Privacy
Taking your personal information seriously – the OpenAthens privacy policy.
OpenAthens is committed to protecting your privacy. This notice applies wherever we decide why and how we process personal data and therefore act as a Data Controller under data protection law.
OpenAthens is part of Jisc. For more information on how to exercise your data subject rights, additional privacy information and how to contact us, please refer to our overarching Privacy Notice.
How do we use your personal data?
The following table outlines why we process your personal data and our lawful basis for doing so. We may rely on more than one lawful basis for processing your personal data, depending on the context of the processing activity.
| Purpose/activity | Personal data processed | Lawful basis for processing |
|---|---|---|
| To facilitate product and service updates, and secure personal data within our platform. | Name, Email Address, Organization | This processing is carried out for legitimate interest purposes to ensure our customer's best experience. |
| To tell you about our monthly newsletters, events, webinars, training invites, related content and promotions/offers that we’ll be running. To process your information when you fill in an online form to express interest in any of our products | Name, Email Address, Organization | This processing relies on legitimate interest to raise awareness of our business. We also seek your consent for the type of marketing content you wish to receive |
| To conduct user experience testing, market research and send feedback invites. This could be in the form of an online survey or via analytics tracking on our platform. | Name, email, organisation, job title, details of platform use including IP address, location, video recording, survey responses | This processing is carried out in our legitimate interest to conduct such research as part of our continuous improvement. It may also be carried out with your consent to record any video interviews. |
| To provide customer training on use of the platform for administrators. | Name, email, organisation, job title | This processing is carried out in our legitimate interest to ensure optimal use of the platform |
| To respond to complaints and queries. | Name, Email Address, Organization, Job Title. | This processing is carried out in our legitimate interest to facilitate your request. |
| To collect contact details which will be stored on our CRM system. For some markets, we may pass this information to our trusted channel partners/resellers. | Name, email, organisation, job title. | This processing is carried out in our legitimate interest to manage our contractual relationship with you. For some markets we may share these details with our partners, so they can manage the processing relationship. Our contract prohibits these organisations from using the information for anything else. |
Keeping your personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. For instance, we are required by law to keep financial records such as purchase orders and invoices for six years. If you’re the nominated contact for your organisation, your details might appear on these records.
Sharing your personal data
We will only disclose your personal data to the following recipients where necessary:
Channel Partners and Authorised Resellers: we’ll share this information with Channel Partners and Authorized Resellers, so they can manage the purchasing process. Our contract prohibits these organisations from using the information for anything else. You can view our partners in more detail here.
We also will make use of software applications and other services to deliver our product that may require sharing personal data; for example, we store our customer contact details on a Customer Relationship Management tool (CRM), and use an email distributer for direct marketing. You can view our appointed sub-contractors (sub-processors) here. (or below for this document)
Data processor statement for OpenAthens users
OpenAthens also processes personal data when we act on behalf of our clients and therefore act as a Data Processor under data protection law.
OpenAthens acts as a data processor for customers who subscribe to the service under a contract that includes Terms required by UK data protection law. The personal data processed under these Terms allows the use of your name and email address (or ID) to facilitate the implementation of our service at your organisation. OpenAthens does not use your personal data for purposes outside of these Terms. Customers determine their own purposes for using our services and are the data controllers for personal information processed under this contract. Questions and privacy rights requests relating to the use of personal data for these purposes should be addressed directly to your library or institution.
Security
We have in place appropriate policies, rules, and technical and organisational measures to protect your personal data from unauthorised or unlawful processing, and against accidental loss, destruction or damage. We also have procedures in place to deal with any data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.
Jisc provides some services certified to ISO27001 and aligns to these standards across the business. Read about Jisc’s certification.
Processors & Sub Processors
The table below provides information regarding sub-processors we use in connection with the performance of the OpenAthens service. OpenAthens is a part of Jisc, which is a group of companies that includes a wholly owned subsidiary Jisc International APAC Pte Limited which is registered in Singapore. Any data that is shared with this subsidiary is covered by a comprehensive data processing agreement that includes Standard Contractual Clauses and the UK Addendum.
| Processor/Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform and associated Google services including BigQuery (organisational analytics), Pubsub (API), Google Workspace | The Google Cloud Platform is used to host all OpenAthens applications and data stores, apart from the exceptions listed below. | UK and US Data Centres |
| Amazon Web Services | Amazon Web Services is used to store data backups. | UK Data Centre |
| VeloxServ | VeloxServ provide hosting for the OpenAthens Managed Proxy Service in Europe. The Managed Proxy Service holds IP addresses of customer organisations. | UK Data Centre |
| Atlassian Status Page, Jira Product Discovery, Jira Service Management. | Provides information on the status of OpenAthens services and sends maintenance and incident notifications. Anyone can subscribe to notification alerts by providing an e-mail address or mobile phone number. The Jira Product is used for the Service platform offered to track service requests. | Amazon Web Service US Data Centre |
| Mailjet | Hosts the e-mail service to which sends system e-mails to administrators (for example: account activation e-mails). E-mail addresses are temporarily stored in its logs. | Data Centres in Germany and Belgium |
The table below provides information regarding third parties used by OpenAthens where we act as a controller, for example to store customer contact details or to raise awareness of our business:
| Processor/Sub-processor | Purpose | Location |
|---|---|---|
| Salesforce, Tableau | Salesforce is used as a CRM to store customer contact details. Tableau is used as a dashboard for feedback to aid product development | EU |
| Used to recruit for surveys and interviews globally. OpenAthens may use LinkedIn Predictive Audiences for targeted advertising opportunities. LinkedIn matches our customer list with a ‘lookalike’ list of potential customers on their platform. | US | |
| Eventsforce | Used to register delegates for events | UK Data Centre |
| Dovetail | Customer insight tool | Australia |
| Aha! | Upvoting tool used for marketing purposes for insights into customer experience and product development | US |
| Lyssna | Used to capture customer interactions | Australia |
| Hotjar | Cookie that is used to track customer experience | EU |
| Google analytics | Cookie that is used to track customer experience | US |
| MS Teams & SharePoint , Excel | Used to organise videoconferencing meetings to gather feedback and temporarily store recordings | UK data centre |
| Calendly | Used to organise meetings for events | US |
| Adestra | Used for email marketing purposes | EU |
| Apollo | This is lead generation platform that stores individual contact details for use in marketing campaigns. | US |
| Jisc Online Surveys | Used to conduct customer surveys to track customer experience | UK |
| MiniOrange | Used to provide SSO capabilities that allows admins to login to our service desk platform. | US |
International transfers and UK data protection laws:
We will use appropriate measures to secure any transfers, including Adequacy Agreements, Standard Contractual Clauses (SCCs) and the UK Addendum where appropriate, or the UK International Data Transfer Agreement (IDTA). Any necessary Transfer Risk Assessments will be undertaken.
Last updated 9.12.25