PRIVACY POLICY


Last updated: April 04, 2026

1. INTRODUCTION


The Organizing Committee of the Interdisciplinary Student Conference in Informatics of the Ionian University - IUSCI (hereinafter referred to as "Conference", "we", "us" or "Data Controller"), organized under the auspices of the Department of Informatics of the Ionian University, is fully committed to protecting the personal data of every natural person who interacts with our website and our services. This Privacy Policy aims to transparently and thoroughly inform you regarding the personal data we collect, the purposes and legal bases for their processing, the security measures we implement, the retention periods, any disclosures to third parties, and the rights granted to you by applicable legislation. This policy is drafted and implemented in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 - GDPR), the Greek implementing law (Law 4624/2019), as well as any other applicable data protection legislation.

The Conference website is located at https://iusci.di.ionio.gr.


2. DATA CONTROLLER


The data controller of personal data, within the meaning of Article 4(7) of the GDPR, is the Organizing Committee of the IUSCI Conference, with the following contact details:

Department of Informatics, Ionian University, Tsirigoti Square 7, 49100 Corfu, Greece. Contact email address: info.iusci.di@ionio.gr. Website address: https://iusci.di.ionio.gr/contact.

For any issue related to the protection of your personal data, you may contact us directly at the email address info.iusci.di@ionio.gr.


3. DATA WE COLLECT AND PURPOSES OF PROCESSING


3.1 Conference Participant Registration


During your online registration for the Conference through the dedicated registration form, we collect the following data: first name, last name, email address, university or institution, school, department, capacity (student, faculty member, other), year of study (if applicable), type of participation (attendee, speaker, paper author), paper title (if the registrant is a presenter or author), presentation title (if applicable), dietary requirements (for catering planning), as well as the date and time of registration submission (automatically recorded). These data are stored in encrypted form in our database (specifically the fields: first name, last name, email and department are encrypted using the AES-256-CBC algorithm).

Purpose of processing: The completion of your registration, the organization and technical support of the Conference, communication with you regarding the program and participation details, the issuance of certificates, and the overall implementation of the Conference. Legal basis: Performance of a contract to which the data subject is a party, namely your participation in the Conference, in accordance with Article 6 paragraph 1 point (b) of the GDPR.

Upon your registration, a confirmation message is automatically sent to the email address you provided.

3.2 Contact Form


Through the Contact page of our website, we collect the following data: full name, email address, message subject (optional), and message text. Messages sent through the contact form are stored in our database and an automatic confirmation of receipt is sent to the address you provided.

Purpose of processing: The management of and response to the inquiries and messages we receive. Legal basis: Legitimate interest of the Data Controller (responding to requests and inquiries from interested parties), in accordance with Article 6 paragraph 1 point (f) of the GDPR.

3.3 Workshop Proposals


Through the workshop proposal form, we collect the following data: proposer's full name, email address, institution or organization (affiliation), workshop title, detailed description, thematic area, desired duration, and technical requirements. Proposals are evaluated by the competent members of the Organizing Committee, who may send a response via email.

Purpose of processing: The evaluation of workshop proposals and the organization of the Conference program. Legal basis: Performance of a contract (participation through submission of a proposal), in accordance with Article 6 paragraph 1 point (b) of the GDPR.

3.4 Participation and Presentation Certificates


When requesting the issuance of a certificate, the following details are required: legal first name (in uppercase Greek letters), legal last name (in uppercase Greek letters), and presentation title (if it is a presentation certificate). Certificates are generated in PDF format using the TCPDF library and are stored on our server. Access to the certificate issuance form requires identity verification by confirming the email address provided during registration.

Purpose of processing: The issuance of official certificates of participation or presentation at the Conference. Legal basis: Performance of a contract, in accordance with Article 6 paragraph 1 point (b) of the GDPR.

3.5 Conference Evaluation (Feedback)


The Conference evaluation form is fully anonymous. No identifying information is collected. The data gathered exclusively include satisfaction ratings on a scale of one (1) to five (5) in categories such as organization, presentations, venue, registration, topics, and speakers, as well as comments and suggestions for improvement in free-text format. The evaluation may be based on dynamic questionnaires designed by the Conference Administration and may include multiple-choice questions, scales, free text, and other types. Access to the evaluation form is provided through a unique link (magic link) sent to the email address provided by the participants. Although sending the link requires an email, the responses are not linked to the identifying information of the data subject.

