CertifylizeCertifylize

Privacy Policy

Protecting personal data is important to us. We process personal data in accordance with applicable data protection laws, in particular the GDPR. This policy explains what data we process, for what purposes, and which rights you have.

1. Controller

Controller under the GDPR:
Certifylize
Owner: Fatmir Hasani
Hauptstraße 32a
79540 Lörrach
Germany
Email: support@certifylize.com
Phone: +49 176 21667673
VAT ID (Germany): DE330116839
Further legal information: Legal Notice.

2. Scope & purposes of processing

We process personal data only insofar as it is necessary to provide a functional website and our digital services. Typical purposes include:

  • Providing the website and platform features (including verification pages/verify links)
  • Authentication, authorization and account management (including roles/permissions within organizations)
  • Processing certificate/record data initiated by users/issuers (including document uploads, metadata and validity information)
  • Security and abuse prevention (e.g., attack detection, rate limits, fraud/abuse signals)
  • Audit trail / logging of relevant actions (e.g., issuance, status changes, imports, integrations) for traceability
  • Communication (e.g., contact requests, support)
  • Technical analysis for stability and improvement (e.g., performance, error diagnosis)

3. Legal bases

We process personal data based on Art. 6(1) GDPR, in particular:

  • Art. 6(1)(b) GDPR (contract / pre-contract) – e.g., account, platform use, support, billing
  • Art. 6(1)(f) GDPR (legitimate interests) – e.g., IT security, stability, abuse prevention, fraud/attack detection
  • Art. 6(1)(c) GDPR (legal obligation) – e.g., statutory retention requirements
  • Art. 6(1)(a) GDPR (consent) – where we request consent (e.g., optional cookies)

The applicable legal basis depends on the specific processing activity. In B2B scenarios, additional contractual terms (e.g., DPA) may apply.

4. Hosting, access data & server logs

When you access our website, information may be processed automatically by your browser and/or our hosting infrastructure to deliver the site and ensure IT security. This may include:

  • IP address
  • date and time of access
  • requested URL/endpoint and status code
  • amount of data transferred
  • referrer URL
  • browser type, operating system, language settings

This processing is necessary for delivering the website, ensuring security (e.g., DDoS protection), detecting abuse, troubleshooting and maintaining stability.

5. Cookies, local storage & technical consents

Depending on usage and features, we may use technical storage mechanisms (e.g., cookies, session storage, local storage) to provide core functionality, such as:

  • session cookies / session tokens (e.g., login session)
  • security tokens (e.g., CSRF protection)
  • technical preferences (e.g., language/locale), if implemented
  • temporary UI/workflow state where technically required

If optional cookies/tracking are used, we will obtain consent where required. The current focus is on technically necessary components.

6. Contacting us

If you contact us (e.g., via contact form or email), we process the data you provide to handle your request.

  • name
  • email address
  • company (optional)
  • message/request
  • optional technical metadata (e.g., time of request)

Purpose is communication and handling your request (including follow-ups).

We generally store contact data only as long as necessary to process your request or as required by law.

7. Accounts, authentication, roles & platform operation

When using protected areas, we process data required for authentication, authorization, and account operations. For organization-based accounts, we also process role/permission data.

  • login data (e.g., email address)
  • role/permission information (e.g., owner/admin/member)
  • organization/team association
  • session information (e.g., session ID, expiration)
  • security-related logs (e.g., login events, errors)
  • audit logs of relevant actions (e.g., create/update/delete, status changes), depending on setup

Purpose is secure platform operation, account/permission management, traceability of critical actions, and abuse prevention.

Certificate/record content is processed only as part of the respective use. Customers/issuers are responsible for ensuring they process only necessary data and that uploaded content is lawful (especially where personal data is involved).

8. API, webhooks & technical logs

If you use API and/or webhook functionality (e.g., issuing certificates via API key or receiving events via webhooks), we process technical data needed to execute and secure requests.

  • API key/secret association (e.g., to an issuer/account/organization) – keep keys/secrets confidential
  • request and delivery metadata (e.g., time, endpoint/event, status code, retry information)
  • security/abuse signals (e.g., rate limiting, signature/auth failures)
  • logs for troubleshooting and stability (e.g., error messages, trace IDs) where necessary

Please send only data required for the purpose and avoid unnecessary personal data. For webhooks, we recommend signatures/secrets and secure endpoint configuration.

9. Blockchain references (hashes), off-chain storage & verification

Certifylize may use blockchain technology to anchor checksums (hashes) and references to support consistency verification and tamper detection. Certificates and documents may also be stored off-chain and linked via references.

  • We generally do not store personal data in clear text on-chain.
  • Technical references (e.g., hashes) may be processed as integrity indicators; depending on setup, a transaction/anchor reference may also be stored.
  • Documents (e.g., PDFs, attachments) are typically stored off-chain; the blockchain then serves as a reference layer only.
  • Verification pages/verify links may display technical status information (e.g., valid, revoked, expired), depending on the issuer setup.

Depending on context and underlying inputs, a hash could theoretically be considered personal data. Therefore: data minimization and avoid unnecessary personal data in certificate content. Also note: blockchain entries are generally not erasable, which can technically limit certain rights (e.g., erasure).

10. Recipients, processors & disclosure

We disclose personal data only where necessary or legally permitted. Recipient categories may include:

  • IT/hosting providers (processors) for website/platform delivery
  • email/support infrastructure (e.g., inquiries and system emails)
  • storage/upload infrastructure for documents (off-chain), where used
  • payment providers if you use paid services
  • blockchain infrastructure/providers (e.g., nodes/explorers) where technical references are processed
  • public authorities if required by law

Where providers act as processors, we use processor agreements (Art. 28 GDPR) where required.

11. International transfers

Depending on the providers used, processing in third countries (e.g., the US) may occur. Where required, we implement appropriate safeguards (e.g., EU Standard Contractual Clauses) and consider additional technical measures.

12. Retention & deletion

We retain personal data only as long as needed for the respective purpose. Typical guidance includes:

  • server logs: short-term for operations/security (longer in case of incidents)
  • API/webhook logs: as short as possible; extended where needed for troubleshooting, billing, and security/abuse investigations
  • contact requests: until resolved; longer only if retention duties apply
  • account data: for the duration of the relationship; thereafter as required
  • certificate/record data & uploads: based on issuer/process requirements; deletion may be limited by legal/technical constraints (e.g., blockchain immutability)
  • billing/payment data (if applicable): according to statutory retention periods

Specific periods may vary depending on the case (e.g., support history, security events, legal requirements, contractual terms with organizations).

13. Data subject rights

You have the following rights (where applicable):

  • access (Art. 15 GDPR)
  • rectification (Art. 16 GDPR)
  • erasure (Art. 17 GDPR)
  • restriction (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • objection (Art. 21 GDPR)
  • withdraw consent with effect for the future (Art. 7(3) GDPR), where processing is based on consent

To exercise your rights, email support@certifylize.com. We may request additional information to verify identity and prevent abuse. In certain cases, rights (e.g., erasure) may be limited by legal obligations or technical immutability (e.g., blockchain references).

14. Right to lodge a complaint

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

For Baden-Württemberg, this is in particular the State Commissioner for Data Protection and Freedom of Information (LfDI BW).

15. Security measures

We implement appropriate technical and organizational measures to protect data against unauthorized access, loss, alteration or destruction. This may include access controls, role/permission concepts, transport encryption (TLS), logging/audit trails, and abuse prevention mechanisms. See also Security & Privacy.

16. Updates to this policy

We update this policy when legal requirements, our services, or processing activities change.

Last updated: January 2026