enabled by the review owner and may require token, password, expiration, and revocation controls.
  • Optional cookies may load usage analytics and error monitoring services only after consent.
  • Bibliographic integrations use credentials supplied by the user to query third-party services.

Retention

We keep account data while the account remains active and methodological data while it is required for the review, its auditability, and the security of the installation. Invites, waitlist records, optional cookies, and some operational events follow their own retention windows or installation policies. When retention is no longer needed, data should be removed, anonymized, or aggregated according to the applicable operational policy.

Your rights and contact

Requests related to access, correction, deletion, restriction, or questions about personal data processing can be sent to cedis.unb@gmail.com. Handling may require identity verification and an impact review for records that must be preserved for security, methodological integrity, or legal obligations.

Security controls currently in place

  • Role-based access control for reviews.
  • Secure cookies in production, HSTS, and transport protections.
  • Idle and absolute session timeouts.
  • Encryption for supported operational secrets and integration keys.