Privacy Policy

Last updated: March 18, 2026

Introduction

This Privacy Policy describes how Annotrieve ("we", "our", or "us") collects, uses, and protects information when you use our service. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Annotrieve is a research platform for accessing eukaryotic genome annotations. We collect minimal server-side logs solely for the purpose of understanding usage patterns by geographic location (country level).

Data We Collect
We collect only the minimum data necessary for usage analytics

When you access Annotrieve, our web server automatically logs the following information for each request:

  • IP Address – Your Internet Protocol address, which we use to determine your approximate geographic location (country level only). We extract the real client IP from the X-Forwarded-For header when available.
  • Request URI – The specific page or API endpoint you accessed (e.g.,/annotrieve/api/v0/annotations).
  • HTTP Method – The type of request (GET, POST, etc.).
  • Timestamp – The date and time of your request in ISO 8601 format.
  • User Agent – Information about your browser or client application (e.g., browser type and version).
  • HTTP Referer – The webpage that referred you to our service (if applicable).
  • HTTP Status Code – The response status (e.g., 200, 404, 500).
  • Request Processing Time – How long it took to process your request (in seconds).

What we do NOT collect:

  • No cookies or tracking identifiers
  • No personal information (name, email, etc.)
  • No client-side analytics or tracking scripts
  • No data from static asset requests (images, CSS, JavaScript files are excluded from logging)
How We Use Your Data
Limited use for usage analytics only

The logged data is used exclusively for the following purposes:

  • Usage Tracking by Country – We process IP addresses to determine the country of origin for requests. This helps us understand the geographic distribution of our users and the global reach of the Annotrieve platform.
  • Service Optimization – Analyzing request patterns, response times, and error rates to improve service performance and reliability.
  • Research Analytics – Understanding how the platform is used for research purposes, including which API endpoints are most accessed and usage trends over time.

We do NOT: use this data for commercial purposes, share it with third parties, create user profiles, or use it for marketing or advertising.

Legal Basis for Processing

Under GDPR, we process your data based on legitimate interests (Article 6(1)(f) GDPR). Our legitimate interests are:

  • Understanding usage patterns to improve and optimize our research platform
  • Monitoring service performance and ensuring reliability
  • Analyzing geographic distribution of users for research impact assessment

We have balanced our legitimate interests against your privacy rights and determined that the minimal data collection (IP addresses and request metadata) is necessary and proportionate for these purposes.

Data Retention

Server logs are retained for a reasonable period necessary for analytics and troubleshooting. The specific retention period may vary based on operational needs, but we aim to:

  • Retain detailed logs for a limited period (typically several months)
  • Aggregate usage statistics by country may be retained longer for research analytics
  • Delete or anonymize logs when they are no longer needed for the purposes described above
Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Logs are stored securely on our servers with restricted access
  • Access to log data is limited to authorized personnel only
  • We use industry-standard security practices to protect against unauthorized access, alteration, disclosure, or destruction of data
Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access – You can request information about what personal data we hold about you.
  • Right to Rectification – You can request correction of inaccurate data.
  • Right to Erasure – You can request deletion of your data (subject to legal obligations).
  • Right to Restrict Processing – You can request that we limit how we use your data.
  • Right to Data Portability – You can request a copy of your data in a structured format.
  • Right to Object – You can object to processing based on legitimate interests.
  • Right to Withdraw Consent – If processing is based on consent, you can withdraw it at any time.

Note: Since we only collect IP addresses and request metadata, and we do not maintain user accounts or personal identifiers, it may be difficult to identify specific requests associated with you. However, if you can provide your IP address and approximate timestamps, we will do our best to assist with your request.

Contact Information

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your data, please contact us:

Data Protection Contact

Email: emilio.righi@crg.eu

We will respond to your inquiry within 30 days as required by GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (supervisory authority).

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.