ScholarMail — Privacy Policy

This Privacy Policy explains how The ScholarMail Project ("we", "us") collects, uses and protects personal data in connection with the ScholarMail forwarding service ("the Service").

We are committed to data minimisation and respect for user privacy.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

1. Overview

ScholarMail provides email forwarding only. We do not host email mailboxes and do not store the contents of messages sent to ScholarMail addresses.

This Policy applies to:

• website visitors

• applicants and registered users

• individuals contacting the Project
  
  

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

2. Data We Collect

2.1 Account & Verification Data

When you apply for a ScholarMail address we may ask for:

• full name

• personal email

• institutional email

• forwarding preference

• institution / role

• ORCID iD

• verification information

• timestamps and audit logs
  
  

This data enables us to create and maintain a forwarding address and verify eligibility.

2.2 Routing Data

To operate forwarding, we store:

• your ScholarMail address

• your current forwarding destination
  
  

We do not store message bodies or attachments.

2.3 Website Analytics

The ScholarMail website uses Google Analytics to collect pseudonymous usage statistics (e.g. page views, device type, referrers). Our website host, Google Sites, should display a cookie consent banner automatically.

We do not use analytics for behavioural advertising or marketing profiling.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

3. Data We Do Not Collect

We do not collect or store:

• content of emails sent to your ScholarMail address

• attachments

• mailbox history

• advertising profiles

• direct marketing preferences
  
  

We do not run targeted advertising and do not sell user data.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

4. Lawful Bases (GDPR)

We process data under the following lawful bases:

• Contract — to provide the forwarding service (Article 6(1)(b))

• Legitimate Interests — to operate a persistent academic contact identity (Article 6(1)(f))

• Consent — where required for verification or communication (Article 6(1)(a))

• Legal Obligations — where applicable (Article 6(1)(c))
  
  

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

5. How Your Data Is Used

We use your data to:

• create and maintain your ScholarMail address

• forward email to your chosen destination

• verify your identity/eligibility

• contact you about your account

• process update or deletion requests

• ensure service security

• operate and improve the website
  
  

We do not use your data for advertising or commercial marketing.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

6. Sharing of Data

We share personal data only where necessary to operate the Service. This includes:

6.1 MXroute (Email Processing)

Incoming mail is handled by MXroute, our upstream email provider. MXroute processes mail and performs the forwarding action. MXroute may process metadata (e.g. headers) as part of normal mail transfer.

MXroute acts as an independent data processor/controller for mail routing as defined under GDPR, due to its operational autonomy and infrastructure.

6.2 Google (Forms, Sheets, Analytics)

Google processes data as part of:

• form submissions

• spreadsheet storage

• website hosting

• analytics
  
  

We use Google Workspace to operate the Service.

We do not share data with third parties for advertising or sale.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

7. International Data Transfers

MXroute and Google may process data in jurisdictions outside the UK. Where this occurs, we rely on appropriate safeguards permitted under UK data protection law.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

8. Data Retention

We retain:

• account & routing data for as long as your ScholarMail address is active

• audit logs for security and abuse prevention

• deletion logs for compliance purposes
  
  

Upon account deletion:

• forwarding is disabled

• user data is removed from active records

• minimal metadata may be retained for audit/security purposes
  
  

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

9. Your Rights (GDPR)

Users have the right to:

• access personal data

• rectify inaccuracies

• erase data (“right to be forgotten”)

• restrict processing

• object to processing

• receive data in portable form (where applicable)
  
  

You can make updates to the information on your ScholarMail account profile via the Accounts page. Other requests can be made via support@scholarmail.org.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

10. Security

We apply reasonable technical and organisational measures including:

• restricted administrative access

• verification for forwarding changes

• no content storage

• audit logging

• data minimisation

• encrypted connections between systems where supported
  
  

No system can guarantee absolute security.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

11. Cookies

Google Sites may use cookies for analytics and essential website functionality. Cookie consent for these features is handled by Google’s infrastructure, not by ScholarMail directly.

ScholarMail does not deploy additional tracking cookies of its own.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

12. Children

The Service is not intended for persons under the age of 18 and is not marketed to that audience.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

13. Contact & Complaints

For privacy-related queries:

support@scholarmail.org

Users in the UK may lodge complaints with the Information Commissioner’s Office (ICO):

https://ico.org.uk

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

14. Changes to This Policy

This Policy may be updated periodically. The “Last updated” date will be revised accordingly.

⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯

Last updated: 22nd January 2026