Ukrainian Science Diaspora

Privacy Policy

Effective from June 7, 2026.

Introduction

This Privacy Policy explains what personal data we collect on the ukrdiaspora.nauka.gov.ua platform (the "Platform"), how we use it, with whom we share it, and how you can control your data. The Platform serves Ukrainian scientists — both members of the diaspora abroad and those working inside Ukraine. Because of the ongoing war, additional safety provisions apply to accounts of scientists working inside Ukraine; these are described below.

1. Data Controller

Controller: the "Ukrainian Science Diaspora" project under nauka.gov.ua. Privacy contact: via the contact form on the site or the team email listed in the "Contact" section.

2. What Data We Collect

We collect only the data you voluntarily provide during registration or profile editing, plus minimal technical server data.

2.1 Registration data (required)

  • First and last name;
  • Email address;
  • Password (stored only as a cryptographic hash — we never see it in plaintext);
  • Year of birth, gender;
  • ORCID iD (link to your public ORCID profile);
  • Field of science (from the international ORCID classification);
  • Acceptance of the Terms of Service.

2.2 Data based on where you work

At registration you indicate whether you work in Ukraine or abroad. Depending on your answer we ask different fields.

If you work in Ukraine:

  • Region (oblast) and city;
  • Work address (optional);
  • Name of your institution in Ukraine (optional).

If you work abroad:

  • Country of residence;
  • Name of your current (host) institution;
  • Address of the host institution (optional, used to pin you on the map);
  • Name of your home institution in Ukraine (optional);
  • Oblast you left (optional);
  • When you left (before / after 24.02.2022, optional);
  • Current title / occupation (optional).

2.3 Additional data

  • CV in PDF, DOC or DOCX format — optional;
  • Profile photo — optional;
  • Mentor biography / statement — optional, only for users who choose to act as mentors;
  • Publications list — optional (may also be auto-fetched from ORCID).

2.4 Technical data

The server automatically logs a minimal set of technical data needed for security and basic analytics: IP address, browser type, time of visit, pages viewed. These logs are retained for no longer than 90 days.

3. Special Safeguards for Scientists Working in Ukraine (Wartime Conditions)

We recognise that public disclosure of a scientist's precise work location during wartime can create safety risks. For accounts marked "I work in Ukraine" we therefore apply the following rules, which will not be changed without your separate consent:

  • The precise work address is stored only in our own database and is never displayed on the public map. The map shows only the centroid of your city.
  • The precise address is not shared with third parties, except with the LocationIQ geocoding service for a one-off coordinate computation at registration (see section 6).
  • We do not collect or store information about equipment, lab infrastructure, schedules of presence, or anything else that could identify a physical asset as a target.
  • The full profile of scientists in Ukraine is visible only to authenticated users. Anonymous visitors see only aggregate information (field of science and region).
  • You can hide or delete your profile at any time — the button takes effect immediately.

If you notice information on the Platform that you believe creates a risk, contact us — we will remove it or restrict access within 24 hours.

4. How We Use Your Data

We process your personal data for the following purposes:

  • Creating and maintaining your account and profile on the Platform;
  • Showing you on the scholars map and directory (subject to your visibility settings);
  • Connecting scientists, diaspora members and partners;
  • Mentor programme (if you opted in as a mentor);
  • Participation in microhubs (research groups) — at your own initiative;
  • Sending communications you opted in to (optional);
  • Platform security and abuse prevention;
  • Compliance with legal obligations.

5. AI Processing

The Platform has features that use third-party large language models (LLMs) to process text. This includes specifically:

  • Automated CV processing. If you upload a CV, the document text is processed by a third-party AI model (OpenAI gpt-4o-mini) to extract structured information: research direction, publications, grants received, year of PhD defence. The generated description is shown to you for review and editing before publication — the AI-generated text is never published without your explicit confirmation.
  • Smart search. Your search query may be sent to an AI model to improve result relevance. The query itself is not linked to your account beyond the duration of one request.
  • Microhub descriptions. If your profile is part of a microhub, AI may generate a summary description of the group from the public profiles of its members. The summary is reviewed by the hub lead before publication.
  • Internal system tasks — spam filtering in the Telegram bot, address parsing. For these tasks we use the free-tier providers listed in section 6.

