1. Data Controller

Certiplace.app is the data controller for the personal data processed through this platform.

Lead supervisory authority: Spanish Data Protection Agency (AEPD) — www.aepd.es

2. Data We Process

During report generation, the following data is processed temporarily:

Photographs taken with the user's device camera
GPS coordinates: latitude, longitude, altitude, and accuracy
Device fingerprint: User-Agent, screen resolution, language, timezone, hardware information
NTP-synchronized server timestamps (UTC)
Presence selfie: photograph of the user to verify physical presence

All of this data is deleted from our servers after report delivery, except the SHA-256 hash recorded on the Hedera Hashgraph public network (see section 4).

3. Data We Do NOT Store

CertiPlace does not maintain any persistent storage of personal data:

No user accounts or profiles
No photos or images after report generation
No personal identification data
No tracking or advertising cookies
No browsing history
No payment card data (processed exclusively by Stripe)

4. Blockchain Record

The only permanent record is the SHA-256 hash of the generated PDF, stored on the Hedera Hashgraph public network. This hash is a one-way cryptographic fingerprint: it is mathematically impossible to reconstruct personal data, photographs, or any report content from this hash. Its sole purpose is to allow verification of the document's integrity and authenticity.

5. Legal Basis for Processing (GDPR)

The legal basis for data processing is contract execution (Art. 6(1)(b) GDPR). When you pay for and use CertiPlace, you enter into a service agreement. Data processing is necessary to fulfill this agreement (generate the requested report). Once the report is delivered, all temporary data is deleted.

6. Payment Processing

Payments are processed by Stripe, Inc. CertiPlace does not store, process, or have access to any payment card information. The Stripe order number is used exclusively for report recovery during the 30-day period.

Please refer to Stripe's Privacy Policy for details on how they handle payment data.

7. Cookies

CertiPlace uses only essential technical cookies required for the service to function: language preference (stored in localStorage) and temporary session data during report generation. No analytics, tracking, or advertising cookies are used. Google Analytics with IP anonymization is used for aggregate traffic metrics, without personal identification.

8. Report Availability and Recovery

Generated PDF reports are available for immediate download and for a limited time via the share link. Reports can be recovered within 30 days of purchase using the Stripe order number at certiplace.app/recover.

After 30 days, CertiPlace cannot recover the PDF file. The PDF file is stored temporarily and linked to the Stripe order for recovery purposes only — no personal data from the report is accessible through this mechanism.

9. Rights Under the GDPR (EU/EEA Users)

Under the General Data Protection Regulation (EU 2016/679), you have the right to:

Access: Request information about what personal data we process.
Rectification: Request correction of inaccurate data.
Erasure: Request deletion of your personal data.
Portability: Request transfer of your data in a machine-readable format.
Objection: Object to the processing of your data in certain circumstances.
Restriction: Request restriction of processing.

Practical note: Since CertiPlace does not maintain persistent storage of personal data and does not require user accounts, most of these rights are fulfilled by design (privacy by design). After report generation and delivery, no personal data remains on our servers.

To exercise any right, contact: [email protected]

You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

10. Rights Under the LGPD (Brazilian Users)

Under the Lei Geral de Proteção de Dados (Law 13,709/2018), Brazilian users have the right to:

Access: Confirmation of the existence of and access to personal data.
Correction: Request correction of incomplete, inaccurate, or outdated data.
Deletion: Request deletion of personal data processed with consent.
Portability: Request transfer of data to another service provider.
Consent revocation: Revoke consent at any time.

Reference authority for Brazilian users: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd

11. Rights Under the CCPA (California Residents)

Right to Know: Request information about the categories and specific personal data collected.
Right to Delete: Request deletion of personal data collected.
Right to Opt-Out of Data Sales: CertiPlace does not sell personal data to third parties.
Right to Non-Discrimination: We will not discriminate against users who exercise their CCPA rights.

12. International Data Transfers

CertiPlace uses the following services that may involve international data transfers:

Hedera Hashgraph: Global public blockchain network. Only the SHA-256 hash is recorded (non-personal data).
Stripe: Payment processing. Complies with the GDPR via EU Standard Contractual Clauses.
AWS: Temporary file storage. Complies with the GDPR through Standard Contractual Clauses and international security certifications.

13. Security

Encrypted communications via HTTPS/TLS
Temporary cloud storage with restricted access
Automatic data deletion after report delivery
No password or credential storage (no user accounts)

14. Use by Minors

CertiPlace is not intended for individuals under 16 years of age (GDPR threshold). We do not intentionally collect data from minors. If you become aware that a minor has used the service, please contact [email protected].

15. Changes to This Policy

CertiPlace reserves the right to update this privacy policy. Changes will be published on this page with the corresponding update date. Continued use of the service after publication of changes constitutes acceptance of the updated policy.

16. Contact

For any inquiries about this privacy policy or to exercise your data protection rights:

Email: [email protected]