Introduction

Index Data is deeply steeped in the library ethos of privacy, and this extends to how information about our clients and potential clients is collected and processed. This document explains how we (Index Data ApS in Denmark and Index Data LLC in Massachusetts) use the personal information we collect when you use our website and our services.

Last updated: 22-October-2025.

What data do we collect?

Website Visitors

We may collect this contact information: your name, organization, title, and email address.

When you visit our website, our analytics engine learns about how you arrived at the website, the path of pages you browsed on the website, and which links you followed off of the website.

We do not use third-party advertising network trackers on our website. See our report on The Markup’s Blacklight service: https://themarkup.org/blacklight?url=www.indexdata.com.

SaaS Service Users

When your institution uses our SaaS services (FOLIO, ReShare, VuFind, or LDP), the data in those systems is controlled by your institution. We process data only to provide the contracted services. The type and amount of data depends on how your institution configures and uses the services.

How do we collect your data?

Website Data

We collect contact information in web forms, such as “Contact-us” and webinar registration forms.

We host our own web analytics engine (using the Piwik/Matomo software). Web analytics information is not processed by third-party services.

The information you supply to us on web forms is not correlated with the website analytics data.

SaaS Service Data

For our SaaS services, your institution provides the data as part of using the service. We do not collect or access this data except as necessary to provide the contracted services and support to your institution.

How will we use your data?

Website Data

We use return email addresses to answer the email we receive. Such addresses are not shared with outside parties.

We use contact information to register you for webinars that you request and to send you information about products and services we think you will like.

In order to process webinar registrations, we may send your information to third party online meeting services (such as Zoom).

SaaS Service Data

For data processed through our SaaS services:

  • We use the data only to provide the contracted services to your institution
  • We do not use your institution’s data for any other purpose
  • We do not share your institution’s data with third parties except as necessary to provide the services (such as hosting infrastructure)
  • We process data according to your institution’s instructions and our service agreement

How do we store your data?

To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have implemented appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect.

Website Data

Your website data is stored in:

  • Spreadsheets, databases, and email systems at Google under our Google Workspace account
  • Our self-hosted Matomo analytics server

SaaS Service Data

Service data is stored in:

  • Amazon Web Services (AWS) infrastructure
  • Multiple AWS regions and availability zones for reliability and performance
  • Specific data location may be discussed as part of your service agreement

All data is encrypted at rest using AES-256 or stronger encryption, and encrypted in transit using TLS 1.2 or higher.

How do we protect your data?

Index Data takes information security seriously. We maintain a comprehensive security program and are pursuing ISO 27001 certification, the international standard for information security management.

Our Security Measures Include:

Infrastructure:

  • Services hosted on Amazon Web Services (AWS)
  • Multiple availability zones for reliability
  • AWS maintains compliance certifications including ISO 27001 and SOC 2
  • 24/7 monitoring and threat detection

Data Protection:

  • All data encrypted at rest using AES-256 or stronger
  • All data encrypted in transit using TLS 1.2 or higher
  • Secure key management practices
  • Regular backups with defined recovery objectives

Access Security:

  • Multi-factor authentication (MFA) required for system access
  • Role-based access control – users only get access they need
  • Regular access reviews to ensure appropriate permissions 
  • Immediate access removal when team members leave

Ongoing Security:

  • Annual penetration testing by third-party security firms
  • Continuous vulnerability scanning and patching
  • Regular security awareness training for all team members
  • Documented incident response procedures

Security Incidents

If we become aware of any security incident that affects your personal information, we will notify you promptly so you can take appropriate protective measures. For incidents affecting SaaS service data, we will notify your institution within 72 hours of confirming the impact.

Questions About Security

For detailed information about our security practices, please contact security@indexdata.com. We’re happy to discuss our security program with current and prospective customers.

Our SaaS Services – How We Handle Your Data

When your institution uses our SaaS services (FOLIO, ReShare, VuFind, or LDP), we process data on your behalf to provide these services.

