Privacy Policy
Information pursuant to GDPR Art. 13 and Art. 14 | Version 1 | April 2026
1. Data Controller
Lennart Sieden & Stefan Bechtel GbR (moreNetwork / PeerDesk)
Heuspachstr. 79, 72644 Oberboihingen, Germany
Email: [email address: JavaScript required]
PeerDesk does not currently appoint a Data Protection Officer (DPO), as the processing does not meet the thresholds under GDPR Art. 37. Data protection inquiries are handled by the representatives named in the Legal Notice.
2. Personal Data Categories, Legal Bases, and Retention
PeerDesk processes personal data in the following categories:
| Category | Data | Legal Basis | Retention |
|---|---|---|---|
| Account & Profile | Name, email, institution, ORCID identifier, password hash, profile bio, institutional email | Art. 6(1)(b) GDPR — contract performance | Duration of account + 30 days after deletion request |
| Manuscript & Review | Manuscript text, abstracts, keywords, author lists, review content, scores, comments, editorial decisions, revision history | Art. 6(1)(b) GDPR — contract performance | 10 years minimum (scientific record integrity) |
| Payment Data | Transaction records, earnings, invoices (payment processor: Stripe Inc.) | Art. 6(1)(b) GDPR — contract; Art. 6(1)(c) GDPR — legal obligation | 10 years (§ 147 AO, § 257 HGB — tax and accounting records) |
| COI Declarations | Conflict-of-interest signals, flags, declarations | Art. 6(1)(b) GDPR — contract performance | 10 years (manuscript record) |
| Communication | Email addresses, notification preferences, support requests | Art. 6(1)(b) GDPR — contract; Art. 6(1)(f) GDPR — legitimate interest | Duration of account + 1 year |
| Consent Records | Terms acceptance timestamps, IP address, user agent string at time of consent | Art. 6(1)(c) GDPR — legal obligation (GDPR accountability, Art. 5(2)) | Duration of account + 3 years |
| Security & Anti-Fraud | IP addresses, device fingerprints, login timestamps, anomaly detection signals, audit logs | Art. 6(1)(f) GDPR — legitimate interest (platform integrity) | 3 years (audit logs) / 5 years (fraud investigation) |
| Analytics | Page views, session data, anonymized IP, device/browser info (via Google Analytics — planned, not yet active) | Art. 6(1)(a) GDPR — consent (will be requested via cookie banner when activated) | 26 months (Google Analytics default retention) |
3. Mandatory vs. Voluntary Information
Mandatory fields (required to use PeerDesk): first name, last name, email address, password. Without these, a contract cannot be formed and the service cannot be provided.
Optional fields (voluntary, improve service quality): profile bio, institutional email address, ORCID iD, research expertise areas, institution name. Providing optional data may improve reviewer matching quality and trust level, but is not required for basic platform access.
4. Data Flows to Third Parties
PeerDesk shares personal data with the following categories of third parties only to the extent necessary to provide the service:
- Stripe, Inc. (payment processor): When a reviewer sets up a payout account or receives compensation, we transmit reviewer identity data (name, email, banking details for KYC), transaction amounts, and payout instructions to Stripe. Stripe processes this data as an independent controller for its financial compliance obligations, and as a processor for payment execution on our behalf. See Stripe Privacy Policy.
- ORCID, Inc. (identity provider): If you connect your ORCID iD, we receive your ORCID identifier and any public profile data you have authorized (employment, publication list). This import is triggered by you and governed by your ORCID privacy settings. See ORCID Privacy Policy.
- Hetzner Online GmbH (hosting provider): All platform data — including personal data of users, manuscripts, and reviews — is stored on Hetzner servers in Germany. Hetzner processes this data exclusively on our behalf as a GDPR-compliant data processor under GDPR Art. 28. No data leaves the EU/EEA via Hetzner.
- united-domains AG (email service provider): Transactional emails (invitations, notifications, password resets) are sent via united-domains. They receive the recipient email address and the email content (which may include your name and notification details). united-domains is based in Germany and acts as a data processor under GDPR Art. 28.
