Privacy policy


If you have any questions about Zenodo's privacy policy, please don't hesitate to contact us.

Legal framework

Zenodo is hosted at CERN and subject to CERN's special legal status as an Intergovernmental Organization (IGO) and thus enjoys certain privileges and immunities under international law. Processing of personal data at CERN is governed by CERN's Operational Circular 11 (OC11) that offers data protection at the same high standards and is comparable to EU's General Data Protection Regulation (GDPR).

How is your data used

Each service at CERN is responsible for compiling its own Privacy Notice regarding the data it processes.

This Privacy Notice is part of CERN’s Layered Privacy Notice and details the processing that is unique to Zenodo. It does not address processing by other services on which this service may rely and which have their own Privacy Notice.

Personal Data we process

The personal data we have, and how it's used:

Personal Data Purpose Basis Source
Your account name [User] To identify you as a Zenodo user; To provide you with the service; For technical support and troubleshooting; To display publicly on Zenodo; To prevent spam and misuse of Zenodo Legitimate interest of CERN Your input
Your full name and affiliation [User] To identify you as a Zenodo user; Allowing others to find you on Zenodo; Pre-filling your information in forms when logged in; To display publicly on Zenodo; To prevent spam and misuse of Zenodo; For auto-completion of personal names in the record metadata Legitimate interest of CERN Your input or derived from your ORCID
Your email address [User] To identify you as a Zenodo user; To provide you with the service; For technical support and troubleshooting; To communicate with you; To send you e-mail notifications; Allowing others to find you on Zenodo; Pre-filling your information in forms when logged in; To display publicly on Zenodo (if enabled by you); To prevent spam and misuse of Zenodo Legitimate interest of CERN Your input
Your institutional affiliation [User] To verify your account; To generate summary statistics; To prevent spam and misuse of Zenodo Legitimate interest of CERN Inferred from the email address domain
Your user preferences (language, time zone, profile/email visibility, notification preferences, profile picture and display preferences) [User] Improving your experience while using Zenodo, adapting the interface to your preferences; To allow you to control if others can find you; To allow you to control if and what public information is displayed about you. Legitimate interest of CERN Your input
Your account status (e.g. blocked, verified, unverified) [User] To prevent spam and misuse of Zenodo; To rank search results Legitimate interest of CERN Zenodo service; Inferred from your institutional affiliation; Inferred by spam classifier
Your specific authorizations [User] To grant you to access to protected features on Zenodo upon your request Legitimate interest of CERN Zenodo service
Your granted quota/limits [User] To grant you additional resources on Zenodo upon your request Legitimate interest of CERN Zenodo service
Your historic login information (last login timestamp and login count) [User] For account security and debugging; To generate summary statistics; To prevent spam and misuse of Zenodo Legitimate interest of CERN Automatically recorded when you authenticate on Zenodo
Which deposits you have created and records you have published, incl. timestamp [User] To allow you to manage and edit records you upload; To prevent spam and misuse of Zenodo; To monitor compliance with Zenodo's policies Legitimate interest of CERN Your input
Which communities you have created and manage, incl. timestamps [User] To allow you to manage communities you create; To prevent spam and misuse of Zenodo; To monitor compliance with Zenodo's policies Legitimate interest of CERN Your input
Which records you have been granted access to [User] To allow you to access restricted content from other users Legitimate interest of CERN Access granted by another user to records they own
Your authorized third-party applications [OAuth] To allow you to authenticate with your Zenodo account on third-party websites; To provide third-party websites with API access to your account Consent Your input
Your access tokens and developer applications [OAuth] To authenticate you on the REST API; To allow you to authenticate Zenodo users in your third-party website Consent Your input or generated upon your request
Your browser sessions (IP address, corresponding timestamp, country, browser and device) [Session] For account security, debugging and rate limiting; To allow you to logout from your devices remotely; To prevent spam and misuse of Zenodo; to infer the country from the IP address of your devices. Legitimate interest of CERN Automatically detected from the web browser you are using
