SAR Membership Data Protection Policy
1. Rationale & Scope
This Privacy Policy explains how the Society for Artistic Research (SAR) processes personal data when you visit our website, become a member, register for events, subscribe to newsletters, or otherwise interact with SAR services.
This Policy applies to the website operated at societyforartisticresearch.org, to the Research Catalogue ("RC"; researchcatalogue.net), to the RC discussion forum (rcforum.net), as well as to the Journal for Artistic Research ("JAR"; jar-online.net).
This Policy summarises data processing across the platforms named above.
SAR processes personal data in compliance with the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR). Whether and to what extent these laws apply depends on the individual case.
Please read this Privacy Policy to learn about your rights, what information we collect, how we use and protect it.
2. Controller
The controller responsible for the processing of personal data on this website is:
| Name | Society for Artistic Research (SAR) |
| Legal form | Association under Articles 60 et seq. of the Swiss Civil Code (Verein) |
| Registered address | c/o FIDURIA AG, Bruckfeldstrasse 16, 3012 Bern, Switzerland |
| info@societyforartisticresearch.org | |
| Website | https://societyforartisticresearch.org |
Our representative in the European Union (Art. 27 GDPR), where required, will be provided by an appropriate paid service. SAR is completing this appointment; the representative's contact details will be inserted here once it is finalised.
3. Contact
For all matters relating to data protection, including the exercise of your rights or in case of data privacy concerns, please contact SAR via the email address above.
4. Categories of personal data processed
Depending on how you interact with SAR, the following categories of personal data may be processed:
- Identification data: name, title.
- Contact data: postal address, email address, telephone number.
- Affiliation data: institution, role, country of practice.
- Membership data: membership type, dates, payment status.
- Communication data: correspondence, newsletter preferences, opt-in records.
- Technical data: IP address, browser metadata, device information, server logs.
- Event data: registration details, dietary or accessibility requirements where voluntarily provided.
- Analytics: The SAR and JAR websites operate no web-analytics solution (no Google Analytics, Tag Manager, Matomo or comparable tag). The Research Catalogue (RC) performs first-party, self-hosted usage measurement only — aggregate visitor statistics (counts, duration, and country derived locally from IP address) and page/endpoint access — which is not linked to individual users and not shared with any third party; RC uses no external analytics service. Any future analytics deployment is announced through this policy before activation.
- Analytics (Research Catalogue): RC performs first-party, self-hosted usage measurement only. It records aggregate visitor statistics for expositions and portals — visit counts, duration, and country (the latter derived locally from the IP address) — together with which pages and endpoints are accessed. This information is not linked to individual user identities and is not shared with any third-party processor. RC uses no Google Analytics or other external analytics service; server-side monitoring (Grafana) runs locally on the RC server. When a user accepts the RC Terms of Use, the IP address is logged as a record of that acceptance and retained with RC's server logs.
- Platform content data (RC, JAR): account and registration data, user-uploaded research content and expositions (RC), journal submissions and published author metadata such as name, affiliation and biography (JAR).
5. Purposes and legal bases
SAR processes personal data for the purposes set out below. Where GDPR applies, the legal basis under Article 6 GDPR is identified; the equivalent provisions of the revFADP apply in parallel.
