This Privacy Notice explains how Trinity College Dublin, the University of Dublin ("Trinity College", "the University", "we", "our") processes personal data for the Neureka research dashboard ("the Service"). We are committed to safeguarding your privacy rights under the EU General Data Protection Regulation (GDPR) and the Data Protection Acts 1988–2018. The Neureka Project is led by researchers from the Gillan Lab at the Trinity College Institute of Neuroscience and is designed to advance understanding of brain health using smartphone technology.
Trinity College fully respects your right to privacy and treats all personal data shared with the Service with the highest standards of security and confidentiality. This Privacy Statement outlines:
- How we collect your personal data.
- The purposes and legal bases relied upon when processing your personal data.
- How we securely store your personal data.
- Details of third parties with whom we share your personal data.
- How long we retain your personal data.
- Your rights under data protection legislation.
We collect personal data so that we can provide you with secure access to the Neureka dashboard. This happens when you are granted access to the Service and as you continue to use it. The personal data we collect about you as a researcher includes:
- Name: As supplied when you onboard with the Service.
- Institutional details: Your institutional affiliation, role, and any additional organisational context necessary for access management.
- Institutional email: Used for identity verification, authentication, and security notifications.
- Usage data: All user access and activity on the dashboard—including login times, data queries, and actions performed—is logged to provide a clear audit trail.
We process personal data only for the specific and lawful purposes described below, ensuring compliance with Article 5 GDPR. Each processing activity is linked to the relevant legal basis under Article 6 GDPR.
| Process | Purpose | Legal basis (GDPR) |
|---|---|---|
| User authentication & access control | To grant and manage secure access to the Neureka research dashboard. | Performance of a contract (Article 6(1)(b)) – necessary to protect data integrity and meet the commitments made when granting access. |
| Auditing user activity | To log all user access and activity for security and compliance purposes, creating an audit trail. | Performance of a contract (Article 6(1)(b)) – required to safeguard the Service and uphold contractual obligations. |
| Honouring data transfer agreements | To ensure external collaborators access study data exactly as specified in the relevant data sharing agreement. | Performance of a contract (Article 6(1)(b)) – necessary to comply with the agreement governing data sharing. |
| Legal obligation | To share personal data when required by law or in response to valid requests from public authorities or legal proceedings. | Compliance with a legal obligation (Article 6(1)(c)). |
Trinity College has compiled processing records in accordance with Article 30 GDPR. For further detail please contact akhanlon@tcd.ie.
Personal data is stored confidentially and securely in line with the University's Information Systems Security Policy and Data Protection Policy. Processing activities are safeguarded through appropriate technical and organisational measures that meet Article 32 GDPR requirements.
Your personal data, handled with the same level of protection as research data, is hosted on Heroku and MongoDB servers located in Ireland (within the EEA). Key safeguards include:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords and email addresses used for authentication are hashed before storage.
- Role-based access control: Dashboard access is governed by RBAC, requiring institutional credentials and two-factor authentication (2FA).
- Auditing: All user access and activity is logged to provide a transparent audit trail for security and compliance.
We only share your data with third parties when necessary for the purposes outlined in this Privacy Notice. Any processors engaged by the University are bound by written agreements that require them to follow our documented instructions and maintain appropriate confidentiality and security standards.
Current processors supporting the Service include:
| Data processor | Purpose |
|---|---|
| Heroku | Cloud hosting environment for the Neureka dashboard backend. |
| MongoDB | Managed database services for storing application and research metadata. |
We retain your personal data for as long as the dashboard remains operational plus an additional two years, unless a longer period is required to comply with legal or contractual obligations.
You have the following rights regarding the way we process your personal data. Further guidance is available in the Trinity College Data Subject Rights Requests Procedure.
- Right of access: Request a copy of the personal data processed about you at reasonable intervals.
- Rectification: Ask us to correct any inaccuracies in the personal data we hold about you.
- Erasure: Request deletion of your personal data where we no longer have a lawful basis to retain it.
- Restriction: Request limits on processing if you contest accuracy, believe processing is unlawful, need the data retained for legal claims, or object while we verify our legal basis.
- Portability: Where technically feasible, obtain a machine-readable copy of your data or request that we transfer it to another controller.
For questions about this Privacy Notice or to exercise your rights, contact Anna Hanlon (akhanlon@tcd.ie) and/or Claire Gillan (gillancl@tcd.ie).
To escalate any concerns, contact the Trinity College Data Protection Officer at dataprotection@tcd.ie or by post at:
Data Protection Officer, Secretary’s Office, Trinity College Dublin, Dublin 2, Ireland.
Oifigeach Cosanta Sonraí, Oifig an Rúnaí, Coláiste na Tríonóide, Baile Átha Cliath 2, Éire.
If you are not satisfied with how your personal data is being processed, you may lodge a complaint with the Data Protection Commission via https://forms.dataprotection.ie/contact.
- Personal data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, such as collecting, storing, retrieving, using, combining, erasing, or destroying it.
- Data subject: An identifiable individual to whom the personal data relates.
- Data controller: An organisation, such as Trinity College, that determines the purposes and means of processing personal data.
- Data processor: A natural or legal person that processes personal data on behalf of the controller under a binding agreement (excluding University staff acting within their employment duties).
Reach out to us at admin@neureka.ie and our privacy team will be happy to help.