Ferry Privacy Policy
Last updated: 25 May, 2026
1. Who we are
Ferry is run by Utrecht University. The team in charge is the Digital Data Donation Infrastructure (D3I) embedded in the Department of Methodology and Statistics in the Faculty of Social and Behavioral Sciences. In this policy, "we" or "the Operator" means that team at the University. "Ferry" is the tool itself.
Ferry helps researchers at Dutch universities run data donation studies. In these studies, people choose to share some of the data that online platforms hold about them. That data comes from a file called a Data Download Package, or DDP. We call the people who donate "Respondents." We call the people who run studies "Researchers."
How to reach us:
- General questions: support@ferry-platform.eu
- Privacy questions: privacy-fsw@uu.nl
This policy explains how we handle personal data. We handle two kinds, and we treat them very differently:
- Data about Researchers, who have accounts and run studies.
- Data about Respondents, who donate to a study. Section 3 explains the extra protections we build in for them.
2. Data about Researchers
2.1 Account data
When you make an account or sign in with your university login, we keep:
- Your email address.
- Your name, if you or your university gives it.
- Where you work, if your university shares it or you tell us.
- Your sign-in method. This is either a password (we store it scrambled, never as plain text) or a link to your university login, such as SURFconext through SURF SRAM.
2.2 What you do on Ferry
When you use Ferry, you build and run studies. We keep:
- The studies and tasks you make, and how you set them up.
- The text you write, such as welcome text and consent text.
- The storage place you pick for each study, and the settings you enter for it, such as an upload link.
- Who you invite to help on your studies, and what they are allowed to do.
- A record of when you sign in, sign out, and do important things, like publishing a study, making a study live, or changing where data is sent.
2.3 Storage keys
To send donated data to your chosen storage, Ferry needs the key or link for that storage. We treat these as sensitive:
- We lock them with strong encryption (AES-256-GCM, one value at a time), and we keep the encryption key apart from the database. The database also sits on an encrypted disk (see Section 7).
- Only you and the helpers on your study can see them, plus the part of Ferry that sends the data.
- You should pick the safest option. We strongly prefer short-lived upload links over long-term passwords. Our Acceptable Use Policy explains more.
2.4 Why we use this data, and our legal reasons
We use Researcher data to:
- Run the service. We sign you in, run your studies, and help deliver data to your storage. Legal reason: we need this to provide the service you signed up for (GDPR Article 6(1)(b)).
- Keep Ferry safe. We watch for abuse, break-ins, and rule-breaking. Legal reason: our legitimate interest in keeping the service secure (GDPR Article 6(1)(f)).
- Plan and report. See Section 4.
2.5 How long we keep it
- Account data: we keep it while your account is open. If you delete your account, we keep it for 30 more days, in case it was a mistake. After that we clear your personal details. A blank internal marker stays, with no personal information in it, so the safety log still makes sense.
- Study setup: we keep it while the study exists. If you delete a study, we keep it for 30 more days and then remove it.
- Safety records: Ferry keeps a log of important actions, such as making an account, signing in or out, publishing or changing a study, and changing storage. Each log line holds only basic facts: an internal ID, what happened, and the time. It holds no IP address, no browser details, no email, and nothing else that points to a person. Because these logs hold no personal details, and because we need them to keep the service safe, we keep them for as long as Ferry runs. We keep them even after an account is deleted.
3. Data about Respondents
3.1 Our main promise
We built Ferry so that a Respondent's personal data stays on their own device. The only thing that leaves is what they look at and agree to share. And even that does not come to us. Here is what that means:
- The data export (DDP) is opened and read inside the Respondent's browser. We never get, keep, or send the full export.
- The data a Respondent agrees to share goes straight from their browser to the Researcher's storage. It never passes through Ferry (see Sections 3.2 and 3.3).
- We do not collect a Respondent's IP address, device details, browser type, time zone, language, clock, or anything like that.
- We do not keep file names or folder names from the export.
- Any status and error messages from the browser tool are limited to a small, fixed set of safe values. Section 3.4 explains.
3.2 What leaves the Respondent's device
When a Respondent looks at the data and agrees to share, two things happen, and they go to two different places:
- To the Researcher's storage: the data the Respondent agreed to share goes straight from their browser to the storage the Researcher set up. We do not receive, keep, or pass on this data.
- To Ferry: the browser sends us a short delivery note, so we can confirm it arrived and try again if it failed. This note holds only a few technical items: codes for which study and task it was, a one-time key to avoid duplicates, the ID from the Respondent's invitation link, the time they agreed and the time they sent, and, only if delivery failed, a short error code from a fixed list. It holds none of the shared data.
About the invitation-link ID: if the Researcher used a personal invitation link (for example, an ID from a research panel or a university sign-up pool), that ID is part of the delivery note. The Respondent does not type it. It comes from the web address. On its own, Ferry cannot use it to learn who the Respondent really is.
3.3 We never hold the donated data
Because the data goes straight from the browser to the storage (Section 3.2), it never sits on Ferry. We do not hold it before, during, or after delivery. The Researcher's storage is the only place it lives.
