CertiPlace Handover

Privacy Policy

Data Controller

The data controller for personal data collected through CertiPlace Handover is the same entity that operates CertiPlace. Full details are available in the privacy policy at certiplace.app/privacy.

Data Collected

  • Product photos with GPS metadata and server timestamp.
  • Buyer's selfie (optional), with GPS metadata and server timestamp.
  • Buyer's handwritten signature (optional), with GPS metadata and server timestamp.
  • Signer's name (optional).
  • Signer's observations (optional).
  • Product condition and package sealing video (optional), with GPS metadata and server timestamp.
  • Video note (optional).
  • Product description (optional).
  • Payment data processed by Stripe, including email address for the payment receipt (CertiPlace Handover does not store card data or email addresses; report recovery uses the Stripe order ID).
  • GPS coordinates of the device at the time of each capture.

Purpose

Data is collected exclusively to generate the verified delivery report, seal it on blockchain, and enable its recovery and subsequent verification. It is not used for any other purpose.

Legal Basis

Performance of the service contract (Art. 6(1)(b) GDPR).

Data Retention

  • PDF report: retained indefinitely on CertiPlace servers (the hash on Hedera is permanent).
  • Sealed video: deleted from CertiPlace servers after 60 days. The SHA-256 hash on Hedera Hashgraph is permanent and independent of CertiPlace.
  • Photos, selfie and signature: retained indefinitely as part of the report.
  • Email: processed and retained by Stripe as part of the payment transaction; CertiPlace Handover does not store email addresses on its own servers.

Your Rights

You may exercise your rights of access, rectification, erasure, objection, portability and withdrawal of consent by writing to [email protected]. Note that erasure may not be possible for the hash sealed on Hedera Hashgraph, which is immutable by design.

International Transfers

Data may be processed on servers located outside the EEA by providers such as AWS (S3) and Hedera Hashgraph, with appropriate safeguards under applicable data protection legislation.

Contact

[email protected]