Privacy policy
Last updated: 2026-05-23
CollMan is an academic tool for the management of natural history collections. This page explains what personal data we process, why, how long we keep it, and the rights you have. Essential cookies are always used. We also use Google Analytics in a two-tier setup: aggregate, cookieless usage pings are sent by default (no cookies, no user identifier), and cookie-based analytics only after you accept it in the cookie banner. You can change the choice at any time via "Cookie settings".
1. Data controller
The data controller responsible for processing your personal data under this policy is:
Instytut Chemii Bioorganicznej Polskiej Akademii Nauk w Poznaniu (ICHB PAN) / Poznańskie Centrum Superkomputerowo-Sieciowe (PCSS)
ul. Z. Noskowskiego 12/14, 61-704 Poznań, Poland
Email: ibch@ibch.poznan.pl
For privacy-specific inquiries: use the CollMan contact form.
CollMan operates within the data-protection framework of its parent institution. Read the parent institution's general GDPR information clause.
Data Protection Officer
A Data Protection Officer (Inspektor Ochrony Danych) has been designated by the controller. Contact the DPO directly for any matter related to your personal data:
Inspektor Ochrony Danych, ICHB PAN
ul. Z. Noskowskiego 12/14, 61-704 Poznań, Poland
Email: dpo@ibch.poznan.pl
Project context: Lead Beneficiary
CollMan is developed within a funded project for which Adam Mickiewicz University in Poznań acts as the Lead Beneficiary (Beneficjent wiodący). The Lead Beneficiary's information clause covers a NARROW set of personal data — specifically people named as representatives or contact persons in the project consortium agreement. General CollMan user data (accounts, collections) is processed by the controller above, not by the Lead Beneficiary.
Uniwersytet im. Adama Mickiewicza w Poznaniu (Adam Mickiewicz University in Poznań)
ul. H. Wieniawskiego 1, 61-712 Poznań, Poland
Lead Beneficiary DPO: iod@amu.edu.pl
Read the Lead Beneficiary's full information clause (PDF).
2. Data we process
Depending on how you use CollMan, we may process the following categories of personal data:
- Account data — name, email address, password hash, email verification status, role assignments, last login timestamp, optional Google account identifier if you sign in with Google.
- Content you create — collections (assessments), profiles, curatorial actions, loans, publications, permits, attached files, comments and notes. Anything you type into the platform.
- Membership data — which institutions you belong to and your role inside them.
- Audit trail — a log of significant actions (logins, logouts, failed login attempts, edits, role and permission changes) with timestamp, IP address and user-agent string. Used for security investigations and accountability.
- Contact form submissions — the message you send, your name and email, plus the originating IP address and user-agent (kept for abuse prevention).
- Technical session data — a session identifier kept server-side in our database (not in third-party services).
We do NOT process: payment data, marketing profiles, location data, biometric data, or any data routed to advertising networks.
3. Purposes and lawful bases
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Providing the CollMan service — accounts, authentication, content management, exports | Performance of a contract (Art. 6(1)(b)) — you create an account to use the service |
| Security: audit log, login tracking, abuse-prevention rate limits | Legitimate interest (Art. 6(1)(f)) — protecting the platform and its users |
| Replying to contact-form messages | Legitimate interest (Art. 6(1)(f)) — handling your inquiry |
| Anonymous benchmarking (Module 7) — if you opt in | Consent (Art. 6(1)(a)) — opt-in flag on the collection, withdrawable at any time |
| Google Analytics (cookieless pings) — anonymous, aggregate usage measurement to operate and improve the service | Legitimate interest (Art. 6(1)(f)) — no cookies, no user identifier, IP not retained |
| Google Analytics (cookie-based) — fuller, session-linked usage statistics, only if you accept it in the cookie banner | Consent (Art. 6(1)(a)) — withdrawable any time via "Cookie settings" |
| Compliance with legal obligations (e.g. responding to lawful requests) | Legal obligation (Art. 6(1)(c)) |
4. How long we keep your data
- Account data — for the lifetime of your account. When you delete your account, the account record and the collections you own are removed.
