Privacy Policy - The Neon Moth
Last updated: May 30, 2026
1. Introduction
Welcome to The Neon Moth ("we," "our," "us"), an academic networking platform operated from Vienna, Austria. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our comprehensive academic networking platform.
The Neon Moth is an independent, volunteer-run platform with no legal, contractual, or organizational relationship with the Central European University (CEU). Its members are individuals who identify themselves as alumni, current students, faculty, or staff of CEU departments. It provides job, fellowship, grant, and opportunity listings, enables collaboration through department feeds and the shared bulletin board, supports research discovery, and offers various academic networking tools. By using our platform, you agree to the collection and use of information in accordance with this policy.
Contact Information: For any questions about this Privacy Policy, please use our contact form.
2. Information We Collect
2.1 Account and Profile Information
When you create an account, we collect:
- Basic Details: First name, last name, email address
- Academic Information: Title, institutional affiliation, department, research interests, research areas
- Location Data: Current location, place of origin (for networking purposes)
- Profile Media: Profile photographs and other images uploaded to our platform
- Languages: Language skills
- Profile Status: Whether your profile is published or in draft mode
- Communication Preferences: Whether you have opted in to receive email notifications about new messages, and whether you have subscribed to our optional newsletter
2.2 Platform Usage Data
We automatically collect usage information including:
- Technical and Analytics Data: Each time you view a page, our analytics system records, for that page view: your IP address (stored in full, unredacted form), your browser/user-agent string, the HTTP referrer (the page you came from, where available), the page you visited, a session identifier, and a timestamp. This information is stored in our internal "page views" table for up to 90 days (see Section 7) and is processed on the basis of our legitimate interest (GDPR Article 6(1)(f)) in understanding how the Platform is used, diagnosing technical problems, and protecting the Platform and its members against abuse and security threats.
- Interaction Data: We also record individual interactions — such as clicks, searches, filters used, likes, follows, and feature usage — together with the type and target of the interaction and a timestamp, stored in our internal "user interactions" table for up to 90 days.
- Web Vitals / Performance Data: Core Web Vitals metrics (CLS, INP, FCP, LCP, TTFB), the page URL where they were measured, and your browser's user-agent string, used to monitor and improve site performance.
- Authentication Data: Login sessions, last login times, authentication tokens, and (to protect your account) a count and timestamp of failed login attempts, which is automatically reset upon your next successful login.
- Personal Analytics: Individual user statistics available through your own analytics dashboard (page views, feature usage, interaction counts)
2.3 Content and Communications
Content you create and share on our platform:
- Bulletin Board: Posts, comments, images, reactions, categories, subcategories
- Forum: Forum posts, replies, and category participation (including anonymous posts where you chose that option)
- News Posts: News articles and event posts you author on the platform
- Messaging: Direct messages, conversation histories, message images
- Academic Content: Job postings, gig listings, volunteering opportunities, fellowship and grant listings, calls for papers
- Research: Research profiles, research feed posts, research locations, research clusters, and field clusters
- Bookmarks: Saved links, bookmark folders, public/private bookmark collections
- Favorites & Calendar: Jobs, grants, fellowships, news, and bulletin events you favorite or save are recorded against your account and used to build your personal Calendar view
- Polls: Polls you create and your responses to polls (responses are linked to your account unless the poll is marked anonymous)
- My Feed: Items you hide from your personalised feed are recorded against your account so they stay hidden
- Professional Network: Member follows
- Invitations: Any member can invite others to join the Platform. When you send an invitation, we store the recipient's email address, your personal message (if any), and the invitation status against your account
- Chatbot: When you use the chatbot, your question and the recent conversation context (up to the last 6 messages) are transmitted to Anthropic's API to generate a response. Regular chat messages are not stored by us. If you submit feedback on a response (thumbs up/down), the question and answer are stored without your name or user ID to help improve the service
2.4 File Storage and Media
Images and files you upload are stored securely using:
- DigitalOcean Spaces: Cloud storage for profile images, post images, message attachments, and job/gig photos
- Image Processing: Automatic compression and optimization for web delivery
- File Validation: Type checking and size limitations for security
2.5 Legal Basis for Processing
Under the GDPR, we rely on the following legal bases (Article 6) depending on the type of processing:
- Performance of a contract (Art. 6(1)(b)): Creating and maintaining your account and profile, and providing the core networking, messaging, listings, and content features you sign up to use.
