Legal document
Privacy Policy
This Privacy Policy explains how Research Compass collects, processes and protects personal data under Regulation (EU) 2016/679 (GDPR).
Effective from: 15 June 2026
1. Data controller
The controller of your personal data is Jolanta Podolszanska, operating the Research Compass platform ("Research Compass", "RC", "the platform").
For privacy matters and GDPR-related requests, contact: j.podolszanska@ujd.edu.pl
2. What data we process
Core search features and some Research Compass tools are available without registration. Creating an account is voluntary.
We may process:
• Account data: email address, profile name, user identifier, account creation and confirmation dates, saved favorite journals and conferences, login and session security information. Passwords are handled securely by Supabase; the administrator cannot access plaintext passwords.
• Data entered into publication tools: title, abstract, keywords, discipline and preferences. These data are used to run the selected analysis. Do not enter patient data, research participant data or other confidential information.
• Technical data: IP address, browser type, operating system, session identifiers, visit time, error logs and security logs.
• Contact form data: name, email address, subject and message content.
• Newsletter data: email address, if you voluntarily subscribe.
• Quality feedback data: pseudonymous technical summaries and recommendation feedback, without storing the full title or abstract.
• Analytics data: anonymized information about page views, device, browser, country and traffic source collected by Umami without cookies and without directly identifying users.
3. Purposes and legal bases
We process data for the following purposes:
• Creating and managing an account, signing in, password recovery and account features: Article 6(1)(b) GDPR.
• Running analyses in the Publication Assistant and other tools: Article 6(1)(b) GDPR.
• Handling messages and requests: Article 6(1)(b) or Article 6(1)(f) GDPR.
• Protecting accounts, preventing abuse, diagnosing errors and maintaining platform security: Article 6(1)(f) GDPR.
• Establishing, pursuing or defending claims: Article 6(1)(f) GDPR and, where required, Article 6(1)(c) GDPR.
• Newsletter: Article 6(1)(a) GDPR, only after separate voluntary consent.
• Measuring recommendation quality: Article 6(1)(f) GDPR, with pseudonymization and data minimization.
Acknowledging this Privacy Policy is not marketing consent. You can create an account without joining the newsletter.
4. Is providing data required?
Providing an email address and password is voluntary, but necessary to create an account. Without them, registration, sign-in and account recovery are not possible.
The profile name is currently required in the registration form so that the platform can present the user account correctly. Data entered into publication tools are voluntary, but the selected analysis cannot be run without sufficient input.
Marketing consent is not required to create an account.
5. Cookies and browser storage
The platform uses essential browser storage mechanisms needed for login, account security and preserving started work.
Umami is used for anonymous analytics. According to Umami documentation, it does not use cookies, does not store information that directly identifies a user and does not track people across different websites.
We do not use advertising cookies or ad profiling tools.
6. Recipients and providers
Where necessary for the platform to operate, data may be processed by:
• Supabase: accounts, authentication and database services.
• Resend: account-related email delivery, such as email confirmation and password reset.
• Vercel: application hosting, site delivery and technical logs.
• Umami Cloud: anonymous visit analytics.
• Authorized technical providers and subcontractors of the above services.
• Public authorities, only where disclosure is required by law.
Data are not sold or shared with other entities for their own marketing purposes.
7. Transfers outside the EEA
Some infrastructure providers are based outside the European Economic Area or use subcontractors in third countries. In such cases, transfers are carried out using mechanisms required by Chapter V GDPR, especially adequacy decisions or standard contractual clauses approved by the European Commission.
You can ask the controller for information about applicable safeguards.
8. Data retention
• Account data: for as long as the account remains active, until deletion by the user or administrator.
• Data needed for claims or legal duties: until the relevant limitation periods or legally required periods expire.
• Technical and security logs: for the period necessary for diagnostics and platform protection, generally no longer than 90 days, subject to provider backup cycles.
• Contact form messages: until the matter is closed, and then for up to 2 years unless longer storage is needed to protect claims.
• Newsletter data: until consent is withdrawn or the newsletter is discontinued.
• Pseudonymous quality data: for as long as it is needed to evaluate recommendations; usefulness is periodically reviewed and unnecessary data are removed or anonymized.
After account deletion, some data may remain for a limited time in secured backups before being overwritten according to provider technical cycles.
9. Your rights
Under GDPR, where applicable, you have the right to:
• Access your data.
• Correct inaccurate data.
• Delete your data. You can delete your account directly in "My account"; you can also send a request by email.
• Restrict processing.
• Data portability.
• Object to processing based on the controller's legitimate interest.
• Withdraw consent where processing is based on consent. Withdrawal does not affect earlier lawful processing.
To exercise your rights, write to: j.podolszanska@ujd.edu.pl
You also have the right to lodge a complaint with the President of the Personal Data Protection Office in Poland (UODO), ul. Stawki 2, 00-193 Warszawa, www.uodo.gov.pl.
10. Account deletion
A signed-in user can delete the account in "My account" -> "Privacy and data" -> "Delete account".
Deletion is irreversible and includes the authentication account, email address and profile data linked to the account. Data that must be retained due to a legal duty or claim defense may be stored for the required period. Anonymized data that can no longer be linked to a user may remain in statistics.
11. Security
We use technical and organizational measures appropriate to the scale of the platform, including:
• Encrypted data transmission (HTTPS/TLS).
• Authentication and email confirmation.
• Restricted administrative access and server-side permissions.
• Data minimization and pseudonymization for recommendation quality assessment.
• Backups and infrastructure safeguards provided by service providers.
12. Automated recommendations
Research Compass tools automatically analyze publication information and generate recommendations for journals, conferences, deadlines, risk and topical fit.
Recommendations are advisory. They do not produce legal effects or similarly significant effects within the meaning of Article 22 GDPR. The final publication decision is always made by the user.
13. Data source
Account, contact form, newsletter and publication tool data are provided directly by the user. Technical data are generated automatically when using the platform. We do not obtain user account data from public databases or data brokers.
14. Changes to this policy
This policy may be updated as the platform develops or legal requirements change. The current version and effective date are always published on this page. We may also inform active account holders about material changes inside the platform or by email.
15. Contact
For questions about personal data processing, contact:
Email: j.podolszanska@ujd.edu.pl
Contact form: https://researchcompass.dev/kontakt
Privacy questions? Write to j.podolszanska@ujd.edu.pl or use the contact form.