Privacy

What this page covers

Aitoware Cert is a credential issuance and verification platform operated by Aitoware Oy. Tenant organizations (issuers) use the platform to issue digital certificates to their course participants. This page describes how the platform handles personal data on behalf of those tenants.

Roles

  • Aitoware (platform operator) — runs the technical infrastructure and is the data processor for tenant-supplied certificate data.
  • Tenant organizations (issuers) — decide which certificates to issue and to whom. They are the data controllers for their recipients' personal data.
  • Recipients — the individuals named on the certificates.

What we store

  • Recipient display name (shown publicly on the credential page unless the certificate is marked private).
  • Recipient email address (stored privately; never displayed publicly).
  • Course name, issuer, issue date, optional expiry date, certificate ID, status.
  • SHA-256 hash of the certificate's canonical payload.
  • The generated PDF and a QR code image.
  • Audit log entries (admin actions, hashed IPs and user-agent strings for verification views).

What we don't do

  • We don't publish a searchable directory of recipients.
  • We don't share certificate data with third parties for marketing or analytics purposes.
  • We don't store raw IP addresses or unhashed user-agent strings for verification events.

Public visibility

Public credential pages (/c/{id}) and verification pages (/verify/{id}) are designed for sharing on LinkedIn, email, and other channels. By default they show the recipient's display name. Tenants can mark certificates as private, in which case the holder's name and the PDF download are hidden — only the certificate's status, course, issuer, and ID remain visible.

Your rights

If you are a certificate recipient and want to exercise data subject rights (access, correction, deletion, or anonymization), contact the issuer using the contact information on their /i/{issuer} profile page. They are the controller of your data; Aitoware will support their action.

Where deletion would break legitimate ongoing verification (for example a credential still referenced by an employer), the issuer may offer anonymization — replacing the recipient name with a redacted placeholder while keeping the credential record verifiable.

Storage and security

Certificate data is stored in Google Cloud Firestore in the European Union (eur4 multi-region). PDFs and logos are stored in Google Cloud Storage, also in the EU. All admin write operations go through authenticated server endpoints; client-side direct writes to the certificate registry are blocked at the database level.

Contact

For platform-level privacy questions, contact certificates@aitoware.com. For certificate-specific data subject requests, contact the issuer named on the certificate.