Your support requests and enquiries (including name, affiliation and email address) [Support] To provide you with the requested service; To manage the handling of your request; To investigate compliants Legitimate interest of CERN Your input
Your linked accounts (GitHub, ORICD and OpenAIRE IDs) [Linked accounts] To allow you to use GitHub, ORCID and OpenAIRE AAI to signup and authenticate; To facilitate integration with GitHub, ORCID and OpenAIRE; To generate summary statistics; To prevent spam and misuse of Zenodo; Legitimate interest of CERN From GitHub, ORCID or OpenAIRE when you use them to sign up, authenticate or link your external account
Your subscription to our newsletters [Newsletter] To send you email newsletters about Zenodo Consent Your input
Which communities you are a member of, your role in them, and your membership visibility [Memberships] To grant you access to a specific community and its content; To display your membership to other members; To display your membership publicly (if requested); To prevent spam and misuse of Zenodo Legitimate interest of CERN Your input by accepting an invitation to join a community
Which communities you have been invited to and which invitations you have sent, and the corresponding timestamp with you action. [Invitations] To allow you to invite other users to become members of a community; To allow you to accept/decline invitations and for the community manager to see your response; To prevent spam and misuse of Zenodo Legitimate interest of CERN Your input by inviting users; Your input by accepting/declining an invitation to join a community
Your requests, your comments/assignments/reviews on requests, and actions you perform on requests [Requests] To allow you to make requests to other users and administrators and perform actions on those requests; To communicate with other users; To allow other users involved in the request to see your actions on the request as well as see historic requests Legitimate interest of CERN Your input
Your access requests (including email address, name and justification) to restricted/embargoed records [Requests] To allow you to request access to restricted content from other users without having a Zenodo account Legitimate interest of CERN Your input
Your GitHub repositories, releases that you created, and the metadata associated with both of them [GitHub] To allow automatic submissions of releases from your GitHub repository into to Zenodo Consent From GitHub if you activate the synchronisation between GitHub and Zenodo
Your IP address, visited URLs on Zenodo, any errors you experienced, and corresponding timestamp [Logs] To provide you with user support for website debugging, security auditing and to produce anonymous aggregated statistics; To prevent spam and misuse Legitimate interest of CERN Automatically detected when you are browsing on the Zenodo web sites
Any actions you perform in a community including on records part of the community and corresponding timestamp while logged in [Community audit logs] To provide transparency for actions performed by the community, to facilitate collaborative editing and team work Legitimate interest of CERN Automatically recorded when you perform actions
Any actions you perform while logged in [Audit log] For security auditing and troubleshooting; To prevent spam and misuse Legitimate interest of CERN Automatically recorded when you perform actions
Your names, affiliations, persistent person identifiers (e.g. ORCID, ISNI or GND) [Vocabularies] To uniquely identify you as an author; To facilitate search for authors; For auto-completion of personal names in the record metadata Legitimate interest of CERN ORCID; OpenAIRE Graph
Your names, affiliations, persistent person identifiers (e.g. ORCID, ISNI or GND) and role as part of the record metadata, record files and references/citations [Research outputs] For the scientific justification of published records and cited/citing sources; To curate metadata of records Legitimate interest of CERN Your and other users input; Automatically through deduplication and enrichment of record metadata
Your Submission Information Packages (SIPs) containing IP Address, email address, the record metadata and files [SIP] For quality assurance, for instance to be able to recover your published record in case of technical issues; For scientific justification of published records. Legitimate interest of CERN Your input

Description of legal basis for processing of Personal Data by Zenodo

  • Contract: To fulfil a contractual relationship with the individual, or in preparation for a contract with the individual
  • Legal Obligation: To comply with a legal obligation of CERN.
  • Consent: By having received and recorded consent from the individual.
  • Legitimate interest of CERN: In the legitimate interests of CERN supporting the professional activities of the individual or their security and safety.

