Privacy Policy
Effective Date: September 12, 2025
The Specify Collections Consortium (“SCC”, “we”, “us” or “our”) values the privacy of online visitors and members and is committed to protecting their personal information. This Privacy Policy explains how the SCC collects, uses, and safeguards data when someone:
- Joins the SCC
- Subscribes to our Specify Cloud hosting service
- Participates on our Discourse forum (the “Speciforum”) (https://discourse.specifysoftware.org)
- Visits our main website (https://www.specifysoftware.org)
- Uses the Specify 7 web application
- Explores the Specify Web Portal(s)
1. Information We Collect
When joining the SCC or interacting with SCC Services, the SCC may collect:
- Account information provided. This includes:
  - Full Name
  - Title
  - Pronouns
  - Institution
  - Institutional Title
  - Institutional Address
  - SCC Role
  - Picture (if provided to the Speciforum)
  - Login Credentials
- Usage data, including:
  - Pages or screens viewed
  - Feature usage in the Specify application
  - Timestamps
- Technical data, such as:
  - IP address
  - Browser or Device Type
  - Operating system
  - Referring pages
  - Error logs
The SCC never collects protected health information (PHI), payment card data (PCI DSS), or other highly sensitive personal data.
2. Cookies and Similar Technologies
To improve online visitors’ experiences, the SCC uses cookies and similar technologies:
- Session cookies to keep visitors logged in during a visit.
- Preference cookies to remember settings like language or display options.
Visitors may disable or delete cookies via browser settings, though some features of SCC Services may no longer function as intended.
3. No Advertising and No Data Sharing
The SCC does not display any advertisements on SCC Services. The SCC does not sell, rent, or otherwise share visitors’ or members’ personal information with third parties for marketing or advertising purposes. Your data belongs to you—SCC makes no claim on content entered by visitors or members into our applications or hosting platforms.
4. Service Providers and Third-Party Hosting
To deliver and maintain SCC Services, the SCC relies on trusted third-party providers:
- Amazon Web Services (AWS) is the primary host of SCC databases and application servers. AWS complies with numerous international security standards (SOC 2 Type 2, ISO 27001).
- Discourse.org provides the SCC forum platform; their privacy policy governs their handling of your forum activity.
- Any other integrations (e.g., SSO or external identity providers) are used only at the visitor’s direction and under their respective privacy policies.
While these providers process data on behalf of the SCC, they do so only to enable the Services the SCC offers and under strict confidentiality agreements. The SCC has no advertising relationships or data-sharing partnerships with them beyond necessary service delivery.
5. Links to Other Websites
SCC Services may link to external websites (e.g., GitHub). The SCC is not responsible for the privacy practices of those sites. Please review their privacy policies before providing any personal information.
6. Security
The SCC implements administrative, technical, and physical safeguards—built on AWS’s security infrastructure—to protect visitor and member data from unauthorized access, disclosure, alteration, or destruction. All network traffic to and from SCC Services is encrypted via HTTPS/TLS. However, no system can guarantee absolute security; the SCC encourages the use of strong, unique passwords and keeping contact information up to date.
7. Data Ownership and Access
The SCC recognizes that every specimen record, metadata field, user comment, and image uploaded is the intellectual property of the institution or individual user. The SCC does not assert any ownership or license rights over this data—whether it resides in the institution or individual’s on-premises database, in the Specify Cloud servers, on a Web Portal export, or within the Speciforum.
7.1 Data Ownership
All collection data—including specimen information, localities, taxonomic hierarchies, images, attachments, and annotations—remains the sole property of the institution or individual user who creates it. The SCC’s role is strictly custodial: the SCC stores and serves member data but never repurposes it for analytics, research publications, marketing, or any other use outside the scope of the support and hosting services subscribed to.
7.2 Export and Portability
An institution or individual user may export their data at any time, for any reason, in multiple formats:
- CSV spreadsheets via the Specify Query Builder
- JSON-formatted records through the Specify 7 REST API
- Full SQL dumps of your database (including schema and data)
If assistance is required to schedule automated nightly or monthly exports—pushed to an SFTP endpoint controlled by the institution or individual user—the SCC support team is happy to help configure that workflow.
7.3 Backups and Recovery
For Specify Cloud customers, the SCC maintains a multi-tiered backup strategy:
- Nightly database snapshots retained for 7 days
- Weekly full backups retained for 30 days
- Monthly full backups retained for 12 months
- Annual backups retained for the duration of your hosting contract
Members may request a one-time or recurring transfer of any backup to their own AWS account or on-premises server. In the event of accidental deletion or data corruption, SCC support can restore a prior snapshot to the member’s live environment.
7.4 Retention and Deletion
Hosted members determine how long historical data is retained. If the member decides to close their Specify Cloud account or discontinue support, the SCC will, upon request, provide a complete data export and subsequently purge the data from SCC systems. For compliance with institutional or legal requirements, members may also request early deletion of specific datasets or personally identifiable user accounts; the SCC will promptly honor and document such requests.
7.5 Administrative Access and Audit Logging
SCC staff do not alter production data without the member’s explicit permission. All administrative actions—whether executed by an institution’s Specify administrators or by SCC staff—are fully audited. Logs capture user IDs, timestamps, and detailed action descriptions. Members with database permission can review these audit logs at any time via the Audit Log tool.
Collections data is always under the member’s control—backed up, accessible, and removable on the member’s terms—while benefitting from SCC’s secure managed infrastructure.
8. Changes to This Privacy Policy
The SCC may update this policy at any time. The “Effective Date” at the top will reflect the last revision. The SCC encourages visitors and members to review this page periodically. If the SCC makes material changes affecting visitor and member rights or how information is used, the SCC will post a prominent notice.
9. Contact Us
If you have questions or concerns about this Privacy Policy or SCC data practices, please contact us at support@specifysoftware.org.