Purpose of processing: The improvement of the quality and organization of future conferences. Legal basis: Legitimate interest, in accordance with Article 6 paragraph 1 point (f) of the GDPR.

3.6 Newsletter


Based on your Conference registration details, particularly your email address, you may receive informational messages regarding the program, events, and developments of the current or future conferences. The data maintained in the newsletter system include: email address, full name (if available), subscription status (active or cancelled), registration source, and registration date. For measuring the effectiveness of the newsletters, the following information is recorded: whether the message was opened (via a one-by-one-pixel PNG tracking image), whether a link was clicked (via URL redirection), as well as the date and time of the opening or click. Tracking data is stored exclusively with numerical sending identifiers (IDs), without direct association with the recipient's personal details at the tracking endpoint. Tracking is carried out exclusively through our proprietary system on our server, and no third-party provider is involved.

Purpose of processing: Informing you about the activities of the Conference and measuring communication effectiveness. Legal basis: Legitimate interest, in accordance with Article 6 paragraph 1 point (f) of the GDPR. You may at any time request your removal from the recipient list by sending a relevant request to info.iusci.di@ionio.gr.

3.7 Administration Accounts (Organizing Committee Members)


For members of the Organizing and Scientific Committee who have access to the internal Conference management platform, the following data are stored: username, email address, password (stored as a bcrypt hash), display name, registration date, role, and platform access rights. Access rights are assigned based on the committees to which the user belongs (Role-Based Access Control system - RBAC). Members may modify their display name, email address, and password through their profile.

Purpose of processing: Providing access to management tools and the secure operation of the platform. Legal basis: Performance of a contract (organizational function and assumption of duties), in accordance with Article 6 paragraph 1 point (b) of the GDPR.

3.8 Publicly Displayed Information of Committee Members and Keynote Speakers


For members of the Organizing Committee, the Scientific Committee, and the Keynote Speakers of the Conference, the following information, voluntarily provided by the members themselves, is published on the website: full name (in Greek and English), institution, specialty or role, curriculum vitae (keynote speakers), portrait photograph, as well as profile links, including website, LinkedIn, Google Scholar, ORCID, ResearchGate, and social media.

Purpose of processing: The public display of Conference members and speakers. Legal basis: Consent, in accordance with Article 6 paragraph 1 point (a) of the GDPR. Members may withdraw their consent at any time, resulting in the removal of their published information.


4. TECHNICAL DATA, COOKIES AND TRACKING TECHNOLOGIES


4.1 Session Cookies


Our website uses technically necessary session cookies for its proper and secure operation. Specifically, a session cookie named IUSCI_SESS is used, which serves the management of user sessions and protection against Cross-Site Request Forgery (CSRF) attacks. This cookie has the following security characteristics: it is HttpOnly (not accessible via JavaScript), uses a SameSite policy (Strict), is transmitted exclusively over an encrypted HTTPS connection (Secure flag), does not contain personal data, and expires automatically upon session termination or after one (1) hour of inactivity.

4.2 Language Cookie


To maintain your language preference (Greek or English) while browsing the website, a cookie named lang is stored. This cookie exclusively contains the language code (el or en), is HttpOnly, and its validity is one (1) year.

4.3 Google Analytics


Our website uses the Google Analytics service (measurement ID: G-8NX20QLKTK) provided by Google LLC, for the purpose of statistical analysis of traffic. The data collected through this service include: number of visits and page views, approximate geographic region (based on IP address), device type and operating system, browser type, traffic source (referrer), as well as page interaction information. These data are anonymized and do not allow direct identification of the user. Google LLC processes this data in accordance with its own privacy policy (https://policies.google.com/privacy) and the Standard Contractual Clauses (SCCs) for data transfers outside the European Economic Area.

Legal basis: Legitimate interest (traffic analysis and service improvement), in accordance with Article 6 paragraph 1 point (f) of the GDPR.

4.4 External Content Services


The website uses the following external services for loading display elements: Google Fonts (fonts.googleapis.com) for loading fonts, as well as Cloudflare CDN (cdnjs.cloudflare.com) for loading the Font Awesome icon library. When loading these resources, the provider receives technical connection data, such as the user's IP address, in accordance with their own privacy policies.

