1. Identity of the data controller

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter, GDPR), we inform you that the personal data you provide will be processed under the responsibility of:

  • INDEX PUBLISHING, SL
  • NIF: B21713888
  • Address: Carrer de Joanot Martorell, 22, 08014, Barcelona, ​​Spain
  • Contact email: co ******@in*******.com

If you wish to contact us regarding your Personal Data, you can do so at the address indicated in the previous point.

The Data Controller will be referred to alternatively as “INDEX”, the “Controller”, or “Platform”.

 

2. Introduction

INDEX PUBLISHING, SL (hereinafter “INDEX”) owns the domain https://index-360.com of this website or the web App and any other type of computer program developed, operated and/or maintained by INDEX (hereinafter also referred to as the “Platform”).

This text provides the User with INDEX's Privacy Policy in order to describe the personal information we collect, the purpose for which we use it and, in general, the processes and ways in which we treat it as data controllers during the course of the use and/or the Platform by Users (both registered and unregistered according to the processing) during their browsing through it.

INDEX may make this Privacy Policy available to the User in different languages. In such cases, the Spanish version will prevail in the event of any conflict in interpretation.

 

3. Treatments and purposes for which we process your data as data controllers

a. Platform and website functionality

  • Purpose : To allow the use and navigation through the Platform and website by Users, ensuring its proper functioning, allowing updates and technical maintenance, and improving its navigability, security and performance.
  • Categories of data processed:
    • User Platform Usage Data and application and device data; including the following: browsing and usage data, IP address, usage preferences, visits made, language, device information, browser type, gender, language, device type and operating system, approximate location regarding region and country of access; as well as cookies where applicable; and anonymized statistical data.
    • Similarly, if the User arrives at the Platform through an external source (such as, for example, through a link from a third-party website or social network), the Controller will collect anonymous statistical information about the source from which the visitor comes in order to better understand how Users discover and arrive at the Platform and/or to improve the company's marketing and positioning strategies.
  • Categories of interested parties: Registered and unregistered users who use the Platform.
  • Method of obtaining : shared by the User through navigation through the Platform environment.
  • Legal basis : Our legitimate interest in ensuring the proper functioning, updating and guaranteeing the improvement and security of the Platform and the Users, and in knowing the origin and source from which the user comes; or the User's consent otherwise (e.g.: regarding cookies that are not necessary to guarantee the functioning of the Platform).
  • Retention period : Usage Data will be retained for a maximum of one year and several months from the date of collection. After this period, the data will be deleted unless required by a public authority. Anonymized statistical data may be stored indefinitely as it does not contain personal data.

 

b. Platform Security and Fraud Prevention

  • Purpose : We collect and analyze data from the Data Subject to ensure the security of our Users, prevent fraud, conduct timely investigations, and use the information for potential claims in our own interest or that of third parties. This processing includes:
    1. Traffic data collection: We collect information about visits to our website, including IP addresses, browser type, pages visited, time spent on the site, and other browsing data.
    2. Behavioral pattern analysis: We use analytical tools to identify unusual or suspicious behavioral patterns that may indicate fraud attempts or unauthorized access.
    3. Threat Detection: We implement intrusion and other threat detection systems that analyze traffic in real time to identify and block malicious activities.
    4. Identity verification: We use traffic data to verify the identity of Users and ensure that transactions and access are legitimate.
    5. We maintain detailed records of access and activity on our website to conduct security audits and respond quickly to any incidents.
    6. Collaboration with authorities: In the event of detecting fraudulent or suspicious activities, we may collaborate with the competent authorities by providing the information necessary for the investigation in compliance with a legal obligation.

These processes allow us to protect the integrity of our website and the security of our Users, ensuring a safe and reliable digital environment.

  • Categories of data processed : Browsing and usage data, IP address, access logs, failed login attempts and suspicious activity, device information, browser type, device type and operating system, approximate location regarding region and country of access.
  • Category of interested parties : Users who make use of the Platform.
  • Method of obtaining : shared by the User through navigation of the Platform.
  • Applicable legal basis : Compliance with legal obligations relating to the registration of access and activity. The processing will be based on the legitimate interest of the Controller in investigating, detecting, preventing and prosecuting fraud, protecting its interests or those of third parties; as well as in defending its interests against possible claims for breaches of contract or applicable regulations by Users and in ensuring the correct and secure functioning of the Platform, Users and third parties.
  • Retention period : Access and activity logs will be kept for 1 year. After this period, the data may be blocked for the legally required periods to comply with regulatory obligations and statutory limitation periods if we believe there may be a risk of receiving a claim.

