Privacy Policy
Last updated: 16 April 2026
Privacy Policy
Last updated: 16 April 2026
To help make this policy easy to navigate, the text is broken down
into sections covering different topics. You will find an overview of
all sections in the contents. Each section starts with a short summary
and a list of subsections.
Introduction
- This Privacy Policy describes how ResearchConnectX
(“RCX”, “we”, “us”,
“our”) collects and uses personal data when you use our
Service. - We may amend this Privacy Policy from time to time. We suggest you
check back regularly so you are aware of how we handle your personal
data. - If you are applying for a role at RCX, please read our Researcher
Privacy Policy and, where applicable, our Candidate Privacy Notice
instead. - If you live in a jurisdiction with local data-protection laws (for
example, the UK GDPR, the EU GDPR, or US state privacy laws such as
CCPA/CPRA), those laws apply to you alongside this Privacy Policy.
Definitions
- “Member” (also referred to as “you” and “your”) – a
User who successfully registers for an account on the Service. - “RCX” (also referred to as “we” and “us”) –
ResearchConnectX, the legal entity operating the Service. Full contact
details appear in Section 13. - “Service” – the services made available at the RCX
website, its application programming interfaces (APIs), and all
associated applications, including any mobile or desktop clients. - “Researcher” – a natural person whose research
outputs or academic profile may be referenced on the Service whether or
not they are a Member. - “User” (also referred to as “you” and “your”) –
anyone who, as a recipient of the Service, accesses or uses the Service
for any purpose. - “Visitor” (also referred to as “you” and “your”) –
an unregistered User of the Service. - “GDPR” – the UK General Data Protection Regulation
and, where relevant, the EU General Data Protection Regulation
(Regulation (EU) 2016/679).
Contents
- RCX at a glance
- Data we process
- How we use data
- How we use publicly available data and data from partners
- How we use cookies and similar technologies
- AI matching, embeddings and automated processing
- Service providers and subprocessors
- Transfers to third countries
- Reporting content
- Deleting your account and retention of personal data
- Data subject rights
- Children and minimum age
- Contact information
- US-specific information
1. RCX at a glance
RCX is a research collaboration platform. Our mission is to
accelerate scientific discovery by connecting researchers with
complementary skills, projects, conferences, and surveys. Members use
RCX to showcase their credentials and research, collaborate, share
documents, manage projects, and participate in surveys. To facilitate
these connections, we process information about you — including your
work and activities on RCX — together with information we obtain from
external academic sources such as PubMed, OpenAlex, ORCID, Google
Scholar and ResearchGate public profiles.
2. Data we process
To provide our Service, we process several categories of personal
data.
2.1 Basic (technical) data
Certain data is processed automatically when you access the Service
so that we can deliver it, keep it secure, and diagnose problems. This
data is stored in logs and may include:
- IP address
- Device type, operating system, and version
- Browser type and locale
- Country derived from IP
- Referring and exit pages and URLs
- Pages viewed, features used, and time spent on pages
- Performance data (for example, average load and render times)
- Mobile advertising identifiers where relevant
Although IP addresses and device identifiers are considered personal
data, we generally cannot derive your identity from them alone.
All pages are secured using TLS (Transport Layer Security). We apply
technical and organisational measures described in our Data Protection
Policy to protect personal data.
2.2 Account data
If you create a Member account you will be asked to provide a first
and last name, email address, and a password (unless you use a single
sign-on provider). Depending on our registration criteria you may also
be asked to provide information evidencing that you are an active
researcher, such as an institutional email domain or an ORCID iD.
During registration or when updating your profile, you may choose to
provide further information that can identify or contact you, for
example a profile picture, personal website, location, institution,
occupation, academic degrees, research interests, roles, and
affiliations.
2.3 Single sign-on and
federated identity
You can choose to sign in using third-party identity providers,
including:
- ORCID – we receive your ORCID iD and, where you
consent, your public profile data. - Microsoft / Microsoft Azure AD – we receive your
name, email, and tenant information permitted by your institution. - SAML2 institutional providers – we receive
attributes released by your identity provider (typically name, email,
eduPersonAffiliation, and an entity identifier).
If you disconnect a single sign-on provider, please also update your
settings with that provider to revoke the connection.
