Privacy Policy

Last updated: November 2, 2025

1. Introduction

Welcome to the website of Dr. Nikolaos Antonakakis (nikolaosantonakakis.com, "we," "us," or "our"). We are committed to protecting your privacy and complying with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR) and similar regulations worldwide.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, use our services, or interact with us. By using our website, you consent to the data practices described in this policy.

Data Controller: Dr. Nikolaos Antonakakis
Affiliation: University of Nicosia | Athens Campus
Contact: info@nikolaosantonakakis.com

2. Key Definitions

For the purposes of this Privacy Policy:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data (in this case, Dr. Nikolaos Antonakakis).
  • "Processor" means an entity that processes Personal Data on behalf of the Controller (e.g., hosting providers, analytics services).
  • "GDPR" refers to the General Data Protection Regulation (EU) 2016/679.
  • "Data Subject" means the individual to whom Personal Data relates (i.e., you, the user).

3. What Data We Collect

We collect different types of information depending on how you interact with our website:

3.1 Data You Provide Directly

When you interact with our website, you may provide:

  • Contact Information: Name, email address, institutional affiliation, and message content when you use our contact form.
  • Newsletter Subscription: Email address when you subscribe to our newsletter.
  • Account Information: If you create an account or log in (for admin/authenticated areas), we collect your email and authentication credentials.
  • Comments and Feedback: Any information you provide in blog comments or feedback forms.

3.2 Data Collected Automatically

When you visit our website, certain information is automatically collected through cookies and similar technologies:

  • Device and Browser Information: Browser type and version, operating system, device type, screen resolution.
  • Usage Data: Pages viewed, time spent on pages, click patterns, scrolling behavior, referral source.
  • IP Address and Location: Your IP address (which may reveal approximate geographic location at city or country level).
  • Session Data: Session identifiers, cookies, and local storage data.
  • Technical Logs: Error logs, performance metrics, and server logs.

3.3 Data from Third-Party Sources

We may receive limited data from:

  • Academic APIs: Publicly available publication and citation data from Google Scholar (via SerpAPI) and Scopus API to display research metrics.
  • Social Media: Public profile information if you interact with us through social media platforms.

5. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and collect information about how you use our website. A cookie is a small text file stored on your device.

5.1 Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for the website to function and cannot be disabled:

  • Cookie Consent: Stores your cookie preferences.
  • Session Management: Maintains your session state and authentication.
  • Security: Protects against cross-site request forgery (CSRF) and other attacks.
  • Theme Preference: Remembers your light/dark mode selection.
  • Language Preference: Stores your selected language (English, Greek, German).

Analytics Cookies (Optional - Requires Consent)

These cookies help us understand how visitors use our website:

  • Vercel Analytics: Collects anonymized usage data including page views, user paths, and performance metrics.
  • Performance Monitoring: Tracks page load times and technical performance issues.

Marketing Cookies (Optional - Requires Consent)

Currently, we do not use marketing or advertising cookies.

5.2 Managing Cookie Preferences

You can manage your cookie preferences at any time. When you first visit our website, you'll see a cookie consent banner where you can:

  • Accept all cookies
  • Reject non-essential cookies
  • Customize your preferences

Note: Disabling essential cookies may affect website functionality.

5.3 Browser Cookie Controls

You can also control cookies through your browser settings:

  • Chrome: Settings → Privacy and Security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Privacy → Cookies

6. Analytics and Performance Monitoring

We use analytics services to understand how visitors interact with our website and to improve user experience.

6.1 Vercel Analytics

Provider: Vercel Inc.
Purpose: Privacy-friendly web analytics
Data Collected: Page views, referrers, device types, geographic location (country-level), session duration
Data Anonymization: IP addresses are anonymized; no personal identifiers are stored
Privacy Policy: https://vercel.com/legal/privacy-policy

6.2 No Third-Party Advertising

We do not use Google Analytics, Facebook Pixel, or other third-party advertising tracking technologies. We do not sell or share your data with advertisers.