 

c. Provision of the contracted services:

  • Purpose:
    • To provide the contracted services to our clients (scientific journals, societies, universities, etc.).
    • Manage access to and use of the Editorial and Publishing Management Platform.
    • Provide technical and training support to registered users.
    • Communicate improvements, updates, and relevant content about our services.
    • The processing will include the management of requests, mandates or prior and during contracting procedures and the making of communications about the operation of the service.
    • Likewise, data processing will be carried out to guarantee registration, authentication on the Platform and to manage payments, among other related processing that allows guaranteeing the provision of services and executing the contract.
    • If consent is obtained and the User configures it on their device, they will be able to receive notifications on their device.
  • Categories of data processed:
    • Identifying information: name and surname.
    • Platform access details (Username, encrypted password)
    • Data related to editorial activity: author, reviewer or editor roles, usage history.
    • Registration details: Username and password, and gender.
    • Contact information: including email address and phone number.
    • Professional data: information on professional category, position or job title, institution, curriculum data and related information.
    • Usage data of the services that are generated through the use of the services.
    • Billing information: Identification details, Tax Identification Number and tax address.
    • Payment details: Payments will be processed through external payment gateway providers, such as Stripe. In this case, the User will share their data directly with the provider. INDEX will only receive payment confirmation, the User's identification details, and the last four digits of the card and CVV code from the payment provider.
    • In the event of registration on the Platform through Apple or Google, certain personal data associated with the Google or Apple account will be automatically shared with INDEX (such as avatar/image, email and User's first and last name).
  • Categories of interested parties: Clients who contract our services, including their representatives or staff or external personnel acting on behalf of the client (e.g., employees, etc.).
  • Method of obtaining : Directly from the client when they use the Platform. We may also receive payment confirmation information from payment gateway service providers or companies that integrate these services into their business activities and for which we act as data processors.
  • Legal basis : The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Retention period: For the duration of the provision of services and after its termination, your data may be blocked for the periods legally required to comply with regulatory obligations, including tax, commercial and anti-money laundering regulations, as well as for the period of legal limitations.

 

d. Sending commercial communications:

  • Purpose : To send commercial communications, offers, promotions or similar, regarding the products offered by the Data Controller, according to the different possibilities:
    1. Email communications : Sending promotions and/or offers to the User's email address. The User may object to receiving commercial communications at any time by contacting the Data Controller's email address or, where applicable, through the unsubscribe option included in the email itself.
    2. Third-party communications : Users may only receive communications from third parties if they have previously given their express consent. You may withdraw your consent at any time by contacting the Data Controller at the provided addresses.
    3. Personalized communications : Sending personalized communications based on the interests and preferences of Users will require their prior consent, and may be withdrawn at any time.

If the User wishes to stop receiving commercial communications, they can object or withdraw their consent at any time by contacting the Controller through their postal address, email or through the channels enabled according to the different communication methods.

  • Categories of data processed:
    • Identifying information: Username.
    • Contact information: email address.
    • Data related to the User's preferences, if applicable.
  • Category of interested parties : Users who make use of the Platform or consent to receive communications.
  • Method of obtaining: Directly from the User.
    1. Registered users or INDEX customers: directly from them through their registration on the Platform.
    2. Unregistered users : Directly from the interested party through their registration in forms, newsletters and similar.
  • Bases of legitimacy:
    1. With regard to registered Users or customers: it will be based on the legitimate interests of the Controller in informing Users about contracted or similar products and relevant information, unless the User objects to such processing.
    2. Regarding Users with whom you do not have a contractual relationship: prior consent will be required.
    3. Consent will also be required for both registered and unregistered Users for the sending of personalized and third-party communications, until the withdrawal of consent, objection or deletion of account by the User.
  • Retention period : Data will be processed until the User withdraws their consent. Once this period has elapsed or consent has been withdrawn, the data may be blocked for the legally prescribed periods to comply with applicable regulatory obligations and statutory limitation periods.