Personal Data we keep

The personal data we store, for how long and why:

Personal Data Retention Period 1 Purpose
All data labelled [User] Lifetime of your Zenodo account To provide you with the Zenodo service
All data labelled [Newsletter], Your email address Until you unsubscribe or email address bounces twice, whatever comes first To send you email newsletters about Zenodo
All data labelled [OAuth] Lifetime of your Zenodo account, or until your token expires (1 year validity) or until you delete it, whatever comes first To allow you to authenticate with your Zenodo account on third-party websites; To provide third-party websites with API access to your account; To authenticate you on the REST API; To allow you to authenticate Zenodo users in your third-party website
All data labelled [Session] Lifetime of your Zenodo account, or 30 days after your last activity, whatever comes first For account security, debugging and rate limiting; To allow you to logout from your devices remotely; To prevent spam and misuse of Zenodo;
All data labelled [Linked accounts] Lifetime of your Zenodo account or if you disconnect the linked account or the link expires, whatever comes first To allow you to use GitHub, ORCID and OpenAIRE AAI to signup and authenticate; To facilitate integration with GitHub, ORCID and OpenAIRE; To generate summary statistics; To prevent spam and misuse of Zenodo;
All data labelled [Support] 7 years after the closure of your request To provide you with the requested service; To manage the handling of your request; To investigate complaints and disputes that may arise after the closure of the request; To facilitate the handling of future similar cases
All data labelled [Memberships] Lifetime of your Zenodo account or until you leave the community, whatever comes first To grant you access to a specific community and its content; To display your membership to other members; To display your membership publicly (if visibility is set to public); To prevent spam and misuse of Zenodo
All data labelled [Invitations] Lifetime of your Zenodo account or 1 year after the invitation was created, whatever comes first To allow you to invite other users or to become members of a community; To allow you to accept/decline invitations and for the community manager to see your response; To prevent spam and misuse of Zenodo
All data labelled [Requests] Lifetime of your Zenodo account or 1 year after granted access expires, whatever comes first To allow you to make requests to other users and administrators; To communicate with other users; To allow other users involved in the request to see your actions on the request; To allow you to request access to restricted content from other users without having a Zenodo account; To facilitate the management of access requests by providing transparency
All data labelled [GitHub] Lifetime of your Zenodo account or deactivation of the synchronisation with GitHub, whatever comes first To allow automatic submissions from your GitHub repository into to Zenodo
All data labelled [Logs] 13 months from date of action To provide you with user support for website debugging, security auditing and to produce anonymous aggregated statistics; To prevent spam and misuse
All data labelled [Community audit logs] 5 months from date of action To provide transparency for actions performed by the community, to facilitate collaborative editing and team work
All data labelled [Audit logs] 13 months from date of action For security auditing; To prevent spam and misuse
All data labelled [Vocabularies] Unlimited To uniquely identify you as an author; To facilitate search for authors; For auto-completion of personal names in the record metadata
All data labelled [Research outputs] and [SIP] Unlimited For the scientific justification of published records and cited/citing sources; To curate metadata of records; For quality assurance, for instance to be able to recover your published record in case of technical issues. You have one month after the publication to request the deletion, afterwards the request will only be granted in exceptional circumstances upon justification

Who at CERN has access

In addition to yourself, personal data collected by Zenodo is accessible by the following services, teams or individuals at CERN:

