Biodimobot Privacy Notice

1. Data Controller

The Biodimobot project is responsible for the processing of personal data collected through this platform. For questions about data protection, contact the project coordinator.

2. What Data We Collect

This platform processes two categories of personal data:

• User account data: username, hashed password, role, and consent status.
• Occurrence record metadata: names of people who recorded, identified, or georeferenced biodiversity observations (e.g., "Recorded By", "Identified By" fields in Darwin Core records).

3. Purpose and Legal Basis

Personal data is processed for the purpose of:

• Biodiversity research: collecting and curating occurrence data for publication to the Global Biodiversity Information Facility (GBIF), supporting EU biodiversity monitoring and conservation goals.
• Data provenance: maintaining audit trails to ensure scientific reproducibility and data quality.

The legal basis for processing is legitimate interest (Article 6(1)(f) GDPR) for scientific research purposes, and consent (Article 6(1)(a) GDPR) where applicable.

4. Data Retention

Occurrence records are retained for the duration of the project and may be published to GBIF as open data. User account data is retained while the account is active. Upon account deletion, personal data in occurrence records is anonymized.

5. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Access (Art. 15): Request a copy of all your personal data via the "Export My Data" feature.
• Rectification (Art. 16): Request correction of inaccurate personal data.
• Erasure (Art. 17): Request deletion of your account and anonymization of associated records via the "Delete My Account" feature.
• Data portability (Art. 20): Download your data in machine-readable JSON format.
• Object (Art. 21): Object to processing of your personal data.

6. Data Sharing

Occurrence records may be published to GBIF (gbif.org) as open data under Creative Commons licenses. Before publication, you may request anonymization of personal data fields. User account data is never shared externally.

7. Data Security

Passwords are stored using industry-standard cryptographic hashing (never in plain text). All forms are protected against cross-site request forgery (CSRF). Database access is restricted and audit trails track all modifications.

8. Automated Decision-Making

This platform does not perform automated decision-making or profiling based on personal data.

Last updated: April 2026