You have the right to withdraw consent to AI processing at any time. AI-generated portions of your profile will then not be published, which may limit some Platform functionality for you.

6. Who We Share Data With

We do not sell or rent your personal data to third parties. We share the minimum necessary data with the following service providers, acting as data processors under GDPR:

  • OpenAI (USA) — CV processing, AI hub descriptions, smart search. We send CV text and profile metadata; we do not send passwords, emails, or IP addresses.
  • Mistral AI (France), Cerebras (USA), Groq (USA) — fallback models for system tasks (spam filtering, address parsing).
  • LocationIQ (USA) — geocoding addresses to map coordinates. We send address text and receive coordinates.
  • ORCID (USA) — public API to fetch your publications by ORCID iD. We only read public information; we never write anything to your ORCID profile.
  • SMTP provider — delivery of email (registration confirmation, microhub invitations). We send your email address and the message text.
  • Telegram (internal team notifications) — messages to the controller's team about new registrations or profile approvals. We send name, country, science area and ORCID link. Passwords and emails are not sent.
  • Law enforcement — only when required by law or to protect our rights and user safety.

The list of providers may evolve; the current version is always in this section.

7. Inviting Colleagues to Microhubs

The Platform lets a microhub lead enter colleagues' email addresses to send them an invitation. Note that:

  • Entered email addresses are stored on our server only to send the invitation and to track its status.
  • The recipient sees the lead's name, the hub name and the invitation link. No other data about you is shared without your separate consent.
  • If the recipient does not accept within 7 days, the link expires.
  • Entering someone else's email without reasonable grounds may breach GDPR — the user entering the email is responsible for having such grounds.

8. Legal Basis for Processing

Under GDPR we process your data on the following legal bases:

  • Consent — for all non-essential processing (publishing a profile, AI CV processing, mentoring, microhubs).
  • Contract performance — for basic account functioning.
  • Legitimate interest — for security, abuse monitoring, technical analytics.
  • Legal obligation — in cases defined by law.

9. Cookies

We use the minimum cookies needed for basic functionality (session, language preference, CSRF token) and visit analytics. You can restrict cookies via your browser settings; doing so may make parts of the Platform unavailable.

10. Your Rights

Under GDPR and Ukrainian data protection law you have the following rights:

  • Access — obtain a copy of all data we hold about you.
  • Rectification — update any profile field (most fields you edit yourself in your account).
  • Erasure — fully delete your account. Data is purged within 30 days. CV file is removed immediately.
  • Hide — remove your profile from the map and directory without deleting the account.
  • Restriction of processing — ask us to restrict a particular kind of processing (e.g. AI).
  • Portability — receive your data in a machine-readable format.
  • Withdraw consent — at any time, without giving reasons.
  • Complaint — to the Ukrainian Parliament Commissioner for Human Rights or to a European supervisory authority.

Submit rights requests via the contact form. We respond within 30 days.

11. Data Retention

  • Profile data — while the account is active.
  • CV file — while the profile is active or until you replace it with a new one.
  • AI-generated descriptions — while the profile is active; deleted together with it.
  • Technical logs — 90 days.
  • Processing audit log — 6 months for security purposes.
  • After account deletion — all of the above is purged within 30 days, except where law requires longer retention.

12. International Data Transfers

Some of our processors (OpenAI, Cerebras, Groq, LocationIQ, ORCID) are located outside the European Economic Area. For such transfers we rely on Standard Contractual Clauses and your explicit consent.

13. Security

We apply technical and organisational security measures: traffic encryption (HTTPS), password hashing, access controls for administrators, monitoring of suspicious activity. However, no method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

14. Changes to This Policy

We may update this Policy; the latest effective date is shown at the top. We will notify registered users of material changes by email at least 14 days before they take effect.

15. Contact

Questions, requests, complaints — via the contact form on the site: ukrdiaspora.nauka.gov.ua.