Appendix G — Databrary Privacy Policy
Effective Date: June 1, 2020
Revised: February 1, 2021
1. Introduction
Databrary (“we”, “our”) is a web-based data library provided by New York University (“NYU”). Databrary is designed for the storage, sharing, and re-use of Research Data, especially video and audio recordings and associated Contents, some of which may contain personally identifying or sensitive information about human or non-human animal research participants. Some Contents on Databrary are available to any User, but most Contents are accessible only to a restricted community of Authorized Users who have approval from an Institution to browse, stream, and download Contents and to upload, store, and share Contents with other Authorized Users for educational, research, medical, or charitable purposes.
As used in this Privacy Policy, “you”, “your” include all individuals accepting these policies as described below.
We are committed to maintaining the highest level of privacy and security in order to protect researchers and research participants. We collect no information about you for commercial marketing or any other purpose unrelated to our mission.
2. Definitions
We use the following defined terms:
Authorized Investigator: A person who has permission from an Institution to conduct independent research and who has received authorization from an Institution and from Databrary to access Databrary.
Affiliate: A person who conducts research under an Authorized Investigator’s sponsorship and supervision and who has been granted access to Databrary by the Authorized Investigator. In most cases, Affiliates are students or research staff and are not eligible for Authorized Investigator status.
Authorized Users: An Authorized Investigator or Affiliate who makes use of our Websites.
Institution: An academic, not-for-profit, research, government, or health entity whose employees or students conduct scientific research or educational activities.
Content: Includes but is not limited to Data files, procedural videos, videos of research participation, consent forms, participant demographics, coding sheets, analysis scripts and output, comments, tags, URLs, documents, and descriptive text.
Research Data: Content collected by scientific researchers about the behavior or functioning of human or non-human animal participants for the purpose of discovery and the advancement of human knowledge.
Identifiable Data: Collections of information that might be used singly or in combination to determine the identity of research participants or other individuals depicted in recordings or Research Data.
Restricted Data: Research Data that is sensitive or contains Identifiable Data and which requires that access be restricted to specific individuals, namely Authorized Users.
Users: All persons, aged 18 years-of-age or older, who use our Websites.
Websites: The websites maintained by Databrary, including databrary.org, www.databrary.org, nyu.databrary.org, datavyu.org, and www.datavyu.org.
Access Agreement: The Databrary Access Agreement between an Authorized Investigator and his or her Institution and New York University (NYU) on behalf of Databrary.
3. Consent
By using our Websites, you acknowledge and accept the privacy practices described in this Privacy Policy. If you choose to publish personal information on our Websites, it will be made available to other users.
4. Changes to this Privacy Policy
We may modify this Privacy Policy in whole or in part at any time. The modified policy will be posted on our Websites with an updated effective date. Please review any posted changes to our Privacy Policy carefully. If you agree to the terms, simply continue to use our Websites. If you object to any of the changes to our Privacy Policy, please do not continue to access our Websites, as your continued use of our Websites and Services after we have posted a notice of changes to the Privacy Policy shall constitute your consent to the changed terms or practices. Note that any personal data we collect about you is subject to the Privacy Policy in effect at the time of its collection, and, further, that you have certain rights with respect to that personal data, as described in this Privacy Policy.
5. Content
Databrary’s mission is to accelerate scientific discovery by facilitating the storage, sharing, and re-use of Research Data, including Restricted Data like video and audio recordings. Where Restricted Data about humans are stored and shared, the permission of research participants or the waiver of the requirement for that permission by an Institution is required. This means that Authorized Users can upload to Databrary research-related information (“Content”) as permitted by their institutions, including, but not limited to, data files, procedural videos, videos of research participation, consent forms, participant demographics or characteristics, coding sheets, and analysis scripts and output. In uploading or downloading Content, Authorized Users agree to uphold the highest ethical standards, as laid out in the [Databrary Access Agreement] (https://databrary.org/about/agreement.html). Ultimately, Authorized Users are in control of both the nature of the Content stored on Databrary, and with whom and to what extent that Content is shared, within the bounds of what Research Data participants agreed to share and what use has been authorized by the Authorized User’s Institution.
6. Information Collected
Information Collected from Users
Unless you are a member of the general public with limited viewing rights to Content, in order to fully use our Websites, you must register and create an account that provides us with your name, institutional email address, institution name, profile web page at your institution, a password, and permission to contact your institution’s appointed contracts agent and related contact information in order to complete a Databrary Access Agreement on your behalf.