2.4 Research profile and
publication data
RCX is designed to help researchers showcase and discover work. To
support this, we:
- Collect publications you add to your profile.
- Aggregate publications attributed to you from external academic
sources such as PubMed, OpenAlex, Google Scholar and ResearchGate public
profiles. - Collect subject areas, methodologies, and research interests you
enter. - Generate AI summaries, topic classifications and vector embeddings
from this information to power matching (see Section 6).
You can review and edit the research profile we build for you at any
time in your Account settings.
2.5 Project and collaboration
data
If you create or join a project you may provide or generate the
following data:
- Project title, description, objectives, methodology and
timelines - Milestones, kanban cards, tasks and comments
- Documents and files uploaded to the project
- Calendar entries and meeting schedules
- Team membership and role assignments
Project data is visible to members of that project in accordance with
the access controls chosen by the project owner.
2.6 Survey data
If you create or take part in a survey you may provide or
generate:
- Survey content you author (questions, branching logic,
templates) - Survey responses you submit
- Metadata about your participation (for example, time of submission
and completion status)
Where a survey is distributed on behalf of a third-party researcher
or institution, they act as joint or independent controller for the
responses and their own privacy notice also applies.
2.7 Communications and
messaging
When you message other Members, post in discussion threads, or
contact our support team, we process the content of your communication
together with your name, email address and account information. For
certain emails we also process information about whether the email was
opened or links were clicked.
2.8 Billing and subscription
data
If you subscribe to a paid tier, our payment processor collects and
processes the payment instrument, billing name, and address. We store a
transaction reference, invoice data, and a record of the subscription
tier. We do not store full payment card details on our systems.
3. How we use data
We use personal data for the following purposes.
3.1 Maintain your account
To create, maintain, and secure your account and to suggest
information to add to your profile. Where you create a Member account,
your public profile may be viewable by Visitors and indexed by search
engines unless you change the visibility in your Privacy Settings.
Legal basis: performance of a contract under Art.
6(1)(b) GDPR.
3.2 Personalise your
experience
To recommend relevant researchers, projects, conferences and surveys
using the AI matching engine described in Section 6, and to personalise
the home feed, search results and notifications.
Legal basis: performance of a contract under Art.
6(1)(b) GDPR; otherwise our legitimate interest in providing a tailored
service under Art. 6(1)(f) GDPR.
3.3 Communicate with you
To respond to your enquiries, support requests and reports and to
provide operational updates.
Legal basis: Art. 6(1)(b) GDPR where communications
are necessary to perform our contract; otherwise our legitimate interest
in responding to enquiries under Art. 6(1)(f) GDPR.
3.4 Transactional emails
and notifications
To send service messages (for example, account verification, password
resets, security alerts, calendar reminders and project notifications).
You cannot opt out of essential transactional emails while you hold an
account.
Legal basis: Art. 6(1)(b) GDPR; otherwise Art.
6(1)(f) GDPR (our legitimate interest in operating the Service).
3.5 Product updates and
research highlights
Where you have opted in, we may send occasional updates highlighting
relevant conferences, funding calls or product changes. You can withdraw
your consent at any time using the unsubscribe link or the Email
Settings in your account.
Legal basis: your consent under Art. 6(1)(a)
GDPR.
3.6 Security of personal data
We process data — including pages visited and rates of access — to
prevent scraping, credential stuffing, fraud, unauthorised access and
the loss or alteration of personal data.
Legal basis: Art. 6(1)(c) GDPR (legal obligation to
secure data) and Art. 6(1)(f) GDPR (legitimate interest in securing our
Service).
3.7 Improve the Service
We generate statistics and conduct research and development to
improve RCX and its features. Where technically feasible we aggregate or
de-identify data first.
Legal basis: Art. 6(1)(f) GDPR.
3.8 Aggregated and
de-identified information
We may combine personal data (including publicly available data and
data from partners) to produce aggregated, statistical or de-identified
information for internal and external reporting. De-identified and
aggregated information does not identify any individual and is not
treated as personal data.
3.9 Other purposes
To the extent permitted by data-protection law, we may use your data
for new purposes that are compatible with the purpose for which the data
was originally collected. We will inform you in advance where
required.
4.
