Privacy policy

1. Data controller

Personal data submitted through this website is processed by CERTCRYPT.

For any privacy-related inquiries or data protection requests, you may contact:

[email protected]

CERTCRYPT is currently in the process of formal organizational structuring. This Privacy Policy may be updated to reflect changes in legal status or governance.

2. Scope

This Privacy Policy applies to certcrypt.com and to related public website pages and subdomains operated directly by CERTCRYPT, including blog.certcrypt.com, docs.certcrypt.com, and other public *.certcrypt.com properties.

It applies to personal data processed through the contact form, the use case submission flow, and technical website operation.

It does not apply to third-party websites or services that may be referenced or linked from this site.

3. How this privacy policy should be read

This Privacy Policy is intended to explain how CERTCRYPT processes personal data in connection with the public website.

It is a public disclosure document describing limited website-related processing. It is not an internal compliance manual or internal operational policy document.

Where this Privacy Policy refers to website processing, it refers to the public website environment and the associated communication and intake channels described below.

4. Sources of personal data

CERTCRYPT generally receives personal data directly from you when you choose to submit it through the website or when technical data is generated by the operation of the website.

Depending on the interaction, personal data may come from:

• Information you enter into the contact form
• Information you enter into the use case submission flow
• Technical request and browser metadata generated during website access
• Security and abuse-prevention systems used to protect website forms and infrastructure
• Optional analytics mechanisms that operate only where consent has been provided

5. Zero-data infrastructure and website boundary

CERTCRYPT's zero-data and proof-without-custody principles apply to the certification infrastructure model. They do not eliminate the need for limited data handling in the operation of a public website.

When you communicate with CERTCRYPT through this website, or when you submit a use case for internal review, certain personal and technical data must be processed so the website can function securely and so submitted requests can be handled responsibly.

We therefore distinguish between the certification infrastructure model and the limited operational data processing required to run certcrypt.com.

6. Contact form data

When you submit the contact form, we may process the information you choose to provide together with limited technical metadata needed for delivery, abuse prevention, and response handling.

CERTCRYPT does not request sensitive personal data through the contact channel and asks you not to submit unnecessary personal or confidential information through free-text fields.

• Full name
• Email address
• Subject line
• Message content
• Message delivery and response-handling metadata
• Security verification tokens used to validate human submissions
• Basic request metadata such as timestamp, IP address, and user-agent information as captured in server logs

7. Use case submission data

When you use the use case submission flow, CERTCRYPT may process both the information you actively provide and limited review metadata generated as part of the intake process.

The use case flow supports draft progression and review before final submission. As a result, certain data may be stored before you complete the final submission step.

• Full name
• Email address
• Organization
• Country or region
• Use case type and related descriptive fields
• Use case description and additional notes
• Company sector and related operational context
• Expected volume, urgency, and integration mode
• Draft identifiers and submission state
• Internal review metadata such as completion state, prioritization signals, and scoring fields
• Hashed IP data and user-agent data associated with draft creation, update, and submission security

Use case submissions are reviewed internally. Submission does not imply selection, acceptance, onboarding, or follow-up communication.

8. Website technical and abuse prevention data

When you browse the website or interact with protected forms, limited technical information may be processed automatically for operational security, traffic integrity, abuse prevention, and technical performance.

Public CERTCRYPT websites may also be delivered or protected through Cloudflare infrastructure, which may process limited technical request data as part of request proxying, traffic filtering, caching, TLS termination, and related security functions.

Some of this processing exists specifically to detect bots, spam, fraud, hostile automation, malformed submissions, or repeated abusive traffic. Protected forms may use Cloudflare Turnstile for security verification and abuse prevention.

If optional analytics cookies are enabled by you, aggregated usage statistics may also be processed to improve technical performance. These statistics are used in aggregated form and are not used for profiling or behavioral advertising.

• Server log data
• IP address and related network request metadata
• User-agent and device/browser request information
• Security challenge or bot-verification signals used for abuse prevention
• Rate-limiting, abuse-prevention, and security monitoring signals
• Essential cookie data required for secure operation
• Optional analytics data where consent has been provided

9. Purpose of processing

Personal data is processed only for legitimate and limited website purposes such as communication handling, internal use case review, abuse prevention, and secure technical operation.

These purposes may include:

• Reviewing institutional, technical, or strategic inquiries
• Responding to submitted contact requests where appropriate
• Receiving, storing, reviewing, and internally prioritizing submitted use cases
• Determining whether clarification or follow-up is needed for a submitted use case
• Preventing abuse, spam, or malicious activity
• Maintaining operational and technical security
• Improving technical performance where optional analytics are enabled

10. What CERTCRYPT does not do

CERTCRYPT applies a restrictive approach to website data handling.

