Open Athens
Search OpenAthens Open Athens


Taking your personal information seriously – the OpenAthens Privacy Notice

OpenAthens is a brand name of Eduserv which is a company limited by guarantee (registered in England & Wales, company number: 3763109) and a charity (charity number 1079456), whose registered office and principal place of business is 4 Portwall Lane, Bristol, BS1 6NB, UK. If you are a visitor to this website or an OpenAthens user, or if you represent an organisation that uses OpenAthens, we want to explain how we respect your privacy. If you have any questions about this privacy notice or about your personal information, then please call 0300 121 0043 or email

Our overall policy is to collect the minimum personal data that we need to provide you with the OpenAthens service and to keep you updated about it. We keep personal data for as short a period as possible and take good measures to protect it. We’re always happy for you to check the data we have about you and we’ll delete it if you want us to – unless this would mean we wouldn’t be able to provide your organisation with the OpenAthens service.

How have we got your information

  • You may have given us your personal data yourself. For example, you may have given us your business card at an event, emailed us requesting information, or filled in an online form so that you could download a report, document or some other information.
  • We may have found your contact details at some publicly available source but in this case, we wouldn’t use them without your consent.
  • The organisation you work for may have given us your personal data or asked you to give it to us because your role is key to the OpenAthens service or because you need to be an OpenAthens user.
  • If you visit our websites ( or, we might use cookies and analytical tools to collect anonymous information about your visit. Cookies are small text files placed on your computer to collect standard internet log and visitor behaviour information. Tracking and analysing visitor activity enables us to improve the website. For further information visit or You can set your browser not to accept cookies and the above-mentioned websites tell you how to remove cookies from your browser. However, this might disable some of the key website features.

What information do we collect

  • If you are an OpenAthens user your organisation may have asked us to create an account for you. To do this we only need your name and email address. We encrypt this information so that we don’t disclose your identity to the publishers whose resources you need to access unless your organisation asks us to do so. If your organisation creates your account they will choose what information to collect and what information to disclose to publishers. This OpenAthens Privacy Notice can’t address that situation, you need to contact your organisation’s OpenAthens administrator if you have any questions.
  • If you are the OpenAthens contact for your organisation or someone who has expressed an interest in OpenAthens, we only require your name, your role or job title, your department, the name of your organisation and your business contact details (phone numbers and email address).
  • Occasionally we might ask you for other personal information when we run an event or an online survey. We’ll always make it clear why we’re collecting that information and how long we’ll keep it and of course, it will be up to you whether you want to participate in the event or survey.

What we do with your information

We only use your information in connection with the OpenAthens service.

  • We may contact you with news about OpenAthens including changes and improvements to service and to tell you about any events or surveys that we’ll be running. 
  • If you’re the nominated contact for your organisation, we may also need to use your personal data to process your purchase orders, invoices and payments and to contact you about the service. This means we might need to share your personal data with some of our suppliers/service providers.
  • We’ll never sell your data. We might need to share it with third parties but only in connection with the OpenAthens service – for example, if you are located outside the UK then one of our local partners may need to use your personal data so as to deliver some aspects of the OpenAthens service for us. Sometimes we’ll run communication campaigns using carefully selected marketing agencies to contact you on our behalf and so we’d have to give them your contact details. All third parties must give us contractual commitments to only use your information in connection with OpenAthens. If any of them want to put you on their own mailing lists, they need your specific agreement and they should let you review their own privacy policy.
  • If you’re an OpenAthens user and we were responsible for creating your account, we anonymise your personal data when we deliver the OpenAthens service to you and we do not sell or share your personal data with any third party.

Contact us for if you’d like details about any specific third party that we’re using.

How we protect your information

  • We adopt best industry practice to protect your information by aligning with the international standards for information security such as ISO27017 and ISO27018 and we hold our own ISO27001 certification. We keep your personal information behind firewalls to prevent unauthorised access and it’s encrypted in transit.
  • If you’re the nominated contact for your organisation your information may also be kept in public or private clouds used by the service providers we’ve selected for our finance systems. We only use service providers where we are happy with the security measures they implement to protect the data we entrust them with.
  • All other third parties, wherever they are located, who have to use your information in connection with the OpenAthens service must give us contractual commitments to adopt practices consistent with the requirements of the General Data Protection Regulation.