7. Data Sharing and Processors

We do not sell your Personal Data. We share data only with trusted service providers (processors) who help us operate our website and services:

7.1 Hosting and Infrastructure

Vercel (Website Hosting)
Location: United States
Purpose: Website hosting, content delivery, and performance optimization
Safeguards: Standard Contractual Clauses (SCCs), GDPR-compliant Data Processing Agreement
Privacy Policy: https://vercel.com/legal/privacy-policy

MongoDB Atlas (Database)
Location: EU (Ireland), US East, etc.
Purpose: Secure storage of website content, user data, and application data
Safeguards: Encryption at rest and in transit, access controls, GDPR-compliant DPA
Privacy Policy: https://www.mongodb.com/legal/privacy-policy

7.2 Email Services

Titan Email / Nodemailer
Purpose: Sending and receiving emails (contact form responses, newsletters, notifications)
Data Shared: Email addresses, names, message content
Contact: info@nikolaosantonakakis.com is hosted via Titan Email services

7.3 Authentication Services

NextAuth.js
Purpose: Secure user authentication for admin and authenticated areas
Data Processing: Authentication tokens, session data
Storage: Encrypted in our MongoDB database

7.4 Research Data APIs

To display academic research metrics, we retrieve publicly available data from:

SerpAPI (Google Scholar Data)
Purpose: Fetching publicly available citation metrics and publication data
Data Shared: Only public researcher identifiers; no visitor data is shared
Privacy Policy: https://serpapi.com/privacy

Scopus API (Elsevier)
Purpose: Fetching publicly available publication and citation data
Data Shared: Only public researcher identifiers; no visitor data is shared
Privacy Policy: https://www.elsevier.com/legal/privacy-policy

7.5 Legal Disclosures

We may disclose your Personal Data if required by law, court order, or government regulation, or if necessary to:

  • Comply with legal processes
  • Enforce our terms and conditions
  • Protect our rights, property, or safety
  • Prevent fraud or security threats

8. International Data Transfers

Our primary operations are based in the European Union. However, some of our service providers may process data in countries outside the EU/EEA.

8.1 Safeguards

When we transfer Personal Data outside the EU/EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses with all processors in third countries.
  • Adequacy Decisions: Where possible, we work with providers in countries recognized by the EU Commission as providing adequate data protection.
  • Additional Safeguards: We implement supplementary technical measures including encryption, pseudonymization, and access controls.

8.2 Transfers to the United States

Some of our processors (e.g., Vercel, MongoDB) may process data in the United States. Following the invalidation of Privacy Shield and subsequent EU-US Data Privacy Framework developments, we ensure compliance through:

  • Standard Contractual Clauses
  • Technical measures to minimize data exposure (encryption, anonymization)
  • Regular compliance audits and reviews

9. Data Retention

We retain Personal Data only as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations.

9.1 Retention Periods

  • Contact Form Inquiries: Up to 3 years after the last interaction, or until you request deletion.
  • Newsletter Subscriptions: Until you unsubscribe or request deletion.
  • Account Data: Until account deletion or 2 years of inactivity.
  • Analytics Data: Aggregated data retained for up to 24 months; individual session data anonymized after 7 days.
  • Cookie Data: As specified in cookie settings; typically 30 days to 12 months.
  • Security Logs: Up to 12 months for security and fraud prevention.
  • Legal Records: As required by applicable law.

9.2 Deletion Procedures

When the retention period expires or you request deletion, we:

  • Securely delete or anonymize your Personal Data from our active systems
  • Remove data from backups within reasonable timeframes (typically within 90 days)
  • Retain only anonymized or aggregated data that cannot be linked back to you
  • Keep records of deletion requests for compliance purposes

10. Your Privacy Rights

Under GDPR and similar data protection laws, you have the following rights regarding your Personal Data:

10.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your Personal Data and, if so, to access that data along with information about:

  • The categories of data we hold about you
  • The purposes of processing
  • The recipients or categories of recipients
  • The retention period or criteria for determining it
  • Your other rights (rectification, erasure, etc.)

10.2 Right to Rectification (Article 16)

You can request correction of inaccurate Personal Data and completion of incomplete data.

10.3 Right to Erasure / "Right to Be Forgotten" (Article 17)

You may request deletion of your Personal Data in certain circumstances:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding grounds
  • The data was unlawfully processed
  • Deletion is required to comply with a legal obligation

Exceptions: We may retain data if needed for legal compliance, to establish/defend legal claims, or for archiving in the public interest.

10.4 Right to Restriction of Processing (Article 18)

You may request that we limit how we use your data in specific situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing and we're verifying whether our legitimate grounds override yours

10.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and is carried out by automated means, you can receive your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller.

10.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes:

  • Direct Marketing: You can object at any time, and we will stop processing for that purpose.
  • Legitimate Interests: You can object based on your particular situation. We will stop processing unless we can demonstrate compelling legitimate grounds.

10.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint (Article 77)

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the competent supervisory authority:

Hellenic Data Protection Authority (HDPA)
Website: https://www.dpa.gr
Email: contact@dpa.gr
Address: 1-3 Kifisias Ave., 115 23 Athens, Greece

Note: While we hope to resolve any concerns directly, you always have the right to contact the supervisory authority.