Personal Data Who Purpose
All data above Zenodo Service To provide you with the Zenodo service; For debugging, security auditing & incident investigation and response; To prevent spam and misuse; For technical support and troubleshooting; To establish anonymous reports and statistics
All data above Database on Demand Service To store the data and to provide managed database service for Zenodo including replication and backup; For technical support and troubleshooting
All data above except those labelled [Newsletter], [Support] OpenSearch Service To store the data; To provide managed search engine service for Zenodo; For technical support and troubleshooting
All data labelled [Logs] Platform-as-a-Service, Web Application Hosting Service To provide managed web application hosting for Zenodo; For technical support and troubleshooting
All data labelled [Logs] Web Analytics Service To provide managed web analytics infrastructure for Zenodo; For technical support and troubleshooting
All data labelled [Logs] Monitoring Service, HADOOP Services To provide managed logging infrastructure for Zenodo; For technical support and troubleshooting
All data labelled [Logs] Sentry Service To provide managed error logging and aggregation service for Zenodo; For technical support and troubleshooting
All data labelled [Research ouputs] EOS for Physics Service, Ceph Service, Tape Archive (CTA) Service To store the data and to provide managed storage infrastructure for Zenodo; For technical support and troubleshooting

Personal Data we may transfer to others

Personal data we share with entities or individuals outside the Organization:

Personal Data 3rd Parties Purpose
All data labelled [Research outputs] DataCite (Germany), OpenAIRE (Greece), Software Heritage (France) To register/update a Digital Object Identifier (DOI) for your published record; For fast indexing into the OpenAIRE Scholarly Knowledge Graph; For archiving in Software Heritage of records with public software source code
All data labelled [Research outputs] and [Vocabularies] General public For the scientific justification of published records and cited/citing sources; For attribution of the work in published records; For dissemination of research. All information that has been published by you, will be searchable and harvestable through our user interface and our API
Your account name, full name, affiliation, profile picture, linked accounts (GitHub, ORCID, OpenAIRE) and account status General public To display publicly on community members pages (if you set your membership to public); To display publicly on Zenodo (if profile visibility is public) related to content you have uploaded
Your account name, full name and affiliation Zenodo users Allowing others to find you on Zenodo (if profile visibility is enabled); To display to other members in communities you are a member of; To allow other users to grant you access to their restricted content
Your email address (if email visibility is enabled) Zenodo users Allowing others to find you on Zenodo and to communicate with you; To allow other users grant you access to their restricted content
All data labelled [Invitations] Zenodo users who owns or manages the community For the community manager to invite you and see your response and historic invitations
All data labelled [Requests] Zenodo users with whom you are corresponding To allow you to make requests to other users and administrators; To communicate with other users; To allow other users involved in the request to see your actions on the request and the related resource (e.g. record or community); To allow the owner of the restricted records to evaluate your request for access and see historic requests
All data labelled [Community Audit Logs] Zenodo users who owns the community To enable community owners to audit actions on the community and it's records
Your access token for a third-party application Third-party applications on which you login with your Zenodo account To enable you to grant a third-party application access to your Zenodo account and perform actions on your behalf.

Automated decision making

What automated decision making or profiling is being done by Zenodo with your personal data:

Personal Data Automated decision making or Profiling Purpose
All data labelled [User], [Linked accounts]
  • When you create an account or change your email address, we match your email address domain against our database of institutional email domains to infer your institutional affiliation. We use the institutional affiliation to automatically set your account status to verified;
  • When you publish a record or create a community we check the record/community with an automatic spam classifier which will inactivate your account, record, and community if found to be spam with a high probability. We train the spam classifier with manually classified records/communities as well as the data of the user who uploaded the given record.
To determine your account status (blocked, verified, or unverified); To prevent spam and misuse of Zenodo; To monitor compliance with Zenodo policies; Used to automatically verify an account; Used to automatically flag an account for review by Zenodo service administrators; Used for training of automatic spam classifier for automatic detection and removal of spam records; Used to automatically verify communities.
You can object to all automatic decisions by contacting us on support.

For more detailed information about personal data and privacy please refer to the Data Privacy web site.

For questions regarding this Privacy Notice, please contact us.

For questions regarding personal data and privacy please contact the Office of Data Privacy.

To request to exercise data subject rights please fill and submit the following online form.

This Privacy Notice is subject to revision.

Last revision: 23-04-2024

1 The retention period may be temporarily extended for special circumstances, in accordance with the provisions of the operation circular governing data privacy.