If you are authorized by your Institution to access to Databrary, either as an Authorized Investigator or as an Affiliate, you will be asked to enter your institutional email address (user ID) and Databrary password for all subsequent access. In accessing Databrary as an Authorized User, you agree to keep the information you have provided us (name, email, institution) current and accurate. Your information may be modified by accessing your user profile. If you choose to cancel your Databrary access, you may delete your user account by emailing contact@databrary.org.
You may optionally provide a profile picture and your unique ORCID https://orcid.org/ identifier. If you choose to provide us with any additional information about yourself, including through an e-mail message, form, survey, etc., we will take every precaution to keep the information confidential and protect your privacy to the extent allowable by law.
How We Use the Information Collected from Users
Your Databrary account will be used to organize, track, and label any data you might choose to upload, as well as to track any Content you download from our Website. This is done so that we can obtain aggregated usage statistics and to identify the account responsible for any breaches of the Databrary Access Agreement, Terms of Service, or this Privacy Policy.
We may periodically contact you via email to notify you of changes or improvements in the Databrary website, to ask you for feedback on our service, or to notify you of changes in Databrary’s policies. In rare cases, we may contact you with information related to a specific dataset you have downloaded (e.g., if a participant or researcher has revoked consent to share the data). You may opt out of automatic communications in the Notifications section of your user profile.
Information Collected and Stored Automatically
Log files and IP addresses
We may collect information from the devices and networks that you use to visit our Websites in order to help improve the services we provide, including the date and time of your visit, the operating system of your computer or device, the version of the web browser or other program you use, the Application Programming Interface (“API”) you use, your mobile device carrier, your Internet Service Provider (“ISP”), and your Internet Protocol Address (IP Address). An IP address is a number that is automatically assigned to your computer whenever you access the Internet. For example, when you request a page from one of our sites, our servers log your IP address to create aggregate reports on user demographics, traffic patterns, and for purposes of system administration. Every time you request or download a file from one of our Websites, Databrary may store data about these events and your IP address in a log file. We may use this information to analyze trends, administer the site, track users’ movements, and gather broad demographic information for aggregate use or for other business purposes. When you access or leave our Websites by clicking on a hyperlink, we may receive the URL from the site from which you last visited or the one to which you’re directed. We also may receive location data passed to us from third-party services or GPS-enabled devices that you have set up in order to customize your experience based on location information.
Web Beacons
Our Websites also may use web beacons and other technologies, such as pixels and JavaScript tags, to collect non-personal information about your use of our site and the sites you visit, your use of special announcements or newsletters, and other activities. The information collected by web beacons allows us, for example, to statistically monitor how many people are using our Websites; how many people open our emails; and for what purposes these actions are being taken.
Google Analytics
Our sites use Google Analytics, a service which transmits website traffic data to Google servers in the United States. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. Google Analytics relies on cookies; a list of the cookies used by Google Analytics can be found at (https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage).
You may refuse the use of cookies by selecting the appropriate settings on your browser, and you may opt-out of Google Analytics altogether by using the Google Analytics Opt-Out Add-on, available at (https://tools.google.com/dlpage/gaoptout?hl=en).
How We Use the Information Provided Automatically
This information is aggregated and used only for statistical purposes to help improve Databrary for all users. Unless specifically stated otherwise, no additional information will be collected about your use of the Databrary website. We do not share personally identifiable information with any third-party advertisers.
7. Contacting Databrary
If you contact Databrary, we collect information that helps us categorize your question or report, respond to it, and, if applicable, investigate any breach of this Privacy Policy. We also may use this information to track potential problems and trends in order to improve our services to you and to the community as a whole.
8. Disclosure
An Authorized Investigator who has shared Content on Databrary for use by other Databrary users may request a list of those users who have downloaded the Content. In that case, we will provide the person who requested the list of users with your name and institution name. In no other case will Databrary disclose, give, sell, or transfer any other personal information about our visitors or users, unless required to do so by law enforcement or by statute, or upon mutual agreement between the relevant party and Databrary.
9. Third Party Sites
Databrary may link to external sites that are not controlled by NYU or Databrary. Your use of such websites will be subject to the privacy policies of those websites, which we encourage you to read. Databrary is not responsible for the privacy practices or the content of such websites and does not make any representations about them.
