Privacy Policy

DSGVO — Art. 13 & 14 Information

Last updated: 10 May 2026  ·  Effective: 10 May 2026

1. Controller & Contact

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data-protection laws is:

CertWatchr
Philipp Gualdi
8010 Graz, Austria
E-mail: office@certwatchr.com

For all matters relating to the processing of your personal data or the exercise of your data-subject rights, please contact us at the e-mail address above. We endeavour to respond within 30 days.

2. Data Protection Officer

We are not currently required to appoint a Data Protection Officer under Art. 37 GDPR. Data-protection enquiries should be directed to the contact given in Section 1.

3. Data We Collect

3.1 Data You Provide Directly

Category | Examples | When collected
Account data | E-mail address, hashed password | Registration
Domain data | Hostnames, port numbers, certificate metadata | Domain management
Notification settings | Alert thresholds, webhook URL, e-mail preference | Settings page
Feedback | Free-text you submit via the feedback form | Feedback submission
Billing data | Stripe customer ID, subscription status, plan type | Payment / upgrade

3.2 Data Collected Automatically

Category | Examples | Purpose
Access logs | IP address, HTTP method, URL path, timestamp, HTTP status code, browser type | Security, abuse prevention, debugging
Session data | Encrypted session cookie | Authentication, CSRF protection
UI preferences | Colour-theme choice (light / dark) | Personalisation

We do not use third-party analytics trackers, advertising networks, or social-media pixels.

4. Cookies & Local Storage

We use only technically essential storage mechanisms. No consent is required for these under § 25 (2) TDDDG (German Telecommunications and Digital Services Data Protection Act).

Name | Type | Purpose | Expiry
session | Cookie (HttpOnly, Secure, SameSite=Lax) | Maintains your logged-in session and CSRF protection | Session / 31 days if "remember me" is active
bs-theme | localStorage | Stores your colour-theme preference (light / dark) | Persistent until cleared; overwritten by DB setting for logged-in users

You can clear localStorage at any time via your browser's developer tools. Clearing the session cookie will log you out.

5. Legal Basis for Processing

Processing activity | Legal basis
Providing the monitoring service, managing your account | Art. 6 (1)(b) GDPR — performance of a contract
Sending certificate-expiry alerts and transactional e-mails | Art. 6 (1)(b) GDPR — performance of a contract
Billing via Stripe | Art. 6 (1)(b) GDPR — performance of a contract; Art. 6 (1)(c) GDPR — legal obligation (tax / accounting records)
Access logs for security and abuse prevention | Art. 6 (1)(f) GDPR — legitimate interest (network and service security). Balancing test: the security interest outweighs the limited privacy impact of short-lived server logs.
Colour-theme preference | Art. 6 (1)(f) GDPR — legitimate interest (user experience)
Compliance with legal retention obligations (accounting, tax) | Art. 6 (1)(c) GDPR — legal obligation

6. Purposes of Processing

  • Service delivery. Monitoring SSL/TLS certificates, computing expiry dates, storing domain data, and delivering alerts via e-mail or webhook.
  • Account management. Creating and maintaining your account, enabling authentication, and processing password resets.
  • Billing. Processing subscription payments, issuing invoices, and managing subscription lifecycle events via Stripe.
  • Security. Detecting and preventing unauthorised access, abuse, and fraudulent activity.
  • Service improvement. Analysing aggregate, anonymised usage patterns to improve reliability and features. We do not build individual user profiles for this purpose.
  • Legal compliance. Retaining records required by applicable law (e.g. commercial and tax law in Germany: § 257 HGB, § 147 AO).

7. Processors & Third-Party Recipients

We do not sell your personal data. We engage the following processors under data-processing agreements (Art. 28 GDPR):

Processor | Purpose | Location
Hosting provider (e.g. Hetzner / Contabo) | Server infrastructure, data storage | EU (Germany)
Stripe, Inc. | Payment processing, subscription management | USA (SCCs in place — see Section 8)
E-mail delivery provider | Transactional alert e-mails, password reset | [EU / USA — specify]

We may also disclose data to competent authorities (courts, law enforcement, regulatory bodies) where we are legally required to do so.

8. International Data Transfers

Where personal data are transferred to countries outside the European Economic Area (EEA) that do not offer an equivalent level of data protection, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) — used for Stripe and, where applicable, our e-mail provider.
  • EU-US Data Privacy Framework (DPF) — Stripe is certified under the DPF.

You can request a copy of the applicable safeguards by contacting us at office@certwatchr.com.

9. Data Retention

Data category | Retention period | Reason
Account data (e-mail, password hash) | Duration of the contract + 3 years after account closure | Contractual claims limitation period (§ 195 BGB)
Domain and certificate data | Duration of the contract; deleted within 30 days of account closure | Contract performance
Billing records and invoices | 10 years from invoice date | § 257 HGB, § 147 AO (German commercial and tax law)
Access logs | 90 days | Security / debugging; deleted automatically
Feedback submissions | Until the request is resolved, then deleted within 30 days | Legitimate interest (product improvement)

You may request early deletion of your data (subject to overriding legal retention obligations) at any time — see Section 13.

10. Automated Decision-Making & Profiling

We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal or similarly significant effects on you. Domain-limit enforcement (based on your subscription tier) is a purely rule-based system, not a probabilistic profile.

11. Data Security

We implement technical and organisational measures (TOMs) appropriate to the risk, including:

  • All data transmitted over HTTPS with TLS 1.2 or higher.
  • Passwords stored using bcrypt with a cost factor of at least 12.
  • Session cookies are HttpOnly, Secure, and SameSite=Lax.
  • CSRF tokens on all state-changing requests.
  • Role-based access controls; principle of least privilege.
  • Regular dependency and security updates.

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by Art. 34 GDPR.

12. Children's Privacy

Our service is directed at adults and businesses. We do not knowingly collect personal data from children under the age of 16. If we become aware that we hold such data, we will delete it without undue delay. If you believe we may have collected data from a child, please contact us at office@certwatchr.com.

13. Your Rights (GDPR Art. 15–21)

As a data subject you have the following rights. To exercise them, contact us at office@certwatchr.com. We will respond within one month (Art. 12 (3) GDPR), extendable by two further months for complex requests.

Right | What it means
Access (Art. 15) | Obtain a copy of the personal data we hold about you and information about how it is processed.
Rectification (Art. 16) | Have inaccurate data corrected and incomplete data completed.
Erasure (Art. 17) | Request deletion of your data where there is no overriding legal basis to retain it ("right to be forgotten").
Restriction (Art. 18) | Request that processing is restricted while a dispute about accuracy or lawfulness is resolved.
Portability (Art. 20) | Receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller, where technically feasible.
Objection (Art. 21) | Object to processing based on legitimate interest (Art. 6 (1)(f) GDPR). We must then demonstrate compelling legitimate grounds that override your interests, or stop processing.
Withdrawal of consent | Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

These rights are exercisable free of charge. We may request proof of identity before disclosing data.

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority at any time (Art. 77 GDPR). The lead supervisory authority for CertWatchr is:

[Name of the competent German state DPA — e.g. Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)]
[Street] [Number]
[Postcode] [City], Germany
Website: [URL of the DPA]

You may also lodge a complaint with the supervisory authority of the EU member state in which you reside or work, or in which the alleged infringement occurred.

15. Changes to This Policy

We will notify registered users of material changes by e-mail at least 14 days before the new version takes effect. For non-material changes (e.g. editorial corrections, updated processor addresses), we will update the "Last updated" date without prior notice.

Your continued use of the service after the effective date of a revised policy constitutes acceptance. You may close your account at any time if you do not agree with the revised policy.