Privacy Policy
This Privacy Policy describes how personal data is processed by the hosted Aleph∞One service operated at the aleph-one.com domain. It does not apply to independent, self-hosted deployments of the Aleph∞One open-source software run by third parties, which are operated under their own responsibility.
1 Who we are (data controller)
The data controller responsible for the personal data processed through the hosted Aleph∞One service is:
- Name: Carlo Andrea Cossu, data controller.
- Contact address: Padova, Italy. The full postal address is available on request via privacy@aleph-one.com.
- General contact: hello@aleph-one.com
- Data protection contact: privacy@aleph-one.com
- Data Protection Officer (DPO): None appointed. For any data protection matter, please use the data protection contact above.
In this policy, "we", "us" and "the operator" refer to the data controller named above. "Platform" and "service" mean the hosted Aleph∞One application and the aleph-one.com website.
2 Scope of this policy
Aleph∞One is a One Health relational platform for integrated epidemiological data management. It records samples and results across the animal–human–environment interface (wildlife, livestock, humans and environmental samples) for research institutions, veterinary bodies and public-health organisations.
This policy covers two distinct kinds of personal data:
- Account and usage data — the personal data of the people who register for and use the service (see section 3, where we act as controller).
- Research data uploaded by users — the epidemiological records that users enter into the platform, which may contain personal data of third parties, including human subject data (see section 3, where we generally act as processor on the user's behalf).
The Aleph∞One software itself is open-source and licensed under the AGPL-3.0. Anyone may run their own independent instance; those deployments are outside the scope of this policy and are governed by the operator of that instance. This policy applies only to the hosted service we operate at aleph-one.com and app.aleph-one.com.
3 Controller vs. processor: account data and uploaded research data
The GDPR distinguishes between a controller (who decides why and how personal data is processed) and a processor (who processes personal data on a controller's instructions). Our role differs depending on the data:
Account and usage data — we are the controller
For the personal data of registered users (name, email, professional details, and how the service is used), we determine the purposes and means of processing and therefore act as the data controller. This is the data described in section 4 under "Account data" and "Usage and technical data".
Research and epidemiological data you upload — we are generally the processor
When you upload or enter epidemiological records — which may include personal identifiers and human subject data — you (or your organisation) remain the controller of that data, and we process it on your behalf as a data processor. You decide what to collect, from whom, and why; we host and process it to provide the service and only on your documented instructions (the account you configure and the actions you take in the platform).
This means you are responsible for having a valid legal basis, any required ethics or institutional review approvals, and appropriate information notices and consents for the subject data you enter. Where this processor relationship applies, it is governed by a data processing agreement (DPA) between you (or your organisation) and the operator, in accordance with Article 28 GDPR. For questions about the subjects in your uploaded data, data subjects should contact the organisation that uploaded it; we will assist that organisation in responding.
4 Categories of personal data we process
Account data (you provide this when registering)
- Full name and professional title
- Email address
- Occupation / role
- Organisation or affiliation
- ORCID identifier (optional)
- Date of birth (optional)
- Password (stored only as a salted cryptographic hash)
Usage and technical data (generated when you use the service)
- Authentication and session information
- Audit-trail records of actions taken in the platform (creation, edits, timestamps, the acting user), which are integral to the platform's traceability and reproducibility features
- Log data such as IP address, browser/user-agent and access timestamps
Acceptance records
- A record that you accepted these documents, including the exact
version identifier (e.g.
2026-06-29) and the date/time of acceptance.
Research data you upload (may contain third-party personal data)
The platform stores epidemiological records that you enter or import. Depending on your study, these may include personal data and personal identifiers of third parties — for example human sample data, subject or patient identifiers, and associated metadata. This may constitute special-category (health) data under Article 9 GDPR. We do not determine the content of this data; you do (see sections 3 and 6).
5 Purposes and legal bases
Where we act as controller (account and usage data), we rely on the following legal bases:
| Processing activity | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account creation & authentication | Create and secure your account, sign you in, provide the service you requested. | Art. 6(1)(b) — performance of a contract (our Terms of Service). |
| Service operation & audit trails | Run the platform, maintain traceability and reproducibility, prevent misuse. | Art. 6(1)(b) — contract; and Art. 6(1)(f) — legitimate interest in a secure, auditable service. |
| Optional profile fields (ORCID, date of birth) | Attribute research contributions and, where relevant, confirm eligibility. | Art. 6(1)(a) — consent (you choose whether to provide them). |
| Security & logging | Detect, investigate and prevent security incidents, fraud and abuse. | Art. 6(1)(f) — legitimate interest in protecting the service and its users. |
| Recording acceptance of terms | Evidence which policy version you agreed to and when. | Art. 6(1)(c) — legal obligation / Art. 6(1)(f) — legitimate interest in demonstrating compliance. |
| Service communications | Send essential notices (e.g. security, changes to terms, service status). | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest. |
| Legal compliance | Comply with applicable law and respond to lawful requests. | Art. 6(1)(c) — legal obligation. |
For research data you upload, we act as processor and do not set our own legal basis for the underlying data — the legal basis (and, for health data, an Article 9 condition) must be established by you as controller. See sections 3 and 6.