- Consent (Art. 6(1)(a)): Non-essential cookies and analytics/functional preferences (see Section 5), the optional newsletter, and any other feature where we ask for your explicit opt-in. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legitimate interest (Art. 6(1)(f)): Platform usage analytics (page views, interactions, IP address, user-agent, referrer — see Section 2.2), security monitoring, audit logging, rate limiting, and fraud/abuse prevention. We have considered that this processing is proportionate, limited in retention (see Section 7), and necessary to keep the Platform safe and functioning.
- Legal obligation (Art. 6(1)(c)): Retaining certain records where required by Austrian or EU law (e.g., for tax or legal proceedings).
3. How We Use Your Information
3.1 Core Platform Services
- Academic Networking: Create and maintain your professional profile in our member directory
- Bulletin Board: Post and comment on academic and community content across department feeds and the shared community board
- Direct Messaging: Facilitate private communications between members, including image sharing
- Job and Opportunity Sharing: Post and discover academic jobs, gigs, volunteering opportunities, fellowships, grants, and calls for papers
- Research Tools: Share and discover research via the research feed, research map, research clusters, and field clusters
- Bookmark Collections: Save and organize academic resources, with public/private sharing options
- Calendar: Build a personal calendar from jobs, grants, fellowships, news, and bulletin events you favorite or save, plus their deadlines
- My Feed: A personalised activity feed based on your research interests and the members you follow, with the ability to hide items you're not interested in
- Polls: Create community polls and vote on polls created by other members
3.2 Communication and Notifications
- Email Notifications: New posts in followed categories, messages, event updates
- Platform Notifications: Real-time updates for interactions and mentions
- Newsletter: If you choose to subscribe, we send an occasional newsletter with platform updates and announcements to your email address. This is based on your consent (Art. 6(1)(a) GDPR) — you can subscribe or unsubscribe at any time via your account settings or the unsubscribe link included in every newsletter email.
- Invitation System: Send and manage invitations to join the platform
3.3 Platform Enhancement
- Web Analytics: Track Core Web Vitals and user experience metrics
- Usage Analytics: Understand feature adoption and platform performance through page views, user interactions, and feature usage patterns
- Personal Analytics Dashboard: Provide users with insights into their own platform usage (page views, interactions, most visited features)
- Search and Discovery: Improve content recommendations and search functionality
- Geographic Mapping: Display member locations and job opportunities on interactive maps
3.4 Security and Administration
- Rate Limiting: Prevent abuse and ensure fair platform usage
- Content Moderation: Review and moderate user-generated content
- Audit Logging: Track administrative actions and platform changes
- Security Monitoring: Detect and prevent unauthorized access or misuse
4. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. Information sharing occurs only in the following specific circumstances:
4.1 Public Information on Platform
- Published Profiles: Name, title, affiliation, research interests, location, and profile photo (only for published profiles)
- Bulletin Board Posts: Public posts, comments, and associated images
- Opportunity Listings: Academic jobs, gigs, volunteering, fellowships, grants, and calls for papers you post
- Research Content: Research posts and profiles you share on the platform
4.2 Private Information
- Email Addresses: Only visible to platform administrators for moderation purposes
- Draft Profiles: Only visible to administrators and marked with distinctive styling
- Private Messages: Only accessible to conversation participants
- Private Bookmarks: Only accessible to bookmark owners
- Usage Analytics: Aggregated and anonymized for platform improvement
4.3 Third-Party Service Providers
We share limited information with the following named service providers who assist in platform operation. Each acts as a data processor under a Data Processing Agreement or equivalent contractual safeguards:
- DigitalOcean (USA): Cloud hosting (DigitalOcean App Platform) and object storage (DigitalOcean Spaces, Frankfurt region) for profile images, post images, and message attachments. Data stored in the EU (fra1). Transfer basis: Standard Contractual Clauses.
