Privacy Policy
Last updated 7 April 2026
At QCR, your privacy matters to us. This Privacy Policy explains what data we collect, why we collect it, and how you can control it.
Who is responsible for your data.
The data controller for personal data processed through the Platform is:
QCR MTÜ
Registered Address: Harju maakond, Tallinn, Kesklinna linnaosa, Järvevana tee 9, 11314, Estonia
Registry Code: 80651332
E-mail: hello@qcrepository.org
Data Protection Contact: privacy@qcrepository.org
What information we collect and how.
2.1 Data You Provide Directly
- Account registration data: name (or display name), email address, and password (stored in hashed form);
- Profile information: optional biographical information, institutional affiliation, and profile picture;
- Content metadata: author names, titles, abstracts, and descriptions associated with uploaded Content;
- Communications: messages sent to QCR MTÜ (support requests, reports, feedback).
2.2 Data Collected Automatically
- Technical data: IP address, browser type and version, operating system, device type, screen resolution;
- Usage data: pages visited, features used, timestamps, session duration, referral source;
- Analytics data: collected via Plausible Analytics, which is cookieless and does not collect personal data — all analytics data is aggregated and anonymous.
2.3 Data We Do Not Collect
QCR MTÜ does not knowingly collect special categories of personal data (Article 9 GDPR), such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data.
The legal reasons we process your data under GDPR.
QCR MTÜ processes your personal data on the following legal bases under GDPR Article 6(1):
| Processing Activity | Legal Basis | Details |
|---|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) | Necessary to provide the Services you requested |
| Hosting and displaying your Content | Contract (Art. 6(1)(b)) | Core platform functionality |
| QCR ID metadata retention | Legitimate interest (Art. 6(1)(f)) | Preserving scientific citation integrity |
| Essential cookies (authentication) | Legitimate interest (Art. 6(1)(f)) | Platform security and functionality |
| Service notifications and emails | Contract (Art. 6(1)(b)) | Essential service communications |
| Responding to support requests | Contract / Legitimate interest (Art. 6(1)(b)/(f)) | Providing support and improving Services |
| Legal compliance (DSA, law enforcement) | Legal obligation (Art. 6(1)(c)) | Compliance with EU and Estonian law |
| Usage analytics (Plausible) | Legitimate interest (Art. 6(1)(f)) | Improving functionality; fully anonymized, no personal data collected |
| Age verification | Legal obligation / Legitimate interest (Art. 6(1)(c)/(f)) | GDPR Article 8 compliance |
| Export control compliance | Legal obligation (Art. 6(1)(c)) | EU Dual-Use Regulation compliance |
How long we keep your data.
QCR MTÜ retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, password hash) | Duration of account + 30 days after deletion | Contract performance; backup retention |
| User Content (circuits, code) | Until deleted by User + 30 days (backup) | Contract performance; technical necessity |
| QCR ID metadata | Indefinite (subject to erasure request) | Legitimate interest in citation integrity |
| Server and access logs | 90 days | Security and debugging |
| Analytics data (Plausible, aggregated) | 24 months | Platform improvement; fully anonymized |
| Support correspondence | 24 months after resolution | Service quality; dispute resolution |
| DSA content reports | 5 years | Legal obligation (DSA Article 16) |
Upon expiration of the applicable retention period, personal data will be securely deleted or anonymized. Where anonymization is used, the process will be irreversible and the resulting data will no longer constitute personal data under the GDPR.
We don't sell your data. Here's who we may share it with.
QCR MTÜ does not sell, rent, or trade your personal data to third parties.
QCR MTÜ may share your personal data with the following categories of recipients, solely for the purposes described:
- Cloud infrastructure and hosting provider (Microsoft Azure, with data centers located in Sweden, within the European Union) for data storage and platform operation, acting as a data processor under a GDPR Article 28 agreement;
- Analytics provider (Plausible Analytics) — note: Plausible does not receive personal data, as it is designed to be cookieless and privacy-respecting;
- Law enforcement or regulatory authorities, where required by applicable law or valid legal process;
- Professional advisors (legal, accounting) bound by professional secrecy obligations.
