Privacy Policy

This Privacy Policy explains how the Baba Kinaram Research Foundation ("BKRF", "we", "us", "our") collects, uses, shares, and protects personal data when you use the Journal of Holistic Health and Well-Being (JHHWB) portal at jhhwb.org (the "Portal"). Please read it carefully.

1. Controller

The data controller is:
Baba Kinaram Research Foundation
[Registered Address — to be confirmed by legal team]
Contact: privacy@jhhwb.org

2. Data We Collect

2.1 Account data

When you create a JHHWB account, we collect your given name, family name, email address, password (hashed — we never store plain-text passwords), institutional affiliation, country, and, optionally, your ORCID iD, biographical information, profile photo URL, H-index, and a link to your curriculum vitae or professional profile.

2.2 Submission data

When you submit a manuscript we collect the manuscript text, title, abstract, keywords, author list, declarations (ethics, conflicts of interest, funding, data availability, AI disclosure), uploaded files, and correspondence between authors and editors.

2.3 Review data

When you act as a peer reviewer we collect your review text, ratings, and recommendation, as well as metadata about invitation acceptance and review deadlines.

2.4 Payment data

When you pay an Article Processing Charge (APC), payment details are processed directly by our payment provider (Razorpay / Stripe). We receive only a transaction identifier, amount, and status. We do not store card numbers or bank account details on our servers.

2.5 Usage and technical data

We collect IP addresses (for rate limiting and security), browser user-agent strings, and session identifiers stored in secure, HttpOnly cookies. We do not use third-party analytics trackers that follow you across the web.

2.6 Contact messages

If you use the contact form we collect your name, email address, subject, and message text.

3. How We Use Your Data

Purpose	Lawful basis
Creating and managing your account	Contract
Processing manuscript submissions and peer review	Contract / Legitimate interests
Processing APC payments	Contract
Sending transactional emails (verification, decisions, reminders)	Contract
Security monitoring and fraud prevention	Legitimate interests
Improving the Portal	Legitimate interests
Complying with legal obligations	Legal obligation

4. Cookies

We use a small number of cookies that are strictly necessary to operate the Portal. We do not use advertising cookies. See our Cookie Policy for details.

5. Disclosure to Third Parties

We do not sell your personal data. We share data only with:

• Cloudflare — infrastructure (CDN, DNS, Pages hosting, D1 database, R2 storage, KV, Queues). Data may be processed in Cloudflare's global data centres.
• MailChannels — transactional email delivery. Your email address and name are transmitted to send messages you have requested.
• Razorpay / Stripe — APC payment processing. Your payment details are sent directly to these processors; we receive only confirmation data.
• ORCID — if you authenticate via ORCID OAuth, ORCID's servers process the authentication flow.

We require all processors to handle data in accordance with applicable data protection law.

6. International Transfers

Your data may be stored and processed outside your country of residence as a consequence of Cloudflare's global infrastructure. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to protect such transfers.

7. Data Retention

Category	Retention period
Account data	Duration of account + 3 years after last activity, then deleted on request
Manuscript and review data (accepted / published)	Indefinitely (forms part of the scientific record)
Manuscript and review data (rejected / withdrawn)	7 years from final decision
Payment records	7 years (financial / tax obligation)
Session tokens	30 days from creation or on logout
Email verification tokens	24 hours or until consumed
Audit logs	5 years
Contact messages	2 years

8. Your Rights

Subject to applicable law, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data where we no longer have a lawful basis to retain it. Note that data forming part of the scientific record (author names on published articles) may need to be retained.
• Restriction — ask us to restrict processing in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email privacy@jhhwb.org. We will respond within 30 days.

9. Security

We implement technical and organisational security measures including: passwords hashed with scrypt, HTTPS enforced across all pages, HttpOnly and Secure session cookies, rate limiting on authentication endpoints, and access controls limiting staff access to personal data on a need-to-know basis. No method of transmission or storage is 100% secure; please notify us immediately at security@jhhwb.org if you believe your account has been compromised.

10. Children

This Portal is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via a notice on the Portal and, where required, by email. The "Effective date" at the top of this page will always reflect the current version.

12. Contact

For privacy-related questions or to exercise your rights:
Privacy Officer, JHHWB
Baba Kinaram Research Foundation
Email: privacy@jhhwb.org

If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.