Privacy Statement

InAcademia Affiliation Validation Service (hereinafter referred to as: ”Service”) is a registered trademark of GÉANT VERENIGING (Association) and is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”)

InAcademia Service is a proxy utilised by commercial retail services and other services outside the normal scope of national federations that allows users to get additional discounts or special offers at merchants’ websites (web shops) on the basis of the positive verification of your affiliation with your academic institution.

It is a lightweight alternative to full federated identity access for merchants with minimal and pseudonymised attribute release to assist the preservation of user privacy. It intends to remove the need for merchants to request e-mail address-based ‘authentication’ or asking for scans of ID cards by accurately representing the real time affiliation of a person in the academic community

Merchants embed InAcademia into their validation processes, and users that are asked to consent to InAcademia sharing their confirmed affiliation to their home institution with the relevant service benefit from doing so in such a way that preserves their privacy and minimises the exchange of personal information that would otherwise be necessary to share.

This privacy statement describes how we process the personal data of you, the end user, when you use InAcademia Service.

Transfer of personal data

When you try to prove your eligibility for an offer that is only available to the academic and student community, a retailer or merchant that has registred with InAcademia will send a  request to InAcademia to handle the validation of a specific academic affiliation (“student”, “staff”, “faculty”, “member” or “employee”). When the merchant sends the request to InAcademia, that request  does not contain any of your personal data or any details of the transaction that you’re trying to process. A transient session identifier is exchanged between the merchant and InAcademia to identify the session.

InAcademia will then ask you to prove your affiliation with your Institution. This is done by asking you to authenticate at your home institution, and that process allows your institution to provide the following information to InAcademia:

  • Your affiliation to your institution (“student”, “staff”, “faculty”, “member” or “employee”)
  • A persistent or transient identifier, that will identify the session between InAcademia and the system of your institution over a given period of time subsequent to the first validation, provided that the relevant attributes are supported and released by your institution.

Upon successful authentication, InAcademia will evaluate the affiliation received from your institution and will decide how to respond to the merchant.

If the affiliation provided by your institution matches the requested validation, InAcademia will signal to the merchant a successful affiliation validation was made. Upon request of the merchant, InAcademia may send a pseudonymised persistent identifier, name of your institution as part of this confirmation. InAcademia will ask your consent before sending a positive response to the merchant.

If the affiliation provided does not match the requested affiliation, InAcademia will signal to the merchant that the affiliation validation has failed. No identifiable data is sent to the merchant as part of such a transaction.

The service requests a variety of identifiers in order to reflect the heterogeneous nature of support for the various identifiers across Europe.

Personal data Purpose Technical representation
Unique transient session identifier To initiate a new and unique request to the service Session UUID
Unique identifier To create a persistent ID if the merchant is requesting a persistent identifier. For the transient flow, the unique identifier is not used.

 

 

eduPersonTargetedID

eduPersonPrincipleName

Pairwise_ID

Subject_ID 

eduPersonUniqueID

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Affiliation To validate your eligibility for the offer eduPersonScopedAffiliation

eduPersonAffiliation

Home institution To validate that you are able to authenticate at the institution you declared to the merchant initiating the request towards InAcademia eduPersonScopedAffiliation

schacHomeOrganization

Table 1: prerequisites

Data Storage

All our data is stored within the EEA.

Purposes of the processing

InAcademia collects your affiliation from your institution and evaluates it on behalf of the merchants connected to InAcademia for the purposes of validating whether you are eligible to receive a specified product, service, discount or offer alone. The InAcademia Services plays no further role in the transaction and claims no relationship with the end user.

Data provided by your institution with your consent will be used for the purposes of:

  • Allowing a third party merchant to evaluate whether you qualify for a specified offer. 
  • Investigate abuse, fraud or technical issues.

InAcademia has no visibility of either your user profiles, account or order history at the merchant, and no details of the transaction between you and the merchant are shared at any point during the validation process.

Other processing of personal data within the service

What data is stored and processed?