How long do we keep your information

  • We’ll keep your personal information until you tell us not to. All our communications will ask you if you want to continue receiving OpenAthens news. Every couple of years we’ll also contact you to check that you’re still happy to hear from us.
  • However, by law we must keep financial records such as purchase orders and invoices for six years. If you’re the nominated contact for your organisation, your details might appear on these records. But apart from this, we keep your information until your organisation tell us not to – for example when you stop working for them or because your job role has changed. In any case, we contact your organisation every two years to check that your details are still valid. One year after your organisation’s OpenAthens contract ends, we’ll contact you to see if you want us to delete your contact details or whether you’d like us to continue to send you OpenAthens news.

How you can check your information

  • We’re happy for you to check the information we have about you at any time. You can ask us to tell you what information we have, why we have it, how we protect it etc. You can also check that your information’s accurate and we’ll make any corrections promptly. Similarly, we’ll delete your information if you ask us to.
  • Please note that if you’re an OpenAthens user or the nominated contact for your organisation, we’re obliged to check with them before we delete your information. This is because they are the data controller for your information and, for example, your organisation might need us to substitute someone else’s contact details before we delete yours.
  • If you want to know about your information please use the contact details shown at the top of this notice.

Use of ‘cookies’

  1. What are cookies?
    Cookies are widely used tiny pieces of software (files) that are installed on a computer or mobile device when an individual visits a website.

Windows Explorer, which is one of the main internet browsers, will usually store these files in a folder called ‘cookies’ in ‘documents and permissions’ on computers running Microsoft Windows.

Cookies allow websites to recognise that a user on an individual computer has previously visited the site. The cookies save some information about that user for when they access the site again in the future.

By using and browsing the OpenAthens website, you consent to cookies being used in accordance with our policy. If you do not consent, you must turn off cookies or refrain from using the site.

Most browsers allow you to turn off cookies. To do this, look at the ‘help’ menu on your browser. Switching off cookies may restrict your use of the website and/or delay or affect the way in which it operates.

2. What types of cookies are there?
Broadly, there are 4 types of cookie:
Strictly necessary cookies. These are cookies that are essential to make a website work and enable features that users have specifically asked for. These types of cookies are commonly used with e-billing. Without use of cookies, these features of the website could not operate.
Performance cookies. These cookies collect anonymous information about users for the purpose of assessing the performance of a website. Common uses include well-known web analytics tools such as ‘Google Analytics’.
Functionality cookies. These are cookies that automatically remember choices that users have previously made in order to improve their experience next time they visit a website. For example, where users select their preferred settings and layout.
Targeting or Advertising cookies. These cookies are similar to performance cookies, in that they collect information about users’ behaviour. However, this information is used at individual user level to advertise products and services to users on the basis of the behavioural information collected.

