This document is provided to set expectations and understanding about PREreview’s practices and services. It is not legally binding.

Current version (this document): v1, 24 April, 2023

Overview

PREreview is a fiscally sponsored project of Code for Science and Society, a registered 501(c)3 nonprofit organization based in the United States of America.

We strive to adhere to the highest ethical standards in all of our operations and are dedicated to protecting the privacy of everyone who interacts with us. We do not sell, barter, give away, rent, or permit anyone outside of PREreview, our Advisory Committee, and project-scoped contractors to use or access information about our partners, collaborators, research participants, or website visitors.

We use third-party services to publish work, keep in touch with people, and understand how we can do both of these things better. Here you can find out what these services are and how we handle all sorts of data, from event sign-up to preprint review platform data collection.

If there is additional information you would like to see in this document about our practices, or if you have other comments or questions, please reach out to contact@prereview.org.

Our site and services

We use the following services to run our websites and understand how people use them.

Website analytics

As of August 2021 we began using Fathom (Privacy Policy), a lightweight, non-invasive web analytics service that is GDPR-, CCPA-, ePrivacy-, and PECR-compliant. Fathom gives us an idea of how users use our website without invading their privacy or using their data for marketing purposes.

PREreview web domain

The prereview.org domain is registered with Google Domains.

Google Drive and email

We currently use Google Workspace for Nonprofits for our email (Google Privacy Policy), calendaring, surveys and sign-up forms, and document storage. We honor requests to have files shared with us not stored in Google Drive.

AirTable

Starting in February 2023, we switched to AirTable (Privacy Policy) for surveys and sign-up forms, project planning, applications for volunteer roles, and user research.

PREreview platform

  • PREreview preprint review platform data is hosted on Fly.io (Privacy Policy)
  • PREreview preprint review platform code is openly available under MIT License on our organizational GitHub repository.
  • Signup and login are built via the ORCID public API, meaning that all PREreview users must have an ORCID iD in order to create an account.
  • PREreview provides a RESTful API documented using the OpenAPI v3.0 standard. Using this API and simple web requests, users have access to all of the same data and functionality as is exposed by the PREreview.org website. A basic overview of the API's functionality is provided here (with examples using the common open-source command-line utility cURL). The OpenAPI specification is available in JSON format here, and detailed, automatically generated documentation of all available endpoints and methods is available here.
  • Application logs are sent to Axiom.
  • Data is stored in Upstash.
  • The website is monitored with UptimeRobot.
  • Full PREreviews on our platform are licensed CC-BY 4.0 and receive a digital object identifier (DOI) via Zenodo.

Mailjet

We use Mailjet to send emails related to our request-a-review feature and COAR Notify Protocol integration. Mailjet keeps track of who sends and receives these emails by name and email address. We have turned off the feature that tracks whether or not an email is opened, but we are not able to turn off the feature that creates "contacts" from user info inside Mailjet.

Notion

We use Notion (Privacy Policy) to organize our work, track activities, and share organizational policies with team members.

Newsletter

When we send out newsletters, we use CiviCRM (Privacy policy), which stores subscribers' email addresses. We do not use the platform features for tracking links or opens. We only send our newsletter to people who expressly sign up for it.

Ghost 4

We use Ghost 4 (Privacy Policy) to host most written content on our website, including our Blog, About page, and Resource Center.

YouTube

We host videos on YouTube (Privacy Policy) both as public and unlisted videos.

Loom

We use Loom (Privacy Policy) to make demo videos to guide users on how to use our preprint review platform.

Slack

We host a Slack (Privacy Policy) organization for internal communication and community organizing. Slack stores your account information and usage data, and our administrators have access to all public channels.

Eventbrite

We use Eventbrite (Privacy Policy) for registration for some of our online events. Eventbrite stores your account information, usage data, and responses to registration questions.

Zoom

Most of our work has been done remotely, even before the pandemic. We use Zoom (Privacy Policy) for our internal and external meetings. When we want to record a call using the recording feature on Zoom, we always ask for consent and remind participants that, to ensure their anonymity, should that be their preference, they need to turn off their video and change their name to something that cannot be related to their identity. Recordings are saved on our Zoom cloud and are always shared with participants before they are made public. Sensitive communication is and can always be edited out prior to broader sharing.

Otter.ai

We use Otter.ai (Privacy policy) integrated into Zoom for live-captioning, audio recording, and transcript services of our calls. We routinely inform people on the call of the implications of having Otter active, ask them to consent to the recording, and share the recording with them after the call if requested.

1Password

We use 1Password (Privacy Policy) to manage our organizational passwords securely.

OpenAI

We use OpenAI (Privacy Policy) to generate text for our request-a-review feature and COAR Notify Protocol integration. The review-request information is not used to train OpenAI models.

Social media: Twitter, LinkedIn, Mastodon

We use Twitter (Privacy policy), Mastodon (Privacy policy), and LinkedIn (Privacy Policy) to share our work and promote others with aligned missions and goals.

Research

Research is an important part of our work: it helps us understand people’s needs and build better products and services.

We conduct user experience research in the form of 1:1 interviews, community calls, and user research sprints. Feedback from 1:1 interviews is kept for internal use in improving PREreview.org, though we may share trends from 1:1 interviews in the aggregate without identifying any participants. Notes and recordings from community calls and user research sprints are public. At the start of each call and sprint, before recording and note taking begin, we remind participants to manage their participation in ways that feel comfortable to them regarding their privacy and security. We also partner with ReadySet to help us challenge our own assumptions from an equity, diversity and inclusion perspective and implement outreach and partnership strategies grounded in our values to get feedback from stakeholders in our work.

Things we don’t do

PREreview doesn’t participate in the following data processing activities:

  • Buying or selling marketing lists
  • Entering into data sharing agreements with other organizations
  • Telephone marketing
  • Postal marketing
  • CCTV surveillance

We don’t use “soft opt-in”, meaning you won’t receive any marketing communication from us unless you’ve specifically agreed to it.

Keeping data secure

We carefully choose our services and tools at PREreview. It’s important that they follow good security practices, like HTTPS, two-factor authentication and the ability to set a strong password.

Data breaches

In the event of a data breach, we are required to notify the Information Commissioner’s Office. We will do so following their guidance.

Exemptions

There are exemptions to data protection regulations that may require us to share data about you, including requests by law enforcement. This includes requirements and orders in the United States, where we are based.

Acknowledgements

In drafting this policy we used a number of different resources and inspirations. We want to offer particular thanks to Simply Secure (now rebranding as Superbloom) and Measurement Lab for their clear examples.