Skip to main content

Privacy Policy

This document is provided to set expectations and understanding about PREreview’s practices and services. It is not legally binding.

Current version (this document): v1, 24 April, 2023


PREreview is a fiscally sponsored project of Code for Science and Society, a registered 501(c)3 nonprofit organization based in the United States of America.

We strive to adhere to the highest ethical standards in all of our operations and are dedicated to protecting the privacy of everyone who interacts with us. We do not sell, barter, give away, rent, or permit anyone outside of PREreview, our Advisory Committee, and project-scoped contractors to use or access information about our partners, collaborators, research participants, or website visitors.

We use third-party services to publish work, keep in touch with people, and understand how we can do both of these things better. Here you can find out what these services are and how we handle all sorts of data, from event sign-up to preprint review platform data collection.

If there is additional information you would like to see in this document about our practices, or if you have other comments or questions, please reach out to

Our site and services

We use the following services to run our websites and understand how people use them.

Website analytics

As of August 2021 we began using Fathom (Privacy Policy), a lightweight, non-invasive, GDPR, CCPA, ePrivacy, PECR-compliant web analytics service. Fathom gives us an idea of how users use our website without invading their privacy and using their data for marketing purposes.

PREreview web domain domain is registered with Google Domains.

Google Drive and email

We currently use Google Workspace for Nonprofits for our email (Google Privacy Policy), calendaring, surveys and sign-up forms, and document storage. We honor requests to have files shared with us not stored in Google Drive.


Starting in February 2023, we switched to AirTable (Privacy Policy) for surveys and sign-up forms, project planning, applications for volunteer roles, and user research.

PREreview platform


We use Mailjet to send emails related to our request-a-review feature and COAR Notify Protocol integration. Mailjet keeps track of who sends and receives these emails by name and email address. We have turned off the feature that tracks whether or not an email is opened, but we are not able to turn off the feature that creates "contacts" from user info inside Mailjet.


We use Notion (Privacy Policy) to organize our work, track activities, and share organizational policies with team members.


When we send out newsletters, we use CiviCRM (Privacy policy), which stores subscribers' email addresses. We do not use the platform features for tracking links or opens. We only send our newsletter to people who expressly sign up for it.

Ghost 4

We use Ghost 4 (Privacy Policy) to host most written content on our website, including our Blog, About page, and Resource Center.


We host videos on YouTube (Privacy Policy) both as public and unlisted videos.


We use Loom (Privacy Policy) to make demo videos to guide users on how to use our preprint review platform.


We host a Slack (Privacy Policy) organization for internal communication and community organizing. Slack stores your account information and usage data, and our administrators have access to all public channels.


We use Eventbrite (Privacy Policy) for registration for some of our online events. Eventbrite stores your account information, usage data, and responses to registration questions.


Most of our work, even before the pandemic, is done remotely. We use Zoom (Privacy Policy) for our internal and external meetings. When we want to record a call using the recording feature on Zoom, we always ask for consent and remind participants that in order to ensure their anonymity, should that be their preferred state, they need to turn off the video and change the name to reflect something that cannot be related to their identity. Recordings are saved on our Zoom cloud and are always shared with participants before they are made public. Sensitive communication is and can always be edited out prior to broader sharing.

We use (Privacy policy) integrated into Zoom for live-captioning, audio recording, and transcript services of our calls. We routinely inform people on the call of the implication of having Otter active, ask them to consent to the recording, and share the recording with them after the call if requested.


We use 1Password (Privacy Policy) to manage our organizational passwords securely.


We use OpenAI (Privacy Policy) to generate text for our request-a-review feature and COAR Notify Protocol integration. The review-request information is not used to train OpenAI models.

Social media: Twitter, LinkedIn, Mastodon

We use Twitter (Privacy policy), Mastodon (Privacy policy), and LinkedIn (Privacy Policy) to share our work and promote others with aligned missions and goals.


Research is an important part of our work: it helps us understand people’s needs and build better products and services.

We conduct user experience research in the form of 1:1 interviews, community calls, and user research sprints. Feedback from 1:1 interviews is kept for internal use in improving, though we may share trends from 1:1 interviews in the aggregate without identifying any participants. Notes and recordings from community calls and user research prints are public. We remind participants to manage their participation accordingly in ways that feel comfortable to them regarding their privacy and security at the start of each call and sprint before recording and note taking begin. We also partner with ReadySet to help us challenge our own assumptions from an equity, diversity and inclusion perspective and implement outreach and partnership strategies grounded in our values to get feedback from stakeholders in our work.

Things we don’t do

PREreview doesn’t participate in the following data processing activities:

We don’t use “soft opt-in”, meaning you won’t receive any marketing communication from us unless you’ve specifically agreed to it.

Keeping data secure

We carefully choose our services and tools at PREreview. It’s important that they follow good security practices, like HTTPS, two-factor authentication and the ability to set a strong password.

Data breaches

In the event of a data breach, we are required to notify the Information Commissioner’s Office. We will do so following their guidance.


There are exemptions to data protection regulations that may require us to share data about you, including requests by law enforcement. This includes requirements and orders in the United States, where we are based.


In drafting this policy we used a number of different resources and inspirations. We want to offer particular thanks to Simply Secure (now rebranding as Superbloom) and Measurement Lab for their clear examples.