 

e. Resolution of queries made by the User

  • Purpose : To guarantee communication by Users with the Controller to make inquiries with customer service, request information, file complaints or other similar matters, through any of the Controller's contact points, including forms, electronic or postal addresses or others made available to the User.
  • Categories of data processed : identification data, specifically name and surname and contact data, including email address and/or telephone number; as well as information shared during the consultation process.
  • Categories of interested parties : Users who make the query.
  • Method of obtaining: Directly from the Users, when they contact the Controller directly or through personnel acting on behalf of the User.
  • Legal basis : User consent or legitimate interest of the Controller in responding to an inquiry after having received the request.
  • Retention period : Once the purpose for which they were collected has been achieved, the data will be kept for a maximum period of 24 months, unless for reasons of legitimate interest or legal limitation periods it is required to keep them for a longer period.

 

f. Business development: contracting of services:

  • Purpose : To allow interested parties to contact INDEX to request commercial information, as well as a meeting or a trial of the platform, and to collect basic contact information to manage requests made through the website to display products, commercial offers and manage the possible contracting of services by potential clients.
  • Data categories: identification data (name and surname); corporate contact data (including email address, telephone number); professional data (job title or position).
  • Method of obtaining: Directly from the User when they complete the contact form.
  • Categories of Interested Parties: Data of Interested Parties who wish to contract the Services or a trial version.
  • Legal basis : the processing is necessary for the performance of a contract to which the Interested Party is a party or for the application, at the request of the interested party, of pre-contractual measures; as well as the consent of the interested party when he/she gives his/her consent by clicking through a form, where appropriate.
  • Retention period : for as long as communications with the data subject continue for the purposes stated, and thereafter for 18 months, or until the data subject withdraws their consent or objects to the processing. Subsequently, the data may be blocked for the legally prescribed periods to comply with regulatory obligations, including tax, commercial, and anti-money laundering regulations, as well as for the statutory limitation periods.

 

g. Internal analysis and development

  • Purpose : The Controller may collect and process statistical and anonymized usage data to analyze the behavior and use of the Platform, browsing patterns, gender, language, functionalities used by the User in order to improve the user experience, optimize functionalities and analyze usage trends, with the aim of developing new tools or services, etc.
  • Data categories : Anonymous data on Platform usage, browsing patterns and functionalities used.
  • Categories of Interested Parties : Registered users and visitors of the Platform (in anonymized format).
  • Legitimate interest : Legitimate interests in analyzing anonymous, statistical and aggregated information to offer improved products and services to Interested Parties and to develop new products.
  • Method of obtaining : data shared by the User in relation to the use of the Services.
  • Retention period : In order to fulfill the stated purpose, the data may be stored and kept indefinitely, always in a dissociated or anonymous manner, so that the Interested Parties cannot be identified.

 

4. Where does your data come from?

As a general rule, unless otherwise specified in other sections of this Policy, all data comes from the Interested Party, either through browsing or use of the Platform or through communication made by the User by any of the means made available to him or her.

 

5. Data recipients

In general, the Controller will not communicate the User's Personal Data to third parties, except when the provision of a service implies the need for a contractual relationship and such communication is strictly necessary for the management and maintenance of the relationship between the User and the Controller and/or for the fulfillment of the purposes described in this Policy.

In such cases, communication will only take place for the time strictly necessary to achieve these purposes, and always in accordance with the principles of the General Data Protection Regulation (GDPR), through the application of appropriate technical and organizational measures to guarantee the security and confidentiality of personal data. These measures include the execution of corresponding data processing agreements with each provider, which establish obligations equivalent to those assumed by the Data Controller with regard to data protection. Once the service has been provided, the providers must return or delete the personal data as stipulated in these agreements.

In this regard, and solely to enable the operation of the Platform and the fulfillment of the purposes described, the Controller may communicate Personal Data to the following recipients:

  • Providers of essential services, including IT and technology services, payment gateway, issuance of DOIs through Crossref, cloud storage, sending communications, authentication and security services, analytics services, among other similar services that are necessary to guarantee the purposes.
  • Suppliers to whom we may subcontract the physical booths or their management.
  • Public authorities, by judicial request or by legal imperative.
  • Companies and/or consultants that help us in the management of our services and in the fulfillment of our purposes.