CERTCRYPT does not use personal data obtained through the website for:

• Behavioral profiling
• Targeted advertising
• Sale or resale of data
• Marketing automation unrelated to a submitted inquiry
• Public disclosure of submitted contact or use case content
• Collection of user documents through public website forms as part of normal website operation

11. Legal basis

Processing is carried out on the basis of user-initiated communication, legitimate interests in secure website operation and abuse prevention, and, where applicable, consent where consent is the appropriate legal basis.

Submission of the contact form or use case form implies a request by you for CERTCRYPT to review the submitted information for the stated website purpose.

Optional analytics cookies are activated only where you provide consent through the cookie banner.

• Responding to user-initiated inquiries
• Reviewing user-initiated use case submissions
• Maintaining secure website operation
• Ensuring technical integrity and abuse-prevention controls

12. Data minimization

CERTCRYPT applies a strict minimization approach.

Only data necessary for secure communication, user-initiated submission handling, abuse-prevention measures, and essential website operation is processed.

CERTCRYPT does not process more data than is reasonably necessary for the website purpose you invoke.

13. Retention

Personal data is retained only for periods reasonably necessary for the purposes described in this Privacy Policy, subject to operational, legal, compliance, and security requirements.

Retention may vary depending on data category and processing context.

• Contact requests may be retained for communication handling, operational continuity, follow-up where needed, and security review
• Use case drafts may be retained long enough to support draft progression, internal review state management, abuse prevention, and related operational controls
• Submitted use cases may be retained for internal review, prioritization, and limited operational follow-up
• Server logs and security-related metadata may be retained for limited technical periods consistent with operational security practices
• Optional analytics data, where enabled, may be retained according to the limited technical and reporting configuration of the analytics service in use

Data is not intended to be retained longer than reasonably necessary for the website purposes described in this Privacy Policy.

14. Third-party processors

Certain technical functions may involve trusted third-party processors providing services related to:

These processors act solely for operational delivery, security, or technical performance purposes and do not use data for independent commercial purposes.

Where such providers operate across multiple jurisdictions, appropriate safeguards are implemented consistent with applicable data protection standards.

• Email delivery providers
• Cloudflare infrastructure used for public website delivery, proxying, caching, TLS termination, and related security functions
• Hosting infrastructure providers
• Database or storage infrastructure providers
• Cloudflare Turnstile and comparable security challenge or bot-verification services used for abuse prevention
• Optional analytics providers (if enabled)

15. International processing

If data is processed outside the jurisdiction from which it was submitted, such processing is carried out under appropriate safeguards consistent with applicable data protection requirements.

Depending on infrastructure, service provider architecture, and operational needs, data may be processed in more than one jurisdiction.

16. Security

CERTCRYPT implements reasonable technical and organizational measures designed to protect processed data against unauthorized access, misuse, loss, or disclosure.

This includes measures intended to reduce abuse, malicious automation, and unauthorized access to website submission channels.

No online system can guarantee absolute security. Security controls are periodically reviewed and improved.

17. Children

This website is intended for professional, organizational, and general business or technical use and is not directed to children.

CERTCRYPT does not intentionally solicit or knowingly collect personal data from children through its public website forms.

18. Automated decision-making and profiling

CERTCRYPT does not use personal data submitted through the public website to make legally significant automated decisions about you.

CERTCRYPT does not use website-submitted personal data for behavioral profiling or targeted advertising.

19. Your rights and complaints

You may request:

To exercise any such request, please contact:

[email protected]

Requests will be reviewed and handled in accordance with applicable data protection requirements.

Where applicable law provides such a right, you may also lodge a complaint with a competent data protection supervisory authority.

• Access to personal data submitted through the contact or use case channels
• Correction of inaccurate data
• Deletion of personal data
• Restriction of processing where applicable
• Objection to processing where applicable

20. Cookies and tracking

CERTCRYPT applies a minimal and security-oriented approach to cookies.

The website uses essential cookies required for secure operation. Optional analytics cookies may be enabled only with your consent.

CERTCRYPT does not use advertising or behavioral tracking technologies.

For more information, please see our Cookies policy.

21. Changes

This Privacy Policy may be updated as website operations, infrastructure design, legal expectations, or compliance requirements evolve.

The effective revision date is shown at the top of this page.