Privacy Policy

Last updated: January 2025

This Privacy Policy describes how Certificate collects, uses, stores, and protects your personal information. By using our Services, you agree to the collection and use of information in accordance with this Policy.

1. Jurisdiction and Governing Law

Certificate operates under the jurisdiction of Romania. This Privacy Policy is governed by and construed in accordance with Romanian law, specifically the General Data Protection Regulation (GDPR) (EU) 2016/679 and Romanian Law 190/2018 on measures to implement the GDPR.

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the Romanian courts. By using our Services, you consent to the jurisdiction and venue of such courts and waive any objection as to inconvenient forum.

2. Information We Collect

We collect and process the following categories of personal data in accordance with Article 6(1) GDPR, based on the legal grounds of contract performance, legitimate interests, and legal obligations:

  • Account Information: Email address, username, password (encrypted), and authentication credentials required for account creation and service access
  • Hardware Identifiers: Hardware ID (HWID), system specifications, operating system version, and device information for license validation and fraud prevention
  • Payment Information: Transaction data processed through third-party payment processors (Stripe, PayPal). We do not store complete payment card details on our servers
  • Usage Data: Service logs, IP addresses, feature usage statistics, session duration, and technical diagnostics for service improvement and security
  • Communications: Support tickets, Discord interactions, email correspondence, and any other communications with our team
  • Technical Data: Browser type, time zone settings, operating system, and other technology on the devices you use to access our Services

3. How We Use Your Information

We process your personal data for the following purposes, in accordance with GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): To provide, maintain, and deliver our Services, process your orders, manage your account, and fulfill our contractual obligations
  • Payment Processing: To process transactions, manage subscriptions, handle billing, and prevent payment fraud
  • Legitimate Interests (Art. 6(1)(f)): To prevent fraud, abuse, and unauthorized access; to improve our products and services; to conduct analytics and research
  • Legal Obligations (Art. 6(1)(c)): To comply with applicable laws, regulations, legal processes, and enforceable governmental requests
  • Communication: To send you service-related notices, security alerts, support messages, and administrative communications
  • Security: To detect, prevent, and address technical issues, security incidents, and violations of our Terms of Service

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We may share your information only in the following limited circumstances:

  • Legal Obligations: When required by law, regulation, legal process, or enforceable governmental request, including compliance with court orders and subpoenas
  • Protection of Rights: When necessary to protect our rights, property, or safety, or that of our users or the public, as required or permitted by law
  • Service Providers: With trusted third-party service providers who assist in our operations (payment processors, hosting providers, analytics services) under strict confidentiality agreements and data processing agreements compliant with GDPR Article 28
  • Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company, subject to confidentiality obligations
  • With Your Consent: When you have given explicit consent for a specific purpose

All third-party service providers are contractually obligated to maintain the confidentiality and security of your personal data and may only use it for the purposes we specify.

5. Data Protection Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:

  • Encryption: End-to-end encryption for sensitive data, including passwords (bcrypt/Argon2) and payment information
  • Secure Transmission: TLS/SSL protocols for all data transmission between your device and our servers
  • Access Controls: Role-based access control (RBAC) systems ensuring only authorized personnel can access personal data
  • Security Audits: Regular security assessments, vulnerability scans, and penetration testing
  • Staff Training: Mandatory data protection and security training for all personnel with access to personal data
  • Incident Response: Documented incident response and recovery procedures compliant with GDPR Articles 33 and 34
  • Data Minimization: We collect and retain only the minimum data necessary for specified purposes
  • Pseudonymization: Where possible, we pseudonymize personal data to reduce privacy risks

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to improve our security practices.

6. Data Retention

In accordance with GDPR Article 5(1)(e) (storage limitation principle), we retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Active Accounts: Account data is retained for the duration of your active subscription plus 90 days after expiration
  • Inactive Accounts: Accounts inactive for more than 12 months may be deleted after notice
  • Transaction Records: Financial records retained for 7 years to comply with Romanian tax and accounting laws
  • Legal Obligations: Data retained as required by applicable laws, regulations, or legal proceedings
  • Dispute Resolution: Data retained as necessary to resolve disputes and enforce our agreements
  • Security Logs: Security and access logs retained for 12 months for fraud prevention and security purposes

Account Suspension/Ban Policy: When your account is suspended or banned, data deletion is paused for the duration of the appeal period (21 days). If you do not appeal or your appeal is denied, and no legal dispute or chargeback is active, your data will be automatically deleted after this timeframe, except for data we are legally required to retain (transaction records, security logs related to violations).