- Audit log entries — kept for security investigations; entries referencing a deleted user are anonymized (the causer link is severed) rather than deleted, so a complete forensic record remains.
- Contact form messages — kept until an administrator marks them resolved; routinely archived after 12 months.
- Server access logs and rate-limit data — rotated and discarded automatically (typically within 30 days).
- Backups — encrypted backups may retain deleted data for up to 90 days before being overwritten.
5. Recipients and third parties
CollMan does not sell or rent personal data. The following parties may receive limited data, strictly for the operation of the service:
- Hosting infrastructure — the data controller (PSNC) operates the servers; data does not leave their infrastructure for storage purposes.
- Google (Sign-in) — if you choose to sign in with Google, your authentication request is processed by Google. Only your email and account identifier are returned to CollMan. See Google's privacy policy.
- Google Analytics (Google LLC) — Google receives aggregate, cookieless usage pings from every visit (page URL, screen size, approximate country, referrer; no cookies, no user identifier, IP not retained). If you click "Accept analytics" in the cookie banner, full cookie-based GA4 tracking with a client identifier is additionally enabled. Measurement ID: G-T6JTEXJ47D. Data is processed under Google's standard contractual clauses for EEA traffic.
- CrossRef — when you click the "Retrieve data" button on a publication, we send the DOI you provided to CrossRef's public API to fetch citation metadata. No personal data is sent.
- GBIF — the visibility module fetches public dataset counts from GBIF's API. No personal data is sent.
- Fonts (fonts.bunny.net) — a privacy-respecting Google Fonts mirror that does not log IP addresses or set cookies.
- Email delivery — outgoing mail (verification, notifications, contact replies) is transmitted through the configured SMTP relay.
6. Cookies
CollMan sets essential and functional cookies at all times. Google Analytics cookies (_ga, _ga_*) are set only if you click "Accept analytics" in the cookie banner — choosing "Essential only" means no analytics cookies are written (Google still receives aggregate cookieless pings, which set no cookies on your device). We never set marketing or advertising cookies.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| collman_system_for_determining_the_value_of_museum_collections_session | Keeps you logged in. Holds a session identifier only — your data is stored server-side. | 120 minutes | Essential |
| XSRF-TOKEN | Cross-Site Request Forgery (CSRF) protection on form submissions. | Session | Essential |
| cookie_consent_v1 | Records your cookie-banner choice (granted or denied) so the banner does not reappear and so we know whether to load Google Analytics on subsequent visits. | 365 days | Functional |
| _ga | Google Analytics client identifier — used to distinguish visitors. Set only after you accept analytics in the cookie banner. | 2 years | Analytics (consent-gated) |
| _ga_T6JTEXJ47D | Google Analytics session state for this specific GA4 property. | 2 years | Analytics (consent-gated) |
7. Your rights
Under GDPR you have, in particular, the following rights. You can exercise most of them directly through your profile page; for everything else, use the contact form (category "Data protection request") or email the Data Protection Officer at dpo@ibch.poznan.pl:
- Right of access (Art. 15) — to obtain a copy of the personal data we hold about you. Use the "Download my data" button on your Profile page; for anything beyond that, use the contact form.
- Right to rectification (Art. 16) — to correct inaccurate data. You can edit your name and email on the Profile page directly.
- Right to erasure (Art. 17) — to have your data deleted. Use the "Delete account" button on your Profile page. The action removes your account, your collections and your attachments.
- Right to data portability (Art. 20) — to receive your data in a machine-readable format. The "Download my data" button on your Profile page returns a structured ZIP.
- Right to restrict or object (Art. 18, 21) — to limit or object to specific processing. Use the contact form.
- Right to withdraw consent (Art. 7) — where processing is based on consent (e.g. opting in to anonymous benchmarking), you can withdraw it at any time without affecting prior lawful processing.
8. Right to complain to a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement. The supervisory authority competent for the data controller is:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl/
9. Changes to this policy
We may update this policy to reflect changes to the service or to legal obligations. The "Last updated" date at the top of this page reflects the date of the most recent revision. Material changes will be signalled in CollMan and, where appropriate, the first-visit notice will reappear.