IRB & Ethics Brief
This document is written for researchers who need to describe Samply to an Institutional Review Board (IRB), ethics committee, or data protection officer. It covers what data Samply collects, where it goes, and how it is protected — in plain language, without legal boilerplate.
Last updated: May 2025
Contact: yury.shevchenko@uni.kn — Yury Shevchenko, iScience Research Group, University of Konstanz, Germany.
What Samply is
Samply is a notification-scheduling platform for experience-sampling and diary studies. Researchers configure notification schedules on the Samply website. Participants install the Samply Research app on their phone, join a study, and receive push notifications at the times the researcher has set. Tapping a notification opens the researcher's external survey link — Samply does not host or collect survey responses.
Data collected from participants
| Data item | Purpose | Stored by Samply |
|---|---|---|
| E-mail address and hashed password | Account authentication | Yes |
| Push notification token | Delivering notifications to the device | Yes |
| Internal participant ID (Samply ID) | Pseudonymous identifier passed to survey URLs so researchers can link responses | Yes |
| Notification receipt timestamp | Compliance tracking — records when a notification was sent and whether it was opened | Yes |
| Timezone preference and quiet-hour window | Scheduling notifications within the participant's preferred hours | Yes |
| Geolocation (geofencing studies only) | Triggering location-based notifications when the participant enters or exits a defined area; not shared with researchers or third parties | Device only — coordinates are processed on-device and not transmitted to the server |
| Survey responses | Not applicable | No — responses go directly to the researcher's survey platform (Qualtrics, LimeSurvey, etc.) |
Data collected from researchers
| Data item | Purpose |
|---|---|
| E-mail address and hashed password | Account authentication |
| Study configuration (title, description, schedule, survey URLs) | Running the study |
What Samply does not do
- Samply does not collect, store, or have access to participants' survey responses. Responses are submitted directly from the participant's browser to the researcher's survey tool.
- Samply does not collect participants' names, phone numbers, or any free-text personal information beyond an e-mail address.
- Samply does not share participant data with third parties, advertisers, or other researchers.
- Samply does not use participant data for any purpose other than delivering scheduled notifications for the study the participant has joined.
- Samply does not retain GPS coordinates on its servers. Geofence calculations run on the participant's device.
Participant pseudonymity
Each participant is assigned an internal Samply ID — a random alphanumeric string. This ID is appended to the survey URL when the participant taps a notification (e.g., https://your-survey.com/?pid=a3f9b2c1). The researcher receives this ID in their survey data and can use it to link survey responses across time points without knowing the participant's e-mail address.
Researchers do not see participant e-mail addresses in the Samply dashboard. The link between an e-mail address and a Samply ID exists only in the Samply database and is not exported.
Participant rights
- Withdrawal: Participants can leave a study at any time from the app. Leaving stops all future notifications immediately.
- Account deletion: Participants can delete their account from the app settings. This permanently removes their e-mail address, Samply ID, push token, and all associated records from Samply's database. Deletion cannot be undone.
- Data access: Participants may request a copy of their data by contacting yury.shevchenko@uni.kn.
Data storage and security
- The Samply platform is operated by the iScience Research Group at the University of Konstanz, Germany.
- Data is stored on servers operated by the University of Konstanz.
- Passwords are stored as bcrypt hashes and are never stored or transmitted in plain text.
- All communication between the app, the website, and the server uses HTTPS/TLS encryption.
- Push notifications are delivered via Apple Push Notification Service (APNS) and Google Firebase Cloud Messaging (FCM). The notification payload contains only the study title and a prompt text set by the researcher — no personal data.
Retention
Participant data is retained for the duration of the study and until the participant deletes their account. Researchers may delete individual participant records or all study data at any time from the dashboard. There is no automatic deletion schedule.
Suggested IRB description
The following paragraph can be adapted for use in an ethics application or consent form:
Notifications will be delivered via the Samply Research app (samply.uni-konstanz.de), developed and operated by the iScience Research Group at the University of Konstanz, Germany. Samply will store your e-mail address, a push notification token, and a pseudonymous participant ID for the purpose of delivering scheduled notifications. Samply does not collect your survey responses; those are submitted directly to [name of survey platform]. You can withdraw from the study and delete your Samply account at any time from the app. For data protection questions, contact yury.shevchenko@uni.kn.
Questions
If your IRB or data protection office has specific questions not answered here, please write to yury.shevchenko@uni.kn. We are happy to provide additional documentation or to speak directly with your ethics reviewer.