How we use publicly available data and data from partners
4.1 Publicly available data
We obtain information about researchers from public sources such as
PubMed, OpenAlex, ORCID public records, and ResearchGate and Google
Scholar public profiles. We use this information to:
- Build an initial research profile that a Researcher can claim on
signup. - Associate publications, citations and co-author networks with a
profile. - Improve the quality of matches surfaced to Members.
Where you notify us that data in a public source about you is
inaccurate or unlawfully processed, we will review and, where
appropriate, correct or remove it on RCX following verification of your
identity.
Legal basis: our legitimate interest under Art.
6(1)(f) GDPR in maintaining a comprehensive and accurate research
repository and in offering a complete onboarding experience to new
Members.
4.2 Data provided by partners
Institutional partners (for example, your university’s research
office) may provide us with contact details and affiliation data to
enable rostered onboarding or institutional dashboards. Partners are
contractually required to obtain any necessary consents before sharing
data with us.
5. How we use
cookies and similar technologies
We use cookies, pixels, local storage and similar technologies in the
Service. Some are essential to the operation of the site (for example,
session management, CSRF tokens, load balancing) and some are
optional.
| Category | Purpose | Example |
|---|---|---|
| Strictly necessary | Authentication, CSRF, session routing, security | Laravel session cookie, XSRF-TOKEN |
| Functional | Remember preferences (for example, language, theme) | rcx_prefs, theme setting |
| Performance | Measure how the Service is used so we can improve it | Analytics identifier |
| Consent | Record your choices about optional cookies | rcx_cookie_consent |
You can change your preferences at any time from the Cookie Settings
link on the Service. Essential cookies cannot be disabled because the
Service will not function without them.
We do not use cookies for cross-context behavioural advertising.
6. AI matching,
embeddings and automated processing
RCX uses a smart matching engine to suggest relevant researchers,
projects, conferences and surveys. The engine works as follows:
- Input. We take information from your profile
(research interests, publications, skills, project history, preferences)
and text you provide in projects and surveys. - Embeddings. We generate numerical representations
(vector embeddings) of this text and store them in our database
alongside similar representations of projects, conferences and
surveys. - Similarity scoring. We compute cosine similarity
between these embeddings to produce a ranked list of suggestions. - Ranking and filters. Business rules — such as
availability, language, institution-wide visibility, and your stated
preferences — are then applied. - Feedback. Your interactions with suggestions
(accepting, dismissing, hiding) are used to refine future
suggestions.
Embeddings and model outputs are stored in the same security
perimeter as the source data. We do not sell embeddings or make them
available to third parties. Where embeddings are generated via a
third-party model provider, content is transmitted under a data
processing agreement and, where applicable, the provider contractually
agrees not to train its general-purpose models on our content.
Automated decision-making. The matching engine
produces suggestions only — it does not take decisions that produce
legal or similarly significant effects for you within the meaning of
Art. 22 GDPR. Human Members remain responsible for deciding which
collaborations, projects or surveys to engage with.
Your controls. You can:
- Edit the profile fields that feed the matching engine.
- Opt out of appearing in other Members’ suggestion lists via your
Privacy Settings. - Request a copy of the inputs used to compute suggestions (Section
11).
7. Service providers and
subprocessors
To provide the Service, we use service providers (processors) and
other third parties that may process personal data on our behalf. We
maintain a current list of material subprocessors in our Data Protection
Policy and contractually oblige each processor to implement appropriate
technical and organisational measures.
The categories of subprocessor we use include:
- Cloud infrastructure and compute (for example, AWS
and DigitalOcean) to host our application and queue workers. - Object storage (for example, AWS S3 and
DigitalOcean Spaces) for user-uploaded files. - Database and search (managed PostgreSQL with the
pgvectorextension, Redis for cache and sessions). - Email and transactional messaging (for example,
Amazon SES) to send account and notification emails. - Identity providers for single sign-on (Microsoft
Azure AD, ORCID, SAML2 federations). - Analytics and product telemetry to understand how
the Service is used. - Error and performance monitoring to detect
incidents. - AI model providers for embeddings and
natural-language processing. - Customer support tooling to receive, route and
respond to your enquiries. - Payment processing (for paid tiers) — the payment
processor is an independent controller for card data.
