Privacy notice
Plain-language summary
If you sign the declaration, we publish your name, your optional affiliation or background, and — if you choose — an optional comment. We store the authentication evidence needed to keep the list verifiable and withdrawable: your ORCID iD, or for the email route your verified email domain plus a keyed, non-reversible email fingerprint. For email signatures, the full email address is stored encrypted and shown to moderators only while the signature is under review, including while we wait for a requested correction, and for 7 days after approval or rejection, then removed from the signature record. We do not sell or share your data for advertising. We do not track you across the web. There are no analytics cookies. You can ask us to correct or delete your data at any time.
1. Who we are
The Leiden Declaration on Artificial Intelligence and Mathematics is a community initiative. Pending formation of a legal entity (a Swiss Verein or Dutch stichting is under discussion by the working group), the data controllers act in a personal capacity:
- Johannes Schmitt, c/o Department Mathematik, Rämistrasse 101, CH-8092 Zürich, Switzerland.
- Bartosz Naskręcki, Collegium Mathematicum, Uniwersytetu Poznańskiego 4, 61-614, Poznań, Poland; joint administrator and secondary contact.
- All correspondence for this project routes through admin@leidendeclaration.ai. Please do not send privacy requests to personal email addresses.
The addresses above are used purely as legal and contact service addresses. They do not imply any endorsement of the declaration by ETH Zürich, Adam Mickiewicz University in Poznań, or any other institution.
Joint controllers. Schmitt and Naskręcki are joint controllers within the meaning of GDPR Article 26 in respect of the personal data described in this notice. They have agreed in writing on the allocation of responsibilities; the essence of that arrangement is summarised below and the full text is available on request via admin@leidendeclaration.ai:
- Data-subject requests (access, rectification, erasure, withdrawal of consent, portability, objection, restriction) are handled jointly. You may exercise your rights against either controller and against both; addressing your request to admin@leidendeclaration.ai reaches both.
- Information of data subjects (this notice, breach notifications) is the responsibility of both controllers acting jointly.
- Day-to-day operation of the website, hosting, and processor relationships is led by Schmitt; day-to-day operation of moderation, contact-form intake, and identity verification is shared between both.
EU contact point. Naskręcki is established in the EU (Poland), so an Article 27 GDPR representative is not needed: data subjects in the EU/EEA can address themselves directly to either joint controller and to admin@leidendeclaration.ai. The same address serves as the project’s single point of contact for authorities under Article 11 of the Digital Services Act and for service recipients under Article 12 of the Digital Services Act.
2. What we collect and why
We deliberately collect the minimum data needed to run a verifiable, withdrawable public declaration. The table below lists every category of personal data the site stores, keyed to the activity that causes us to collect it.
2.1 Just visiting the site
- Request metadata — URL, timestamp, browser user-agent, source IP — is processed to serve the page. Our hosting provider and network proxy log this transiently (see §4). We ourselves do not retain an identifier tied to you from plain browsing.
- A short session cookie is set so forms and CSRF protection work. It is a technical cookie; no tracking cookies are set.
2.2 Signing with ORCID
When you click “Sign with ORCID,” you are redirected to orcid.org, log in there, and return to us with the following information:
- Your ORCID iD, your given name, and your family name as ORCID returns them.
- We additionally make a server-to-server call to ORCID’s public API to read the most recent public affiliation (employment or education) on your ORCID profile, if any. If one is available, we pre-fill the affiliation field with it so you don’t have to re-type it. If nothing is public, the field is left blank. This query only retrieves data you have already chosen to make public on ORCID.
- On the signing form you then confirm (and may edit) your display name and affiliation or background, and may leave an optional comment.
- You tick three checkboxes (public display; this privacy notice; terms of participation).
We do not store ORCID OAuth access tokens in our database or session. They are used transiently within the callback request to read your ORCID iD, name, and public affiliation, then discarded.
2.3 Signing with an institutional email
- You enter your institutional email address. We check the domain against a vendored allowlist of academic domains.
- We email you a single-use magic link (valid for 20 minutes). Clicking it lands you on a confirmation page; you click a confirm button to complete the email verification. This pattern is designed to survive automatic URL scanning by corporate mail servers. If the message does not arrive, please check your spam or junk folder.
- If the verified domain matches an entry in our vendored academic-domain dataset, we pre-fill the affiliation or background field with the institution name as a suggestion. You can edit or replace it freely.
- After confirmation you fill in display name, optional affiliation or background, optional comment, and the three required checkboxes.
- We use the full email address to send that verification message. The magic-link row stores the address encrypted while the link is outstanding, so it can be attached to the signature if you complete verification. After verification, we store the full address encrypted so moderators can verify the signature. It is visible in the organizer interface only to authorized moderators while the signature is under review, including while we wait for a requested correction, and for 7 days after approval or rejection, then removed from the signature record.
- After verification, we also retain a keyed, non-reversible fingerprint of your normalised email so we can detect duplicates and look up your signature for withdrawal without needing the full address after the short moderation window.
- Your email domain is stored in the clear, to drive the “verified email at example.edu” badge. The badge attests only to the domain you verified, not to anything you write in the free-text affiliation field.
2.4 Signature correction requests
If an email-authenticated signature needs clarification before publication, an authorized organizer may send a correction request to the temporarily retained verified email address. The message contains a single-use link, valid for 7 days, which lets the signer revise only their public name, affiliation or background, and optional public comment. The updated entry returns to moderation and is never published automatically. Any optional organizer note included in the message is stored encrypted with the correction-request record until that record is purged. ORCID-only signatures cannot receive this automated email unless the site has separately retained a verified email address.
2.5 Leaving a comment
Comments are optional. If you leave one, it is queued for moderation. Once approved, it is shown publicly under your signature. If a signature or comment is rejected, the rejected internal record remains visible to organizers for a short review period so accidental rejections can be reversed. You can ask us to edit or remove your comment at any time.
2.6 Report form
When you submit the Report form, we store the category you selected, your message, the reference IDs you provide, and (if you enter one) your reply email. Submissions create an internal record in our moderation/admin interface. If we enable email notifications, they are intended to go only to admin@leidendeclaration.ai and to contain only admin-links rather than the body of your message.
2.7 Withdrawing a signature
When you use /withdraw we process the verification evidence you provide (re-authenticating with ORCID or re-verifying the email). On successful verification, your signature row is marked withdrawn, its publicly-exposed fields are blanked, and the ORCID/email linkage we kept for future duplicate detection (orcid_id, email_hmac, email_domain) is deleted.
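The keyed email fingerprint described in §2.3 and the withdrawal step in §2.7 fit together as follows. This is an added illustration, not the site's own code: it assumes an HMAC-SHA256 fingerprint over a lower-cased, trimmed address, an in-memory store in place of the real database, and a constructed key; the field names orcid_id, email_hmac and email_domain are the ones this notice mentions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed example key. The real key is held outside the application database.
FINGERPRINT_KEY = b"example-key-not-the-sites-key"


def normalise_email(addr: str) -> str:
    """Trim and lower-case so 'A.Smith@Example.EDU ' and 'a.smith@example.edu' collide."""
    local, _, domain = addr.strip().rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


def email_fingerprint(addr: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed, non-reversible fingerprint: without the key the address cannot be
    recovered or even confirmed by guessing, unlike a plain hash."""
    return hmac.new(key, normalise_email(addr).encode(), hashlib.sha256).hexdigest()


@dataclass
class Signature:
    display_name: str
    affiliation: str
    comment: str
    email_hmac: Optional[str]
    email_domain: Optional[str]
    orcid_id: Optional[str] = None
    withdrawn: bool = False


class SignatureStore:
    """Stand-in for the signature table; only the fingerprint and domain are kept,
    never the full address."""

    def __init__(self) -> None:
        self.rows: List[Signature] = []

    def is_duplicate(self, addr: str) -> bool:
        fp = email_fingerprint(addr)
        return any(r.email_hmac == fp and not r.withdrawn for r in self.rows)

    def sign_with_email(self, addr: str, display_name: str,
                        affiliation: str = "", comment: str = "") -> Signature:
        if self.is_duplicate(addr):
            raise ValueError("this address has already signed")
        row = Signature(display_name, affiliation, comment,
                        email_fingerprint(addr), normalise_email(addr).split("@")[1])
        self.rows.append(row)
        return row

    def withdraw_by_email(self, addr: str) -> bool:
        """Mark withdrawn, blank the public fields, delete the identity linkage."""
        fp = email_fingerprint(addr)
        for r in self.rows:
            if r.email_hmac == fp and not r.withdrawn:
                r.withdrawn = True
                r.display_name = r.affiliation = r.comment = ""
                r.orcid_id = r.email_hmac = r.email_domain = None
                return True
        return False  # unknown address, or already withdrawn
```

Because the fingerprint is deleted on withdrawal, a withdrawn signer can sign again later and will not be flagged as a duplicate.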
2.8 Metadata attached to every signature
Each signature also stores, for integrity and compliance reasons:
- A timestamp of when you ticked the consent checkbox (consent_public_display_at).
- A timestamp of when you accepted the terms of participation (terms_accepted_at).
- The version labels of the privacy notice and terms of participation in force when you signed.
- A keyed, non-reversible fingerprint of your source IP for short-term abuse detection. The raw IP is never stored; the fingerprint is purged by maintenance after 30 days.
3. Legal bases
Different pieces of data rely on different legal bases — we do not hide behind a single blanket claim of “consent.”
3.1 Under the EU/EEA GDPR (Regulation 2016/679)
- Consent — Art. 6(1)(a): the public display of your name, affiliation or background, ORCID link, and optional comment. You can withdraw this consent at any time; withdrawal takes your signature off the public list and deletes the retained identity linkage for future duplicate detection.
- Legitimate interest — Art. 6(1)(f): security logging, abuse and impersonation response, the audit trail of moderator actions, rate limiting when enabled, temporary encrypted retention of email addresses for moderator verification, correction requests, and appeal handling, and keeping a non-reversible email fingerprint so we can deduplicate and handle impersonation reports after the full address is removed. We have balanced your rights against these interests; the documented balancing test is available on request via the report form.
- Legal obligation — Art. 6(1)(c): record-keeping required by applicable Swiss or EU law, e.g. the Digital Services Act’s transparency and notice-and-action duties.
3.2 Under the Swiss revised Federal Act on Data Protection (nFADP)
Because one controller is established in Switzerland, the Swiss nFADP applies in parallel with the GDPR. We process personal data in line with the FADP principles of lawfulness, good faith, proportionality, transparency, purpose limitation, data accuracy, and data security (Arts. 6 and 8 nFADP). This notice is the information we provide under the FDPIC duty to inform (Art. 19 nFADP). The FADP categories of “particular personal data” (e.g. health, religious, or trade-union data) are not processed by this site.
3.3 Automated decision-making
We do not subject you to a decision based solely on automated processing — including profiling — that produces legal effects concerning you or similarly significantly affects you (GDPR Article 22). All moderation decisions are taken by a human moderator. Risk-based auto-approval of low-risk signatures is not an automated decision against you in the Article 22 sense; it is the absence of friction, not the imposition of an effect.
4. Who we share data with
We use a small number of external providers. None receive your data for their own commercial purposes; each processes data on documented contractual instructions from us.
| Provider | Role | What it sees | Location |
|---|---|---|---|
| Hetzner Cloud | Hosts the virtual server and encrypted backups | Everything the site writes to disk, including the database and short-lived request logs (retained 14 days) | Germany (EU) |
| Cloudflare | DNS and inbound email routing for admin@ | Our website DNS records currently route HTTPS requests directly to our Hetzner server, so Cloudflare does not terminate website TLS or process website request bodies. For inbound mail to admin@, Cloudflare processes message envelopes and bodies before forwarding them. | US-HQ; EU edge PoPs. Standard Contractual Clauses and the EU-US Data Privacy Framework are in place for the Cloudflare services we use. |
| Postmark | Transactional email (signing and withdrawal links) | Recipient email address and message body for the verification messages we send | United States. Postmark’s parent (ActiveCampaign) is a participant in the EU-US Data Privacy Framework; transfers also rely on Standard Contractual Clauses. |
| ORCID | Identity provider for the ORCID sign-in path; public-affiliation lookup | What is implied by an OAuth redirect: your ORCID session, the fact that you authenticated for our app, and the scope you authorised. We additionally make a server-to-server request to ORCID’s public API for your public employments/educations; that request carries our server’s IP address (not yours) together with your ORCID iD. | United States (non-profit). The transfer of your ORCID identifier to ORCID Inc. happens because you initiated the OAuth handshake by clicking “Sign with ORCID”; we rely on Article 49(1)(b) GDPR (transfer necessary for the performance of a contract with the data subject). Our server-to-server lookup of your public ORCID profile relies on the same basis. |
| Personal mailboxes of forwarders | admin@ forwards to the administrators’ personal inboxes | Any message routed to admin@ becomes part of the personal inbox of the recipient. The recipient’s mail provider therefore acts as a sub-processor of any message body. Forwarders treat admin@ correspondence as confidential project data; access is restricted to the joint controllers. | Varies (personal email providers) |
Each named provider above is engaged under a written data-processing agreement. We do not use Google Analytics, Facebook Pixel, Google Fonts, or any third-party script or font on auth-sensitive pages.
5. International transfers
Cloudflare inbound email routing, Postmark, and ORCID involve processing by providers with US operations. The transfer mechanism for each is recorded in §4: the EU-US Data Privacy Framework and Standard Contractual Clauses for Cloudflare and Postmark; Article 49(1)(b) GDPR (contract initiated by the data subject) for ORCID. Stored data that we ourselves keep — the application database and its encrypted backups — does not leave the EU and Switzerland.
If the EU-US Data Privacy Framework is invalidated or amended, we will fall back to the Standard Contractual Clauses (Module Two for Cloudflare and Postmark), document a Transfer Impact Assessment, and update this notice.
6. How long we keep data
All timestamps recorded with signatures, audit-log entries, and request logs are stored in UTC. Where a date is shown on the public site without a time, it is the UTC date.
| Data | Retention |
|---|---|
| Public signature fields (name, affiliation or background, ORCID link, approved comment) | Indefinite — this is the point of a public declaration. Blanked on withdrawal. |
| Full institutional email address | Stored encrypted while the magic link is outstanding and while an email signature is under review, including while a correction request is outstanding, then for 7 days after approval or rejection. After that it is removed from the signature record. Postmark necessarily processes it to deliver verification and correction-request messages. |
| Non-reversible email fingerprint for deduplication and withdrawal lookup | Kept while your signature is active; deleted on withdrawal. For rejected signatures, deleted when the rejected record is purged. |
| Verified email domain | Kept while your signature is active so the verified-email badge can be shown; deleted on withdrawal. For rejected signatures, deleted when the rejected record is purged. |
| Rejected signature records | Retained for 7 days after rejection so organizers can reverse an accidental rejection or handle a prompt appeal, then purged by maintenance. |
| Non-reversible IP fingerprint | 30 days, then purged by maintenance. |
| Magic-link token records | Links expire after 20 minutes, are invalidated immediately on first use, and stale rows are periodically purged. |
| Signature-correction request records and encrypted organizer notes | Correction links expire after 7 days and are invalidated immediately on first use, cancellation, or replacement. Stale records and their encrypted notes are periodically purged. |
| ORCID OAuth access tokens | Not stored beyond the callback request. |
| Audit log of moderator actions | 2 years. |
| Report form submissions | 2 years (same as audit log), so appeals and statements of reasons remain reconstructable. |
| Server logs (nginx, Django) | 14 days on disk. Not backed up. Tokens in magic-link URLs are redacted before logging. |
7. Your rights
You have real, actionable rights over your data. If you’re not sure which one applies to you, ask us and we will treat your message as a request under whichever right best fits.
- Access — get a copy of the personal data we hold about you.
- Rectification — have inaccurate data corrected.
- Erasure — have your data deleted; for signatures this is the same as withdrawal.
- Restriction — ask us to hold data but not process it further while we resolve a dispute.
- Objection — object to processing that we base on legitimate interests. If you object to our retention of your email fingerprint for impersonation tracking, we will weigh your objection against the security interest of other signatories and either delete the fingerprint or document why we keep it; in the latter case you can complain to a supervisory authority (see §12).
- Data portability — receive your data in a structured, machine-readable format where applicable.
- Withdrawal of consent — withdraw your consent to public display at any time.
- Complaint — see §12 below.
How to exercise your rights. Use the Report form and choose the relevant category, or email admin@leidendeclaration.ai. To withdraw a signature self-service, use /withdraw. We aim to respond within 30 days; for complex requests we may extend this by up to two months and tell you why.
Proof of identity. To protect you from impersonation, we may ask you to verify your identity before we act on an access, rectification or erasure request — for ORCID signatures by re-authenticating with ORCID; for email signatures by re-verifying the same address through a fresh magic link or, for manual requests, by responding from that address. We ask for no more proof than is necessary.
8. Cookies and tracking
We set one strictly necessary cookie — a Django session cookie — so forms, CSRF protection, and the organizer login work. It is marked HttpOnly and SameSite=Lax, and in production also Secure. We set no analytics, advertising, or cross-site tracking cookies. If we ever add analytics, it will be a cookie-less, EU-hosted option (Plausible or Cloudflare Web Analytics) and this notice will be updated before it is enabled.
9. Security
- All traffic is served over HTTPS with HSTS and a strict Content Security Policy.
- Administrator TOTP secrets and temporarily retained email addresses are stored encrypted with Fernet/MultiFernet. The encryption keys are held outside the application database, are rotated periodically, and are accessible only to the joint controllers. On the email-sign path, the full email address is removed from the signature record after the short moderation and review window described above.
- Magic-link tokens are short-lived (20 minutes), single-use, and their token portion is redacted from server and error logs.
- Organizer access is protected by unique passwords, login rate limiting, and least-privilege Django groups that restrict access to moderation, contact-message handling, and other admin functions. The application also supports optional TOTP two-factor authentication for privileged accounts.
- If we become aware of a personal-data breach that presents a risk to you, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and, where the risk is high, inform you directly (GDPR Art. 34).
10. Children
The site is intended for adults. We ask that signatories be at least 16 years old. If you become aware that a signature was submitted by a child below that age, please contact us and we will remove it.
11. Changes to this notice
Each signature stores the notice in force at sign time, so the record of what you agreed to is stable. When we materially change this notice, we publish a new version and note the change on the About page; minor clarifications may be made without a version bump and are dated here.
12. Complaints
If you believe we are processing your data unlawfully, we would rather hear from you directly first — use the Report form — but you have the right to complain to a supervisory authority without going through us:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch.
- Poland (where one joint controller is established): Urząd Ochrony Danych Osobowych (UODO) — uodo.gov.pl.
- EU/EEA generally: the data protection authority of your country of residence or place of work. The full list of national authorities is published at edpb.europa.eu.