Clarification on Pavlovia Session IDs and Anonymity in EMS Integration

Hi there,

I’m conducting an online experiment for my master’s thesis using Pavlovia, and participants access the study via a university recruitment system (EMS, similar to SONA). The EMS sends participants to Pavlovia using a URL parameter like ?participant=ABC123, and once they complete the study, they are redirected back to EMS for credit.

For my ethics committee (SMEC at KU Leuven), I need to clarify whether the data collected on Pavlovia is anonymous or merely pseudonymized.

Specifically, could you please confirm:

1. Does Pavlovia store the participant query parameter along with the session data?
2. Is there any internal logging (even temporarily) that links session IDs to identifiable information such as EMS/SONA codes?
3. If such linking is possible, can it be disabled, or does it require active deletion?

I want to ensure that no personal or indirectly identifiable information is stored alongside the experimental data.

Many thanks in advance
Kind regards

1. The value of “participant” is stored in the PsychoPy data file. Whether it is identifiable or not depends on how it was generated. For example, in SONA I think you can choose whether to have the value be randomly generated each time or for each participant to always be assigned the same value.
2. Please could you clarify what you mean here?

even if the experiment data itself only stores a session ID, does Pavlovia internally or temporarily log the full URL or associate the participant ID with session data in any way — for debugging, system logs, or server management purposes?

I need to determine whether there exists any technical possibility — even outside the researcher’s access — that someone could later link the session/data back to the participant code.

Thanks for the clarification!
Just to make sure I fully understand:

• When the ?participant=XYZ value is passed via the URL, this is saved in the data file.
• So even if that code isn’t personally identifying by itself, it still ends up in the dataset.

Would you say that if the code is randomly generated and not stored or logged anywhere else (e.g. not linked to email or name), the data can still be considered anonymous — or would it still technically fall under pseudonymized data under GDPR, since the ID exists in the file?

This is important for my ethics application, so I appreciate your help!

If EMS needs to know which participant id was assigned to a particular participant in order to credit the correct person at the end, then you would need to ask EMS whether than ID is stored. If someone hacking into EMS can only theoretically discover the IDs of participants who are mid session, then I would regard the data as fully anonymous. If the assignment of IDs to participants is stored by EMS then it is pseudo-anonymous.

You might also regard the data as pseudo-anonymous if the date and time is stored by EMS, since you could order the personal data by timestamp and they try to line it up with the time data in the data file.