| Activity | Data categories | Legal basis | Retention |
|---|---|---|---|
| Membership administration | Name, contact details, affiliation, payment confirmation | Contract performance (Art. 6(1)(b) GDPR) | Duration of membership plus 10 years (Swiss accounting retention, Art. 958f CO) |
| Payment processing | Name, payment reference, transaction metadata | Contract and legal obligation (Art. 6(1)(b)(c) GDPR) | 10 years (Art. 958f CO) |
| Newsletter subscription and distribution | Email address, double opt-in confirmation record, engagement metrics | Consent (Art. 6(1)(a) GDPR) | Until withdrawal of consent |
| Website operation and security | Server logs, IP address, browser metadata | Legitimate interest in secure operation (Art. 6(1)(f) GDPR) | Web-server access logs and application logs retained for 7 days, then automatically deleted. |
| Event registration and meetings | Name, contact details, dietary or accessibility needs where provided | Contract and consent (Art. 6(1)(b)(a) GDPR) | Up to 12 months after the event |
| Contact form enquiries | Name, email, message content, timestamp | Legitimate interest in handling enquiries (Art. 6(1)(f) GDPR); pre-contractual steps where applicable (Art. 6(1)(b)) | Until the enquiry is resolved, then deleted, generally within 12 months |
| Membership applications | Applicant name, contact details, institution affiliation, supporting information provided by the applicant | Steps prior to entering a membership contract (Art. 6(1)(b) GDPR); legitimate interest in assessing applications (Art. 6(1)(f)) | Rejected applications deleted after the decision; accepted applications retained for the duration of membership plus the accounting period (10 years, Art. 958f CO) |
| Member discussion threads and private messages | Author user ID, message content, timestamp | Performance of the community service (Art. 6(1)(b) GDPR); legitimate interest in operating the community (Art. 6(1)(f)) | Until the user deletes the content or the account is closed |
| Community Area member profile | Login email and username (mandatory); hashed password; optional public profile fields (display name, picture, short bio, institution, interests and tags, RC profile link); private notification preferences | Account: performance of the membership relationship (Art. 6(1)(b) GDPR). Optional public fields: consent (Art. 6(1)(a)) | Follows the member account lifecycle; profile data editable and deletable by the member at any time |
| Research Catalogue (RC) platform use | Account/registration data (data the user provides on signup); user-uploaded research content and expositions; self-declared identity and affiliation data. | Contract performance (Art. 6(1)(b) GDPR); consent for optional content (Art. 6(1)(a)); retention of published expositions and authorship metadata: legitimate interest in scholarly integrity and public-interest archiving (Art. 6(1)(f); Art. 17(3) GDPR) | Account data is deleted when the RC account is terminated; published material and its authorship metadata cannot be removed and form a permanent scholarly record. Identity-verification documents are transmitted by encrypted email and then held offline by the SAR Back Office, with no online copy retained (the transmitting emails are deleted). Further detail is set out in the Research Catalogue's own privacy policy. . |
| Journal for Artistic Research (JAR) platform use | Editorial account data (channel-editor, moderator roles); journal submissions; published author metadata (name, affiliation, bio) | Contract performance (Art. 6(1)(b) GDPR); legitimate interest in editorial operation (Art. 6(1)(f)) | Account duration; published content retained for archival/scientific-record purposes |
| Third-party communications and enquiries (press, partner organisations, suppliers) | Name, role, contact details, message content | Legitimate interest in maintaining relationships and handling enquiries (Art. 6(1)(f) GDPR); contract where the exchange serves a supplier or partner agreement (Art. 6(1)(b)) | For the duration of the exchange and the underlying relationship, then deleted; accounting-relevant correspondence kept for 10 years (Art. 958f CO) |
| Assertion of legal claims and defence (legal disputes and regulatory proceedings) | Any personal data relevant to the claim or defence | Legitimate interest in establishing, exercising or defending legal claims (Art. 6(1)(f) GDPR); legal obligation where applicable (Art. 6(1)(c)) | For the duration of the proceedings and until the applicable limitation periods have expired, as a rule up to 10 years (Art. 127 CO) |
| Research Catalogue: Terms of Use acceptance | Account and registration data (name, optional alias, email, RC password, optional country of residence); user-uploaded research content and expositions; identity-verification data provided on direct registration. | Contract performance (Art. 6(1)(b) GDPR); consent for optional fields (Art. 6(1)(a)); legitimate interest in scholarly integrity and public-interest archiving for published material (Art. 6(1)(f); Art. 17(3)). | Account data is deleted when the RC account is terminated; published material and its authorship metadata cannot be removed and form a permanent scholarly record. Identity verification: where verification of a Research Catalogue account is required, users may currently be asked to provide identifying information. This data is kept to the minimum necessary, access-restricted, and retained only for as long as verification requires. SAR is moving to a self-declaration and email-based verification model and will discontinue document collection once that is in place. |
