Data we process
Certenticat may process account details such as email address, role, allowlist status, customer workspace information, settings, support requests, and authentication session data.
NFC workflows may process UIDs, ATR values, chip family, NFC Forum type, NDEF records, memory and writability indicators, reader names, scan timestamps, verification results, counter values, and registration or lifecycle status.
Product and tokenization workflows may process item names, descriptions, image URLs, product numbers, SKU numbers, creator fields, wallet addresses, contract addresses, token identifiers, Tap2Mint state, Tap2Redeem campaign data, and audit events.
Why we process data
We process data to provide the service, verify NFC cards, prevent replay and counterfeit activity, operate customer workspaces, support Tap2Mint and Tap2Redeem, handle support requests, maintain security logs, and improve reliability.
CertentiKey and secure seed functions are treated as restricted administrative or developer tooling. Customer-facing Certenticat workflows should not expose secure seed access to ordinary customer accounts.
Local desktop bridge data
The desktop bridge is designed to run locally and communicate with the web application through a local bridge endpoint. It may display reader health, reader names, card detection events, scan results, and operational logs.
Local logs can contain technical NFC or reader details. Do not paste sensitive seed material, private keys, passwords, or unrelated personal data into bridge settings or logs.
Blockchain visibility
Where a workflow uses a blockchain, wallet addresses, contract addresses, token identifiers, transaction hashes, and metadata references may become public and may not be practically erasable from the underlying network.
Certenticat can update or delete data in systems it controls where legally and technically possible, but it cannot erase public blockchain history controlled by third-party networks.
Sharing and retention
We share data with infrastructure, hosting, email, storage, analytics, security, blockchain, and operational providers only where needed to run the service, secure the platform, or satisfy legal obligations.
Retention periods depend on the data type, account status, security requirements, audit needs, and legal obligations. Security, fraud prevention, support, and blockchain-related records may need longer retention than ordinary account preferences.