Privacy Policy — MANDRAGORA

Version 1.0 — Effective date: January 1, 2026

1. Data Controller

The MANDRAGORA consortium, represented by its founding institutions (Mulhouse Zoo and Akongo), is the data controller for your personal data.

2. Data Collected

We collect the following data:

  • Identification data: email address, display name (optional)
  • Professional data: affiliated institution, role within the institution
  • Contribution data: interactions created, votes, discussions, messages
  • Technical data: connection logs, IP address (for security purposes)
  • GDPR consent: date and version of the accepted Terms of Service

3. Purposes of Processing

  • User account management and authentication
  • Institutional attribution of contributions (scientific transparency)
  • Confidence score calculation
  • Notifications related to platform activity
  • Content moderation
  • Audit and traceability (action log)

4. Legal Basis

Processing is based on your consent (Article 6(1)(a) of the GDPR), obtained at the time of registration. For the audit log, the legal basis is the legitimate interest of the consortium in ensuring the traceability of scientific contributions.

5. Data Retention Period

  • Account data: retained until account deletion
  • Scientific contributions: anonymised but retained indefinitely for their scientific value
  • Technical logs: 12 months
  • Audit log: 5 years

6. Your Rights

Under the GDPR, you have the following rights:

  • Right of access: obtain a copy of your personal data
  • Right to rectification: correct inaccurate data
  • Right to erasure: delete your account (contributions are anonymised)
  • Right to data portability: export your data in JSON format
  • Right to object: object to the processing of your data

These rights can be exercised directly from your profile (export and deletion) or by contacting the team at contact@mandragora-consortium.org.

7. Sub-processors

  • Firebase (Google Cloud): hosting, authentication, database
  • Vercel: web application hosting

These sub-processors comply with the GDPR and provide appropriate safeguards for data transfers outside the EU (standard contractual clauses).

8. Security

We implement appropriate technical and organisational measures to protect your data: encryption in transit (HTTPS), secure authentication, role-based access control, immutable audit log.

9. Cookies

MANDRAGORA uses a session cookie (AuthToken) strictly necessary for authentication. No tracking or advertising cookies are used.

10. Contact

For any questions regarding the protection of your data, contact our Data Protection Officer at: dpo@mandragora-consortium.org