| Journal for Artistic Research (JAR): editorial processing and publication | Author submissions and metadata; peer-reviewer data; published author details (name, biography, and photograph where provided); editorial correspondence | Performance of the author and reviewer relationship and of publication (Art. 6(1)(b) GDPR); consent for published biographies and photographs (Art. 6(1)(a)); legitimate interest in maintaining the editorial record (Art. 6(1)(f)). Published author identity and metadata form part of the permanent scholarly record (Art. 6(1)(f); Art. 17(3) GDPR). | Published articles, author details and the public list of peer reviewers form part of the permanent scholarly and editorial record and are retained indefinitely. Reviewer accounts are retained for the duration of the reviewer relationship (the JAR reviewer pool); a reviewer may request removal. Review reports, exposition snapshots and other editorial working records are retained by the editorial office for documentation purposes; a defined retention schedule for these records is being established. Rejected submissions are removed from the active portal following the decision. |
| RC discussion forum (rcforum.net) | Registered forum users' email addresses and account credentials. No visitor tracking or analytics. | Steps taken at the user's request and performance of the forum service (Art. 6(1)(b) GDPR); legitimate interest in operating the forum (Art. 6(1)(f)) | For the life of the forum account; deleted when the account is closed. |
Where you have given us your consent to process your personal data for specific purposes (for example, when you sign up to receive newsletters, or accept the Terms of Use in connection with the use of the Research Catalogue or JAR), we will process your personal data within the scope of and on the basis of this consent, provided we have no other legal basis and such a basis is required. Consent given may be withdrawn at any time; however, this will not affect any data processing that has already taken place.
6. Recipients and processors
In the course of our activities and for the purposes set out in clause 5, we may also disclose such information to third parties, where permitted and where we deem it appropriate, because they process such information on our behalf. SAR engages selected service providers to operate its digital infrastructure. These providers act as data processors. The principal processors are:
| Service | Provider | Location | Function |
|---|---|---|---|
| Website hosting (JAR and SAR) | Hetzner Online GmbH | Germany (EU) | Hosting of the SAR website and the JAR website |
| Website hosting (RC) | KTH | Sweden | Hosting of the Research Catalogue web platform |
| Website hosting (rcforum.net) | antagonist.nl | Netherlands (EU) | Hosting of the RC Forum |
| Email correspondence | Privacy-focused email provider hosted in the EEA or Switzerland (provider selection in progress) | EEA / Switzerland | SAR email correspondence |
| Payment processing | Mollie B.V. | Netherlands (EU) | Membership and event payments |
| Newsletter delivery | Drupal Simplenews module (in-stack) | Germany (Hetzner DE) | Newsletter distribution |
| Bookkeeping and accounting | Administratiekantoor Van Tunen + Partners | Netherlands (EU) | Member payment records, accounting data and related supporting documentation where required on behalf of SAR |
| Cookie consent management | Self-hosted Klaro consent management (open source, BSD-3) will be installed on the SAR website before any third-party embed or non-essential cookie is enabled. No external consent processor is used. Strictly-necessary login session cookies require no consent. | Not applicable | Cookie consent banner and preference storage |
| Analytics | none | Not applicable | No third-party analytics on any platform. SAR and JAR run no analytics; RC performs first-party, self-hosted usage measurement only (Grafana), with no external analytics service or processor. |
| Research Catalogue hosting and infrastructure | KTH Royal Institute of Technology / KTH.se | Sweden (EU/EEA) | Hosting and operation of the Research Catalogue (researchcatalogue.net), including first-party usage statistics (Grafana) |
| RC discussion forum hosting (rcforum.net) | Antagonist (antagonist.nl) | Netherlands (EU/EEA) | Hosting and operation of the RC discussion forum; processes registered users' email addresses only |
| JAR website hosting and infrastructure | Hetzner Online GmbH | Germany (EU] | Hosting and operation of the Journal for Artistic Research (jar-online.net) |
| Content delivery, DNS and security proxy (JAR) | Cloudflare, Inc. | USA (European visitors served from EEA edge nodes; transfers safeguarded by EU Standard Contractual Clauses) | Reverse proxy, DNS, CDN and security for the JAR website; processes visitor connection data (IP address, request metadata) |
| Scholarly infrastructure (DOI registration and author identifiers) | Crossref, ORCID | USA — publication metadata only, intended for public dissemination; safeguarded by EU Standard Contractual Clauses | Assignment of DOIs and linking of author identifiers (e.g. ORCID) for published works |
SAR does not sell, rent or otherwise transfer personal data to third parties for marketing purposes.
