Privacy Policy

Effective date: [insert date]
Last updated: [insert date]

1 Who we are

umbrellaID is a digital identity service for users of photon and neutron facilities. The umbrellaID website and related services are operated for the umbrellaID federation and its collaborators.

For questions about this Privacy Policy or about the processing, correction, or deletion of personal data, please contact:

umbrellaID

Email: contact@umbrellaid.org

Controller: [confirm legal entity / controller name]
Until confirmed, this Privacy Policy refers to the website and services operator as “umbrellaID,” “UMBRELLA,” “we,” “us,” or “our.”

2 Scope of this Privacy Policy

This Privacy Policy explains how we collect, use, store, protect, and disclose personal data when you:

  • visit umbrellaid.org;
  • create or use an umbrellaID account;
  • link umbrellaID to an identity at a participating facility or home organisation;
  • use umbrellaID to access participating services;
  • contact us by email, contact form, or other communication channels.

Participating facilities, home organisations, and third-party services may have their own privacy notices and terms. Those notices apply to their separate processing activities.

3 Personal data we collect

We collect only the personal data needed to provide, secure, maintain, and improve the website and umbrellaID services.

3.1 Website access and server log data

When you access our website, we may automatically collect and archive technical access data, including:

  • IP address;
  • date and time of access;
  • page or file requested;
  • browser and device information;
  • referring page, where available;
  • security and diagnostic logs.

We use this information to operate the website, maintain security, troubleshoot errors, generate anonymous statistics, and comply with legal obligations.

We do not carry out personal analyses. Statistical analysis is performed anonymously or in aggregated form.

3.2 Account registration data

When you create or use an umbrellaID account, we may process personal data and identity attributes needed to create, verify, manage, and secure your account, including:

  • username;
  • Full Name;
  • Given Name;
  • Family Name;
  • Email address;
  • verification code or verification status;
  • ORCID, where provided;
  • account identifiers and technical identity attributes;
  • Affiliation within Home Organization, including affiliation, organisational unit, role, status, or similar information provided by you, your Home Organization, a participating identity provider, or a participating facility.

Where the service hashes information and does not store it in clear text, we still treat such hashed data as personal data where it can be linked to you or your account.

3.3 Federated login and account-linking data

umbrellaID is built to link your umbrellaID identity with identities at participating facilities, Home Organizations, or identity providers. When you use these functions, we may process personal data and identity attributes received from or shared with these organisations, including:

  • identity provider or Home Organization information;
  • Full Name;
  • Given Name;
  • Family Name;
  • Email address;
  • Affiliation within Home Organization;
  • account-linking identifiers;
  • user identifiers, federation identifiers, or service-specific identifiers;
  • authentication status and timestamps;
  • attributes required to allow login, account linking, authorisation, or access to a participating service;
  • technical logs needed for security, auditing, and troubleshooting.

Only data required for the relevant authentication, account-linking, authorisation, security, or service purpose is processed.

3.4 Contact and support data

When you contact us, we may process:

  • your name;
  • email address;
  • organisation or affiliation, if provided;
  • message content;
  • any other information you choose to provide.

We use this data to respond to your request, handle support issues, and keep appropriate records of communications.

4 Why we process personal data

We process personal data for the following purposes:

  • to provide and maintain the umbrellaID website and services;
  • to create, authenticate, and manage user accounts;
  • to support federated identity and account-linking functions;
  • to identify users reliably across participating facilities and Home Organizations;
  • to verify user affiliation, eligibility, or authorisation for participating services;
  • to allow participating services to receive the identity attributes needed to provide access, support, security, and account management;
  • to enable access to participating services where you choose to use umbrellaID;
  • to protect the security, confidentiality, and integrity of our systems;
  • to detect, prevent, and investigate misuse, security incidents, or technical problems;
  • to respond to questions, complaints, and support requests;
  • to generate anonymous or aggregated statistics;
  • to comply with legal, regulatory, and operational obligations.

5 Legal basis for processing

Where applicable data protection law requires a legal basis, we rely on one or more of the following:

  • performance of a contract or service request, where processing is necessary to provide umbrellaID services you use;
  • legitimate interests, including operating a secure identity service, protecting systems, preventing misuse, and maintaining reliable access;
  • legal obligations, including record-keeping, security, and compliance obligations;
  • consent, where we ask for consent for a specific optional processing activity;
  • public-interest or research-infrastructure purposes, where applicable to participating public research facilities and permitted by law.

