Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller is Certo Governance Institute with headquarters in Poland. Contact: privacy@certogov.org
2. What data we collect
- Authentication data: email address, first and last name, profile picture — obtained during login via Google or Microsoft OAuth.
- Technical data: IP address, browser type, visit time — automatically collected in server logs.
- Session data: authentication tokens stored in cookies.
3. Purpose and legal basis for processing
| Purpose | Legal basis |
|---------|-------------|
| Enable login and document access | Art. 6 sec. 1 lit. b GDPR |
| Ensure service security | Art. 6 sec. 1 lit. f GDPR |
| Conduct statistics | Art. 6 sec. 1 lit. f GDPR |
| Fulfill legal obligations | Art. 6 sec. 1 lit. c GDPR |
4. Data recipients
- Supabase Inc. — database and authentication infrastructure.
- Vercel Inc. — hosting infrastructure.
- Google LLC — login via Google OAuth.
- Microsoft Corporation — login via Microsoft OAuth.
5. User rights
You have the right to access, correct, delete, restrict processing, transfer data, and object. To exercise your rights, contact privacy@certogov.org. You also have the right to lodge a complaint with the President of the UODO.
6. Cookies
The service uses only session and authentication cookies. We do not use marketing or tracking cookies.
7. Retention period
Authentication data — for the duration of account ownership. Technical logs — 90 days. After account deletion, data is anonymized within 30 days.
