Privacy Policy

This Privacy Policy explains how Submittio (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the Submittio platform available at submittio.com (“Platform”).

Submittio is operated by Dalibor Rodić. We are committed to protecting your personal data and processing it in accordance with the General Data Protection Regulation (GDPR) and applicable data protection law.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

Data Controller contact:
Email: dalibor@submittio.com
Website: submittio.com

This Privacy Policy applies to all users of the Platform, including:

• Conference organisers (Admins) — individuals or institutions who create and manage conference events
• Authors — researchers who submit papers or abstracts to conferences
• Reviewers — individuals assigned to evaluate submitted papers
• Participants — individuals who register to attend conference events
• Visitors — anyone who browses the Platform without creating an account

We collect only the personal data necessary to provide the Platform’s services. The data we collect depends on how you use the Platform.

3.1 Account data
When you create an account, we collect:

• Full name
• Email address
• Institutional affiliation (optional)
• Short biography (optional, Authors only)
• Your selected role (author, reviewer, organiser, or participant)

3.2 Submission data
When you submit a paper or abstract, we collect:

• Paper title and abstract
• Uploaded paper files (PDF or DOCX)
• Submission type and selected conference session
• All version history of uploaded files

3.3 Review data
When you review a paper, we collect:

• Review decisions and comments
• Internal notes (visible to organisers only, not to authors)

3.4 Registration data
When you register for an event (with or without an account), we collect:

• Full name
• Email address
• Registration status (confirmed or waitlisted)

3.5 Newsletter and marketing data
When you subscribe to our newsletter or the newsletter of a conference organiser on the Platform, we collect:

• Email address
• Subscription date
• Unsubscribe status and date (if applicable)
• A unique unsubscribe token to process opt-out requests

3.6 Communication data
When you use the Platform’s messaging features (threaded paper comments), we collect:

• Message content
• Timestamp and sender identity

3.7 Technical data
When you use the Platform, we automatically collect:

• Session authentication data (stored via strictly necessary cookies — see our Cookie Policy)
• No IP addresses, device fingerprints, or behavioural tracking data are collected

We process your personal data on the following legal bases under GDPR:

4.1 Performance of a contract (Art. 6(1)(b))
We process account data, submission data, review data, registration data, and communication data to provide the Platform’s core services — enabling conference organisers to run events and authors to submit and track papers.

4.2 Legitimate interests (Art. 6(1)(f))
We process technical session data to maintain secure authenticated sessions and protect the Platform against unauthorised access. Our legitimate interest is the secure and functional operation of the Platform.

4.3 Consent (Art. 6(1)(a))
We process newsletter and marketing email data based on your explicit consent, given when you subscribe. You may withdraw your consent at any time by clicking the unsubscribe link in any email we send or by contacting us at dalibor@submittio.com.

We do not use your personal data for automated decision-making or profiling.

If you have subscribed to a newsletter through the Platform, we may send you:

• Announcements of new conferences listed on the Platform
• Updates about the Submittio platform and new features
• Other communications relevant to the academic conference community

You can unsubscribe at any time using the unsubscribe link included in every marketing email. Unsubscribing from marketing emails does not affect transactional emails related to your active submissions or registrations.

We use the following third-party services that may process your personal data on our behalf. All are bound by appropriate data processing agreements and comply with GDPR.

We do not share your personal data with any other third parties. We do not sell your data. We do not use advertising networks, analytics trackers, or social media pixels.

All personal data is stored within the European Union:

• Database and file storage: Supabase, Frankfurt, Germany (eu-central-1)
• Email delivery: Resend, Dublin, Ireland

We apply appropriate technical and organisational security measures including:

• Encrypted data transmission (HTTPS/TLS)
• Row-Level Security (RLS) policies enforced at the database level — users can only access their own data
• Secure authentication managed by Supabase Auth
• Service role keys stored as encrypted environment variables, never exposed in code

Note on paper submissions: Once a paper has been submitted to a conference, the submission record (including all versions) is retained to maintain the integrity of the academic record for the relevant conference organiser. Authors may request removal of personal identifying information from a submission by contacting us, subject to the organiser’s agreement.

If you are located in the European Economic Area, you have the following rights regarding your personal data:

Right of access — You may request a copy of the personal data we hold about you.

Right to rectification — You may request correction of inaccurate or incomplete personal data.

Right to erasure — You may request deletion of your personal data. Note that deletion of account data may not extend to paper submissions if an organiser has a legitimate interest in retaining the conference record.

Right to data portability — You may request your personal data in a structured, commonly used, machine-readable format.

Right to object — You may object to processing based on legitimate interests.

Right to restriction — You may request that we restrict how we process your data in certain circumstances.

Right to withdraw consent — Where processing is based on consent (newsletter and marketing), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at dalibor@submittio.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. If you are based in Bosnia and Herzegovina, the relevant authority is the Personal Data Protection Agency of Bosnia and Herzegovina (Agencija za zaštitu ličnih podataka u Bosni i Hercegovini).

All data is stored and processed within the European Union. No international transfers of personal data outside the EU/EEA are made. Both Supabase and Resend operate their services for Submittio within EU-based infrastructure.

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at dalibor@submittio.com and we will take steps to delete it.

We use only strictly necessary cookies. For full details of the cookies we set and your options for managing them, please see our Cookie Policy.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this document and, where appropriate, notify registered users by email. Your continued use of the Platform after changes are published constitutes your acknowledgement of the updated policy.

For any privacy-related queries, to exercise your rights, or to report a data protection concern, please contact:

Dalibor Rodić
Email: dalibor@submittio.com
Website: submittio.com

Note: Once Submittio is operated by a registered legal entity, this policy will be updated to reflect the company name, registration number, and registered address.