- Google Ireland Limited (analytics — planned): When Google Analytics is activated in a future release, anonymized usage data will be transmitted to Google. This processing will only occur after you have given explicit consent via our cookie consent banner. The analytics feature is not yet active.
- Journals and publishers: When you participate in a review process for a specific journal, relevant data (reviewer profile, review content, editorial decisions) is shared with the editors of that journal, who act as a joint controller for that manuscript's processing.
We do not sell personal data. We do not share personal data with advertisers or data brokers.
5. International Data Transfers
Some of our third-party service providers are located outside the European Economic Area (EEA). We ensure that any such transfer complies with GDPR Chapter V through the following mechanisms:
- Stripe, Inc. (United States): Stripe participates in the EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023 (Adequacy Decision C(2023) 4745). Transfers are additionally covered by Standard Contractual Clauses (SCCs, Commission Decision 2021/914).
- ORCID, Inc. (United States): Transfers are covered by Standard Contractual Clauses (SCCs). Your use of ORCID Connect is voluntary and governed by your ORCID privacy settings.
- Google Analytics (planned, United States): Google Ireland acts as data controller for EU users. Where data is processed in the USA, Google relies on SCCs and participates in the EU-US DPF. IP anonymization will be enabled.
- Hetzner and united-domains: Both are German companies operating within the EU/EEA. No international transfer applies.
A copy of the applicable safeguards is available upon request at [email address: JavaScript required]. For details on all sub-processors, see our Sub-Processor Register.
6. Automated Decision-Making (GDPR Art. 22)
PeerDesk uses algorithmic tools to rank and suggest reviewer candidates for manuscript assignments. This automated ranking is based on expertise matching (discipline, keywords), historical performance, availability, and conflict-of-interest signals.
Important: No solely automated decisions with legal effect or similarly significant impact are made. Automated ranking is presented to editors as a non-binding recommendation only. All reviewer assignments are made by human editors who exercise independent judgment. Reviewers and authors are not subject to automated decision-making within the meaning of GDPR Art. 22(1).
7. Cookies
PeerDesk currently uses only strictly necessary cookies for authentication and security. Google Analytics is planned for a future release and will require your consent before activation. See our Cookie Policy for full details including cookie names, lifetimes, and how to manage your preferences.
8. Data Subject Rights (GDPR Articles 15–22)
You have the following rights with respect to your personal data:
- Right of Access (Art. 15): You may request confirmation of whether we process your personal data and obtain a copy in a machine-readable format (JSON export via your profile settings).
- Right to Rectification (Art. 16): You may correct inaccurate or incomplete personal data directly in your profile or by contacting us.
- Right to Erasure (Art. 17): You may request deletion of your account and personal data. Erasure is subject to legal retention obligations (e.g., tax records retained for 10 years). Account deletion can be initiated from your profile settings.
- Right to Restrict Processing (Art. 18): You may request that we restrict processing while you contest accuracy or lawfulness.
- Right to Data Portability (Art. 20): You may request all your personal data in a structured, commonly used, machine-readable JSON format for transmission to another controller.
- Right to Object (Art. 21): You may object to processing based on our legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent (e.g., analytics cookies once activated), you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with the competent supervisory authority.
9. Supervisory Authority
The competent supervisory authority for PeerDesk (operated by a company based in Baden-Württemberg, Germany) is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart
Website: https://www.baden-wuerttemberg.datenschutz.de/
Email: poststelle@lfdi.bwl.de
10. Contact & Data Subject Requests
To exercise any of your data subject rights or report a data protection concern:
Email: [email address: JavaScript required]
Address: Heuspachstr. 79, 72644 Oberboihingen, Germany
We will respond to requests within one month of receipt (GDPR Art. 12(3)). In complex cases, the deadline may be extended by a further two months; you will be informed of any extension within one month of your request.
Version: 1 | Last updated: April 2026