Alternative PHD ("we", "us", "our") respects your privacy. This document explains what personal data we process, for what purposes, on what legal grounds, how long we keep it, and what rights you have under the Law of Ukraine "On the Protection of Personal Data" No. 2297-VI of 1 June 2010, other applicable Ukrainian regulations, and, where relevant, the EU General Data Protection Regulation (GDPR, Regulation 2016/679). Alternative PHD is a Ukrainian-domiciled service and Ukrainian law applies as the primary legal framework.
1. Data controller
The "controller of personal data" within the meaning of the Law of Ukraine "On the Protection of Personal Data" is the Alternative PHD project. You can reach us using the contact details in section 9. No separate third-party processor is used.
2. What personal data we process
We deliberately minimise the personal data we collect. While you use the site we process the following categories only:
- Account data: username, email address, password hash (bcrypt), and role (author/editor). You provide this when you register.
- Submission data: title, abstract, the uploaded manuscript file (PDF or DOCX), the generated PDF, technical timestamps, and moderation status. The author provides this in the upload form.
- Contact data: name, email address, subject, and the body of any message sent through the contact form.
- Session data: session identifier in a cookie and authentication timestamps. This is required for the site to work.
- Server logs: in case of server errors, we may temporarily record IP address, User-Agent header, and request path in server logs for diagnostics. We do not use these for profiling.
We do not collect payment data, we do not use analytics or advertising cookies, we do not share data with third parties for marketing, and we do not sell personal data.
3. Purposes of processing
Your personal data is processed solely for the following purposes:
- providing access to the site and to publication features (registration, authentication, managing your own submissions);
- editorial review and publication of approved research articles;
- handling and responding to messages submitted through the contact form;
- ensuring the information security of the site and preventing abuse;
- compliance with applicable Ukrainian law.
4. Legal grounds for processing
We process personal data on the grounds set out in articles 7 and 11 of the Law of Ukraine "On the Protection of Personal Data" (and, where applicable, articles 6 and 9 of the GDPR), namely:
- Your consent — given when you register, submit an article, or use the contact form.
- Performance of a contract with you for access to publication and reading on the site (the terms of use).
- Legitimate interest — securing the site and preventing abuse.
- Compliance with a legal obligation in cases expressly required by law.
5. Cookies
We use only essential (technical) cookies without which the site cannot operate correctly:
connect.sid— session identifier for an authenticated user;_csrf— protection against Cross-Site Request Forgery (CSRF);lang— your selected interface language;cookie_consent— remembers your choice in the consent banner.
We do not use analytics, advertising, or any other third-party trackers.
6. Data security
Passwords are stored only as cryptographic hashes (bcrypt, cost factor 12). Session cookies carry the HttpOnly and SameSite=Lax flags; in production HTTPS and the Secure flag are required. All state-changing forms are protected by CSRF tokens. Access to the server and database is restricted to the minimum necessary set of administrators.
7. Retention periods
- Account data is retained while your account exists. You may request deletion at any time (see section 9).
- Submission data is kept for as long as the article remains published or until you request its removal.
- Contact-form messages are retained for up to 24 months from the date of correspondence and then deleted.
- Server logs are kept for no longer than 30 days and rotate automatically.
8. Data sharing
We do not share your personal data with third parties except as expressly required by law, by an enforceable court order, or by a lawful request from a competent authority. Data is processed on servers we control.
9. International transfers
We do not engage in cross-border transfers of personal data to states that do not provide an adequate level of protection. If such a transfer becomes necessary, we will apply the safeguards required by article 29 of the Law of Ukraine "On the Protection of Personal Data".
10. Your rights as a data subject
Under article 8 of the Law of Ukraine "On the Protection of Personal Data" (and articles 12–22 of the GDPR where applicable), you have the right to:
- know about the collection of your personal data and the procedure for accessing it;
- receive information about access conditions, including third parties to which the data is transferred;
- access, rectify, and update your personal data;
- erase (the right to be forgotten) your personal data when it is processed unlawfully or if you withdraw consent;
- restrict processing;
- object to processing;
- receive your data in a structured, machine-readable format (data portability);
- withdraw your consent at any time;
- lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (Ombudsman) at www.ombudsman.gov.ua or in court.
11. Privacy enquiries
For any questions about the processing of your personal data, exercising your rights, or withdrawing consent, write to legacy@alternative.phd or use the contact form. We respond to data-subject requests within 30 calendar days.
12. Changes to this policy
This policy may be updated as the law, the technology, or our processes change. The "Last updated" date appears at the top. For material changes, we will notify users with a banner on the site.