Privacy Policy
Effective date: September 4, 2025

1. Controller

Communications in Prolactin Research
Yellow Thistle Publishing LTD
71-75 Shelton Street
Covent Garden, London
United Kingdom, WC2H 9JQ
Phone: +4991150716282
Data Protection Officer: Jakob Triebel, Editor-in-Chief, eic_cpr@protonmail.com

2. Personal data we process

Contact details
Name, email address, institutional affiliation
Communicating with authors, reviewers, readers; sending manuscript updates, reviewer invitations, newsletters
Manuscript & publication data
Title, abstract, full‑text, figures, metadata
Managing peer‑review, publishing, archiving, indexing and discovery (e.g., DOI registration)
Usage data
IP address, browser type, timestamps, cookies
Site analytics, security monitoring, improving the platform
Financial data (where applicable)
Billing address, payment details (only for APCs)
Processing article processing charges (APCs), or other paid services

3. Lawful bases for processing (UK GDPR Art 6)

Consent – e.g., when a user signs up for the optional newsletter or voluntarily provides additional data.
Contractual necessity – processing manuscript data to fulfil the publishing contract with authors.
Legitimate interests – site security, analytics, and platform optimisation (balanced against individual rights).
Legal obligations – retention of records to comply with UK publishing and tax legislation.

4. Recipients / third‑party disclosures

Peer reviewers – granted access solely to the manuscript under review.
Service providers – hosting, email delivery, analytics (e.g., Cloudflare, SendGrid, Matomo). All are bound by UK‑compliant Data Processing Agreements.
Regulatory authorities – if required by law (court orders, HMRC, ICO investigations).
We do not sell personal data to marketing firms. Any promotional contact requires explicit opt‑in.

5. Retention periods

While the user account remains active; otherwise deleted on request.
Manuscript & publication data
Minimum 10 years after first online publication (per UK scholarly‑record‑keeping norms).
Usage data & cookies
Aggregated analytics retained up to 12 months; raw logs deleted after 30 days unless needed for security incident investigation.
Financial data
Retained for 7 years to satisfy tax and accounting requirements.

6. Your rights (UK GDPR Art 15‑22)

You may at any time:

Request access to the personal data we hold about you.
Ask for correction of inaccurate or incomplete data.
Demand erasure (“right to be forgotten”) where no statutory retention applies.
Restrict processing (e.g., while a dispute is resolved).
Object to processing on grounds of legitimate interests or direct marketing.
Obtain data portability of your information in a structured, commonly used format.
To exercise any right, contact the Data Protection Officer at the email above. We will respond within one calendar month, as required by the ICO.

7. Security measures

We employ industry‑standard technical and organisational safeguards:

TLS/SSL encryption for data in transit.
Encrypted storage for sensitive files (e.g., manuscripts containing personal health information).
Role‑based access controls and regular staff training.
Routine vulnerability scanning and penetration testing.
These measures aim to protect against unauthorised access, loss, or alteration of personal data.

8. Cookies & tracking

Our website uses:

Essential cookies – session management, authentication.
Analytical cookies – optional, powered by Matomo (self‑hosted, GDPR‑compliant) to improve usability.
You can manage cookie preferences via the banner displayed on first visit.

9. Open‑Access specific provisions

Article Processing Charges (APCs) – the APC payment data is processed in line with Section 2 (Financial data) and retained for the statutory 7‑year period.
License information – Authors choose a Creative Commons licence (CC‑BY 4.0 by default). The licence metadata is stored with the article record and made publicly accessible; no additional personal data is disclosed beyond what is already part of the author list.
Public repository deposits – Upon publication, the accepted manuscript (or version of record) is deposited in open repositories (e.g., PubMed Central). Only the author‑provided metadata (name, affiliation, ORCID) is shared, consistent with the author’s consent and the chosen licence.
All Open‑Access activities respect the same data‑protection principles outlined above.

10. Changes to this policy

We may update this privacy notice to reflect regulatory changes, new services, or operational adjustments. The latest version will always be posted on our website with a revision date. Continued use of the service after a change constitutes acceptance of the updated terms.

Contact us

If you have any questions, concerns, or wish to exercise your data‑subject rights, please reach out to: Jakob Triebel, Editor-in-Chief, eic_cpr@protonmail.com