InAcademia keeps a technical log of the transactions at InAcademia Service to be able to investigate abuse, fraud or technical issues. This technical log is stored for 28 days and contains the following data:

  • the date and time of your transaction;
  • a session identifier for the merchant which requested the validation;
  • an identifier for the merchant;
  • a session identifier as provided by your institution;
  • the affiliation provided by your Institution (in case of positive validation – including the name of your institution or in case of negative validation in the form of a simple ‘access_denied’ error);
  • the IP address used at the time of the transaction (this is only used in exceptional circumstances to debug service issues and is used only to understand patterns of user behaviour).
  • any additional personal information that your institution might have released to the InAcademia Service at the time of your authentication
  • Indication of your response to consent

After 28 days all technical logs are purged.

Transfer of personal data to third parties

Technical operations for the InAcademia Service are outsourced by GEANT Association to SUNET, a part of the Swedish Research Council (whose registered address isVästra Järnvägsgatan 3, Box 1035, 101 38 Stockholm, Sweden)  under a formal Data Processing Agreement, in full compliance with GEANT Data Protection Code of Conduct v1.0 and the General Data Protection Regulations.

The merchants using InAcademia are:

Customer

Validating users in…

Data transferred
Koninklijke Bibliotheek, the Netherlands The Netherlands Pseudonymous transient identifier

Affiliation

Home Institution (for ‘domain claim’)

Studentenrabatt.com, Germany Germany Pseudonymous transient identifier

Affiliation

SheerID, Inc, USA The Netherlands, Denmark, France, Spain, Italy, Sweden Pseudonymous transient identifier

Affiliation

MyUNiDAYS.com, United Kingdom France, The Netherlands Pseudonymous persistent identifier

Affiliation

Table 1: downstream services registered to and customers of InAcademia

Lawful basis

The legal basis for processing your personal data is your consent.

InAcademia will ask for your consent before releasing data towards a merchant. InAcademia will not re-use previously given consent. We will therefore always ask for your consent for every validation. Your consent is the only way that allows for data to flow from InAcademia to a merchant. If you choose not to consent, no personally identifiable information will be shared with the merchant, and you may be asked to validate your eligibility for the other via another mechanism. 

Right of access, right of rectification and right of erasure of personal data

You are always free to not consent to releasing the data. In such cases, you may however not be eligible to receive the benefits or discounts on products, or gain access to specific content or services from the merchant which is using InAcademia to validate your affiliation.

You may request a copy of the technical log data we are storing of your transaction(s) as described in the “What data is stored and processed?” section. Please note we can only provide you with this data if you can provide us with a valid session identifier that was used as part of your transaction. This identifier is presented on the consent screen. To retain such session identifier you must keep a copy of the consent screen of the specific transaction. 

You have the right to withdraw your consent, which will not affect the lawfulness of processing based on consent before its withdrawal. Please note that  you must provide to us a valid session identifier that was presented on the consent screen during the original transaction. To retain such session identifier you must keep a copy of the consent screen of the specific transaction.

Please note in both cases that the transaction is only personally identifiable for a maximum of 28 days from the date and time of your transaction.

You can exercise your rights by contacting our support desk at support@inacademia.org

Moreover, you have the right to lodge a complaint to the Supervisory Authority (Autoriteit Persoonsgegevens at https://autoriteitpersoonsgegevens.nl).

Purging  of personal data

All technical logs are automatically purged of personally identifiable information 28 days from the date and time of your transaction.

Retention period

InAcademia will store a technical log of the transactions for a period of 28 days from the date of your transaction.

Security of data

Access to technical log data is restricted and can only be accessed via secure methods by specifically authorised staff. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect.

Personal data controller

GÉANT Association is the data controller.

If you have any questions about how personal data are processed within the service, please contact info@inacademia.org.

There is appointed an Data Protection Officer at GÉANT Association, who can be contacted at: gdpr@geant.org

Data Protection Code of Conduct

This service complies with the international framework GÉANT Data Protection Code of Conduct ( http://www.geant.net/uri/dataprotection-code-of-conduct/v1 ) for the transfer of personal data from identity providers to the service. This framework is intended for services in Sweden, the EU and the EEA that are used in research and higher education.

Changes to this notice

This privacy statement might be changed at our discretion at any time. When we make changes to this notice, we will update the last modified date at the bottom of this page. If you are a regular user of this service, we encourage you to review this privacy statement regularly to stay informed about how we are protecting your data.

Last revision:  July 2021