10. Security
To ensure data and site security and continuous availability, we employ software programs to monitor traffic and to identify unauthorized attempts to upload, change information, download, or to otherwise cause damage. We also periodically monitor our system for possible vulnerabilities and attacks, consistent with industry standards. In the event of authorized law enforcement investigations, and pursuant to any required legal process, information from these sources may be used to help identify an individual.
You should be aware, however, that since the Internet is not a 100% secure environment, we cannot ensure or warrant the security of any information that you submit to the site. There is also no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security and integrity of your account details, including your username and password. To maintain the security of your information, you must keep your username(s) and password(s) strictly confidential and not disclose them to anyone. You will be solely responsible for any action, activities, and access to our Websites that are taken using your username and password and that occurred before you notified us of their loss.
If you become aware of any security breach of your password or of the security of the Websites or Services, you must contact us as soon as possible at info@databrary.org.
11. Data Retention
We will keep your personal information for as long as your account is active or as needed to comply with our legal obligations, even after you’ve closed your account, such as to fulfill our obligations to our others (including as described in Section 8), meet regulatory requirements, resolve disputes between users, to prevent fraud and abuse, or to enforce this Privacy Policy. We may be required to retain personal information for a limited period of time if requested by law enforcement. We also may retain indefinitely non-personally identifiable, aggregate data to facilitate our ongoing operations.
12. Data transfer
Databrary may store and process personal information on servers or on a cloud located outside of the country where you originally deposited data. The data-protection laws of the country or countries where this personal information will be stored or processed might not be as comprehensive as those in your country. If you are unsure whether this Privacy Policy is in conflict with applicable local rules, you should not submit your information to Databrary. If you are located within the European Economic Area (see 13. General Data Protection Regulation), you should note that your information will be transferred to the United States, which is deemed by the European Union to have inadequate data protection. By using our Websites and/or directly providing personal information to us, you hereby agree to and acknowledge your understanding of the terms of this Privacy Policy, and consent to have your personal data transferred to and processed in the United States and/or in other jurisdictions as determined by Databrary, notwithstanding your country of origin, or country, state, and/or province of residence.
13. General Data Protection Regulation (GDPR)
If you are a resident of or are located in the European Economic Area (“EEA”), you may have certain rights under the General Data Protection Regulation (“GDPR”). Personal data you provide is only collected with your consent, and may be transmitted outside of the EEA to Databrary (or computer servers maintained for the benefit of Databrary) pursuant to that consent.
In general, under the GDPR you may:
request access to your personal data.
have incomplete or incorrect data corrected.
have your personal data deleted.
suspend or restrict our use of your personal data, or withdraw your consent.
request a copy of your personal data.
complain to a supervisory authority if you believe your rights under the GDPR are not being respected.
Should you request a copy of your personal data, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
Should you request the deletion of your personal data, Databrary will generally do so as soon as practicable, although your right to have your personal data deleted is subject to exceptions, such as, for example, compliance with a legal obligation or for the establishment, exercise or defense of legal claims. If you consider that our processing of your personal information infringes on data-protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
Contact Databrary at contact@databrary.org if you have concerns regarding your personal data, or wish to exercise any of these listed rights.
Note that, if you are in the EEA, we may transfer your personal data outside of the EEA, including to the United States. By way of example, this may happen if your personal data is transferred to our servers located in a country outside of the EEA. These countries may not have similar data-protection laws to the EEA. By submitting your personal data, you’re agreeing to this transfer, storing, or processing. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. As part of New York University, Databrary shares NYU’s appointed Data Protection Officer. For more information, email info@databrary.org.
GDPR and Research Contents
Because Databrary’s Contents are stored on servers located in the United States, Restricted Data stored on Databrary may be accessed and re-used by researchers outside of the EEA. As described in the Databrary Access Agreement, Institutions and Authorized Users have obligations to ensure that consent sufficient to meet GDPR provisions was obtained from research participants prior to storing information on Databrary or sharing it with other Authorized Users. The same requirement to ensure that adequate consent to meet GDPR provisions was obtained from research participants applies when you, an Authorized User, downloads Contents shared by other Authorized Users from any jurisdiction.
14. Questions
If you have questions about this Privacy Policy or the privacy practices of Databrary, please contact info@databrary.org.