7. International data transfers
Most data processing takes place within the European Economic Area or Switzerland. As part of our business activities and for the purposes set out in section 5, we may, where permitted and where we deem it appropriate, also disclose personal data to third parties, either because they process such data on our behalf or because they intend to use it for their own purposes. In particular, this includes the following recipients:
- our service providers (within SAR as well as external providers, such as banks and insurance companies), including processors (e.g. IT providers);
- distributors, suppliers, subcontractors and other business partners;
- customers;
- domestic and foreign authorities, official bodies or courts;
- media;
- the public, including visitors to websites and social media;
- competitors, industry organisations, associations, institutions and other bodies;
- acquirers or potential acquirers of business units or parts of SAR;
- other parties in potential or actual legal proceedings; together referred to as “recipients”.
These recipients are located partly in Switzerland but may be anywhere in the world. In particular, you must expect your data to be transferred to any country in which SAR is represented by branches or other offices, as well as to other countries in Europe.
If a recipient is located in a country without an adequate level of statutory data protection, we contractually oblige the recipient to comply with the applicable data protection laws (for this purpose, we use the revised standard contractual clauses of the European Commission, available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), unless the recipient is already subject to a legally recognised framework ensuring data protection or we can rely on an exception. Such exceptions may apply in particular in the context of legal proceedings abroad, but also in cases of overriding public interest, where disclosure is necessary for the performance of a contract, where you have given your consent, or where it concerns data that you have made generally accessible and the processing of which you have not objected to.
In addition, content published on the Research Catalogue and the Journal for Artistic Research may contain third-party embedded content (e.g. YouTube, Vimeo, Sketchfab). Where present, loading such content may transmit technical data, including the visitor's IP address, to the relevant provider, which may be located outside Switzerland or the EEA, in particular the United States. These transfers are governed by the respective provider's own data-protection terms.
The JAR website is delivered through Cloudflare (Cloudflare, Inc., USA), which acts as a reverse proxy and processes visitor connection data such as IP address. Although European visitors are served from Cloudflare edge nodes within the EEA, Cloudflare, Inc. is established in the United States; this transfer is safeguarded by the EU Standard Contractual Clauses.
8. Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected, or as required by Swiss accounting and tax law, in particular Article 958f of the Swiss Code of Obligations, which prescribes a retention period of ten years for accounting records. Specific retention periods are indicated in the processing table above. Moreover, personal data may be retained for as long as claims can be brought against our association or where legitimate business interests so require (for example for evidential and documentation purposes). Where statutory retention rules apply, such as Swiss CO Art. 958f for accounting records, those periods take precedence over deletion. As soon as your personal data is no longer required for the purposes mentioned above, it will, as a rule and where possible, be deleted or anonymised. Personal data deleted from live systems may persist temporarily in technical backups for up to 30 days, until the backup rotation completes.
