Privacy Policy
Last updated: 8 March 2026
Libre Biotech ("we", "us", "our") operates the librebiotech.org platform. This policy explains what personal data we collect, why we collect it, how we process it, and your rights regarding that data.
We are committed to transparency, minimal data collection, and respecting your privacy. We do not sell personal data, serve advertising, or build behavioural profiles.
1. Who we are
Libre Biotech is operated as a sole trader registered in Queensland, Australia. For privacy enquiries, contact:
- Email: privacy@librebiotech.org
- Postal: Available on request
2. What data we collect
2.1 Account data
When you register an account, we collect:
- Name
- Email address
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Optional profile fields: affiliation, ORCID, biography, avatar image
2.2 Research data
You may upload or create research data on the platform, including:
- Investigation, study, and process metadata
- Sample records and annotations
- Protocol text and versioned instructions
- Data files (FASTQ, BAM, CSV, images, PDFs, etc.)
- Analysis pipeline configurations and results
- Comments, posts, and reviews
You own your research data. See our Data Sovereignty Statement for details.
2.3 Automatically collected data
When you use the platform, our web server automatically logs:
- IP address
- Browser user-agent string
- Pages requested and timestamps
- HTTP referrer
These logs are used for security monitoring and debugging. They are retained for up to 90 days and are not shared with third parties.
2.4 Cookies
We use only essential cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains your login session | Browser session |
| lb-theme | Stores your light/dark theme preference | Persistent (localStorage) |
We do not use analytics cookies, tracking pixels, or third-party advertising cookies.
3. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing and maintaining the platform | Contract performance |
| Sending transactional emails (password reset, notifications you opt into) | Contract performance / Consent |
| Security monitoring and abuse prevention | Legitimate interest |
| Displaying your public profile and contributions | Contract performance |
| Aggregated, anonymised usage statistics (internal only) | Legitimate interest |
We do not use your data for: advertising, behavioural profiling, selling to third parties, or training machine learning models.
4. Third-party services
We use the following third-party services that may process personal data:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting | All platform data resides on Hetzner infrastructure | Falkenstein, Germany (EU) |
| SMTP email provider | Transactional email delivery via PHPMailer | Email address, message content | Depends on configured SMTP server |
| Let's Encrypt | TLS/SSL certificates | Domain name, server IP | United States |
We do not use Google Analytics, Facebook Pixel, or any other third-party tracking service.
5. Where your data is stored
All platform data (database, uploaded files, backups) is stored on a dedicated server operated by Hetzner Online GmbH in Falkenstein, Germany. Germany is within the European Union and subject to GDPR.
Backups are transferred daily via an encrypted connection to a backup server in Australia.
6. Data retention
- Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
- Research data: Retained while your account is active or while the data is part of an active group/investigation. You may export and delete your data at any time.
- Server logs: Retained for up to 90 days.
- Backups: Retained for up to 30 days after data is deleted from the live system.
7. Your rights
Under the GDPR and the Australian Privacy Act 1988, you have the right to:
| Right | What it means |
|---|---|
| Access | Request a copy of all personal data we hold about you |
| Rectification | Correct inaccurate personal data |
| Erasure | Request deletion of your account and personal data (GDPR Article 17) |
| Data portability | Export your data in standard, machine-readable formats (ISA-JSON, CSV, RO-Crate) |
| Restriction | Request that we limit processing of your data |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Where processing is based on consent, withdraw it at any time |
To exercise any of these rights, email privacy@librebiotech.org. We will respond within 30 days.
8. Data sharing with group members
Research data on Libre Biotech is organised into groups and investigations with configurable visibility:
- Private: Visible only to group members
- Group: Visible to members of associated groups
- Public: Visible to anyone, including non-logged-in visitors
You control the visibility of your data. Group leaders and managers can adjust visibility for data within their groups. We do not change visibility settings without your group's instruction.
9. Security
We implement the following security measures:
- TLS encryption for all connections (HTTPS)
- Passwords stored using bcrypt hashing
- CSRF protection on all forms
- Role-based access control
- Daily encrypted backups
- Server access restricted to SSH key authentication
- Regular software updates
10. Children
Libre Biotech is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to registered users and noted on this page with an updated date. Continued use of the platform after changes constitutes acceptance.
12. Contact and complaints
For privacy enquiries or complaints:
- Email: privacy@librebiotech.org
If you are not satisfied with our response, you may lodge a complaint with:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- EU: Your local data protection authority