Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller is Certo Governance Institute with registered office in Poland. Contact: privacy@certogov.org
2. What data we collect
- Authentication data: email address, name and surname, profile picture — obtained during login via Google or Microsoft OAuth.
- Technical data: IP address, browser type, visit time — collected automatically in server logs.
- Session data: authentication tokens stored in cookies.
3. Purpose and legal basis for processing
| Purpose | Legal basis |
|---------|-------------|
| Enabling login and access to documents | Art. 6(1)(b) GDPR |
| Ensuring service security | Art. 6(1)(f) GDPR |
| Conducting statistics | Art. 6(1)(f) GDPR |
| Fulfilling legal obligations | Art. 6(1)(c) GDPR |
4. Data recipients
- Supabase Inc. — database infrastructure and authentication.
- Vercel Inc. — hosting infrastructure.
- Google LLC — login via Google OAuth.
- Microsoft Corporation — login via Microsoft OAuth.
5. User rights
You have the right to access, rectification, erasure, restriction of processing, data portability and objection. To exercise your rights: privacy@certogov.org. You also have the right to lodge a complaint with the President of the Personal Data Protection Office.
6. Cookies
The service uses only session and authentication cookies. We do not use marketing or tracking cookies.
7. Retention period
Authentication data — for the duration of account ownership. Technical logs — 90 days. After account deletion, data is anonymized within 30 days.