You can request additional information about communications made to the Data Controller through any of the contact points indicated in this Policy.

 

6. International data transfers

Some of the services used by INDEX may involve the international transfer of data (for example, cloud storage or web analytics services). In these cases, INDEX will ensure that such transfers are carried out under appropriate safeguards in accordance with Articles 44 et seq. of the GDPR.

 

7. Processing of personal data on behalf of our clients

When the Platform is used by our clients within their business activity under a service contract, INDEX will process the personal data that said client makes available to it for the provision of services on behalf of said clients, acting as the Data Processor.

In this case, the aforementioned client will be the Data Controller of the personal data that he/she shares with INDEX, or that he/she enters into the Platform.

The processing of personal data by INDEX as Data Processor will not be governed by this Privacy Policy, but by the provisions of the service provision contract between the Platform and the client, in accordance with the instructions and purposes specified therein, as well as by virtue of a specific processing agreement and with the client's privacy policy that integrates our services, in compliance with current data protection regulations.

 

8. Treatment modality

The processing of the data provided is based on the principles of lawfulness, transparency, purpose limitation and storage, data minimization, accuracy, integrity and confidentiality, and will be carried out, in any case, subject to the provisions of EU Regulation 2016/679 and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights.

In particular, the processing may be carried out using paper, computer and telematics tools, also in accordance with the provisions of Article 29 of EU Regulation 2016/679 and, in any case, with adequate means to guarantee its security and confidentiality in accordance with the provisions of Article 32 of the same EU Regulation No. 2016/679.

 

9. Automated decisions

There is no automated decision-making process, not even for the purpose of profiling, in accordance with Article 13.2(f) of EU Regulation No. 679/2016.

 

10. Retention of your personal data

As a general rule, the Controller will retain your Personal Data only for as long as necessary for the purpose for which it was initially collected, and for the maximum periods indicated in each of the processing activities referred to in this Policy.

Retention periods according to the type of data, purposes and applicable regulations:

After the aforementioned periods have elapsed, the data will be automatically deleted, without prejudice to its subsequent retention blocked when necessary for compliance with certain obligations, by legal provisions or responsibility, or requests and/or orders issued by Public Administrations and/or Control Authorities, for some of the reasons indicated in the previous sections.

With regard to anonymous and statistical information, the Controller shall apply the provisions of Recital 26 of the GDPR, which states: “ The principles of data protection should therefore not apply to anonymous information, i.e., information which does not relate to an identified or identifiable natural person, or to data rendered anonymous in such a way that the data subject is no longer identifiable .” Consequently, this Regulation does not affect the processing of such anonymous information, including for statistical or research purposes.

 

11. Data Security

INDEX implements the necessary technical and organizational measures to guarantee the security of personal data and prevent its alteration, loss, unauthorized processing or access, in accordance with the provisions of the GDPR.

 

12. Cookie Policy

Our website uses its own and third-party cookies for analytical purposes and to improve the user experience. For more information, please see our [link to cookie policy].

 

13. What are your rights regarding your data? 

 In accordance with the GDPR, the Data Subject has the following rights in relation to their Personal Data:

  • Access to your data, which you can also view in the “my data” section
  • Correction of your data, because we also want to ensure that your information is accurate and up-to-date,
  • Deletion of your data,
  • Limitation of the processing of your personal data,
  • Objection to the processing of your data, when the legal basis for processing your data is our legitimate interest,
  • Withdrawal of your consent for the processing of your data, when the legal basis for processing your data is your consent, and
  • Data portability, when the legal basis for processing your data is your consent or the execution of a contract.

To exercise their rights, the Interested Party may contact the Controller through the addresses designated in this Policy.

Furthermore, the Interested Party has the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if they have any doubts or are not satisfied with the exercise of their rights or the processing we carry out, whose contact details are:

  • Spanish Data Protection Agency - Spain - (AEPD)
  • Jorge Juan Street, 6 // Postal Code: 28004 – Madrid
  • Telephone support: +34 901 100 099 // +34 91 266 35 17
  • https://www.aepd.es

 

14. Updates

This Privacy Policy may be updated at any time to reflect legal or technical changes. The most recent version will always be available on our website.

Last updated: 19/11/2025