- Stableserver (email provider): Transactional system emails (account invitations, password resets, notifications) are sent via an SMTP server operated by Stableserver. Your email address is transmitted to this provider solely for the purpose of delivering system emails.
- Anthropic (USA): AI language model (Claude Haiku) used to power the platform chatbot. When you use the chatbot, your question and recent conversation context are transmitted to Anthropic's API to generate a response. No persistent storage of chat data occurs on Anthropic's side under API usage; data is processed in transit only. Transfer basis: Standard Contractual Clauses. See Anthropic's Privacy Policy for details.
- OpenStreetMap / Nominatim: Geocoding for location-based features (member maps, location search). Your location text is sent to Nominatim to convert it to geographic coordinates. No personal identifiers are transmitted.
- Cloudflare (CDN): Map tile assets for interactive maps are loaded from Cloudflare's CDN. Your IP address is visible to Cloudflare as part of normal HTTP requests. See Cloudflare's Privacy Policy for details.
4.4 Legal and Safety Requirements
We may disclose information when required for:
- Legal compliance and law enforcement requests
- Protection of platform security and user safety
- Prevention of fraud, harassment, or illegal activities
- Enforcement of our Terms of Service
5. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience:
5.1 Cookies We Set
- next-auth.session-token (Essential): An HTTP-only, secure cookie containing your encrypted JWT session. Set on login, expires based on your session length preference. Required for authentication — the platform cannot function without it.
- neonmoth-view-dept (Functional): Stores the department view selected by administrators using the department switcher. Only set for admin accounts.
- nm_bulletin_last_seen (Essential): Stores the timestamp of the last time you viewed the bulletin board, so we can show you which posts are new since your last visit. Contains no personal data beyond a timestamp.
- neonmoth-analytics-session (Analytics): An HTTP-only, randomly generated session identifier used to group your page views into a single visit for the usage analytics described in Section 2.2 and 4. Expires after 30 minutes of inactivity and contains no personal data beyond a random ID.
5.2 Browser Storage (localStorage)
We use your browser's localStorage (not cookies) for the following preferences, which never leave your device:
- cookieConsent: Records whether you accepted, declined, or customised cookie settings.
- cookiePreferences: Stores your detailed analytics and functional cookie choices as JSON.
- Layout and display preferences (e.g. membersLayoutMode, allDeptLayoutMode, jobsLayoutMode, members-table-column-widths, nm-theme): Remember your preferred table/card layouts, column widths, and light/dark theme on various pages.
- Dismissed-notice flags (e.g. hideMapToast, hideUnpublishedNotice, hideArticleNoConfirm, myFeedAlertDismissed, newsTickerVisible): Remember which informational hints and notices you have already dismissed, so we don't show them again.
- bulletin-follows and bulletin-main-category-order / user-category-order-*: Remember which bulletin board categories you follow and your preferred ordering of categories.
- members-cache: A local cache of member directory data (names, titles, locations) to speed up page loading. This data never leaves your device and mirrors what is already visible to you on published profiles.
- geocodedOriginsCache / GEO_CACHE_*: A local cache of place names and their geographic coordinates returned by our geocoding feature, used to avoid repeat lookups.
- newsletter_draft_id: (Administrators only) Remembers an in-progress newsletter draft.
5.3 Cookie Categories
- Essential: Required for platform functionality — cannot be disabled.
- Analytics: Page views, feature usage, and user behaviour patterns to improve the platform.
- Functional: Enhanced features such as personalised content preferences.
5.4 Cookie Management
You can control cookie settings through:
- The cookie preference centre (accessible from the site footer)
- Your browser settings
- Your account settings page
6. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- SSL/TLS encryption for data transmission
- Secure data storage with encryption at rest
- Regular security audits and updates
- Access controls and authentication requirements
- Regular backups and disaster recovery procedures
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
7. Data Retention
We retain your personal information only for as long as necessary for the stated purpose. Specific retention periods are as follows:
- Account and profile data: Retained while your account is active. Upon account deletion, all personal data is permanently removed from our live database within 24 hours.
