Privacy notice for vectorpredictor.com

This notice describes how the VectorPredictor web application handles personal data in connection with user accounts, sign-in, and use of the service. It should be reviewed by your data protection team before publication.

Who is responsible for your data?

The University of Glasgow is the data controller for personal data processed in relation to data shared with vectorpredictor.com. This notice explains how your personal data is used in that context.

What personal data we collect

When you register and use the service, we process data including:

  • Account details: username and email address supplied on registration, plus standard account metadata maintained by the application (for example when the account was created), as stored for your user record.
  • Password: you choose a password at registration. The application does not store your password in readable form. Passwords are stored using a one-way hash suitable for authentication (Django’s built-in password hashing), so staff cannot retrieve your original password from the database.
  • Session data: after you sign in, the application issues a session identifier stored in a browser cookie so you can stay logged in for a limited period without re-entering your password on every request. Sessions are tracked server-side (database-backed sessions) and are tied to your account.
  • Content you add while signed in: research and operational data you upload or create in the application (for example locations, specimen metadata, spectra files, and related records) is stored in the application database and file storage and is associated with your user account as the author or owner, so the system can show you your own data and enforce access appropriately.

How accounts and access work

  • Password-protected access: most data-management and analysis features require you to be signed in. Unauthenticated visitors cannot use those parts of the site as if they were you.
  • Your password is secret: the terms of use require you to keep your sign-in details confidential and not share them with third parties. Anyone who knows your username and password could access your account as far as the application is concerned.
  • Password quality: the application uses Django’s password validators (for example minimum length, checks against common passwords, and similarity to your username or email) to encourage stronger passwords.
  • Signing out: you can end your session using the log out control; you should do so on shared or public devices.
  • Administrators: institutional staff with administrator access may manage user records and content for support, security, or compliance, in line with University policies and the law.

Why we need your data and legal basis

We process account and related data so that you can create and use a personal workspace, upload and manage mosquito spectral data and metadata, and run machine-learning classification (age and species) on that data. The legal basis for processing is consent, insofar as you choose to create an account and use the service, and, where applicable, legitimate interests in operating a secure research platform (for example fraud prevention, abuse detection, and service integrity).

Automated processing and machine learning

The service applies statistical and machine-learning models to spectra and related inputs you provide to produce predictions (for example age or species labels). Outputs are derived algorithmically from your submitted data. You should not treat automated outputs as the sole basis for high-risk decisions without appropriate scientific or human review.

Technical security measures

  • Transport security: the site should be served over HTTPS in production so that data (including your password at sign-in) is encrypted between your browser and the server. The exact hosting configuration depends on how your organisation deploys the application.
  • Forms and state-changing actions are protected with CSRF tokens to reduce the risk of cross-site request forgery.
  • When debug mode is off (typical production configuration), the application enables additional browser protections such as HTTP Strict Transport Security (HSTS), secure and HTTP-only flags on session and CSRF cookies, XSS filtering, and MIME sniffing protections, as configured in the project settings.
  • Session lifetime: the default session cookie lifetime is one hour of inactivity (configurable in deployment); after expiry you must sign in again.

Development installations may use relaxed security defaults (for example local HTTP); use a properly secured deployment for real personal or sensitive research data.

Who we share data with

Personal and research data you submit may be processed by staff at the University of Glasgow in the United Kingdom. Your data may also be shared with collaborators as described in the website terms of use, including staff at the Ifakara Health Institute (Tanzania) and the Institut de Recherche en Sciences de la Santé (Burkina Faso), where that sharing forms part of the agreed research collaboration.

Aggregated or de-identified data derived from user submissions may be used to improve VectorPredictor models, subject to project governance and applicable law.

Hosting and storage (for example cloud regions, encryption at rest, and backup policy) depend on your deployment environment; production deployments should document where data physically resides and any subprocessors.

How long we keep data

Account and content data are retained for as long as your account exists and the service needs the information to operate, unless a different retention schedule applies under University policy or law. You may request deletion of your account or data subject to any legal or research governance constraints.

Your rights

Depending on applicable law (including the UK GDPR where it applies), you may have rights to access, rectify, erase, restrict, or object to processing of your personal data, and rights related to portability and automated decision-making. Where processing is based on consent, you may withdraw consent, though that may affect your ability to use the service.

To exercise these rights, contact the University via the routes published for data subjects (for example dp@gla.ac.uk), or the webform your institution provides for subject access requests.

How far each right applies depends on the legal basis and context of processing.

Complaints

If you have concerns about how your personal data has been handled, you may contact the University’s Data Protection Officer (for example dataprotectionofficer@glasgow.ac.uk). You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).

General rules for using the website are in the terms of use. For cookies and similar technologies, see the cookies notice.