Privacy Policy
Effective date: 1 May 2026 · Controller: Kalski Data Services
This Privacy Policy explains how Kalski Data Services (Triq Guzepp Vella, XWK-2650 Gozo, Republic of Malta) collects, uses, and protects your personal data when you use CerVault, in accordance with the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act.
1. Data We Collect
- Account data: full name, date of birth, email address, password (hashed).
- Certificate data: certificate name, issuer, uploaded certificate documents (PDF/images), optional public validation URLs.
- Identity documents: passport or national ID scans uploaded for identity verification.
- LinkedIn URL: optionally provided by you for display on your public profile.
- Usage data: login timestamps, last activity time (used solely for platform security and admin statistics).
2. Legal Bases for Processing (GDPR Art. 6 & 9)
- Contract performance (Art. 6(1)(b)): processing your account and certificate data to deliver the verification service you requested.
- Legal obligation (Art. 6(1)(c)): retaining transaction records as required by Maltese and EU law.
- Legitimate interests (Art. 6(1)(f)): fraud prevention, platform security, and abuse detection.
- Explicit consent (Art. 6(1)(a) / Art. 9(2)(a)): processing your identity documents and contacting issuing institutions for verification. You give this consent when you submit a certificate or identity document for verification. You may withdraw consent at any time by deleting the document from your account, though this will prevent us from completing the verification.
3. How We Use Your Data
- To create and manage your account.
- To verify submitted certificates using AI-assisted document analysis.
- To contact the issuing institution (school, university, awarding body) directly where AI analysis cannot confirm authenticity — for example, to enquire whether a degree was awarded to you. We share only the information necessary for that enquiry (your name, the certificate details, and our verification request).
- To display your verified credentials on your public CerVault profile (only certificates you have had verified).
- To send transactional emails (verification results, account notifications) via our mail provider.
4. Data Sharing
We do not sell your personal data. We share data only with:
- Issuing institutions — limited disclosure for certificate verification as described above, with your consent.
- Mail provider — for sending transactional emails.
- Legal authorities — if required by law or to prevent fraud.
5. Data Retention
- Account data is retained for as long as your account is active, plus up to 3 years after closure for legal and audit purposes.
- Identity documents are retained for the duration of the verification and for up to 12 months thereafter to handle disputes.
- Certificate documents are retained for the duration of your account.
6. Your Rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate data (Art. 16).
- Erasure ("right to be forgotten") where no legal retention obligation applies (Art. 17).
- Restriction of processing in certain circumstances (Art. 18).
- Data portability for data you provided to us (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email service@cervault.com. We will respond within 30 days. You also have the right to lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC).
7. Security
Uploaded documents and personal data are stored on servers located within the EU. Passwords are stored using bcrypt hashing. Access to uploaded documents is restricted to authorised staff only. We apply appropriate technical and organisational security measures in line with GDPR Art. 32.
8. Cookies
We use a single session cookie (httpOnly, Secure, SameSite=Strict) for authentication purposes only. We do not use advertising, tracking, or analytics cookies.
9. Contact & Data Controller
Data controller: Kalski Data Services
Triq Guzepp Vella, XWK-2650 Gozo, Republic of Malta
Email: service@cervault.com
10. Changes to This Policy
We will notify you by email at least 14 days before any material changes take effect. The current version is always available at cervault.com/privacy.