Privacy Policy

Collectiv is a multi-tenant research participation management platform that enables university departments to manage their student participant pools and optionally share participants across universities through the Common Pool. This privacy policy applies to all users of the Collectiv platform, including students, researchers, instructors, and department coordinators.

Each subscribing department or academic unit (“Institution”) is the data controller for its users' data. Collectiv acts as a data processor on behalf of each Institution. We process personal data only as directed by the Institution and in accordance with this policy.

Account information provided by your institution:

• Name and institutional email address (provisioned by your department coordinator)
• University and department affiliation
• Role designation (student, researcher, instructor, coordinator)
• Course enrollment information (for students)

Information generated through platform use:

• Prescreen questionnaire responses (used for study eligibility matching)
• Study registration and participation records
• Credit and attendance records
• Study listings created by researchers

Technical information collected automatically:

• Authentication session data (stored as secure HTTP-only cookies)
• Timestamps of platform interactions (audit trail)

We do not collect social security numbers, financial information, health records, or any data beyond what is necessary to operate the participant pool.

We use collected information solely to:

• Operate and maintain the participant pool management platform
• Match eligible students with available studies based on prescreen responses
• Track research participation credits and requirements
• Calculate Common Pool fairness metrics using aggregate, department-level data
• Send transactional notifications (study reminders, credit confirmations, cancellation notices)
• Maintain audit logs for institutional compliance and dispute resolution
• Provide department coordinators with reporting on their pool's activity

We do not use personal information for advertising, marketing to individual users, profiling, or any purpose unrelated to the operation of the participant pool.

The Common Pool allows participating departments to share study access across universities. This section explains exactly what data crosses university boundaries and what does not.

Shared across the Common Pool network:

• Study metadata: title, description, eligibility criteria, credit value, and duration
• Aggregate participation counts (e.g., “12 students have completed this study”)
• Department-level fairness metrics: total tokens earned and spent (no individual-level data)

Never shared across university boundaries:

• Student names, email addresses, or any personally identifiable information (unless the student voluntarily consents)
• Individual credit balances or transaction history
• Prescreen questionnaire responses
• Course enrollment or academic records
• Which specific studies a student has completed
• Internal department coordination data or configuration

No student personally identifiable information crosses university boundaries within the Platform unless the student voluntarily consents to share their information (e.g., for credit administration). Students may voluntarily consent to share their name or email address with a researcher for the purpose of credit administration. This consent is optional and can be withdrawn at any time. Students will not be penalized for declining to share their information. Collectiv is not responsible for data collected by researchers through external survey tools or study procedures conducted outside the Platform.

Collectiv is designed with the Family Educational Rights and Privacy Act (FERPA) in mind. Under FERPA, student education records are protected and may only be disclosed with consent or under specific exceptions.

Collectiv operates under the “school official” exception (34 CFR § 99.31(a)(1)). Each Institution determines that Collectiv has a legitimate educational interest in accessing the student data necessary to operate the participant pool. We access only the data required to fulfill this function.

Collectiv does not collect grades, transcripts, or disciplinary records. Research participation and credit records maintained by Collectiv may constitute education records under FERPA and are handled accordingly.

Institutions using Collectiv are responsible for including Collectiv as a school official with a legitimate educational interest in their annual FERPA notification to students, in accordance with 34 CFR 99.31(a)(1)(i)(B).

When data crosses university boundaries through the Common Pool, only aggregate, non-identifiable information is shared (see Section 4). No student education records are disclosed to other institutions.

We retain personal data for as long as necessary to provide the service to the Institution and comply with legal obligations:

• Active accounts: Data is retained for the duration of the Institution's subscription. Student accounts persist across semesters to maintain credit history.
• After subscription ends: Institution data is exported (if requested) and deleted within 90 days of subscription termination.
• Audit logs: Retained for 3 years to support institutional compliance requirements, then permanently deleted.
• Common Pool fairness data: Department-level token balances reset each semester. Historical aggregate data is retained for fairness trend analysis but contains no individual-level information.

Institutions may request data export or deletion at any time by contacting us at privacy@researchcollectiv.com.

We implement technical and organizational measures to protect personal data:

• Encryption: All data encrypted in transit (TLS 1.2+). Data at rest encrypted by our infrastructure provider.
• Database isolation: Row-Level Security policies on every table
• Authentication: Server-side rendered sessions using secure HTTP-only cookies (not localStorage). All users authenticate via email one-time passcode (no passwords stored). Institutional SSO available upon request.
• Audit trail: Synchronous, append-only logging of all data mutations
• Infrastructure: Hosted on enterprise-grade cloud infrastructure in the United States with automated backups

In the event of a confirmed security breach involving personal data, Collectiv will:

• Notify affected Institutions without unreasonable delay and no later than 72 hours after becoming aware of the breach
• Provide details including: the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken to address the breach
• Cooperate with the Institution's investigation and breach notification obligations under applicable law
• Maintain records of all security incidents and make them available to the Institution upon request

The Institution remains responsible for notifying affected individuals as required by law.

We use a limited number of third-party services to operate the platform:

• Supabase: Database and authentication services (hosted on AWS, US infrastructure)
• Postmark: Transactional email delivery (study reminders, OTP codes, credit notifications)
• Vercel: Application hosting (US infrastructure)
• Umami: Website analytics (privacy-focused, no cookies or personally identifiable data stored)
• PostHog: Product analytics (US infrastructure)

We use privacy-focused analytics to improve the Platform. Analytics data is used solely to understand usage patterns and improve the service — never for advertising, profiling, or marketing. We do not embed third-party advertising or tracking scripts. We do not share personal data with any third party for marketing purposes.

Each third-party service provider processes data only as necessary to provide their service and is contractually bound to protect the data.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data, subject to our retention obligations and the Institution's requirements
• Export: Request your data in a portable format

Because Collectiv acts as a data processor on behalf of your Institution, rights requests should generally be directed to your department coordinator first. You may also contact us directly at privacy@researchcollectiv.com and we will coordinate with your Institution.

Students have additional rights under FERPA, including the right to inspect education records and request amendments. These rights are administered by your Institution, not by Collectiv.

California Residents (CCPA/CPRA):

If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; request deletion of your personal information; opt out of the “sale” or “sharing” of your personal information (Collectiv does not sell or share personal information as defined by the CCPA); and non-discrimination for exercising your privacy rights. To exercise these rights, contact privacy@researchcollectiv.com or your department coordinator. We will respond within 45 days.

Other State Residents:

Residents of states with comprehensive privacy laws (including Virginia, Colorado, and Connecticut) have similar rights including access, correction, deletion, and data portability. You also have the right to appeal our response to a privacy request.

Collectiv is designed for use by university students (typically 18+), researchers, and institutional staff. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@researchcollectiv.com.

Collectiv uses cookies solely for functional purposes — specifically, to maintain your authenticated session. We do not use cookies for advertising, analytics, or cross-site tracking. No third-party tracking cookies are set by the Platform.

We may update this Privacy Policy from time to time. When we make material changes, we will notify subscribing Institutions via email at least 30 days before the changes take effect and update the “Last updated” date at the top of this page. We encourage you to review this policy periodically.

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@researchcollectiv.com
• General inquiries: hello@researchcollectiv.com

For questions about how your Institution uses Collectiv, please contact your department coordinator directly.