Upon expiration of the retention period, personal data will be securely deleted or anonymized in accordance with our data retention schedule.

7. Data Breach Notification

In accordance with GDPR Articles 33 and 34, in the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Supervisory Authority Notification: Notify the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) within 72 hours of becoming aware of the breach, as required by Article 33
  • User Notification: Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34
  • Breach Details: Provide information about the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed
  • Investigation: Conduct a thorough investigation to determine the cause, scope, and impact of the breach
  • Remediation: Take immediate measures to contain the breach, mitigate harm, and prevent future occurrences
  • Documentation: Maintain detailed records of all data breaches, including facts, effects, and remedial actions taken

We maintain a documented incident response plan and conduct regular drills to ensure rapid and effective response to potential security incidents.

8. Your Rights Under GDPR

Under the GDPR and Romanian Law 190/2018, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and access to such data
  • Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data and completion of incomplete data
  • Right to Erasure (Art. 17): You have the right to request deletion of your personal data under certain circumstances, subject to legal obligations and legitimate interests
  • Right to Restriction (Art. 18): You have the right to request restriction of processing under certain conditions
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format
  • Right to Object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

To exercise these rights, please contact us through our official Discord server or email. We will respond to your request within one month as required by GDPR Article 12(3).

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Services and store certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier.

We use the following types of cookies:

  • Essential Cookies: Required for the operation of our Services, including authentication and security features
  • Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences
  • Analytics Cookies: Help us understand how visitors interact with our Services by collecting and reporting information anonymously

We do not use advertising cookies or sell your data to third parties. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services.

10. International Data Transfers

As we operate under Romanian jurisdiction (an EU member state), your personal data is primarily processed within the European Economic Area (EEA). In cases where data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V:

  • Adequacy Decisions: We may transfer data to countries recognized by the European Commission as providing adequate data protection (Article 45)
  • Standard Contractual Clauses: For transfers to countries without adequacy decisions, we use Standard Contractual Clauses approved by the European Commission (Article 46)
  • Service Provider Agreements: All third-party service providers processing data outside the EEA are bound by data processing agreements with appropriate safeguards
  • Additional Measures: We implement supplementary measures where necessary to ensure data protection equivalent to that guaranteed within the EEA

We continuously monitor international data transfer mechanisms and update our practices to comply with evolving legal requirements and guidance from supervisory authorities.

11. Children's Privacy

Our Services are not directed to individuals under the age of 16 (the age of digital consent under GDPR Article 8 in Romania). We do not knowingly collect, use, or disclose personal information from children under 16 without verifiable parental consent.

If you are under 16 years of age, you may not use our Services without the consent and supervision of a parent or legal guardian. If we become aware that we have collected personal information from a child under 16 without proper parental consent, we will take immediate steps to delete such information from our servers.

Parents or legal guardians who believe their child has provided personal information to us without consent should contact us immediately through our official Discord server, and we will promptly delete such information.

12. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

When we make material changes to this Privacy Policy, we will:

  • Update the "Last updated" date at the top of this Policy
  • Notify you through prominent notice on our website or Discord server
  • For significant changes affecting your rights, provide advance notice and, where required by law, obtain your consent
  • Maintain previous versions of this Policy in our archives for your reference

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must discontinue use of our Services and may request deletion of your account and personal data.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.

13. Contact Information and Data Controller

For the purposes of GDPR Article 4(7), the data controller responsible for your personal information is Certificate, operating under Romanian jurisdiction.

Contact Methods:

  • Primary Contact: Official Discord server (support tickets)
  • Email: Available through Discord support channels
  • Response Time: We aim to respond to all privacy-related inquiries within 30 days, as required by GDPR Article 12(3)

Supervisory Authority:

If you have concerns about our data processing practices or wish to lodge a complaint, you have the right to contact the Romanian National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal - ANSPDCP):

  • Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, România
  • Website: www.dataprotection.ro
  • Email: anspdcp@dataprotection.ro