- Database backups: Automated backups are retained for a maximum of 30 days, after which they are permanently deleted. Deleted user data will be purged from all backups within 30 days of account deletion.
- Uploaded files (images, attachments): Permanently deleted from cloud storage within 24 hours of account deletion.
- Platform analytics and usage logs: Aggregated analytics data is retained for up to 12 months. Raw event logs (page views, interactions) are deleted after 90 days.
- Security and compliance audit logs: Retained for up to 1 year. These logs record administrative actions, security events, and data changes and are accessible only to platform administrators.
- Failed login / rate-limiting data: We keep a count and timestamp of recent failed login attempts on your account to enforce a temporary lockout (15 minutes after 5 failed attempts). This counter is automatically reset to zero as soon as you log in successfully — it is not kept as a separate log.
- Password reset tokens: Expire automatically and are removed within 24 hours of expiry.
- Legal compliance: Where we are required by law to retain certain data (e.g., for tax or legal proceedings), we will retain only the minimum necessary for the legally required period.
When we no longer need your information, we will securely delete or anonymize it.
8. Your Rights and Choices
You have the following rights regarding your personal information:
8.1 Access and Portability
- Request a copy of your personal information via our contact form
- Data portability (GDPR Article 20): Download a JSON export of all data we hold about you at any time via the "Download my data" button in the Settings menu. The export includes your profile, account details, bulletin posts, forum posts, news posts, messages, bookmarks, and research locations.
8.2 Correction and Updates
- Update your profile information
- Correct inaccurate information
8.3 Deletion
- Request deletion of your account and personal information
- Right to be forgotten (subject to legal requirements)
8.4 Restriction and Objection
- Restrict processing of your information
- Object to certain types of processing
- Opt-out of marketing communications
8.5 How to Exercise Your Rights
To exercise these rights, please use our contact form or your account settings.
9. International Data Transfers
The platform is hosted on DigitalOcean infrastructure with primary data storage in the EU (Frankfurt region). Some third-party service providers listed in Section 4.3 are based in the USA. Where personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as the legal transfer mechanism, as noted for each provider.
10. Children's Privacy
Our platform is intended for academic professionals and researchers, and our Terms require members to be at least 18. In line with the digital age of consent set by Austrian law (§ 4 Abs. 4 DSG), we do not knowingly collect personal information from children under 14 years of age. If we become aware that we have collected personal information from a child under 14, we will take steps to delete such information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
11. Third-Party Links and Services
Our platform may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party services you use.
When you click on links to external sites or use integrated third-party services, you may be subject to their privacy policies and terms of service.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you through:
- Email notification to your registered email address
- Prominent notice on our platform
- Update of the "Last updated" date at the top of this policy
Your continued use of our platform after such changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Contact: Contact form
Response Time: We aim to respond to all privacy-related inquiries within 30 days.
14. Governing Law and Supervisory Authority
This Privacy Policy is governed by the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Austrian data protection law, including the Austrian Data Protection Act (Datenschutzgesetz, DSG).
The data controller is the operator of this Platform, an individual established in Vienna, Austria. For the controller's name and contact address, see our Impressum.
Right to lodge a complaint (GDPR Article 77): If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority — either the Austrian Data Protection Authority (Datenschutzbehörde) at the address below, or the supervisory authority of the EU/EEA member state in which you live, work, or where the alleged infringement occurred.
Datenschutzbehörde
Barichgasse 40–42, 1030 Wien, Austria
Email: [email protected]
Website: www.dsb.gv.at
Right to a judicial remedy (GDPR Article 79): Independently of any complaint to a supervisory authority, you have the right to an effective judicial remedy. You may bring proceedings against us either before the courts of Austria, where we are established, or before the courts of the EU/EEA member state in which you have your habitual residence.
This privacy policy is designed to comply with GDPR and applicable Austrian data protection law. If you have any concerns about how we handle your data, please don't hesitate to contact us.