iCohort

Privacy Policy · v2026-05-13

Privacy Policy

Last updated May 13, 2026. This policy describes what we collect, how we use it, and the choices you have.

1. The short version

iCohort is a platform for connecting researchers. We collect what we need to operate that service: your account details, what you choose to put on your profile, the content you post, and basic technical signals from your visits. We do not sell your data. We do not run third-party advertising trackers. We use a small set of subprocessors to host the service and send transactional email.

2. What we collect

When you create an account and use iCohort, we collect:

  • Account details — name, email address, password hash. If you sign up with an external identifier (such as ORCID), we receive the identifier and any public profile data the provider shares with us under the scope you grant.
  • Profile information — anything you choose to add (handle, bio, skills, institution text, links, country, training stage, etc.).
  • Content you create — projects, applications, messages, skill suggestions, and similar artifacts.
  • Activity and technical signals — sign-in events, IP address, user-agent string, and timestamps of significant actions, for security and abuse prevention.
  • Cookies — a session cookie set by our auth system. We do not set third-party advertising or cross-site tracking cookies.

3. ORCID and external identity data

If you connect an ORCID iD, we fetch your public ORCID record via the ORCID API using the OAuth scope you grant. We store the resulting access and refresh tokens encrypted at rest. You can disconnect ORCID at any time from your profile settings; disconnecting revokes our access and removes the stored tokens.

Other external identifiers we may support in the future will be handled with the same principle: minimum data, encrypted at rest, disconnectable on demand.

4. How we use what we collect

We use your data to:

  • Provide the platform: render your profile, deliver messages, run search.
  • Communicate with you about your account, your projects, and your applications.
  • Investigate abuse, security incidents, and policy violations.
  • Improve the product by understanding how features are used in aggregate.
  • Comply with legal obligations when they apply.

5. Who we share data with

We do not sell your personal data. We share information only with:

  • Other users, but only to the extent of what you've chosen to make visible (your profile visibility setting, your project posts, your messages with accepted collaborators).
  • Service providers we use to operate iCohort, under contracts that limit them to processing data on our behalf. Currently these include our managed database (Neon), our transactional email provider (Resend), and our background job runner (Inngest). We will update this list as we evolve.
  • Legal authorities when we are required to by valid legal process, or to protect users from imminent harm.

6. Retention

We keep your account data while your account is active. If you close your account, we delete or anonymize your personal data within 30 days, except for records we are legally required to retain (for example, certain audit logs). Content you posted in public-facing surfaces (such as project descriptions other people applied to) may remain in archival form to preserve the integrity of others' records, with your name removed where reasonable.

7. Security

We use industry-standard practices: TLS in transit, encryption at rest for sensitive tokens, password hashing via an established algorithm, audit logs for consequential actions, and access controls for our own operators. No system is perfectly secure, and we ask you to use a strong, unique password and to notify us promptly if you suspect any unauthorized access to your account.

8. Your choices

You can:

  • Edit or delete your profile content at any time.
  • Disconnect any linked external identifier (such as ORCID) at any time.
  • Adjust your profile visibility (public, login-required, private, etc.).
  • Close your account, which triggers deletion as described above.
  • Request a copy of the personal data we hold about you. We will provide a reasonable export on best-effort basis.

Depending on where you live, you may have additional rights under GDPR, UK GDPR, CCPA, or other local laws — including the right to lodge a complaint with a supervisory authority. To exercise any of these rights, contact us at the address published before general availability.

9. International data

iCohort is hosted on infrastructure that may be located outside your country. By using the service, you understand that your data may be processed in jurisdictions whose data-protection laws differ from those of your home jurisdiction. We use reasonable safeguards with our subprocessors to ensure your data is handled appropriately.

10. Children

iCohort is not directed to anyone under 18. If you believe a minor has created an account, contact us and we will close it and delete the associated data.

11. Patient data is not allowed

iCohort is not a platform for handling protected health information or patient data. The Terms of Service explicitly prohibit posting any patient identifiers, case details, or regulated personal data through the service. If a user posts such content, we will remove it on becoming aware of it. Even if we do, the responsibility for the disclosure remains with the user who posted it.

12. Changes to this policy

We may update this Privacy Policy from time to time. The version at the top of this page is updated when we do. Substantive changes will be flagged in-product.

13. Contact

Privacy questions can be sent to the contact address that will be published before general availability. During early access, raise concerns through the feedback channel inside the product.

See also our Terms of Service.