We may also disclose personal data:
- In response to binding legal process or where disclosure is
necessary to protect the rights, property or safety of RCX, our Users or
the public. - In connection with a sale, merger, reorganisation or insolvency,
subject to the protections in this Privacy Policy. - To our affiliates under common control for the purposes described in
this Privacy Policy.
8. Transfers to third
countries
Some of our service providers are located outside the UK or EEA.
Where the level of data protection in the destination country is not
recognised by the UK Information Commissioner’s Office or the European
Commission as adequate, we rely on appropriate safeguards, including the
UK International Data Transfer Agreement (IDTA), the UK Addendum to the
EU Standard Contractual Clauses, or the EU Standard Contractual Clauses
(Art. 46 GDPR). In limited cases we may rely on the derogations in Art.
49 GDPR.
On request we will provide a copy of the safeguards we apply.
9. Reporting content
If you report content on RCX that you believe violates our Terms or
the law, we ask that you provide basic information about yourself so
that we can follow up. We may share your identity with the uploader of
the reported content where necessary and proportionate — for example, if
you are the rights-holder in an intellectual-property claim.
Legal basis: Art. 6(1)(c) GDPR (legal obligation)
and Art. 6(1)(f) GDPR (legitimate interest in keeping the Service
safe).
10.
Deleting your account and retention of personal data
You can delete your account at any time from your Account Settings.
How long we retain data depends on the status of your account and our
legal obligations.
- Active Members. We retain your personal data for as
long as your account is active. - Deleted accounts. We remove personal data from
productive systems within 30 days of deletion, subject to legal
obligations. - Backups and logs. Data may persist in encrypted
backups for up to 90 days and in security logs for up to 12 months. - Inactive accounts. We may delete accounts that have
been inactive for 24 months or where the contact email is no longer
operational. We will attempt to notify you first. - Legal holds. We may retain personal data longer
where strictly necessary to comply with legal obligations, defend
disputes, or enforce our Terms of Service.
11. Data subject rights
You may exercise the following rights where they are available to you
under applicable law:
- Right of access under Art. 15 GDPR.
- Right to rectification of inaccurate or incomplete
data under Art. 16 GDPR. - Right to erasure under Art. 17 GDPR.
- Right to restriction of processing under Art. 18
GDPR. - Right to data portability under Art. 20 GDPR.
- Right to object to processing based on legitimate
interests under Art. 21 GDPR. - Right to withdraw consent at any time where
processing is based on consent. - Right to lodge a complaint with your competent
supervisory authority (in the UK, the Information Commissioner’s Office;
in the EU, your local data-protection authority).
To exercise any of these rights, contact us at the address in Section
13. We may ask you to verify your identity before we action a
request.
12. Children and minimum age
RCX is directed at researchers aged 18 or over. We do not knowingly
collect personal data from children under 16. If you believe a child has
provided personal data to us, please contact us and we will take steps
to delete it.
13. Contact information
Data controller: ResearchConnectX, [registered
address — to be completed prior to launch].
Data Protection Officer / privacy contact: info@rcx.ac
If you have a complaint about how we process your personal data,
please contact us first. You also have the right to lodge a complaint
with your supervisory authority.
14. US-specific information
If you are resident in the United States, the following additional
provisions apply and, to the extent there is any conflict with other
sections, this Section 14 prevails.
14.1 Categories collected
(CCPA/CPRA)
In the preceding 12 months we have collected the categories of
personal information described in Section 2, including identifiers,
commercial information, internet or network activity, geolocation data
derived from IP, professional information, and inferences drawn from the
foregoing. We do not knowingly collect sensitive personal information
for the purpose of inferring characteristics.
14.2 Sale and sharing
We do not sell personal information for monetary consideration and we
do not share personal information for cross-context behavioural
advertising. If this changes, we will update this section and provide
any required opt-out.
14.3 US rights
Residents of California and other states with comprehensive privacy
laws may have the right to know, correct, delete, and obtain a portable
copy of their personal information, and to designate an authorised agent
to submit requests on their behalf. To exercise these rights, contact us
using the details in Section 13. We will not discriminate against you
for exercising these rights.
14.4 “Shine the Light”
California residents may request a list of third parties to which we
have disclosed their personal information for those third parties’
direct-marketing purposes. We do not currently disclose personal
information for such purposes.