3. What cookies does the OpenAthens website use?

Service Cookie Name Description Expiration Time
Google Analytics gtag.js and analytics.js _ga Used to distinguish users. 2 years
_gid Used to distinguish users. 24 hours
_gat Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>. 1 minute
AMP_TOKEN Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service. 30 seconds to 1 year
_gac_<property-id> Contains campaign related information for the user. If you have linked your Google Analytics and AdWords accounts, AdWords website conversion tags will read this cookie unless you opt-out. 90 days
Google Analytics ga.js __utma Used to distinguish users and sessions. The cookie is created when the javascript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics. 2 years from set/update
__utmt Used to throttle request rate. 10 minutes
__utmb Used to determine new sessions/visits. The cookie is created when the javascriptlibrary executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics. 30 mins from set/update
__utmc Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmbcookie to determine whether the user was in a new session/visit. End of browser session
__utmz Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the javascript library executes and is updated every time data is sent to Google Analytics. 6 months from set/update
__utmv Used to store visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor level custom variable. This cookie was also used for the deprecated _setVar method. The cookie is updated every time data is sent to Google Analytics. 2 years from set/update
Google Maps NID, OGPC, APISID These cookies are used by Google to store user preferences and information when viewing pages with Google maps on them. From 1 month to 6 months
Google 1P_JAR, CONSENT, APISD, HSID, S, SIDCC, NID, SID Google uses these cookies, based on recent searches and interactions, to customise ads on Google websites. From 1 month to 20 years
DV, UULE These cookies are used by Google to collect information about how visitors use our site. 1 day
OTZ A cookie used by Google Analytics that provides an aggregate analysis of Website visitors 1 week
PHP System PHPSESSID This cookie contains information that identifies the user and is destroyed when the session expires. Session
Hotjar hjClosedSurveyInvites This cookie is set once a visitor interacts with a Survey invitation modal pop-up. It is used to ensure that the same invite does not re-appear if it has already been shown. 1 Year
_hjDonePolls This cookie is set once a visitor completes a Poll using the Feedback Poll widget. It is used to ensure that the same Poll does not re-appear if it has already been filled in. 1 Year
_hjMinimizedPolls This cookie is set once a visitor minimizes a Feedback Poll widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site. 1 Year
_hjDoneTestersWidgets This cookie is set once a visitor submits their information in the Recruit User Testers widget. It is used to ensure that the same form does not re-appear if it has already been filled in. 1 Year
_hjMinimizedTestersWidgets This cookie is set once a visitor minimizes a Recruit User Testers widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site. 1 Year
_hjDoneSurveys This cookie is set once a visitor completes a survey. It is used to only load the survey content if the visitor hasn’t completed the survey yet. 1 Year
_hjIncludedInSample This session cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate Heatmaps, Funnels, Recordings, etc. 1 Year
_hjShownFeedbackMessage This cookie is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if they navigate to another page where it is set to show. 1 Year
Twitter _ga, _gid, lang, kdt,
syndication_guest_id, dnt, guest_id,
personalization_id, twid, netpu, guest_id,
tfw_exp, remember_checked_on,
twitter_ads_id, co, auth_token
These are Twitter cookies that are used on websites with Twitter feeds and / or Twitter sharing functionalities. For more information, please see From session duration to 2 years
These cookies are set as a result ofembedded YouTube videos. They help register anonymous data on usage.
For more information, read the general Google Privacy policy.
From session duration to 20 years
Shareaholic c_id, e, lrc_e, lrc_t,
p_locc_h, p_locc_user_id_expiry,
p_orc_2, shr_br
Cookies used to share content and connect with social networks. From session to 2 years
DoubleClick DSID, IDE, _drt_, id These cookies are used for re-targeting, optimisation, reporting and attribution of online adverts From 2 days to 2 months
catAccCookies This cookie enables you to accept our cookie statement. 30 days
WordPress wp-settings-, wp-settings-time Used to customize the view of admin interface/main site interface for logged in users. 2 weeks
wordpress_test_cookie Checks if cookies are enabled to provide appropriate user experience. Session
wordpress_logged_in_ Checks whether or not the current visitor is a logged in user. Session
wordpress_sec_ Essential WordPress session management cookies for logged in users. Session
itsec-hb-login-* Set by WP Security Plugin to change the backend login URL for additional security. Session
AppNexus anj, usersync These cookies contain data denoting whether a cookie ID is synced with AppNexus partners. Read more information. 90 days
icu The icu cookie is used to select ads and limit the number of times a user sees a particular ad. 90 days
uuid2 This cookie is used to help deliver ads to people who have previously visited our websites, purchased our products or used our apps and to recommend products and services based on that activity. 90 days
sess It is used by the Platform to test whether a browser is configured to accept cookies from AppNexus. Session ayah_distiltag_sync Unclassified Session
aoc Unclassified 1 year cpSess Unclassified 1 year mako_uid, ONPLFTRH Collects data on user visits to the website, such as what pages have been accessed. The registered data is used to categorise the user’s interest and demographic profiles in terms of resales for targeted marketing. 1 year and
Session (ONPLFTRH) tp, u, pi Unclassified From Session to 1 year lc, bkc, adpq, bsc, nsc, pmc, apq, tapq, oath, cwc, lrc, tpq, rc gguuid, oxc, p2, si, roc, kc, rmuuid, cc Collects anonymous information about products and services that people own, use or have shown interest in. That information is used to provide relevant advertising and content to in ads. From session to 5 years UID, UIDR The UID cookie is associated with comScore; these are used to get 3rd party measurement of audience size. 2 years uid Registers a unique ID that identifies a returning user’s device. The ID is used for targeted ads 1 year pids Unclassified 3 months
__cfduid Used by the content network, Cloudflare, to identify trusted web traffic. 1 year
uid Assigns a user ID that is connected to a registration of the user’s IP address, browser type, browser language, date and time for visiting the website and what search query that took the user to the page. 1 year
Cloudflare __cfduid The ‘__cfduid’ cookie is set by the CloudFlare service to identify trusted web traffic. It does not correspond to any user id in the web application, nor does the cookie store any personally identifiable information. 1 year
VigLink vgInk.Agent.p Unclassified 10 years

Other websites

This OpenAthens website contains links to other websites. Your visit to those other websites will be governed by their own published privacy policies.

Changes to our information security practices

We review our information security practices frequently, so this privacy notice will be updated periodically, therefore we suggest you check it from time to time. The version that appears here was published in February 2018.