1. Data Controller
The IKAPO Project Team at the University of Oulu acts as the Data Controller for the personal data processed within the ITEE SPOT platform.
2. Information We Collect
To provide a functional collaborative environment, we collect and process the following categories of data based on our database schema:
- Identity & Account Information: Full name, email address, and avatar URL (via GitHub or email authentication).
- Academic & Professional Profile: University, degree level, major, year of study, job title, company name, and company unit.
- External Identifiers: Links to GitHub and LinkedIn profiles.
- Project & Content Data: Project titles, descriptions, YouTube links, and any information provided in "fun facts" or project files.
- Technical Identifiers: Invitation records (member emails) and system logs including IP addresses (stored for a maximum of 24 hours).
3. Purpose of Processing & Public Visibility
Data is processed strictly to facilitate the matchmaking of students with projects and industry partners. Important note regarding profile visibility:
By using the platform, your professional profile and project contributions are made visible to other registered participants and authorized judges to facilitate networking and project evaluation. We do not sell or share your data with third parties for marketing purposes.
4. Legal Basis (GDPR)
We process your data based on your explicit consent provided during account creation. For system security and log maintenance, we process data based on legitimate interests. You have the right to withdraw consent at any time by deleting your profile.
Users are advised not to provide special sensitive personal information.
5. Data Storage and Third-Party Processors
Your data is securely stored and processed using infrastructure provided by CSC – IT Center for Science (Finland). All data is hosted within the European Union (EU). We ensure that Data Processing Agreements (DPA) are in place with these providers to guarantee your data is handled in compliance with GDPR.
- Data Location: All personal data is hosted on servers located within the European Union (EU), specifically utilizing CSC's Finnish infrastructure to self-host Supabase.
- Special Data Handling: Consistent with CSC requirements, we do not process special categories of personal data (sensitive data) unless explicitly agreed upon.
- Security Measures: We implement industry-standard security protocols, including TLS/SSL encryption for data in transit and restricted access at the infrastructure level.
- Infrastructure: We leverage Supabase's Row Level Security (RLS) to maintain strict isolation of user data.
- Data Isolation: We utilize Row Level Security (RLS) within our self-hosted database to ensure that users can only access their own authorized data.
- Maintenance: Regular security patches and updates are applied to the self-hosted environment to protect against vulnerabilities.
6. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Access & Portability: The right to request a copy of your stored data in a structured format.
- Rectification: The right to update or correct inaccurate data at any time.
- Erasure: The right to request the deletion of your account ("Right to be Forgotten").
- Restriction: The right to object to certain processing activities.
7. Contact Information
For any inquiries regarding data privacy or to exercise your rights under GDPR, please contact:
hanna.saarela@oulu.fi

