This Privacy Policy has been prepared in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the German Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG). It applies to all users of the PLEXUS beta programme.
Privacy Policy
Effective date: 26 April 2026 · Version: Beta 1.0
Contents
- 1. Data Controller
- 2. Personal Data We Collect
- 3. Purposes and Legal Bases for Processing
- 4. Third-Party Processors and Recipients
- 5. International Data Transfers
- 6. Data Retention
- 7. Your Rights Under the GDPR
- 8. Cookies and Tracking Technologies
- 9. Children's Privacy
- 10. Automated Decision-Making
- 11. Changes to This Policy
- 12. Contact and Complaints
1. Data Controller
The data controller responsible for your personal data is:
Plexus Science
Email: plexus.science@outlook.de
Full legal name and registered postal address will be published prior to general availability. Beta participants may exercise their rights via the email address above.
The data controller is the entity that determines the purposes and means of processing your personal data. We process your personal data only as described in this Privacy Policy.
2. Personal Data We Collect
We collect the following categories of personal data:
Account and Registration Data
Full name, email address, password (stored as a secure hash), institutional affiliation, and profile information you choose to provide (role, biography, profile photograph).
Research and Platform Content
Research projects, protocols, ethics submissions, datasets, documents, analyses, and other content you create or upload through the Service. This may include personal data of research participants where you include such data in your datasets — you are the data controller for participant data, and we act as your data processor.
Usage and Technical Data
IP address, browser type and version, operating system, pages visited, time and duration of visits, referring URL, and device identifiers. This data is collected automatically to operate and improve the Service.
Communications
Emails, support requests, and feedback you send to us, including any personal data contained therein.
We do not intentionally collect special categories of personal data (Article 9 GDPR) such as health data, biometric data, racial or ethnic origin, or political opinions unless they form part of research data you explicitly upload for scientific research purposes, in which case the lawful basis is Article 9(2)(j) GDPR (scientific research).
3. Purposes and Legal Bases for Processing
We process your personal data for the following purposes, each with a corresponding legal basis under Article 6 GDPR:
| Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|
| Providing the Service, account management, and authentication | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (account confirmation, password reset, collaboration invitations) | Art. 6(1)(b) — performance of a contract |
| Processing beta feedback and improving the Service | Art. 6(1)(f) — legitimate interests (improving the platform for users) |
| Security monitoring, fraud prevention, and abuse detection | Art. 6(1)(f) — legitimate interests (protecting users and the platform) |
| Compliance with legal obligations (e.g., responding to lawful requests from authorities) | Art. 6(1)(c) — legal obligation |
| Sending beta programme updates and product communications | Art. 6(1)(a) — consent (you may withdraw at any time) |
| AI-assisted features (analysis suggestions, document assistance) | Art. 6(1)(b) — performance of a contract |
Where we rely on legitimate interests (Article 6(1)(f)), we have conducted a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 7).
4. Third-Party Processors and Recipients
We engage the following third-party data processors to operate the Service. Each processor is bound by a Data Processing Agreement and required to process your data only on our documented instructions:
- Supabase Inc.: Database infrastructure, authentication, and real-time data services
- Anthropic PBC: AI-assisted features (analysis suggestions, document assistance, natural language processing)
- Vercel Inc.: Web application hosting and content delivery
We do not sell your personal data to third parties. We do not share your data with advertisers or data brokers. We may disclose personal data to competent authorities where required by applicable law.
5. International Data Transfers
Some of our third-party processors are based in the United States. When we transfer personal data outside the European Economic Area (EEA), we ensure an adequate level of protection through one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
- Adequacy decisions by the European Commission where applicable.
- Supplementary technical measures (encryption at rest and in transit) where required by a transfer impact assessment.
You may request a copy of the applicable transfer safeguards by contacting us at plexus.science@outlook.de.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy, or as required by applicable law. Our standard retention periods are:
| Data Category | Retention Period |
|---|---|
| Account data (name, email, profile) | Duration of account + 30 days after deletion request |
| Research projects and datasets | Duration of account + 90 days after deletion (to allow data export) |
| Audit logs and activity records | 12 months from creation |
| Support communications | 3 years from last interaction |
| Technical/usage logs (server logs, IP addresses) | 90 days |
| Beta feedback | Until end of beta programme + 12 months |
Upon account deletion, we will anonymise or delete your personal data within the periods above, unless longer retention is required by law (e.g., tax records). Research data you have published to the public registry may be retained in anonymised form to preserve the integrity of public scientific records.
7. Your Rights Under the GDPR
As a data subject in the European Union, you have the following rights. You may exercise any of these rights by contacting us at plexus.science@outlook.de. We will respond within one calendar month, as required by Article 12 GDPR.
We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive. We may ask you to verify your identity before fulfilling a request.
9. Children's Privacy
The Service is not directed to persons under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at plexus.science@outlook.de and we will delete it promptly.
10. Automated Decision-Making
We do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR.
AI-assisted features (such as analysis recommendations or document suggestions) are advisory only. All significant decisions about your research remain with you.
11. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify you of material changes by email and by prominent notice within the platform at least 14 days before the changes take effect. The “effective date” at the top of this page will always reflect the date of the most recent version.
12. Contact and Complaints
For all privacy-related enquiries, requests to exercise your rights, or complaints, contact us at:
Plexus Science — Data Protection
Email: plexus.science@outlook.de
We aim to respond within one calendar month as required by Article 12 GDPR.
Supervisory Authority: You have the right to lodge a complaint with the competent data protection supervisory authority at any time. The supervisory authorities in Germany are the state data protection commissioners (Landesdatenschutzbeauftragte) for each federal state (Bundesland), and the federal supervisory authority:
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Website: bfdi.bund.de · Postal: Graurheindorfer Str. 153, 53117 Bonn, Germany
You may also contact the supervisory authority of your place of residence or workplace within Germany. A list of all German state supervisory authorities is available at gdd.de.