What This Means:

  • Your institution controls the data – Your institution decides what data is in the system and how it’s used
  • We process data to provide services – We access and process data only as necessary to deliver the contracted services
  • We protect the data – We implement comprehensive security measures as described above
  • We don’t use data for other purposes – We don’t use your institution’s data for marketing, analytics, or any purpose beyond providing your services

Your Rights as an Individual User

If you are an individual user of our SaaS services (such as a library patron or staff member) and have questions about your data, please contact your institution as they manage access to these systems and control the data.

For Institutions

For detailed information about how we process your data, including:

  • Security measures and controls
  • Data location and infrastructure
  • Our mutual responsibilities
  • Data handling procedures
  • Incident response
  • Data return upon service termination

Please contact us at privacy@indexdata.com to request more information.

International Operations

Index Data operates as a distributed, global organization. This allows us to:

  • Provide “follow the sun” support across time zones
  • Maintain resilience and high availability
  • Serve library customers worldwide

Our Team Locations

We have team members in the United States, Canada, Denmark, United Kingdom, Sweden, Australia, and Nigeria.

Our Service Infrastructure

All services are hosted on Amazon Web Services (AWS) infrastructure. We use multiple AWS regions to provide reliable, high-performance service to customers globally.

What This Means for Your Data

Your data may be processed by team members or stored in facilities in different countries as we provide services to you. We implement appropriate security measures to protect your data regardless of where it’s processed or stored.

Customer Control

For SaaS customers, you can discuss specific data location requirements when establishing your service agreement. We’re committed to working with you to meet your institution’s data governance needs.

How Long Do We Retain Data?

Website Contact Information

Contact information collected through web forms is retained as long as needed to fulfill the purpose for which it was collected:

  • Inquiry responses: Until the inquiry is resolved, plus 1 year
  • Webinar registrations: Until the webinar occurs, plus 1 year for follow-up
  • Marketing contacts: Until you opt-out or request deletion

Website Analytics

Matomo analytics data is retained for 24 months and then automatically deleted.

SaaS Service Data

For data in our SaaS services:

  • Data is retained for the duration of your service agreement
  • Retention is defined in your service agreement with your institution
  • Upon service termination, we follow the data return or deletion procedures specified in your agreement

Legal Obligations

We may retain data longer when required by law, to resolve disputes, or to enforce our agreements.

Marketing

We would like to send you information about products and services of ours that we think you may be interested in. If you agreed to receive marketing material, you may always opt-out later. You have the right at any time to stop us from contacting you for marketing purposes. Please email info@indexdata.com to opt-out.

What are your data protection rights?

[REVISED SECTION]

Every user is entitled to the following data protection rights:

The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request us to complete the information you believe is incomplete.

The right to erasure – You have the right to request that we erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

How to Exercise Your Rights

If you make a request, we have one month to respond to you.

To exercise any of these rights, please contact us:

When you contact us, we will verify your identity to protect your data from unauthorized access. We may ask you to provide:

  • Your name and contact information
  • Description of your relationship with Index Data (website visitor, institutional contact, service user, etc.)
  • Details about your request

For SaaS service users: If you are an individual user of our services (such as a library patron), please first contact your institution, as they control the data in the system. If needed, we will support your institution in responding to your request.

What are cookies?

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.

For further information, visit allaboutcookies.org.

How do we use cookies?

We use cookies to improve your experience on our website by understanding how you use the information on this website.

Our analytics cookies are from our self-hosted Matomo instance – not third-party advertising networks. We use these cookies to:

  • Understand which pages are most useful
  • Identify technical issues
  • Improve navigation and content
  • Track general usage patterns (anonymized)

How to manage your cookies

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Most browsers allow you to:

  • See what cookies are stored
  • Delete cookies individually or all cookies
  • Block cookies from specific sites
  • Block all cookies
  • Delete all cookies when you close the browser

Privacy policies of other websites

Our website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.

Changes to our privacy policy

Index Data reviews this privacy policy regularly and will place any updates on this web page.

How to contact us

If you have any questions about Index Data’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

General Privacy Inquiries:

Security Questions:

  • Email: security@indexdata.com

SaaS Service Data Processing Agreements:

  • Email: privacy@indexdata.com

Mailing Addresses:

Denmark:
 Index Data ApS
 Univate
 Njalsgade 76, 13
 2300 København S
 Denmark

United States:
 Index Data LLC
 One Boston Place
 Suite 2600
 Boston, MA 02108
 USA