Privacy Policy — CertControl

Summary: CertControl is hosted in the EU, GDPR aligned, and we do not sell your data. We collect only what is needed to operate the service.

1. Who we are

CertControl is a certificate and attack surface security platform built and operated in Denmark. References to "we", "us", or "our" in this policy refer to the CertControl team.

For questions about this policy, contact us at mail@certcontrol.pro.

2. What data we collect

We collect the following categories of data:

Account data: name, email address, company name, and password (bcrypt-hashed)
Usage data: actions performed in the platform, scan results, endpoint configurations
Technical data: IP addresses, browser type, session identifiers
Communication data: messages sent via the contact form or email

We do not collect payment card details directly — payments are handled by our payment processor.

3. How we use your data

To provide and operate the CertControl platform
To send service-related notifications (certificate expiry alerts, scan results)
To respond to support requests and enquiries
To improve platform security and performance
To comply with legal obligations

We do not use your data for advertising and do not sell or share it with third parties for marketing purposes.

4. Legal basis (GDPR)

Our processing is based on:

Contract performance — to deliver the service you signed up for
Legitimate interest — to improve the platform and ensure security
Legal obligation — where required by applicable law
Consent — for optional communications, where applicable

5. Data storage and transfers

All data is stored on infrastructure located within the European Union. We do not transfer personal data to countries outside the EU/EEA without adequate safeguards in place.

A Data Processing Agreement (DPA) is available on request for customers who require one for their own compliance obligations.

6. Data retention

We retain account data for as long as your account is active, plus a reasonable period thereafter to fulfil legal obligations. Scan data and audit logs are retained according to the retention policy configured in your account settings.

You may request deletion of your data at any time by contacting us.

7. Your rights

Under GDPR you have the right to:

Access the personal data we hold about you
Rectify inaccurate or incomplete data
Request erasure ("right to be forgotten")
Restrict or object to processing
Data portability
Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at mail@certcontrol.pro.

8. Security

CertControl is built with security as a core requirement. We apply industry-standard practices including encryption at rest and in transit, multi-factor authentication, session management, and regular security reviews. All private keys are encrypted using AES-256-GCM. Full audit logging is maintained for all administrative actions.

9. Cookies and local storage

We use the following technologies on certcontrol.pro:

Session cookie (sid): Required for login and authentication. Expires when the browser is closed. No consent required — technically necessary.
CSRF cookie (XSRF-TOKEN): Required for security (cross-site request forgery protection). Session-scoped. No consent required — technically necessary.
Analytics session ID (_cw_session, localStorage): A randomly generated identifier used to measure anonymous page usage (page views, feature interactions). Deleted after 30 minutes of inactivity. Requires your consent.
UTM parameters (_cw_utm, sessionStorage): Stores campaign source data (e.g. from email links) for a single browser session. Requires your consent.
Consent preference (cwp-cookies, localStorage): Remembers your cookie choice so the banner is not shown on every visit. Technically necessary for the consent mechanism to function.
Language preference (cc-lang, localStorage): Stores your selected display language. Technically necessary for user-defined settings.

All analytics data is first-party and processed solely by CertControl. We do not share analytics data with third parties and do not use third-party tracking scripts.

You can view or change your cookie preferences at any time via Cookie settings.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active users by email. The "last updated" date at the top of this page reflects the most recent revision.

11. Contact

For any privacy-related questions or requests:
Email: mail@certcontrol.pro
Web: certcontrol.pro/contact