We do keep the short delivery note from Section 3.2, plus simple records that a Respondent arrived at a study and that a submission came in. These hold none of the shared data and nothing about the device. We keep them for as long as Ferry runs, to keep the delivery and safety record complete. For these small records, the Operator is in charge (the controller), and our legal reason is that we need them to provide the service to the Researcher whose study this was (GDPR Article 6(1)(b)). On its own, Ferry cannot link the invitation-link ID in these records to a real person.
3.4 Status and error messages
While a Respondent works through a donation, their browser may send us a few status messages about how it is going and any errors. These messages:
- Come from a small, fixed list. For example: a step started, a step finished, an error happened, a network problem, or a setup mismatch.
- Hold only the message type, the step, a time, and, for errors, a short code from a fixed list. Ferry rejects anything not on the list. So no DDP data, no file names, and no device details can slip through.
- Are sent on their own, without a separate consent step.
We use these only to check that Ferry is healthy.
3.5 Cookies
The Respondent part of Ferry uses one needed cookie to keep the session
(named _ferry_key), plus a token that blocks a common attack.
We use no tracking cookies, no ad cookies, and no outside cookies in the
Respondent flow.
3.6 Who is in charge of donated data
For the data a Respondent donates, the Researcher's university is in charge (the controller). Because that data goes straight from the browser to the Researcher's storage and never reaches Ferry (Sections 3.2 and 3.3), the Operator is not a processor of it either. If a Respondent wants to see, fix, or delete data they donated, they should contact the Researcher who ran the study, or that Researcher's university privacy office.
For Researcher account data and study setup, the Operator is in charge. When the Researcher's university is also Utrecht University, the same university plays both roles, just in different jobs.
4. Numbers we track
We keep simple counts about how Ferry is used:
- How many studies are active over time.
- Which platforms studies use (Netflix, Facebook, and so on).
- Which universities Researchers come from.
- How many submissions each study and each version got.
These come from data we already hold to run the service. We use them to plan, to manage capacity, and to report to funders and the university.
4.1 Sharing these numbers
When we share numbers in public, such as in reports, papers, or talks:
- We may share totals, such as how many studies, Researchers, or universities used Ferry in a period.
- We may share totals per university.
- We may share totals per service.
- We do not share counts that mix a single university with a single service.
- We do not share finer detail, such as per-Researcher counts, study IDs, or details about a specific study, unless that Researcher or university agrees.
We do not share anything that could point to one Researcher or their work without their okay. Legal reason: our legitimate interest (GDPR Article 6(1)(f)).
5. Sharing with others
We do not sell personal data. We do not share it except as set out below.
5.1 Storage places
Donated data goes straight from the Respondent's browser to the storage the Researcher set up (Section 3.2). It does not pass through Ferry. The Researcher and their university are responsible for that storage.
5.2 Companies that help us run Ferry
We rely on these service providers:
- Hetzner Online GmbH, which hosts Ferry in Germany, inside the European Economic Area.
- mailbox.org, which sends our emails for the Researcher side of Ferry.
We use no error-tracking, analytics, or session-recording service, on either the Researcher side or the Respondent side. Each provider may use personal data only as we tell them, and only for the reasons in this policy.
5.3 University login
When a Researcher signs in with SURFconext or SURF SRAM, login details pass between Ferry and those services under their own rules. We get what the Researcher's university chooses to share, usually a steady ID, a name, an email, and where they work.
6. Sending data abroad
All of Ferry runs in Germany, inside the European Economic Area. We do not send personal data outside the European Economic Area.
7. How we keep data safe
We use safeguards that fit how sensitive the data is, including:
- TLS encryption for all data moving over the network.
- Encryption on disk. Researcher account data and study setup sit in a database on an encrypted disk (LUKS). We hold the disk key apart from the disk itself. Storage keys get a second layer of encryption (AES-256-GCM). Disk encryption protects against a stolen disk, a disk thrown out the wrong way, a leaked raw disk copy, and a disk moved to another machine and read there. It does not protect data while the server is running and the disk is open. We guard that with the access controls and design choices in this section.
- The design promises in Section 3.1, which mean a Respondent's donated data never reaches Ferry at all.
- A clear split between the Researcher side and the admin side, each with its own sign-in.
- Access controls that limit admin access to approved staff.
- A safety log of important actions (Section 2.5).
8. Your rights
If we hold personal data about you, the GDPR gives you rights. You can ask to see it, fix it, delete it, limit how we use it, get a copy to move elsewhere, or object to how we use it. To use these rights:
- Researchers: email privacy-fsw@uu.nl.
- Respondents: contact the Researcher who ran the study, or that Researcher's university. We do not hold the kind of identity data that would let us pick out one Respondent's donations.
You can also complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or to the authority where you live.
9. Changes to this policy
We may update this policy now and then. The "last updated" date at the top shows the latest change. We will tell Researchers about big changes by email, at the address on their account.