9. Your rights
Subject to the conditions set out in the revFADP and, where applicable, the GDPR, you have the following rights with respect to your personal data:
- Right of access: to obtain confirmation of whether SAR processes your personal data and, if so, a copy of that data.
- Right to rectification: to have inaccurate or incomplete data corrected.
- Right to erasure: to request deletion of your data, subject to legal retention obligations.
- Right to restriction: to request limitation of processing in defined circumstances.
- Right to data portability: to receive your data in a structured, commonly used and machine-readable format (GDPR only).
- Right to object: to processing based on legitimate interests, in particular for direct marketing.
- Right to withdraw consent: at any time, without affecting the lawfulness of processing carried out before withdrawal.
Please note that conditions, exceptions or restrictions apply to these rights under applicable data protection laws. In particular, we may need to continue to process and keep your personal data in order to perform a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permitted, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may also reject a request in whole or in part (for example by redacting content that concerns third parties or our trade secrets). If exercising certain rights will incur costs on you, we will notify you thereof in advance.
In particular, the right to erasure is limited for published research content. Once an exposition on the Research Catalogue or an article in the Journal for Artistic Research has been published, it forms part of the permanent scholarly and publication record. SAR retains such published material and its associated authorship metadata on the basis of its legitimate interest in the integrity of the scholarly record and the public interest in archiving (Art. 17(3) GDPR), and removes it only where SAR is legally required to do so. Account and other non-published data remain subject to the erasure right as described above.
To exercise these rights, please contact SAR using the email address above. SAR may request reasonable proof of identity to ensure that the request originates from the data subject.
10. Right to lodge a complaint
If you consider that the processing of your personal data infringes data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern. Data subjects in the EU may contact the supervisory authority in their country of residence, place of work, or place of the alleged infringement.
11. Cookies and tracking technologies
11.1 What are cookies
Cookies are small text files that a website places on your device when you visit. They allow the website to recognise your device on subsequent visits, to remember your preferences and to support core functions such as login and security.
11.2 Legal framework
Under Swiss law, the use of cookies is governed by Article 45c of the Federal Telecommunications Act (FMG). For visitors in the European Economic Area, Article 5(3) of the ePrivacy Directive and the GDPR apply, requiring prior consent for the storage of, or access to, information on the user device, except where strictly necessary for the operation of the requested service.
On the SAR website, SAR applies the more protective standard to all visitors: cookies that are not strictly necessary are loaded only after the user has given explicit consent, requested at the point of an embedded video via a click-to-load card rather than a global banner. Consent handling differs on the Research Catalogue and the Journal for Artistic Research, where some embedded third-party content is not yet consent-gated; see section 11.6.
11.3 Categories of cookies used
| Category | Purpose | Consent | Duration |
|---|---|---|---|
| Strictly necessary | Required for the website to function. Includes session management, login state, security. | Not required | Session or short term |
| Functional | Remember user preferences such as language and accessibility settings. | Required | Not in use |
| Embedded content | Set by the embed provider after consent. YouTube embeds use the privacy-enhanced domain (youtube-nocookie.com); Vimeo uses Do-Not-Track mode. Cookies set by these providers are governed by their own privacy policies. | Required | Per third party policy |
11.4 Cookies inventory
The following cookies are currently in use on these websites:
societyforartisticresearch.org
| Cookie name | Provider | Category | Purpose and duration |
|---|---|---|---|
| SSESS<random-hash> | SAR (Drupal core, served from Hetzner DE) | Strictly-necessary | Maintains the logged-in session for members. Set only after sign-in. Session, expires on sign-out or browser close. Maximum 23 days. |
| Drupal-visitor-shopping_cart-* | SAR (Drupal Commerce, served from Hetzner DE) | Strictly necessary | Holds the membership / event-fee cart between page loads. Set only when a visitor places something in the cart. Session, deleted on checkout completion. |
No analytics, marketing, or third-party cookies are set on the public SAR website. Embedded video providers may set their own cookies once a visitor has clicked to load the embed.
