Privacy

Privacy Notice

This notice explains what personal data the NetSec website processes, why, and the rights you have over it under the EU General Data Protection Regulation (GDPR).

Data Controller Universiteit Leiden
Grant Holder Institution, CA24154

Last updated 18 May 2026

Version 1.2

1. Who we are

This website (netsec-cost.eu) is operated for COST Action CA24154, Networking European Security Knowledge (NetSec), a four-year research network funded by COST (European Cooperation in Science and Technology) and the European Union.

The Data Controller is Universiteit Leiden (Leiden University), the Grant Holder Institution for the Action, where the Vice-Chair and Grant Holder Scientific Representative Dr Marie Robin is based. For questions about your personal data, please contact:

Action Vice-Chair, Dr Marie Robin, m.p.c.e.robin@fgga.leidenuniv.nl
Leiden University's Data Protection Officer, privacy@leidenuniv.nl

2. What data we process, and why

Contact form submissions

When you submit the contact form on the home page, we collect:

your name;
your email address;
your institution or organisation (optional);
the message you send.

Purpose, to read and respond to your enquiry.
Legal basis, your consent (by submitting the form, GDPR Article 6 (1)(a)) and the Action's legitimate interest (Article 6 (1)(f)) in communicating with the research and policy community.
Processor, submissions are delivered to us by Formspree, Inc. (United States), which acts as our data processor under the European Commission's Standard Contractual Clauses for transfers outside the EEA. See Formspree's privacy policy.
Retention, for as long as needed to respond to your enquiry; at most two years from submission unless further correspondence is initiated.

Founding contributors listing

The Founding contributors section on About NetSec lists the 52 researchers across 21 countries who participated in the COST Open Call proposal OC-2024-1-27931 establishing this Action. Each entry shows:

name (with academic title);
country of affiliation;
institutional affiliation as recorded in the Open Call proposal;
whether the participant indicated availability for MC representation at the time of the proposal.

No contact details, photographs, or biographical text are displayed; the structured fields above are the only personal data this listing carries.

Purpose, to acknowledge the institutional commitment that established the Action and to document the founding cohort for audit-trail purposes (the Action's own deliverables reference the Open Call participants).
Legal basis, the data was made public by the data subjects in a professional capacity in support of the Open Call submission (Article 6 (1)(f), legitimate interest of the Action in transparent attribution; Article 9 (2)(e) is not applicable since no special-category data is processed).
Source, the published Open Call proposal (cost.eu/actions/CA24154) and the proposal cover document referenced as OC-2024-1-27931.
Opt-out, to request removal from this listing, please use the contact form. The listed entry will be removed within fourteen days. Removal does not affect the underlying Open Call proposal document, which is under COST's control and not editable by the Action.

Server-level access logs

The website is hosted on GitHub Pages. GitHub processes minimal request metadata, IP addresses, user-agent strings, requested URLs, to deliver the site and protect against abuse. We do not have access to these logs. See GitHub's privacy statement.

Third-party content delivery

To render correctly, the site loads a small number of assets from third-party content delivery networks. Loading them sends your IP address and user-agent string to:

Google Fonts (Google LLC, USA), serves the Inter and Lexend typefaces. policies.google.com/privacy
FlagCDN, serves the country flag thumbnails in the Management Committee by Country grid. flagcdn.com

Legal basis, legitimate interest in efficient content delivery (Article 6 (1)(f)). The site does not embed third-party tracking pixels, advertising, or analytics, and does not use cookies of its own.

Local storage

The site uses your browser's localStorage to remember small UI preferences across visits:

netsec-theme, your choice of light or dark theme.
netsec-mc-countries-open, whether you previously expanded the Management Committee by Country list.

These values stay on your device, are not transmitted to us or any third party, and contain no personal data. You can clear them at any time via your browser's privacy settings. Because they are functional preferences rather than tracking, they do not require a consent banner under the ePrivacy Directive.

3. Recipients of your data

We do not sell, rent, or share personal data with third parties for marketing purposes. The only recipients of personal data submitted through the contact form are:

the Action Chair, Vice-Chair, and, where the message warrants, the relevant Working Group leadership;
our form processor, Formspree (see above).

4. International data transfers

Some of our service providers (Formspree, Google, GitHub) are based in the United States. Where personal data is transferred outside the European Economic Area, transfers are governed by the European Commission's Standard Contractual Clauses or, where applicable, the EU–U.S. Data Privacy Framework.

5. Your rights under the GDPR

You have the right to:

Access the personal data we hold about you (Article 15);
Rectify inaccurate or incomplete data (Article 16);
Request erasure of your data, "right to be forgotten" (Article 17);
Restrict processing (Article 18);
Object to processing based on legitimate interest (Article 21);
Receive your data in a portable, machine-readable format (Article 20);
Withdraw consent at any time, where processing is based on consent (Article 7 (3)).

To exercise any of these rights, contact us at the addresses in Section 1. We aim to respond within one month of receiving your request, as required by Article 12 (3).

You also have the right to lodge a complaint with a supervisory authority. The lead authority for the Data Controller is the Autoriteit Persoonsgegevens (Netherlands), but you can also complain to the regulator in your country of residence.

6. Automated decisions and profiling

We do not use your personal data for automated decision-making or profiling within the meaning of Article 22.

7. Security

The website is served exclusively over HTTPS. Form submissions are transmitted over TLS to Formspree's API. Beyond this, we rely on the security practices of our hosting and processing providers (GitHub, Formspree), see their respective documentation.

8. Children

The NetSec website is intended for an academic, policy, and practitioner audience. It is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has submitted personal data through the contact form, please contact us and we will erase it.

9. Changes to this notice

We may update this notice from time to time, for example to reflect changes in our processors or in the legal framework. The Last updated date at the top of the page shows the most recent revision. Where a change materially affects your rights, we will notify any users who have personal data on file before the change takes effect.

Privacy Notice v1.2 · prepared 15 May 2026 · licensing moved to licensing.html on 18 May 2026.