Frequently Asked Questions
The term “usage data” refers to data about how a website, mobile app or other resources are accessed and used, such as visits to a web page. Elsevier web servers automatically record usage data, which may be personally identifiable to individual users.
We support the right of individuals to have control over how their personal information is collected and used. We strive for transparency in all personal data management, as articulated in our Privacy Principles and Privacy Policy and demonstrated by our user Privacy Center.
Personal usage data helps Elsevier support its customers and individual users in several ways:
Customization and Personalization: We offer our users customized content and personalization options to improve their efficiency. For example, anonymized and aggregated usage data is used for ScienceDirect’s Recommendations on the Article Page.
Product Development: We proactively review usage patterns to enhance our products and services. For instance, as part of our agile product development process we often run A/B tests, comparing the performance of different user journeys or functionality upgrades to determine which serves our end-users most effectively.
System Monitoring: We monitor usage data to prevent system failure and to help protect our platforms (and customers) against cybersecurity risks and to suggest future enhancements. We use a variety of technologies that process usage data to identify operational system anomalies and potential threats, prevent fraud and unauthorized access, and ensure our solutions remain continuously available.
Regulatory or Contractual Obligation: We use usage data to comply with our legal and contractual obligations, such as reporting on usage under subscription agreements, resolving disputes and enforcing our agreements.
Many of our products offer personalization options to help users work more efficiently or support insights. On ScienceDirect, registered users can save or revisit their search or download histories, making it easier to resume a previous line of research. This type of functionality is dependent on our systems being able to identify users, so they are openly asked to set up an account by sharing minimal personal information. If a user chooses not to register and use personalization, they will still be able to use products like ScienceDirect, albeit with limited personalization options. Personalization does not work unless our systems are able to recognize a person, albeit based on limited personal data required to make the service viable. We only request information that is strictly relevant to the functionality and the exchange is transparent and confined to our products. There are benefits for those customers who choose this additional functionality in terms of research efficiency.
No, we do not sell personal usage data to any third party. We provide usage reports to customer institutions and consortia as part of our contractual obligations, which are restricted solely to their authorized users (i.e. we do not share the usage details of other customers). Such reports typically include information on the number of articles end users viewed or downloaded and support customer use cases such as usage analysis, subscription management, course management, testing, and remediation. Aggregated usage data is made available externally on some of our solutions — e.g., the total number of readers of articles indexed by Mendeley — but no personal information is disclosed. We sometimes share usage data with the suppliers and service providers that support our solutions — for example, to help ensure the ongoing stability of a platform — and these organizations are required to meet the same high data protection standards as Elsevier.
To achieve a consistently high standard for data security, Elsevier utilizes a Defense-in-depth methodology. This consists of controls and processes designed to protect against unauthorized access and alteration of data, like:
Encryption: We use industry standard encryption technologies for sensitive data in transmission and at rest to protect our data and make it unreadable to unauthorized users.
Physical Security: Data is stored and processed at physically secure data centers protected by segregated security zones.
Network Security: Elsevier utilizes a variety of network security technologies and processes to identify, prevent and detect unwanted traffic.
Log Management: Logs and log management tools are used to capture a variety of usage data, application and system logs, including but not limited to aggregated and anonymous usage activity (such as search queries), server activity and registered user logins. Access to logs is restricted with logs being securely stored based on their data classification.
Identity & Access Management: Access to our subscription products is restricted to authorized users and customers. User accounts, passwords, roles, groups and content subscription licenses are used to support appropriate authorization and authentication. User credentials are securely stored and protected.
Elsevier retains personal data for as long as necessary to provide the service and for other essential purposes such as complying with legal and contractual obligations, as described in the Elsevier Privacy Policy. Because these needs can vary for different data types, the context of our interactions with the user, and/or use of products, actual retention periods vary.
Third parties that process data on behalf of Elsevier agree by contract to only process such data for the specifically permitted purposes. Additionally, they must use appropriate technical and organizational security measures to safeguard the data. All third parties processing personal data as part of their services to us are required to agree to the RELX Privacy and Data Protection Requirements for Suppliers or comparable terms. International personal data transfers are subject to appropriate safeguards, such as Standard Contractual Clauses, as required under applicable law.
No, Elsevier does not use any “spyware” (malicious software secretly installed on a user’s device to gather data). If users have any concerns or questions, we encourage them to contact us directly.
No, Elsevier does not use LexisNexis® ThreatMetrix®.
No, ScienceDirect does not monitor mouse movements. We use software called Mouseflow to analyze interactions with website buttons to optimize their usability, but this does not capture mouse movements or any personal data or IP addresses.
ScienceDirect does not use “Targeting Cookies” for personalized advertising. Cookies are sometimes used to support contextual advertising, for example, to place a chemistry conference banner advertisement on the page of a chemistry journal. However, we do not sell or share personal usage data for targeted advertising.
Elsevier operates a defense-in-depth security methodology to protect our end-users, our customers and our own systems against cybersecurity threats. It is necessary to collect IP addresses to detect, prevent, investigate and report unauthorized access, misuse and theft of content, malicious IP addresses and suspicious patterns of use. Sometimes it is necessary to store this data for up to thirteen months to conduct trends analysis and year-on-year reporting and longer where necessary for legal reasons, such as pending investigations and litigation.
COUNTER reporting enables publishers, aggregators and technology providers to deliver credible, consistent, comparable usage metrics to libraries and consortia around the world.
We are required to collect the IP addresses of users to meet Elsevier’s contractual COUNTER usage reporting obligations. This data is retained for up to thirteen months to support the annual COUNTER compliance audit to allow us to reproduce reports where any errors may have occurred including to confirm our compliance with our contractual obligations to our customers, societies and others.
ScienceDirect is hosted on behalf of Elsevier BV by Amazon Web Services EMEA Sarl in its EU-West-1 (Ireland) data center with back up by Amazon Web Services Inc. in its US-East-1 (Virginia) data center. International transfers of personal data are subject to appropriate safeguards compliant with applicable law, including the EU Standard Contractual Clauses.