QCR MTÜ maintains a list of its sub-processors, available upon request. All sub-processors are bound by data processing agreements that impose obligations no less protective than those in these Terms.
We only use essential cookies — no tracking.
6.1 Essential Cookies
The Platform uses the following essential cookies for authentication:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| accessToken | JWT authentication token | 15 minutes | Secure, SameSite=Lax |
| refreshToken | Session renewal token for seamless re-authentication | 7 days | HTTP-only, Secure, SameSite=Lax |
| userId | User identification for session management | 7 days | HTTP-only, Secure, SameSite=Lax |
These cookies are strictly necessary for the Platform to function and are placed without consent under Article 5(3) of the ePrivacy Directive (2002/58/EC). They are set when you log in and are removed when they expire or when you log out.
6.2 Analytics
The Platform uses Plausible Analytics for understanding how users interact with the Platform. Plausible is a privacy-friendly analytics tool that:
- Does not use cookies;
- Does not collect personal data;
- Does not track users across websites;
- Processes all data in the EU.
No cookie consent banner is required for our analytics setup.
6.3 What We Do Not Use
The Platform does not use:
- Advertising or marketing cookies;
- Third-party tracking cookies;
- Social media tracking pixels;
- Fingerprinting or any other cross-site tracking technology.
6.4 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling essential cookies will prevent you from logging in and using authenticated features of the Platform.
How we protect your data.
QCR MTÜ implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with GDPR Article 32. These measures include, but are not limited to:
- Encryption of data in transit (TLS/HTTPS) and at rest;
- Hashed password storage using industry-standard algorithms;
- Access controls restricting personal data access to authorized personnel;
- Regular security assessments and monitoring;
- Incident response procedures for data breaches, including notification to the Estonian Data Protection Inspectorate within 72 hours where required by GDPR Article 33.
What happens if there's a data breach.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, QCR MTÜ will notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Where the breach is likely to result in a high risk to your rights and freedoms, QCR MTÜ will also notify affected Users without undue delay, in accordance with GDPR Article 34, describing the nature of the breach, its likely consequences, and the measures taken or proposed to address it.
Your rights under GDPR and how to exercise them.
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Article 15) — request a copy of your personal data;
- Right to rectification (Article 16) — correct inaccurate or incomplete data;
- Right to erasure (Article 17) — request deletion of your personal data;
- Right to restrict processing (Article 18) — limit how we use your data;
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format;
- Right to object (Article 21) — object to processing based on legitimate interests;
- Right to lodge a complaint — with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the supervisory authority in your country of habitual residence.
To exercise any of these rights, please contact us at privacy@qcrepository.org. We will respond to your request within one (1) month, as required by the GDPR. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests.
How we handle data outside the EU.
For Users located outside the European Economic Area (EEA), any transfer of personal data will be conducted in accordance with GDPR Chapter V, using appropriate safeguards such as Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or adequacy decisions.
We don't knowingly collect data from children under 13.
QCR MTÜ does not knowingly collect personal data from children under 13 without verifiable parental consent, in accordance with GDPR Article 8 and the Estonian Personal Data Protection Act. If we become aware that we have collected personal data from a child under 13 without appropriate consent, we will take steps to delete that data promptly.
How we'll notify you about policy updates.
QCR MTÜ may update this Privacy Policy from time to time. Material changes will be communicated via the Platform and, for Registered Users, by email at least thirty (30) days in advance. The effective date at the top of this policy will be updated accordingly.
How to reach us about privacy matters.
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:
QCR MTÜ
Data Protection Contact: privacy@qcrepository.org
General Contact: hello@qcrepository.org
Registered Address: Harju maakond, Tallinn, Kesklinna linnaosa, Järvevana tee 9, 11314, Estonia
Estonian Business Registry Code: 80651332