Privacy Policy.
What personal data GIKSN Research collects, why we collect it, and the rights you have over it. Written for compliance with India's Digital Personal Data Protection Act 2023, the IT Rules 2021, and California's CCPA and CPRA, with equivalent rights honoured for readers elsewhere.
1. Who we are
GIKSN Research (“we”, “us”, “the lab”) is the Data Fiduciary responsible for personal data processed through this platform. We are a research lab operating from India. General enquiries and privacy questions can be sent to research@giksn.com. Details of the grievance officer are in section 13.
2. What this policy covers
This policy covers personal data we collect when you read the archive, submit a paper or an update, comment under a paper, apply to contribute, or use the admin panel. It does not cover third-party websites we link to; those sites have their own policies.
3. Information we collect
We collect only what the platform actually needs to work, plus optional analytics that require your consent. We do not embed advertising trackers and we do not use behavioural profiling.
- Submissions. When you submit a paper or an update, we collect the name you choose to credit, one contact handle (email, X, GitHub or Telegram, at your choice), the abstract and body you provide, and metadata such as the submission timestamp.
- Comments. When you comment, we collect the display name, a public handle and the comment body. Comments are published publicly under the paper.
- Admin accounts. For admin sign-in we store the admin's email and a scrypt hash of the admin's password. Passwords are never stored in plaintext and cannot be recovered by us.
- Session cookie. After admin sign-in we set a single HttpOnly cookie called giksn_admin. It contains the admin email, an expiry timestamp and an HMAC signature, and nothing else. It is not a tracking cookie.
- Server logs. Our hosting provider records standard request metadata such as IP address, user-agent and requested path for security, abuse prevention and debugging. Logs are retained for a rolling 30 days.
- Analytics (only with your consent). If, and only if, you accept the analytics banner, we use Google Analytics to record aggregate usage: page views, referrer, screen size, approximate location derived from a truncated IP address, session identifier and interactions such as clicks and scrolls. See section 11 for what is set, how to withdraw consent and how the data is treated.
We do not collect government-issued identifiers, precise geolocation, financial account details, biometric data, sex-life or sexual-orientation data, religion, health data or any other category defined as “sensitive personal information” under CCPA §1798.140(ae), and we do not process such categories.
4. How we use it
- To display submissions and comments on the platform.
- To credit authors and contributors.
- To let editors reach contributors about their submissions.
- To authenticate admins.
- To secure the platform and investigate abuse.
- To meet legal and regulatory obligations.
5. Legal grounds for processing
Under the DPDPA 2023 we process personal data on the following grounds. Where CCPA / CPRA or another local law applies, we process for the equivalent business purpose.
- Your consent for submissions, comments and application forms. You give consent by choosing to submit, and can withdraw it as described in section 10.
- Legitimate uses under §7 of the DPDPA for admin authentication, session management and security logging.
- Legal obligation where retention or disclosure is required by Indian law or other applicable law.
6. Sharing and disclosure
We do not sell personal data. We do not share personal data for cross-context behavioural advertising. Because we neither sell nor share personal information within the meaning of CCPA §1798.140, no “Do Not Sell or Share” link is required or offered.
We disclose personal data only in three narrow situations:
- Processors. We use Neon (managed Postgres hosted in the United States) for the database, and we may use email delivery infrastructure for transactional messages. These processors act on our written instructions and cannot use the data for their own purposes.
- Analytics processor. Where you have granted analytics consent, Google LLC processes analytics data on our behalf through Google Analytics 4, with advertising features and Google Signals explicitly disabled by us. See section 11 for details.
- Legal disclosure. Where required by a lawful order of a court or a competent authority, or to defend our legal rights.
- Public content. Anything you publish under a paper (your name, handle, comments, abstract, body) is public by design.
7. Cross-border transfers
Our database is operated by Neon, a service provider based in the United States. Where you have granted analytics consent, usage data is processed by Google LLC on servers operated by Google in the United States and other Google regions. Processing personal data on servers outside India involves a cross-border transfer. Under §16 of the DPDPA, such transfers are permitted unless the Central Government specifically restricts a destination country by notification. As at the effective date, transfers to the United States are not restricted. If a restriction is later notified we will adjust our processing accordingly.
8. Retention
- Public content. Papers, comments and the associated author metadata are retained for as long as the entry remains published. On request from the author, we will remove or anonymise the entry unless retention is required by law.
- Admin accounts. Retained while active. Deleted on written request or when the account is no longer needed.
- Session cookies. Expire 30 days after issue. Cleared on sign-out.
- Server logs. Rolling 30-day retention, then automatically deleted.
- Backups. Encrypted database backups may persist for up to 90 days before being overwritten.