The JAR website sets no analytics or other non-essential cookies. A session cookie is set only for logged-in editors and moderators; anonymous visitors receive no cookies.
| Cookie name | Provider | Category | Purpose and duration |
|---|---|---|---|
| SSESS<random-hash> | JAR (Drupal core, served from Hetzner DE) | Strictly necessary | Maintains the logged-in session for editors and moderators. Set only after sign-in; not set for anonymous visitors. Session cookie, expires on sign-out or browser close. Drupal default maximum 23 days. |
Researchcatalogue.net
Cookies on the Research Catalogue (RC). RC sets a strictly-necessary session cookie to maintain login state for signed-in users; it contains no personal information and requires no consent. RC does not use third-party advertising or tracking cookies, and its usage measurement is first-party and not linked to individual users (see section 6). Because RC does not currently operate a cookie-consent banner, third-party content embedded in expositions may set its own cookies when loaded, as described in section 11.6. Full detail is set out in the Research Catalogue's own privacy policy.
11.5 Managing your cookie preferences
The SAR website does not set any non-essential cookies on page load and does not load any third-party content automatically. Where an embedded video from YouTube or Vimeo is offered, it is shown as a placeholder until you click to load it. Loading the embed transmits your IP address and browser metadata to the provider; the placeholder makes this explicit before any data is sent. Your choice is remembered locally on your device, and you can clear it at any time through your browser settings.
11.6 Third party cookies and embedded content and other external assets
SAR minimises the use of third-party content. Where YouTube or Vimeo embeds are added to the SAR website, they use the providers' privacy-enhanced modes (youtube-nocookie.com, Vimeo Do-Not-Track) and are placeholder-gated: the embed is replaced with a click-to-load card and does not contact the third-party provider until the visitor has given explicit consent. SAR receives no information about the visitor from these providers. No social-network embeds, share buttons, or pixels are used.
Research Catalogue — embedded content in expositions. Expositions on the Research Catalogue are created by users and may contain third-party embedded content (for example YouTube, Vimeo or Sketchfab). Unlike the SAR website, this content is not currently consent-gated: opening an exposition may load it directly, transmitting your IP address and potentially setting cookies under the third party's own privacy and tracking policies, over which SAR has no control. SAR is reviewing consent-gating for embedded content on the Research Catalogue; until then, individual expositions may contain external elements whose tracking behaviour differs from that of the Research Catalogue itself.
Journal for Artistic Research — embedded content. Articles and materials published on the JAR website may likewise contain third-party embedded content (for example YouTube or Vimeo). This content is not currently consent-gated and may load when a page opens, transmitting your IP address and potentially setting cookies under the third party's own privacy and tracking policies, over which SAR has no control. SAR is reviewing consent-gating for embedded content on the JAR website; until then, pages may contain external elements whose tracking behaviour differs from that of the JAR website itself.
Other external assets. All web fonts (Inter typeface) are self-hosted on the SAR Drupal server. No Google Fonts CDN, no font.gstatic.com, no third-party JavaScript CDN, and no social-media pixels are loaded on the SAR website. The Research Catalogue additionally loads a JavaScript module loader (es-module-shims) from a third-party CDN (jspm.io); this transmits only technical connection data (IP address and browser metadata), no account or usage data.
12. Security
SAR implements appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. These measures are reviewed regularly and adapted to the state of the art.
13. Children
SAR, RC and JAR services are directed to adult researchers, students and institutional members. SAR does not knowingly collect personal data from children under the age of sixteen without verifiable parental consent.
14. Changes to this Privacy Policy
SAR may update this Privacy Policy from time to time to reflect changes in legal requirements or in SAR services. The current version is always available on the SAR, RC and JAR websites with an indication of the date of last update.