Privacy Policy
Last updated: October 8, 2025
The Catabase is operated by the IUCN SSC Cat Specialist Group, hosted by KORA. We are committed to protecting your privacy and handling your personal data responsibly in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
1. Who We Are
The Catabase is a scientific database for wild feline observation data, operated by:
Data Controller:
IUCN SSC Cat Specialist Group
c/o Stiftung KORA (Coordinated Research Projects for the Conservation and Management of Carnivores)
Talgut-Zentrum 5
CH-3063 Ittigen, Switzerland
Email:
2. What Data We Collect
We collect and process the following categories of personal data:
2.1 Account Registration Data
When you request access to the Catabase or when an administrator creates an account for you, we collect:
- Full name - For identification and correspondence
- Email address - For account creation, login, and communication
- Affiliation - Your organization or institution (optional but recommended)
- Requested access level - The type of access you need (viewer, member, staff)
- Reason for access - Brief explanation of why you need access to the database
2.2 Account Credentials
- Username - Generated from your email address or assigned by administrators
- Password - Securely hashed using bcrypt (we never store passwords in plain text)
2.3 Usage Data
- Login timestamps - When you access the database
- Account status - Whether your account is active or inactive
- Access level changes - Any modifications to your permissions
- Export activity - Records of data you've exported (filename includes your username)
2.4 Technical Data
- IP address - Automatically collected by our hosting provider (AWS) for security and system administration
- Browser type and version - Collected through standard web server logs
- Session cookies - Essential cookies for authentication (see our Cookie Policy)
2.5 Communication Data
- Access request notifications - Sent to administrators when you request access
- Account approval/rejection emails - Sent to you regarding your access request
- Password reset emails - When you request to reset your password
- Administrative communications - Important updates about the database
3. How We Use Your Data
We use your personal data for the following purposes:
Account Management
To create, maintain, and manage your user account, including authentication, access control, and password management.
Access Control
To enforce role-based permissions (Admin, Staff, Member, Viewer) and ensure users only access data appropriate to their authorization level.
Communication
To send you important information about your account, including access approvals/rejections, password resets, and essential database updates.
Data Attribution
To track who exports data and ensure proper attribution when observation data is used in research or publications (export filenames include your username).
Security and Fraud Prevention
To protect the database from unauthorized access, abuse, and security threats through monitoring of login attempts and system activity.
Scientific Research
To support conservation research and management of wild feline species by providing authorized researchers access to observation data.
4. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
- Legitimate Interest (Article 6(1)(f)) - We have a legitimate interest in operating a scientific database for conservation research, managing user accounts, and protecting our systems from security threats. Your interests and rights do not override these interests.
- Consent (Article 6(1)(a)) - When you submit an access request, you consent to us processing your data for account creation and communication purposes.
- Legal Obligation (Article 6(1)(c)) - We may process data to comply with legal obligations, such as responding to valid legal requests from authorities.
5. How We Store Your Data
5.1 Hosting Infrastructure
The Catabase is hosted on Amazon Web Services (AWS) infrastructure:
- Application Server: AWS EC2 (Europe Stockholm region)
- Database: AWS RDS PostgreSQL (Europe Stockholm region)
- Email Service: AWS SES (Europe Stockholm region)
- Data Location: All data is stored within the European Union (Sweden)
5.2 Data Transfer
Your personal data is stored exclusively within the EU (AWS Europe Stockholm region). We do not transfer your personal data outside the European Economic Area (EEA).
5.3 Data Protection Measures
- All data transmissions use SSL/TLS encryption (HTTPS)
- Passwords are hashed using bcrypt with salt (never stored in plain text)
- Database connections use SSL/TLS encryption
- Role-based access control restricts data access based on user permissions
- Regular security updates and monitoring
6. Data Sharing
We do not sell, rent, or trade your personal data. We share your data only in the following limited circumstances:
6.1 Within the Cat Specialist Group
Your name, email, and affiliation may be visible to administrators and staff who manage user accounts and access requests. This is necessary for account management and database administration.
6.2 Service Providers
We use the following third-party service providers who may process your data on our behalf:
- Amazon Web Services (AWS) - Hosting infrastructure, database, and email services (EU-based)
- Google reCAPTCHA - Anti-spam protection on access request forms (subject to Google's Privacy Policy)
6.3 Legal Requirements
We may disclose your personal data if required by law or in response to valid legal requests by public authorities (e.g., court orders, law enforcement).
6.4 Data Ownership Attribution
When you export data, your username is included in the filename for attribution purposes. This helps track data usage and ensure proper citation in research and publications.
7. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
You can update or correct inaccurate personal data through your profile page or by contacting us.
Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data. Note that we may retain certain information if required by law or for legitimate purposes (e.g., data attribution in published research).
Right to Restriction of Processing (Article 18)
You can request that we limit how we use your data in certain circumstances.
Right to Data Portability (Article 20)
You can request a copy of your personal data in a structured, machine-readable format.
Right to Object (Article 21)
You can object to processing of your data based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe your data protection rights have been violated.
To exercise any of these rights, please contact us using the information in the Contact Us section below.
8. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this policy:
- Active accounts: Retained while your account is active and you continue to use the database
- Inactive accounts: Accounts with no login for 3 years may be deactivated (data retained but access suspended)
- Deleted accounts: When you request account deletion, your data is permanently removed within 30 days, except where retention is required by law or for data attribution in published research
- Access requests: Rejected access requests are retained for 2 years for record-keeping purposes
- Security logs: Login attempts and security-related logs are retained for 1 year
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
Technical Measures
- SSL/TLS encryption for all data transmissions (HTTPS)
- Bcrypt password hashing with salt (minimum 12 rounds)
- Encrypted database connections
- Role-based access control (RBAC)
- Database-level permission enforcement
- Anti-spam protection (reCAPTCHA + honeypot)
- Password complexity requirements
- Forced password changes for temporary passwords
- Session management with secure, HTTP-only cookies
Organizational Measures
- Access to personal data limited to authorized administrators only
- Manual review of all access requests before approval
- Regular security updates and patches
- Monitoring of system activity and login attempts
- Data backup procedures
While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
10. Cookies
We use strictly necessary cookies for authentication purposes only. For detailed information about our cookie usage, please see our Cookie Policy.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make significant changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active users via email for material changes
- Post a notice on the website
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
12. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:
Data Protection Contact
IUCN SSC Cat Specialist Group
c/o Stiftung KORA
Talgut-Zentrum 5
CH-3063 Ittigen, Switzerland
Email:
Response Time: We will respond to data protection requests within 30 days as required by GDPR.
🇪🇺 EU Data Protection Authority
If you are not satisfied with our response or believe we are not complying with data protection law, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local supervisory authority in the EU/EEA.