4.5 Audit and Security Logs


For security and information system protection purposes, the following technical data are recorded: the user's IP address (for rate limiting and prevention of malicious use), the User Agent (browser information), the action performed (only for administration users), as well as the date and time. For failed login attempts to the administration platform, the IP address is recorded for the purpose of rate limiting, and this data is automatically deleted after a short period of time.

Legal basis: Legitimate interest (information systems security), in accordance with Article 6 paragraph 1 point (f) of the GDPR.


5. HOW WE PROTECT YOUR DATA


We implement comprehensive technical and organizational measures, in accordance with Article 32 of the GDPR, to protect your data. Specifically, we implement the following:

Encryption of sensitive registration fields (first name, last name, email, department) using the AES-256-CBC algorithm when storing them in the database.

Hashing of administration user passwords using the bcrypt algorithm.

Encryption of OAuth tokens (access tokens and refresh tokens) using the AES-256-CBC algorithm when storing them.

Exclusive use of encrypted HTTPS (SSL/TLS) connections across the entire website.

Implementation of HTTP security headers, including: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), X-XSS-Protection, Referrer-Policy (strict-origin-when-cross-origin), Permissions-Policy (blocking access to camera, microphone, geolocation).

Role-Based Access Control system (RBAC), under which each administration user gains access exclusively to the data and functions related to the duties of the committee to which they belong, with the ability for individualized permissions per user.

Rate limiting based on IP address to prevent brute-force attacks.

CSRF (Cross-Site Request Forgery) protection on all data submission forms, through random tokens generated per session.

Randomization of file names during upload (the original file name is not retained).

Automatic logout after inactivity.

Administration action logging (audit logging) for traceability and security event monitoring.

Use of parameterized queries (prepared statements) in all database interactions, to prevent SQL injection attacks.

Input validation and sanitization at every data submission point.


6. DATA DISCLOSURE TO THIRD PARTIES


Your personal data are not sold, rented, exchanged, or transferred to third parties for commercial or advertising purposes.

Data are disclosed or made accessible exclusively in the following cases:

Google LLC: Anonymized browsing data, through the Google Analytics service, exclusively for the purpose of statistical traffic analysis. Google LLC complies with the Standard Contractual Clauses (SCCs) for data transfers outside the EEA.

Microsoft Corporation: When sending emails (registration confirmation, newsletters, responses to contact messages, magic links for access), the data transmitted through the Microsoft Graph API include the recipient's email address, the subject and content of the message, as well as any attachments (such as PDF certificates). Microsoft Corporation processes the data in accordance with its own privacy policy (https://privacy.microsoft.com) and complies with the Standard Contractual Clauses.

Google Fonts and Cloudflare CDN: When loading fonts and icon libraries, technical connection data (primarily the IP address) are transmitted to the respective providers.

Department of Informatics of the Ionian University: The server on which the website and database are hosted belongs to the infrastructure of the Department of Informatics of the Ionian University. As such, the data are stored on the Department's infrastructure.

In all cases, data disclosure is carried out exclusively to the extent necessary for the fulfillment of the respective purpose and in compliance with the principles of data minimization.


7. INTERNATIONAL DATA TRANSFERS


Certain of the aforementioned service providers (Google LLC, Microsoft Corporation, Cloudflare Inc.) may process data on servers outside the European Economic Area (EEA), primarily in the United States of America. In these cases, data transfer is based on Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Article 46 paragraph 2 point (c) of the GDPR, or on adequacy decisions in accordance with Article 45, where these exist. We ensure that every data transfer to third countries is carried out with appropriate safeguards, so as to ensure a level of protection equivalent to that provided within the European Union.


8. DATA RETENTION PERIOD


Your data are retained only for as long as necessary for the fulfillment of the purposes for which they were collected or for our compliance with legal obligations. Specifically:

Participant registration data: Retained for up to two (2) years after the end of the respective conference year.

Certificates (PDF files): Retained for up to two (2) years after the end of the respective conference year.

Contact messages: Retained for up to one (1) year after their submission or until the full resolution of the related inquiry, whichever comes first.

Workshop proposals: Retained for up to one (1) year after the end of the respective conference year.

Anonymous evaluation forms: Retained for up to three (3) years for statistical analysis and improvement purposes.

Audit logs: Retained for up to one (1) year.