The precise legal basis may depend on your country, the facility or service involved, and the processing activity.

6 Confidentiality and disclosure

We treat personal data as strictly confidential.

We do not sell personal data. We do not disclose or make personal data available to third parties for unrelated commercial purposes.

We may disclose or make available personal data only where necessary and lawful, including:

  • to umbrellaID collaborators, representatives, technical administrators, or service providers who need access to operate or support the website or services;
  • to a participating facility, Home Organization, identity provider, or service when you choose to use umbrellaID for login, authentication, authorisation, account linking, or access to that service;
  • where required by law, regulation, court order, or competent authority;
  • where necessary to protect the security, rights, or legitimate interests of umbrellaID, participating services, users, or the public.

Identity attributes shared with participating facilities or services may include, where required for the relevant service:

  • Full Name;
  • Given Name;
  • Family Name;
  • Email address;
  • Affiliation within Home Organization;
  • user identifiers, account identifiers, or federation identifiers;
  • authentication and authorisation information.

Anyone processing personal data on our behalf must protect it appropriately and use it only for authorised purposes.

7 Cookies and similar technologies

We may use cookies or similar technologies that are necessary to operate the website, login sessions, account security, and related services.

We do not use cookies for personal profiling or personal analysis unless this is clearly disclosed and, where required, consent is obtained.

To confirm before publication: whether the website uses analytics cookies, third-party embedded content, CAPTCHA providers, or other non-essential technologies. If it does, add a cookie table listing provider, purpose, duration, and opt-out/consent mechanism.

8 Security

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, disclosure, alteration, or destruction.

These measures may include access controls, confidentiality obligations, secure storage, hashing of selected data, logging, monitoring, and other safeguards appropriate to the nature of the data and the service.

No internet transmission or online service can be guaranteed to be completely secure. Users are responsible for keeping their login credentials confidential and for notifying us promptly if they suspect unauthorised use of their account.

9 Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, including service operation, security, legal compliance, dispute resolution, and archiving obligations.

Access logs may be stored and archived where necessary to comply with legal obligations and maintain security.

To confirm before publication: insert concrete retention periods, for example:

  • server logs: [insert period];
  • account data: for the lifetime of the account plus [insert period];
  • inactive accounts: [insert policy];
  • support requests: [insert period];
  • security logs: [insert period].

10 International processing and transfers

umbrellaID is used by a federation of participating research facilities and services. Depending on the service you use, personal data may be processed in Switzerland, the European Economic Area, the United Kingdom, or other countries where participating organisations or technical service providers are located.

Where required, we use appropriate safeguards for international transfers, such as contractual protections, technical measures, adequacy decisions, or other lawful transfer mechanisms.

Because umbrellaID supports federated access across participating research facilities and Home Organizations, identity attributes such as Full Name, Given Name, Family Name, Email address, and Affiliation within Home Organization may be transferred to participating services in other countries where necessary for authentication, authorisation, account linking, access management, support, or security.

11 Your rights

Subject to applicable law, you may have the right to:

  • request access to your personal data;
  • request correction of inaccurate or incomplete data;
  • request deletion of personal data;
  • request restriction of processing;
  • object to certain processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with a competent data protection authority.

To exercise your rights, contact contact@umbrellaid.org or use the postal address listed above.

We may need to verify your identity before responding to a request. Some rights may be limited where retention or processing is required for legal, security, or operational reasons.

12 Data of minors

umbrellaID is intended for users of participating research facilities, services, and organisations. It is not intended for use by children without appropriate authorisation.

Where a user is below the age required by applicable law to use the service independently, the user may need permission from a parent, guardian, institution, or other authorised representative.

13 Third-party links and participating services

The website may contain links to participating facilities, partner services, or external websites. We are not responsible for the privacy practices, security, or content of external websites or services.

When you use a participating facility or third-party service, its own privacy policy and terms may apply.

14 Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version published on umbrellaid.org applies.

If we make material changes, we will update the “Last updated” date and, where appropriate, provide additional notice.

15 Contact

Questions, complaints, and requests relating to personal data may be sent to:

umbrellaID

Email: contact@umbrellaid.org