Where we rely on legitimate interests, you have the right to object (see section 8). Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.
6 Health and other special-category data
The platform can store data that qualifies as special-category data under Article 9 GDPR — in particular health-related human sample data. Because you decide what to upload, you as controller are responsible for ensuring that an appropriate Article 9 condition applies to that data (for example explicit consent, scientific research purposes under Article 9(2)(j) with suitable safeguards, or public-health grounds), and for obtaining any ethics committee or institutional review board approvals your research requires.
We strongly recommend that you pseudonymise or anonymise subject data wherever possible before entering it, and that you avoid uploading direct identifiers unless strictly necessary for your study.
7 Data retention
We keep personal data only as long as necessary for the purposes above:
| Data | Retention period |
|---|---|
| Account data | For the life of your account, then deleted or anonymised within 90 days. |
| Acceptance records (policy version + timestamp) | Retained for the lifetime of your account plus 10 years, to evidence agreement. |
| Security / access logs | 12 months. |
| Research data you upload | Retained under your control for as long as your account/project is active, and deleted or returned on your instructions or on termination, subject to the DPA. Retention of the underlying research records is determined by you as controller; by default, on termination your uploaded data remains exportable for 30 days and is then deleted, unless otherwise agreed. |
| Backups | Backups are rotated and expire within 30 days after deletion from the live system. |
8 Your rights
Where we are the controller of your personal data, you have the following rights under the GDPR:
- Access — obtain confirmation of, and a copy of, the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — have your data deleted where the conditions apply.
- Restriction — limit how we process your data in certain circumstances.
- Portability — receive the data you provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — where processing is based on consent, at any time.
- Complain — lodge a complaint with a supervisory authority (see section 15).
To exercise these rights, contact us at privacy@aleph-one.com. We will respond within one month, as required by the GDPR. If your request concerns subject data uploaded by a user (data for which we act as processor), we will direct you to, and assist, the organisation that uploaded it, since they are the controller of that data.
9 International data transfers
Aleph∞One is operated from within the European Union. The technical operation of the platform, including hosting and storage, is delegated to 16bit S.r.l. (see section 10), and personal data is hosted in the European Union, in Germany.
The platform may also be used to manage data originating outside the EU, for example from field programmes in Africa. In addition, the operator (the data controller) accesses and administers the service from outside the EEA, currently from South Africa.
Where personal data is transferred to, or accessed from, a country outside the EEA that does not benefit from an adequacy decision of the European Commission, we rely on appropriate safeguards under Chapter V of the GDPR, in particular the European Commission's Standard Contractual Clauses (SCCs) together with any supplementary measures. You can request further information using the contact details in section 15.
10 Hosting and sub-processors
We rely on trusted third parties to host and operate the service. When acting as processor for the data you upload, these are our sub-processors, and we remain responsible for their compliance under our agreement with you.
- Marketing website (aleph-one.com): Cloudflare, Inc. provides edge/CDN static hosting.
- Application, database, storage, email delivery and backups (app.aleph-one.com): the technical operation of the platform is delegated to 16bit S.r.l., an Italian company based in Milan, which acts as our processor (and, for the research data you upload, as a sub-processor) and may in turn engage its own sub-processors to provide hosting (in the European Union, Germany), storage, email and backup services.
An up-to-date list of the sub-processors engaged by 16bit S.r.l., including their locations, is available on request, and material changes will be notified in line with the applicable data processing agreement. The delegation to 16bit S.r.l. is, or should be, governed by a data processing agreement under Article 28 GDPR.
12 Security
We implement appropriate technical and organisational measures to protect personal data, including encrypted transport (HTTPS), hashed passwords, role-based access control (administrators, editors, viewers, and a read-only guest mode), audit logging, and access restrictions. No system is perfectly secure, but we work to protect your data against unauthorised access, alteration and loss, and will notify you and any competent supervisory authority of a personal data breach where legally required.
13 Children
The service is intended for professional and research users and is not directed at children. We do not knowingly create accounts for children. Note that research data you upload may relate to data subjects of any age; responsibility for the lawful basis of that data rests with you as controller.
14 Changes to this policy
We may update this policy from time to time. When we do, we will change the version identifier and the "Last updated" date at the top of this page. Material changes will be communicated through the service, and — where your continued use or a renewed acceptance is required — you may be asked to accept the new version. The version you accepted is recorded against your account.
15 How to contact us and complain
For any privacy question or to exercise your rights, contact privacy@aleph-one.com or write to the controller using the contact address in section 1.
You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU country where you live or work or where the alleged infringement took place. For Italy, this is the Garante per la protezione dei dati personali (garanteprivacy.it). As the controller is resident in Italy, the competent supervisory authority is the Italian Garante per la protezione dei dati personali.