Privacy Policy
Escienta Ltd — Company No. 11263048 — trading as EBAMetrix
Effective date: 2 May 2026 | Version: 1.0
1. Who We Are
Escienta Ltd (“we”, “us”, “our”), company number 11263048, registered at 26 Wood Road, Grove, Wantage, Oxfordshire, England, OX12 0RQ, is the data controller for the EBAMetrix platform.
For any data protection enquiries, please contact us at biplob@escienta.com.
2. What Personal Data We Collect
2.1 Account Data
- Full name and email address
- Role (Platform Admin, Publisher Admin, or Publisher User)
- Publisher organisation you are associated with
- Password — stored as a bcrypt hash (cost factor 12); never stored or transmitted in plain text
- Account creation and last-updated timestamps
2.2 Invitation and Consent Data
- Invitation email address and name (held temporarily until accepted or expired)
- Date and time of consent to these Terms and Privacy Policy
- IP address recorded at the moment of account activation (for proof-of-consent purposes)
- Version of Terms of Service and Privacy Policy accepted
2.3 Usage Data
- Actions performed within the platform (offers created, edited, or viewed)
- Login timestamps and session activity
2.4 Publisher Organisation Data
- Organisation name, contact email, website, and authorised email domains
- Subscription dates and pricing (used solely for platform administration)
- Catalogue data: ebook titles, journal ISSNs, pricing — uploaded by your organisation
2.5 Technical and Cookie Data
- Session cookie (
session): an encrypted JWT stored in an httpOnly, Secure, SameSite=Lax cookie. Essential for authentication. Expires after 7 days. - Analytics cookies: if Google Analytics is enabled on this deployment, Google sets
_gaand_gidcookies to measure platform usage.
3. How We Use Your Data
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing and operating the EBAMetrix service | Performance of contract — Article 6(1)(b) |
| Authentication and account security | Performance of contract / Legitimate interests — Article 6(1)(b)(f) |
| Sending invitation and password-reset emails | Performance of contract — Article 6(1)(b) |
| Recording consent to Terms and Privacy Policy | Legal obligation / Legitimate interests — Article 6(1)(c)(f) |
| Monitoring platform security and preventing abuse | Legitimate interests — Article 6(1)(f) |
| Analysing platform usage (Google Analytics) | Consent — Article 6(1)(a) |
4. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share data only with trusted processors acting on our behalf, each subject to a data processing agreement:
| Processor | Purpose | Processing Location |
|---|---|---|
| Amazon Web Services (SES) | Transactional email delivery (invitations, password resets) | EU (eu-west-1, Ireland) |
| Neon Inc. | PostgreSQL database hosting | EU (eu-west-2, London) |
| Google LLC | Usage analytics (Google Analytics) | USA (Standard Contractual Clauses apply) |
We may also disclose data where required by law, court order, or to protect the rights and safety of Escienta Ltd, our users, or the public.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Active user accounts | Duration of account + 30 days after deletion request |
| Invitation tokens | 48 hours from issue, then automatically expired |
| Password reset tokens | 1 hour from issue, then automatically invalidated |
| Consent records (UserConsent) | 7 years from acceptance (legal obligation) |
| Google Analytics data | 14 months (Google's default retention) |
6. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations
- Right to restriction — request that we limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent for analytics at any time via your browser settings
To exercise any right, contact us at biplob@escienta.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113.
7. Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
session | Essential | Encrypted authentication session token | 7 days |
_ga | Analytics | Google Analytics — distinguishes users | 2 years |
_gid | Analytics | Google Analytics — session identifier | 24 hours |
You can disable analytics cookies at any time through your browser settings or by opting out via Google's opt-out tool. The essential session cookie cannot be disabled without losing access to the platform.
8. Security
We implement appropriate technical and organisational measures to protect your data, including:
- bcrypt password hashing with a cost factor of 12
- httpOnly, Secure, SameSite=Lax session cookies to prevent XSS and CSRF attacks
- All data transmitted over HTTPS/TLS
- JWT session tokens with a 7-day expiry
- Time-limited invitation and password-reset tokens (48 hours and 1 hour respectively)
- Role-based access control limiting data visibility to authorised users only
9. International Data Transfers
Your data is primarily processed within the UK and European Economic Area (EEA). Where data is transferred to the USA (Google Analytics), we rely on Standard Contractual Clauses (SCCs) as the legal mechanism under Article 46 UK GDPR.
10. Changes to This Policy
We will notify registered users by email of any material changes to this Privacy Policy at least 14 days before the changes take effect. The effective date and version number at the top of this page will be updated accordingly.
11. Contact Us
Escienta Ltd
26 Wood Road, Grove, Wantage
Oxfordshire, England, OX12 0RQ
Company number: 11263048
Email: biplob@escienta.com