- Analytics data. Google Analytics data is retained for 2 months from collection, the shortest option Google offers, after which Google deletes it automatically. Aggregate metrics that no longer identify individuals may persist in reports.
9. Security
We serve the platform over HTTPS. Admin passwords are stored as scrypt hashes. Session cookies are HMAC-signed and marked HttpOnly. Database credentials and session secrets are held in environment variables, not committed to code. Access to production data is limited to admins. No online system is perfectly secure; if you believe your data has been compromised please contact us at once.
10. Your rights
10.1 Rights under the DPDPA (India)
- Right to access (§11). Ask for a summary of the personal data we hold about you and how we process it.
- Right to correction and erasure (§12). Ask us to correct, complete, update or erase your personal data, subject to overriding legal obligations.
- Right of grievance redressal (§13). Raise a grievance with the grievance officer named in section 13 before approaching the Data Protection Board.
- Right to nominate (§14). Nominate another individual to exercise your rights in the event of your death or incapacity.
Requests should be sent to research@giksn.com. We respond within a reasonable period and, in any event, within 30 days of a valid request.
10.2 Rights for California residents (CCPA / CPRA)
We voluntarily honour the CCPA / CPRA rights for California residents, whether or not statutory thresholds strictly apply to us.
- Right to know what personal information we hold and how we use it.
- Right to delete personal information subject to permitted exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing for cross-context behavioural advertising. We do neither.
- Right to limit use of sensitive personal information. We do not process such information (see section 3).
- Right to non-discrimination for exercising any of the above.
- Right to data portability where reasonably feasible.
Requests may be made to the same email address. We confirm receipt within 10 business days and respond substantively within 45 days, with a one-time 45-day extension available where reasonably necessary, in line with §1798.130.
10.3 Rights elsewhere
Where you are protected by another data protection law (including UK GDPR, the EU GDPR, or a US state privacy statute such as the Virginia CDPA, Colorado CPA, Connecticut CTDPA or Utah UCPA) we will treat your request as an exercise of the equivalent right under that law.
11. Cookies and analytics
11.1 Session cookie
The site sets one first-party cookie, giksn_admin, only after an administrator signs in. It stores the admin email, an expiry timestamp and an HMAC signature. It is HttpOnly, secure and marked SameSite. It is not a tracking cookie.
11.2 Analytics (consent-gated)
We use Google Analytics to understand which papers are read and where readers arrive from. Google Analytics is not loaded until you accept the analytics banner. Nothing is written to your browser and no data leaves your device until then.
What we configure:
- Anonymised IP addresses (anonymize_ip: true), so full IPs are truncated before storage.
- Google Signals disabled (allow_google_signals: false), so your GA data is not joined with cross-site behavioural data Google holds about you.
- Advertising personalisation disabled (allow_ad_personalization_signals: false), so the data is not used to build ad audiences.
- Consent Mode v2 initialised with ad_storage, ad_user_data and ad_personalization all denied.
- 2-month retention in the GA property, the shortest option Google offers.
Cookies set by Google Analytics if you accept:
_ga and _ga_<property-id> for session and user identification.
Legal basis: your consent under §7 of the DPDPA and Article 6 of the UK / EU GDPR. Business purpose under §1798.140 of the CCPA. We do not sell or share this data for cross-context behavioural advertising within the meaning of §1798.140.
11.3 Manage your preference
You can turn analytics on or off at any time from the controls below. Turning it off stops further collection and prevents Google Analytics from loading. Any GA cookies already set can be cleared from your browser's cookie settings.
12. Children
The service is intended for researchers, builders and readers aged 18 or above. Under §9 of the DPDPA the age threshold for a “child” is 18. The service is not directed to children within the meaning of §312 of the US Children's Online Privacy Protection Act. We do not knowingly collect personal data from anyone under 18. If we learn that we have, we will delete it. If you believe a child has provided personal data, contact us at research@giksn.com.
13. Grievance mechanism
Under §8(9) of the DPDPA and Rule 3(2) of the IT Rules 2021 we publish contact details of the officer who handles data-privacy and content grievances.
- Grievance Officer. Contact: research@giksn.com.
- Acknowledgement. We acknowledge complaints within 24 hours of receipt as required by Rule 3(2)(a).
- Resolution. We dispose of complaints within 15 days as required by Rule 3(2)(a). Complaints concerning non-consensual intimate imagery or impersonation are actioned within 24 hours.
- Escalation. If you are not satisfied with our response you may complain to the Data Protection Board of India under §13 of the DPDPA.
14. Changes to this policy
We may update this policy from time to time. The effective date at the top of the page will change when we do. Material changes will be announced on the site.
15. Contact
Privacy questions, rights requests and grievances all reach us at research@giksn.com.