Newsletter tracking data: Retained for up to one (1) year.

Session cookie: Expires automatically upon session termination or after one (1) hour of inactivity.

Language cookie: Valid for one (1) year.

Organizing Committee member accounts: Retained for the duration of their active tenure.

Failed login attempt data (IP): Automatically deleted after a short period of time (fifteen minutes).

OAuth access tokens: Remain active for as long as they are in use and expire after ninety (90) days of inactivity.

Upon expiration of the respective retention period, the corresponding data are deleted or fully anonymized.


9. YOUR RIGHTS


In accordance with the GDPR (Chapter III, Articles 15 to 22) and Law 4624/2019, as a data subject you have the following rights:

Right of access (Article 15 GDPR): You have the right to know whether we process your data, what data we hold, for what purposes we process them, to whom we disclose them, for how long we retain them, as well as to receive a copy thereof.

Right to rectification (Article 16 GDPR): You have the right to request the correction of inaccurate or the completion of incomplete data.

Right to erasure (Article 17 GDPR): You have the right to request the deletion of your data (also known as the "right to be forgotten"), provided that the data are no longer necessary for the purposes for which they were collected, you withdraw your consent, or there is no other legal basis for processing.

Right to restriction of processing (Article 18 GDPR): You have the right to request the restriction of the processing of your data, among others, when you contest their accuracy or object to the processing.

Right to data portability (Article 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format, as well as to request their transfer to another data controller, provided that the processing is based on consent or on the performance of a contract.

Right to object (Article 21 GDPR): You have the right to object at any time to the processing of data based on legitimate interest, including profiling. In the event of an objection, we will cease processing, unless there are compelling legitimate grounds that override.

Right to withdraw consent: In cases where processing is based on your consent, you have the right to withdraw your consent at any time, without this affecting the lawfulness of the processing carried out prior to the withdrawal.

To exercise any of the above rights, you may contact us at the email address info.iusci.di@ionio.gr. We will make every effort to respond to your request within thirty (30) calendar days of receiving it. In exceptional cases, this deadline may be extended by two (2) additional months, due to the complexity or number of requests, upon notifying you.


10. AUTOMATED DECISION-MAKING AND PROFILING


We do not carry out automated decision-making or profiling in accordance with Article 22 of the GDPR. None of our automated systems make decisions that produce legal effects or significantly affect data subjects.


11. PROTECTION OF MINORS


The Conference website and services are not directed at persons under the age of sixteen (16). We do not knowingly collect personal data from minors. If we become aware that data of a minor under the age of sixteen has been inadvertently collected, we will immediately proceed with their deletion. If a parent or legal guardian believes that a minor under their care has provided us with personal data, please contact us at info.iusci.di@ionio.gr.


12. CHANGES TO THE PRIVACY POLICY


This Privacy Policy may be updated or amended from time to time to reflect changes in our practices, our services, or the applicable legal framework. Any changes will be published on this page with an updated date. In the event of material changes that may affect your rights, we will notify you via email or through a prominent notice on the website, before the changes take effect. We recommend that you regularly check this page for updates.


13. RIGHT TO LODGE A COMPLAINT


If you believe that the processing of your data violates your rights under the GDPR or Greek legislation, you have the right to lodge a complaint with the competent supervisory authority:

Hellenic Data Protection Authority (HDPA), 1-3 Kifisias Avenue, 115 23 Athens, Greece. Telephone: +30 210 6475600. Website: www.dpa.gr.

Regardless of the right to lodge a complaint, we kindly ask you to first contact us at info.iusci.di@ionio.gr so that we may attempt to promptly resolve the issue.


14. APPLICABLE LAW


This Privacy Policy is governed by the General Data Protection Regulation (Regulation (EU) 2016/679), the Greek law on the protection of personal data (Law 4624/2019), and any other relevant and applicable European and national legislation. For any dispute arising from the application of this policy, the courts of Corfu shall have jurisdiction.


15. CONTACT


For any question, request, or comment regarding this Privacy Policy or the way we process your personal data, you may contact us:

Email: info.iusci.di@ionio.gr.
Contact website: https://iusci.di.ionio.gr/contact
Postal address: IUSCI Organizing Committee, Department of Informatics, Ionian University, Tsirigoti Square 7, 49100 Corfu, Greece