Account terms
A user account is a separate, password-protected set of resources within iccsh2027.org that lets you register for the Congress, submit an abstract, manage billing details, and access documents issued by the Organizer. These terms form an integral part of the Service terms and conditions.
General
- A user account (the "Account") is a separate, password-protected set of resources and permissions within the iccsh2027.org service (the "Service"), enabling Congress registration, abstract submission, management of billing details, and access to documents issued by the Organizer (including confirmations and invoices).
- Creating an Account is voluntary but necessary to use functionality that requires authentication (Congress registration, abstract submission, the participant panel).
- Only a natural person with full legal capacity may create an Account, acting in their own name or on behalf of a represented entity under appropriate authorization.
- Creating an Account requires providing an e-mail address and setting a password, followed by confirmation of the e-mail address as described in 5.4.
- One e-mail address may be associated with only one Account.
Password and security requirements
The password is set by the user. The password must meet the following minimum requirements:
- a minimum length of 12 characters;
- the password must not be identical to, or contain in full, the user's e-mail address;
- the password must not appear on lists of commonly known, dictionary, or publicly breached passwords (the Service may reject such a password).
The Service does not impose mandatory periodic password changes or artificial composition rules (e.g. mandatory special characters) — consistent with current technical guidance (for reference: NIST SP 800-63B), the priority is password length and uniqueness. Long passphrases and the use of a password manager are recommended.
The password is stored by the Controller only as a cryptographic hash generated with a modern, attack-resistant algorithm (Argon2 or bcrypt) using an individual salt. The Controller does not store and does not know the password in plaintext and will never ask the user to disclose the password by phone, e-mail, or in any form other than the Service login form.
The user is obliged to:
- keep the password confidential and not disclose it to third parties;
- set a password not used by them on other services;
- promptly change the password and notify the Controller (info@iccsh2027.org) upon any suspicion that the password or Account has been disclosed, lost, or accessed by an unauthorized person.
User responsibility; prohibition on sharing the Account
- The user is responsible for keeping their authentication credentials (e-mail address and password) confidential and for all actions performed in the Service using their Account, unless Account access resulted from causes attributable to the Controller.
- Sharing the Account with third parties is prohibited, including sharing login credentials, reselling, lending, or transferring the Account. Each Account is assigned to one identified person.
- The user undertakes to provide true, current, and complete data and to update it if it changes.
- Using the Account in a manner that violates the law, good morals, third-party rights, or Service security is prohibited — in particular, attempting unauthorized access to other Accounts or to the Controller's server resources.
E-mail address confirmation
- After an Account is created, an automated message (account-confirmation) containing a single-use activation link (token) is sent to the provided e-mail address.
- The activation link is single-use — it expires after the first successful use — and time-limited, remaining valid for a limited period (a new link must then be requested).
- Until the e-mail address is confirmed, Account functionality may be limited (e.g. inability to finalize registration or submit an abstract).
- E-mail confirmation verifies that the user controls the indicated address and that it is valid for transactional delivery (including payment confirmations, invoices, and abstract decisions).
Password recovery (reset) procedure
- If a password is lost, the user initiates the recovery procedure by providing the e-mail address associated with the Account.
- A message containing a single-use link (token) enabling the setting of a new password is sent to that address. The link is single-use: it expires once a new password is successfully set. It is also time-limited (once the validity period has passed, a new link must be requested) and is invalidated when a newer reset link is generated.
- For security reasons, if no Account exists at the indicated address, the Service may display a message identical to that shown for an existing address (so as not to reveal the existence of an Account).
- A successful password change may log out all active Account sessions and trigger an e-mail notification of the password change.
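The token rules above (single-use, time-limited, superseded by a newer link, identical message for unknown addresses) can be sketched as follows. This is an added example, not the Service's own code; it also applies to the activation link described under e-mail address confirmation. The class name `ResetTokens`, the one-hour `TOKEN_TTL`, and the message text are assumptions, and the new password is assumed to be hashed elsewhere (Argon2 or bcrypt) before it is passed in.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed validity in seconds; the terms only say "limited period"
MESSAGE = "If an account exists for this address, a reset link has been sent."


class ResetTokens:
    """In-memory sketch: one live token per e-mail, stored only as a digest."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts  # e-mail -> password hash (opaque string here)
        self.live = {}            # e-mail -> (SHA-256 of token, expiry time)
        self.now = now            # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email):
        """Return (message shown to the user, token to e-mail or None)."""
        if email not in self.accounts:
            return MESSAGE, None  # same message, so account existence is not revealed
        token = secrets.token_urlsafe(32)
        # Overwriting the entry invalidates any older link for this account.
        self.live[email] = (self._digest(token), self.now() + TOKEN_TTL)
        return MESSAGE, token

    def redeem(self, email, token, new_password_hash):
        """Set the new hash if the token is current, unexpired and unused."""
        entry = self.live.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self.live[email]  # expired: a new link must be requested
            return False
        if not secrets.compare_digest(digest, self._digest(token)):
            return False
        del self.live[email]      # single use: consumed on success
        self.accounts[email] = new_password_hash
        return True


if __name__ == "__main__":
    store = ResetTokens({"user@example.org": "old-hash"})  # constructed sample
    _, link_token = store.request("user@example.org")
    print(store.redeem("user@example.org", link_token, "new-hash"))
```
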
Account suspension and lockout
- To protect the Account against attacks (e.g. password guessing, credential stuffing), the Service applies mechanisms limiting the number of failed login attempts.
- After a number of consecutive failed login attempts, the Account may be temporarily locked (suspended) for a limited period or until unlocked via the password reset procedure. The mechanism may be supplemented with exponential backoff and IP-based limits.
- The Controller may also suspend or block an Account where there is a justified suspicion of a breach of Service security or of other users' data, where the user has breached these terms or the law, or where a formal request is received from a competent authority.
- The user is informed of a suspension under the preceding point at the e-mail address associated with the Account, unless precluded by security considerations or applicable law.
Data processed within the Account
The Account processes in particular: the e-mail address, the password hash (passwordHash), the preferred interface language (language), and the e-mail confirmation status (emailConfirmed). Registration data, billing data, and submitted abstracts may be associated with the Account — the rules for processing them are set out in the Service's Privacy Policy.
Deletion at the user's request
- The user may request deletion of the Account at any time — independently (if the Service provides such a function) or by a request to info@iccsh2027.org.
- The deletion request is carried out without undue delay, no later than within 30 days of receipt, subject to the exceptions described in 6.3.
- A request to delete the Account simultaneously gives effect to the right to erasure ("right to be forgotten") under Article 17 GDPR, in respect of Account-related data whose further retention is not required on another legal basis.
Effects of Account deletion on registrations and abstracts
- Deleting the Account before the Congress may prevent management of an active registration and access to submitted abstracts via the Service.
- Paid registration: Account deletion does not automatically constitute withdrawal from participation or grounds for a refund — cancellation and refund rules are governed by the participation/registration terms. Data necessary to deliver participation and to meet tax and accounting obligations may be processed despite Account deletion (see 6.3).
- Abstract under review: a request to delete the Account may result in withdrawal of the abstract from the review process, unless the user indicates otherwise and further processing is feasible. An abstract already accepted and included in the Congress program/materials may require further processing of author data necessary to publish the program.
- After Account deletion, data not covered by the exceptions in 6.3 is deleted or irreversibly anonymized.
Exceptions — data retained despite Account deletion
In accordance with Article 17(3) GDPR, the right to erasure does not apply insofar as processing is necessary for compliance with a legal obligation to which the Controller is subject, or for the establishment, exercise, or defense of legal claims. In particular, the Controller retains:
- VAT invoices and accounting documents (including the buyer's billing data) — Art. 17(3)(b) GDPR; Polish Accounting Act (Art. 74(2)(4)) and Tax Ordinance (Art. 86 § 1)
  - Retention period: 5 years from the end of the calendar year in which the tax payment deadline fell
- Data needed to establish, exercise, or defend claims (e.g. proof of contract, complaint correspondence) — Art. 17(3)(e) GDPR; Art. 6(1)(f) GDPR (legitimate interest)
  - Retention period: until expiry of claim limitation periods (generally 3–6 years under the Polish Civil Code)
- Consent/accountability records (e.g. records of granting and withdrawing consents) — Art. 5(2) and Art. 7(1) GDPR (accountability)
  - Retention period: for the period necessary to demonstrate compliance, no longer than the claim limitation period
- Technical records necessary for security (login-event security logs) — Art. 6(1)(f) GDPR
  - Retention period: for a limited period needed for security
Data retained on the above grounds is processed only to the extent and for the period resulting from the relevant legal basis, after which it is deleted or anonymized.
E-mail address after Account deletion
After Account deletion, the e-mail address may be retained in anonymized form (e.g. as a hash) solely to prevent re-registration where justified on security grounds, or deleted entirely — depending on the Service configuration.
For how associated registration, billing and abstract data is handled, see the Privacy Policy.