Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller is Certo Governance Institute with its registered office in Poland. Contact: privacy@certogov.org

2. What data we collect

• Authentication data: email address, full name, profile picture — obtained during login via Google or Microsoft OAuth.
• Technical data: IP address, browser type, visit time — collected automatically in server logs.
• Session data: authentication tokens stored in cookies.

3. Purpose and legal basis for processing

| Purpose | Legal Basis | |---------|------------| | Enabling login and access to documents | Art. 6 para. 1 lit. b GDPR | | Ensuring service security | Art. 6 para. 1 lit. f GDPR | | Conducting statistics | Art. 6 para. 1 lit. f GDPR | | Fulfilling legal obligations | Art. 6 para. 1 lit. c GDPR |

4. Data Recipients

• Supabase Inc. — database and authentication infrastructure.
• Vercel Inc. — hosting infrastructure.
• Google LLC — login via Google OAuth.
• Microsoft Corporation — login via Microsoft OAuth.

5. User Rights

You have the right to access, rectify, erase, restrict processing, data portability, and object to processing. To exercise your rights: privacy@certogov.org. You also have the right to lodge a complaint with the President of UODO.

6. Cookies

The service uses exclusively session and authentication cookies. We do not use marketing or tracking cookies.

7. Data Retention Period

Authentication data — for the duration of account ownership. Technical logs — 90 days. After account deletion, data is anonymized within 30 days.