10.9 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what Personal Information is collected, used, shared, or sold
  • Right to delete Personal Information
  • Right to opt-out of the sale of Personal Information
  • Right to non-discrimination for exercising your rights
  • Right to correct inaccurate Personal Information
  • Right to limit use of sensitive Personal Information

Note: We do not sell Personal Information as defined by CCPA.

11. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at info@nikolaosantonakakis.com.

11.1 Request Process

When submitting a request:

  1. Email us with the subject line "Privacy Rights Request - [Your Name]"
  2. Specify which right(s) you wish to exercise
  3. Provide sufficient information to verify your identity (e.g., email address associated with your data)
  4. Describe the specific data or processing activity, if applicable

11.2 Identity Verification

To protect your privacy and security, we must verify your identity before responding to your request. We may ask for:

  • Confirmation of your email address
  • Answers to security questions
  • Additional identifying information consistent with our data minimization principles

11.3 Response Timeframe

We will respond to your request:

  • Within 1 month of receiving a verifiable request (as required by GDPR)
  • We may extend this by 2 additional months for complex requests, and we will notify you
  • We will inform you if we cannot comply with your request and explain why

11.4 Fees

We will not charge a fee to process or respond to your request unless it is manifestly unfounded, excessive, or repetitive. If we determine a fee is necessary, we will inform you and explain why before processing your request.

12. Security Measures

We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction.

12.1 Technical Measures

  • Encryption: HTTPS/TLS encryption for all data transmitted between your browser and our servers
  • Database Encryption: Data at rest is encrypted in MongoDB Atlas
  • Authentication: Secure authentication with password hashing (bcrypt) for admin accounts
  • Access Controls: Role-based access controls limiting data access to authorized personnel only
  • Security Headers: Implementation of security headers (CSP, HSTS, X-Frame-Options)
  • Regular Updates: Timely security patches and dependency updates

12.2 Organizational Measures

  • Data Minimization: We collect only data necessary for specified purposes
  • Least Privilege Principle: Access is granted on a need-to-know basis
  • Regular Reviews: Periodic review of security practices and data processing activities
  • Incident Response: Documented procedures for data breach detection and response
  • Vendor Management: Due diligence in selecting processors with appropriate security measures

12.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide information about the nature of the breach, likely consequences, and mitigation measures

12.4 Your Responsibility

While we implement robust security measures, you also play a role in protecting your data:

  • Use strong, unique passwords for your accounts
  • Keep your login credentials confidential
  • Log out after using shared or public devices
  • Report any suspicious activity or security concerns to us immediately

13. Children's Privacy

Our website is not directed to children under the age of 16, and we do not knowingly collect Personal Data from children under 16 without verifiable parental consent.

13.1 Age Restrictions

If you are under 16 years old, please do not:

  • Submit any Personal Data through our contact forms
  • Subscribe to our newsletter
  • Create an account on our website

13.2 Parental Rights

If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us at info@nikolaosantonakakis.com. We will promptly investigate and delete such information.

13.3 Educational Context

Our website contains academic and educational content. If children under 16 access this content under the supervision of a parent, educator, or institution with appropriate consent mechanisms in place, such access may be permissible under applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.

14.1 Notification of Changes

When we make material changes to this policy, we will:

  • Update the "Last updated" date at the top of this page
  • Display a prominent notice on our website for at least 30 days
  • Send an email notification to newsletter subscribers (if the changes significantly affect their rights)
  • Obtain fresh consent where required by law (e.g., for new data processing activities)

14.2 Continued Use

Your continued use of our website after we publish or notify you of changes to this Privacy Policy constitutes your acceptance of the updated policy, unless otherwise required by law.

14.3 Policy History

You can request previous versions of this Privacy Policy by contacting us.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Controller

Name: Dr. Nikolaos Antonakakis
Affiliation: University of Nicosia | Athens Campus
Email: info@nikolaosantonakakis.com
Postal Address: No 17 29th Street, Elliniko, 16777, Greece

We aim to respond to all legitimate privacy inquiries within 1 month (or 3 months for complex requests). We take your privacy seriously and will address your concerns promptly.

15.1 General Inquiries

For general questions about our website, services, or academic work, please use the contact form on our website.

15.2 Data Protection Officer

Dr. Antonakakis serves as the primary contact for all privacy matters.

This Privacy Policy was last updated on November 2, 2025 and is effective immediately for new users. For existing users, it becomes effective 30 days after publication.
