Privacy Policy

SUM Open Data Platform (ODP)

Last updated: 1 June 2026

This Privacy Policy explains how personal data is collected, processed and protected when you use the SUM Open Data Platform (the "Platform"), accessible at https://sum-odp.eu and https://odp.sum-project.eu.

The Platform is operated as part of the SUM (Seamless Shared Urban Mobility) project, which has received funding from the European Union's Horizon Europe Research and Innovation programme under Grant Agreement No 101103646.

We are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and applicable national data protection law.


1. Who is responsible for your data (Data Controller)

The data processing carried out through the Platform is the joint responsibility of the SUM Consortium, the group of partner organisations participating in the SUM project.

The project is coordinated by INRIA (Institut National de Recherche en Informatique et en Automatique), which acts as the primary point of contact for data protection matters relating to the Platform.

  • Coordinator / point of contact: INRIA — SUM project coordination
  • Data protection contact: odp@sum-project.eu
  • INRIA Data Protection Officer (DPO): dpo@inria.fr

Each SUM Consortium partner has designated a Data Protection Officer for the project and is responsible for the personal data it collects, generates and processes within its own activities.


2. What personal data we collect

We limit the collection of personal data to what is necessary for the purposes described below (data minimisation).

Account and registration data. When you register for a Living Lab user account on the Platform, we collect:

  • your name;
  • your email address;
  • a password (stored in encrypted/hashed form);
  • the Living Lab(s) you are associated with;
  • your account status (e.g. pending verification, active, disabled).

Living Lab accounts are verified by a Platform administrator before activation.

Contact and messaging data. When an administrator contacts a Living Lab, or when you submit a contact/message form, we process the content of the message and the identifiers needed to deliver it (e.g. sender and recipient account details). A record of messages sent through the Platform is retained.

Technical data. When you use the Platform, our servers process limited technical information required to operate the service securely and to maintain your login session (see Section 7, Cookies).

Open data published on the Platform. The datasets, KPI results and Living Lab content published openly on the Platform are anonymised and aggregated. Only anonymised and aggregated data is made openly available, so that individual data subjects cannot be identified, unless explicit consent has been obtained in accordance with the GDPR.

We do not process special categories of personal data (sensitive data) within the meaning of Article 9 GDPR through the Platform.


3. Why we process your data and the legal basis

We process personal data for the following purposes, each with a lawful basis under Article 6 GDPR:

  • To create and manage your user account and to verify Living Lab administrators — necessary to provide the service you request (Article 6(1)(b) GDPR, performance of a contract / steps at your request).
  • To enable communication between administrators and Living Labs through the Platform's messaging features — based on our legitimate interest in operating the collaboration features of the Platform (Article 6(1)(f) GDPR).
  • To operate, secure and maintain the Platform (authentication, session management, prevention of unauthorised access) — based on our legitimate interest in the security and integrity of the service (Article 6(1)(f) GDPR).
  • To publish open mobility data in the public interest and for scientific research purposes, using only anonymised and aggregated data (Article 6(1)(e) and/or Article 6(1)(f) GDPR). Where identifiable personal data would ever be published, this is done only with your explicit consent (Article 6(1)(a) and Article 7 GDPR).

Where consent is the legal basis, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.


4. How long we keep your data

We keep personal data in a form that permits your identification for no longer than is necessary for the purposes for which it is processed (Article 5(1)(e) GDPR).

  • Account data is kept for as long as your account remains active. If your account is disabled or you ask us to delete it, your personal data is deleted or anonymised within a reasonable period, subject to any legal retention obligations.
  • Messages sent through the Platform are retained for traceability of Platform communications for 5 years.
  • Open data published on the Platform is anonymised/aggregated and is intended to be preserved long-term to support research and decision-making beyond the lifetime of the project.

5. Who has access to your data

Access to personal data is restricted to authorised personnel only.

  • SUM Consortium partners and authorised Platform administrators access account and messaging data strictly as needed to operate the Platform.
  • The Platform hosting infrastructure is provided on INRIA servers (see Section 8).
  • Authorised personnel of the funding authority of the project may access project data where required.

We do not sell your personal data, and we do not share it with third parties for advertising or marketing purposes.


6. International data transfers

Some SUM Consortium partners are based outside the European Economic Area (EEA) — for example, in Israel. Where any personal data needs to be transferred to a recipient outside the EEA, such transfer takes place only in accordance with:

  • an adequacy decision of the European Commission (Article 45 GDPR); or
  • appropriate safeguards such as Standard Contractual Clauses (Article 46 GDPR).

7. Cookies

The Platform uses only strictly necessary cookies required to operate the service and to keep you logged in (session and authentication cookies). These cookies are essential for the Platform to function and do not require your consent.

The Platform does not use advertising cookies, third-party tracking, or web analytics tools that profile users.

If this changes in the future (for example, if analytics are introduced), this policy will be updated and, where required, your consent will be requested before any non-essential cookies are set.


8. Where your data is stored and how it is secured

The Platform is hosted on INRIA servers at Parc scientifique de la Haute-Borne, 40 avenue Halley – Bât A – Park Plaza, 59650 Villeneuve d'Ascq, France.

We apply appropriate technical and organisational measures, based on a risk assessment, to protect personal data against accidental loss and unauthorised access, including:

  • encrypted connections (HTTPS);
  • user authentication and individual accounts with password protection;
  • access controls limiting access to authorised personnel;
  • firewall protection and regular security updates;
  • regular backups and integrity checks.

In the event of a personal data breach, the responsible party will notify the competent national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and will inform affected data subjects where the breach is likely to result in a high risk to their rights and freedoms (Articles 33 and 34 GDPR).


9. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — to obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure ("right to be forgotten") — to have your data deleted where there is no legitimate reason to keep it.
  • Right to restriction of processing — to limit how we use your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object — to object to processing based on legitimate interests.
  • Right to withdraw consent — at any time, where processing is based on consent.

To exercise any of these rights, contact us at odp@sum-project.eu


10. Right to lodge a complaint

If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence, place of work, or of the alleged infringement.

In France, the competent authority is the Commission Nationale de l'Informatique et des Libertés (CNIL) https://www.cnil.fr .


11. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in the Platform or in legal requirements. The current version, with its date, is always available on the Platform.


12. EU funding disclaimer

Co-funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Climate, Infrastructure and Environment Executive Agency (CINEA). Neither the European Union nor the granting authority can be held responsible for them.

Copyright © SUM Consortium.